| MFA deployment requirement | Email, VPN/RDP, cloud apps, and privileged admin accounts — minimum (Common across major cyber insurance carrier applications, 2023–2024) |
| EDR standard | Required on all endpoints; legacy antivirus-only is insufficient (Coalition, Beazley, and Chubb underwriting guidelines) |
| Critical patch window | 30 days from release (72 hours for emergency/actively exploited vulnerabilities) (Typical cyber underwriting benchmark) |
| Backup testing requirement | Restoration tested at least quarterly; untested backups raise underwriting flags (Underwriting questionnaire standards, multiple carriers) |
| IR plan review cadence | Reviewed or tested (tabletop exercise) within the past 12 months (Standard cyber application requirement) |
| PAM requirement threshold | Increasingly required for limits above $1 million in coverage (Mid-market cyber underwriting, 2023) |
| Air-gapped backup standard | At least one offline or logically isolated backup copy required (3-2-1-1-0 backup rule; widely cited in cyber underwriting) |
| Email authentication protocols | DMARC, DKIM, and SPF all expected to be configured (Standard cyber insurance application checklist item) |
Why Controls Went from 'Nice to Have' to 'Required'
Five years ago, a small business owner could obtain a decent cyber liability policy by checking a few boxes about antivirus software and having a vague backup routine. That era is gone. Between 2020 and 2023, insurers absorbed catastrophic losses from ransomware campaigns — including the Colonial Pipeline attack and dozens of healthcare network breaches — that exposed how undefended most commercial policyholders actually were. Underwriters responded the only way underwriters know how: they made the baseline harder.
Today, failing to have specific technical controls in place can mean one of three outcomes: a flat-out declination, a policy loaded with exclusions that gut the coverage you think you're buying, or a premium surcharge that makes the policy economically painful. None of those are hypotheticals. I see all three regularly in commercial accounts.
What's shifted most is the underwriting questionnaire itself. Where applications once asked 'Do you have a firewall?' they now ask about MFA deployment across specific user classes, endpoint detection and response (EDR) vendor names, backup testing frequency, and privileged access management strategies. The questions are technical because the risk is technical.
For small business owners without dedicated IT staff, this creates a real challenge. You need to understand what insurers are looking for before you sit down to get a quote — not after. See also how underwriters assess cyber risk when pricing a policy, which walks through the full evaluation framework.
| MFA deployment requirement | Email, VPN/RDP, cloud apps, and privileged admin accounts — minimum (Common across major cyber insurance carrier applications, 2023–2024) |
| EDR standard | Required on all endpoints; legacy antivirus-only is insufficient (Coalition, Beazley, and Chubb underwriting guidelines) |
| Critical patch window | 30 days from release (72 hours for emergency/actively exploited vulnerabilities) (Typical cyber underwriting benchmark) |
| Backup testing requirement | Restoration tested at least quarterly; untested backups raise underwriting flags (Underwriting questionnaire standards, multiple carriers) |
| IR plan review cadence | Reviewed or tested (tabletop exercise) within the past 12 months (Standard cyber application requirement) |
| PAM requirement threshold | Increasingly required for limits above $1 million in coverage (Mid-market cyber underwriting, 2023) |
| Air-gapped backup standard | At least one offline or logically isolated backup copy required (3-2-1-1-0 backup rule; widely cited in cyber underwriting) |
| Email authentication protocols | DMARC, DKIM, and SPF all expected to be configured (Standard cyber insurance application checklist item) |
The Non-Negotiable Controls Insurers Check First
Not all controls carry equal weight. Underwriters triage applications quickly, and there's a short list of controls that function as hard gates — if they're absent, the conversation often ends before it starts. Here are the ones that matter most:
Multi-Factor Authentication (MFA)
This is the single most scrutinized control in the market right now. Insurers want MFA deployed on email, remote access (VPN, RDP), and privileged administrative accounts at minimum. Many carriers now extend that requirement to cloud applications and financial systems. Critically, SMS-based MFA has started to fall out of favor with stricter underwriters — authenticator apps or hardware tokens are preferred because SIM-swapping attacks have made SMS MFA relatively easy to bypass.
If you run a business with any remote workers or cloud-hosted systems and you don't have MFA fully deployed, this should be your first investment before applying for coverage.
Endpoint Detection and Response (EDR)
Traditional antivirus software is no longer sufficient. EDR tools — platforms like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint — provide behavioral analysis and real-time threat response rather than just signature matching. Carriers want to see EDR installed on all endpoints, including employee laptops and servers, not just desktops. Applications that list 'antivirus only' now raise red flags in underwriting triage.
Privileged Access Management (PAM)
Ransomware attackers specifically hunt for domain admin credentials because they unlock everything. PAM controls limit who has administrative access, enforce least-privilege principles, and audit privileged account activity. Many mid-market carriers now treat PAM as a prerequisite for limits above $1 million.
Email Filtering and Anti-Phishing Controls
Phishing is still the most common ransomware delivery method. Underwriters want to see advanced email filtering (not just the basic spam filters built into free email tiers), DMARC/DKIM/SPF email authentication records properly configured, and ideally some form of phishing simulation and employee training program running continuously — not just at onboarding.
Multi-Factor Authentication (MFA)
A login security method that requires users to verify their identity through two or more independent factors — typically a password plus a one-time code from an app or hardware token. Insurers treat MFA as a baseline control because it blocks the majority of credential-based account takeover attacks.
Endpoint Detection and Response (EDR)
Security software installed on individual devices (endpoints) that continuously monitors for suspicious behavior, detects threats in real time, and can automatically isolate a compromised machine. EDR goes well beyond traditional antivirus by analyzing behavioral patterns rather than just known malware signatures.
Privileged Access Management (PAM)
A security discipline that controls, monitors, and audits accounts with elevated system permissions — such as domain administrators or database administrators. PAM limits the blast radius of a breach by ensuring that only authorized users can access sensitive systems and that all privileged activity is logged.
Air-Gapped Backup
A backup copy that is physically or logically disconnected from any network, making it inaccessible to malware or ransomware that compromises connected systems. Air-gapped backups are critical for ransomware recovery because they cannot be encrypted by an attacker who has breached the primary environment.
DMARC / DKIM / SPF
Three complementary email authentication protocols that verify a sending domain is legitimate and prevent attackers from spoofing your business's email address in phishing campaigns. Properly configured DMARC, DKIM, and SPF records are increasingly checked during cyber insurance underwriting as a proxy for basic email security hygiene.
Incident Response (IR) Plan
A documented procedure outlining how an organization detects, contains, investigates, and recovers from a cybersecurity incident. Cyber insurers want to see a current IR plan because it directly affects how quickly and effectively a business limits damage — and therefore the size of the insurer's loss.
Network Segmentation
The practice of dividing a computer network into isolated subnetworks so that a breach in one segment cannot automatically spread to others. Segmentation is especially important for separating sensitive systems like payment processing or patient data from general business traffic.
Patch Management
The process of regularly identifying, testing, and applying software updates that fix known security vulnerabilities. Inadequate patch management is one of the most cited risk factors in cyber underwriting because unpatched vulnerabilities give attackers well-documented paths into systems.
Backup and Recovery: What Insurers Actually Want to See
Backup is probably the control where small businesses most often think they're covered but actually aren't. Having backups isn't enough — insurers have gotten specific about how backups are configured because they've paid out too many ransomware claims where attackers encrypted the backups too.
94%
Of malware delivered via email
According to Verizon's 2023 Data Breach Investigations Report, email remains the dominant initial attack vector for malware delivery.
76%
Of ransomware victims had endpoint protection
Sophos State of Ransomware 2023 found that most ransomware victims had some endpoint protection in place — underscoring why EDR behavioral detection is now prioritized over legacy AV.
3x
Premium increase risk without MFA
Industry brokers report that businesses without fully deployed MFA commonly face premium surcharges of 2x to 3x compared to equivalently sized peers with MFA in place.
21 days
Average ransomware downtime
Coveware Q4 2023 Ransomware Marketplace Report found the average business interruption period from ransomware was 21 days — making tested backup recovery a direct financial exposure.
The current industry standard that underwriters look for is the 3-2-1-1-0 backup rule: three copies of data, on two different media types, with one copy offsite, one copy offline or air-gapped, and zero unverified backups. That last element — zero unverified — is the one most businesses miss. Insurers want evidence that backups are tested for restoration, not just copied and forgotten.
Specific questions you should expect on applications:
- How frequently are backups performed? (Daily is the expected minimum for critical systems.)
- Are backups stored in a location that is logically and physically separated from production environments?
- Are backups encrypted at rest?
- When was the last time you tested restoration from backup, and how long did it take?
- Do your backups include Active Directory and configuration data, or only file data?
If you're using a cloud backup service that automatically syncs your primary storage, be careful — many of those solutions are not air-gapped and an attacker who compromises your primary environment can often reach the sync destination too. Your broker should be able to help you document your backup architecture clearly before submission.
Gaps in backup architecture are also among the most common reasons cyber claims get complicated. See policy gaps that leave businesses exposed for a broader look at what else can go wrong when coverage meets a real incident.
Patch Management, Network Segmentation, and Incident Response Plans
Beyond the top-tier controls, insurers look at a second layer of security hygiene that increasingly differentiates standard-rate applicants from those who pay a surcharge — or get declined entirely.
Patch Management
Unpatched vulnerabilities are consistently among the top three initial attack vectors in reported cyber incidents. Carriers want to see a documented patch management process that addresses critical patches within 30 days and high-severity patches within 72 hours of release. If you're running end-of-life operating systems (Windows Server 2012, for example) that no longer receive security updates, expect that to be a specific underwriting obstacle — some carriers will exclude claims arising from known, unpatched vulnerabilities.
Network Segmentation
A flat network — where every device can talk to every other device — means a compromised workstation can reach your payment systems, HR data, and cloud management credentials without any internal barriers. Segmentation creates those barriers. Underwriters for mid-market accounts increasingly ask whether operational technology (OT) networks, point-of-sale systems, and guest Wi-Fi are isolated from core business systems. This doesn't require a full enterprise architecture, but it does require intent and documentation.
Incident Response Plan
An incident response (IR) plan is the document that tells your team — and your insurer — what you do when something goes wrong. Carriers want to see that it exists, that it names specific roles and escalation contacts (including your cyber insurer's incident hotline number), and that it's been reviewed or tested within the past 12 months. A tabletop exercise counts. An outdated plan with staff members who left two years ago does not.
Building a proper IR plan is a foundational element of a broader cyber risk strategy. The cyber risk management strategy guide covers how to integrate your plan with your insurance coverage in a way that actually works when you need it.
Controls Must Be Fully Deployed — Not Planned
A surprisingly common mistake on cyber insurance applications is reporting a control as 'in progress' or 'planned for Q3.' Underwriters evaluate your posture as it exists on the application date, and partial deployment is often treated similarly to no deployment for pricing purposes. If MFA is only active on some accounts, say so — and be prepared for the follow-up question about which accounts are excluded and why. Misrepresenting implementation status can create a coverage dispute when you need the policy most.
Preparing Your Application and Closing Control Gaps
Understanding what insurers require is useful. Actually getting coverage at a reasonable premium means closing the gaps before you apply. Here's the practical sequence:
- Audit your current state against the control checklist. Walk through MFA deployment, EDR coverage, backup architecture, patch cadence, and whether an IR plan exists. Be honest about what's partial versus fully implemented — underwriters ask follow-up questions and misrepresentations can void coverage.
- Prioritize remediation by underwriting impact. MFA and EDR will move the needle most on insurability and premium. Fix those first if you're starting from scratch.
- Document everything. Insurers can't evaluate what they can't see. Policies, architecture diagrams, vendor contracts, and test results all support your application. A well-documented security posture communicates risk management maturity even if your stack isn't perfect.
- Engage a broker who specializes in cyber. A generalist commercial lines broker may not know which carriers have the most favorable terms for your industry or control profile. Cyber is a specialty product and the market moves fast.
- Review the policy before binding — not after. Sublimits on ransomware, waiting periods on business interruption, and exclusions for unpatched systems can dramatically narrow what you're actually covered for. Use the cyber policy evaluation checklist to scrutinize terms before signing.
If you want to go into the application process with full preparation, the cyber insurance application preparation guide walks through the documentation and system readiness steps in detail.
CISA Cybersecurity Performance Goals
The U.S. Cybersecurity and Infrastructure Security Agency's baseline performance goals map directly to the controls insurers now require. A free, authoritative reference for benchmarking your security posture.
CIS Controls v8
The Center for Internet Security's Controls framework is one of the most widely referenced security standards in cyber insurance underwriting. Implementation Group 1 covers the essential controls relevant to small and mid-sized businesses.
MFA Deployment Planner (Microsoft)
Microsoft's free deployment planning tool helps organizations map out MFA rollout across Azure Active Directory environments — useful for documenting MFA coverage for underwriters.
Ransomware Readiness Assessment (CISA)
A no-cost self-assessment tool from CISA that evaluates your organization's readiness to prevent and recover from ransomware — covering backup, access controls, and response planning in a single structured report.
Cyber Insurance Readiness Checklist
A practical pre-application checklist template covering MFA, EDR, backup testing, patch management, and IR plan documentation — designed to help businesses organize evidence before submission.
All claims in this article are backed by peer-reviewed research. We follow strict editorial guidelines to ensure accuracy and reliability. Sources available on request from our editorial team.


