
What security controls do I need for cyber insurance?

The specific security controls cyber insurance carriers require, how to prepare for applications, and what happens if you don't qualify.

centrexIT Team 7 min read

Key Takeaways

  • MFA on all internet-facing systems is the #1 requirement - missing it is the most common reason for denial
  • Carriers now require EDR (not just antivirus), encrypted offline backups, and a documented incident response plan
  • Security awareness training with phishing simulations and regular patching are baseline expectations
  • Non-compliance means denial, 50-300% premium increases, or coverage exclusions that leave you exposed
  • Start preparing 90 days before your renewal - a managed IT provider can get you ready in 4-8 weeks

Getting cyber insurance used to be simple. Fill out a short application, check a few boxes, pay your premium. You were covered.

That’s not how it works anymore.

Cyber insurance carriers have paid out billions in ransomware claims, business email compromise losses, and breach recovery costs. They’ve responded by dramatically raising their requirements. Today, if you can’t demonstrate specific security controls, you’ll either be denied coverage, face sky-high premiums, or get a policy with so many exclusions it’s barely worth having.

Here’s exactly what carriers are looking for and how to make sure you qualify.

Why Carriers Require Security Controls

This isn’t arbitrary gatekeeping. Carriers analyzed their claims data and found clear patterns:

  • Businesses without MFA were dramatically more likely to suffer account compromise
  • Businesses without EDR had significantly higher ransomware claim rates
  • Businesses without tested backups had longer recovery times and larger payouts
  • Businesses without employee training fell victim to phishing at much higher rates

So carriers started requiring the controls that actually prevent claims. From their perspective, insuring a business without MFA is like insuring a house without smoke detectors - the risk is simply too high.

The Core Requirements

These are the security controls that virtually every cyber insurance carrier now requires. Missing any one of them can result in denial.

1. Multi-Factor Authentication (MFA)

MFA is the single most important requirement. It’s also the most common reason businesses get denied.

Where carriers require MFA

  • Email (Microsoft 365, Google Workspace)
  • VPN and remote access
  • All administrative accounts
  • Cloud services and SaaS platforms
  • Remote desktop connections
  • Financial and banking systems

What carriers actually verify

  • MFA is enforced, not just available. Having MFA turned on but optional doesn’t count.
  • MFA covers all users, not just administrators
  • There are no bypass exceptions or legacy accounts exempted
  • The MFA method is acceptable (authenticator apps and push notifications are preferred; SMS is increasingly considered weak)

Common denial scenario

“We have MFA on email.” That’s a start, but carriers want MFA on every system accessible from the internet. If your VPN has no MFA, or legacy admin accounts are exempted, you’ll have problems.

2. Endpoint Detection and Response (EDR)

Traditional antivirus is no longer sufficient. Carriers require EDR on all endpoints - laptops, desktops, and servers.

What carriers want to see

  • EDR deployed on every endpoint - 100% coverage is expected, not 95%
  • Active monitoring - Someone (your IT team or a managed security provider) is watching alerts and responding
  • Automated response capabilities - The solution should isolate compromised devices without waiting for human intervention
  • A reputable solution - Carriers recognize products like CrowdStrike, SentinelOne, Sophos, and Microsoft Defender for Endpoint

What doesn’t qualify

  • Free antivirus (Windows Defender alone, Avast Free)
  • Signature-only antivirus without behavioral detection
  • EDR that’s installed but nobody monitors
  • Incomplete deployment (some machines covered, others not)

3. Backups (Encrypted, Tested, and Offline)

Carriers have very specific expectations for backups because backups determine whether a ransomware incident costs $10,000 or $1,000,000.

Backup requirements

  • 3-2-1 strategy: 3 copies of data, on 2 different media types, with 1 copy offsite
  • At least one offline or immutable copy: Ransomware can’t encrypt backups that are air-gapped or stored in an immutable format
  • Encryption: Backups must be encrypted both at rest and in transit
  • Regular testing: Can you prove your backups actually restore? Carriers may ask for test results and dates.
  • Separate credentials: Backup system credentials should be different from your primary network credentials so a network compromise doesn’t also compromise your backups

Questions carriers ask

  • “How frequently are backups performed?”
  • “Are backups stored offline or in an immutable format?”
  • “When was the last backup restoration test?”
  • “What is your recovery time objective (RTO)?”

4. Security Awareness Training

Carriers know that humans are the weakest link. They want to see that you’re actively training your employees.

Requirements

  • Ongoing training - Not just a one-time onboarding session. Carriers want regular, recurring training (monthly or quarterly).
  • Phishing simulations - Regular simulated phishing emails that test whether employees click. Carriers may ask for click rates and improvement trends.
  • Training completion records - You need to document who completed training and when
  • New hire training - Every new employee should receive security training during onboarding

What carriers look for

They don’t just want to know that training exists. They want evidence: completion percentages, simulation results, and a schedule showing the program is ongoing.

5. Patch Management

Unpatched systems are a leading attack vector. Carriers expect a formal patching process.

Requirements

  • Critical patches applied promptly - Most carriers expect critical security patches within 14-30 days of release
  • Documented process - A written patching policy showing how patches are identified, tested, and deployed
  • Coverage across all systems - Operating systems, applications, firmware, and server software
  • Reporting - Evidence showing patch compliance rates and timelines

6. Incident Response Plan

You need a documented plan for what happens when something goes wrong. Not a plan you’ll figure out in the moment - a written plan that’s been reviewed and tested.

What the plan must include

  • Roles and responsibilities - Who does what during an incident
  • Contact information - IT provider, legal counsel, insurance carrier, law enforcement
  • Containment procedures - How you stop an attack from spreading
  • Communication plan - How you notify affected parties, regulators, and the public
  • Recovery procedures - How you restore operations
  • Post-incident review - How you learn from the incident to prevent recurrence

Carrier expectation

Having a document is the minimum. Increasingly, carriers want evidence that you’ve tested the plan through tabletop exercises - where your team walks through a simulated incident scenario.

Additional Controls Carriers May Require

Beyond the core six, many carriers ask about these additional controls. Having them strengthens your application and may reduce premiums.

Email Security

  • Advanced anti-phishing protection
  • Link and attachment scanning
  • DMARC, DKIM, and SPF records configured
  • Impersonation protection

Privileged Access Management

  • Admin credentials separate from daily-use accounts
  • Privileged access is logged and monitored
  • Minimal number of admin accounts
  • Time-limited admin sessions where possible

Network Segmentation

  • Critical systems isolated from general user networks
  • Guest WiFi separated from business networks
  • Server environments segmented from user workstations

Encryption

  • Full disk encryption on all laptops and mobile devices
  • Encryption in transit (HTTPS, VPN, encrypted email for sensitive data)
  • Encryption at rest for sensitive databases

What Happens When You Don’t Qualify

If your security doesn’t meet carrier requirements, here’s what you face:

Outright Denial

No MFA? No EDR? No backups? Many carriers won’t even provide a quote. Your application stops at the pre-qualification stage.

Premium Increases of 50-300%

Partial compliance might get you coverage, but at dramatically higher cost. A policy that would cost $5,000 with proper controls in place might cost $15,000-$20,000 without them.

Coverage Exclusions

Some carriers issue policies but exclude the scenarios you’re most worried about. No MFA on email? Business email compromise claims might be excluded. No EDR? Ransomware might not be covered. You’re paying for insurance that won’t cover your biggest risks.

Lower Coverage Limits

Instead of $1 million in coverage, you might only qualify for $250,000. That doesn’t go far when the average breach costs several times that amount.

Higher Deductibles

Your out-of-pocket cost before insurance kicks in could jump from $10,000 to $50,000 or more.

How to Prepare for Your Application

If You’re Renewing

Start at least 90 days before your renewal date. Requirements change every year, and you may need time to implement new controls.

Renewal checklist

  • Review current security controls against the latest carrier requirements
  • Gather documentation: MFA configuration screenshots, EDR deployment reports, backup test results, training completion records
  • Identify gaps and create a plan to close them before the application
  • Update and test your incident response plan
  • Ensure patching documentation is current
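The gap review and evidence-gathering steps in the checklist above can be made repeatable with a small script that applies the carrier's pass/fail rules to an inventory export. The following is an added example, not centrexIT's tooling: the inventory fields, the user and host names, and the 30-day critical-patch deadline are assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real users or hosts); in practice these
# records would be exported from the identity provider, EDR console and patch tool.
ACCOUNTS = [
    {"user": "alice", "system": "email", "mfa": "enforced", "exempt": False},
    {"user": "bob", "system": "email", "mfa": "optional", "exempt": False},
    {"user": "legacy-admin", "system": "vpn", "mfa": "enforced", "exempt": True},
    {"user": "carol", "system": "vpn", "mfa": "enforced", "exempt": False},
]
ENDPOINTS = [
    {"host": "ws-01", "edr": True, "crit_released": date(2024, 5, 1), "patched": date(2024, 5, 10)},
    {"host": "ws-02", "edr": False, "crit_released": date(2024, 5, 1), "patched": date(2024, 5, 12)},
    {"host": "srv-01", "edr": True, "crit_released": date(2024, 4, 1), "patched": None},
]
PATCH_SLA_DAYS = 30  # assumed: the lenient end of the 14-30 day range carriers quote

def mfa_gaps(accounts):
    """Accounts a carrier counts against you: MFA merely optional, or an
    exemption in place (the 'legacy admin account exempted' denial scenario)."""
    return sorted(a["user"] for a in accounts if a["mfa"] != "enforced" or a["exempt"])

def edr_coverage(endpoints):
    """Share of endpoints with EDR deployed; carriers expect exactly 1.0, not 0.95."""
    return sum(1 for e in endpoints if e["edr"]) / len(endpoints)

def patch_overdue(endpoints, as_of, sla_days=PATCH_SLA_DAYS):
    """Hosts whose critical patch missed the SLA: never applied and the deadline
    has passed, or applied after the deadline. as_of is an ISO date string."""
    as_of = date.fromisoformat(as_of)
    overdue = []
    for e in endpoints:
        deadline = e["crit_released"] + timedelta(days=sla_days)
        applied = e["patched"]
        if (applied is None and as_of > deadline) or (applied and applied > deadline):
            overdue.append(e["host"])
    return overdue

def readiness_report(accounts=ACCOUNTS, endpoints=ENDPOINTS, as_of="2024-06-01"):
    """Summarise the gaps in the order the article lists them (MFA, EDR, patching);
    'ready' is True only when every check passes outright."""
    report = {
        "mfa_gaps": mfa_gaps(accounts),
        "edr_coverage": edr_coverage(endpoints),
        "patch_overdue": patch_overdue(endpoints, as_of),
    }
    report["ready"] = (not report["mfa_gaps"] and report["edr_coverage"] == 1.0
                       and not report["patch_overdue"])
    return report
```

Run against the constructed data, the report flags bob (optional MFA), legacy-admin (exempted), ws-02 (no EDR) and srv-01 (critical patch unapplied past 30 days), so the readiness flag is False.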

If You’re Applying for the First Time

Get a security assessment first. You need to know where you stand before you apply, because being denied is worse than waiting a few weeks to get your controls in place.

Implementation timeline

Control                        Typical Time to Implement
MFA on all systems             1-2 weeks
EDR deployment                 2-3 weeks
Backup improvements            2-4 weeks
Security awareness training    1-2 weeks to launch
Patch management process       1-2 weeks
Incident response plan         1-2 weeks

A managed IT provider can typically implement all required controls in 4-8 weeks.

Working with Your IT Provider

Your IT provider should be able to:

  • Tell you exactly where you stand on every carrier requirement
  • Provide the documentation and evidence carriers ask for
  • Implement missing controls on a defined timeline
  • Maintain ongoing compliance so you’re always ready for renewal

If your IT provider can’t do this, that’s a problem worth addressing.

Insurance Is Not a Substitute for Security

This is worth saying directly: some businesses treat cyber insurance as an alternative to security. That approach fails for several reasons.

  • Insurance covers financial losses after a breach - it doesn’t prevent the breach
  • Insurance doesn’t cover reputation damage, lost clients, or the stress of dealing with an incident
  • Claims history affects future premiums and eligibility
  • Carriers can deny claims if you misrepresented your security posture on the application

The best position is strong security that prevents incidents (and keeps your premiums low), with insurance as a backstop for the scenarios your security can’t prevent.

The Bottom Line

Cyber insurance carriers now require real security controls with real evidence. The core requirements - MFA everywhere, EDR on all endpoints, encrypted offline backups, incident response plan, security training, and patch management - are non-negotiable.

The good news: everything carriers require is something your business should have anyway. Getting insurance-ready is really just getting security-ready. And the controls that qualify you for coverage are the same controls that significantly reduce your chances of ever needing to file a claim.


Need help getting insurance-ready? We help businesses implement the controls carriers require and provide the documentation for applications. Contact us to get started.
