Compliance · 6 min read

Your Cyber Insurance Policy Won't Pay Out. (Unless You Have These Things.)

By Inevat Team · September 10, 2025

A few years ago, cyber insurance was almost rubber-stamped. You filled out a short questionnaire, checked a few boxes, paid a modest premium, and you were covered. Those days are firmly over.

After a wave of massive ransomware payouts — Colonial Pipeline, JBS, Kaseya — carriers got religion fast. Premiums went up 50–100% in some cases. Application questionnaires went from two pages to twenty. And claim denial rates have climbed sharply.

We've seen it firsthand. A client gets hit, calls their broker, files a claim — and then spends three months fighting over whether they actually had the controls they said they had when they applied. Sometimes they did. Sometimes they honestly thought they did but didn't. Either way, it's a miserable situation that could have been avoided.

What Cyber Insurance Underwriters Actually Care About

Every carrier is different, but the following controls now appear on virtually every serious cyber insurance application. Not having them doesn't necessarily mean you can't get coverage — but it will increase your premium, reduce your limits, or add exclusions.

1. Multi-Factor Authentication (MFA)

This is non-negotiable in 2025. Underwriters want MFA on email (especially Microsoft 365 and Google Workspace), remote access (VPN, RDP), and privileged accounts. "We have it on most accounts" is not the answer they want. They want comprehensive MFA across the board.

2. Endpoint Detection & Response (EDR)

Traditional antivirus is no longer sufficient for most carriers. They want behavioral EDR — tools like Datto EDR, CrowdStrike, or SentinelOne — deployed on all endpoints. Some carriers won't write a policy at all without EDR in place. Others will write it with a ransomware sub-limit (meaning your ransomware coverage is capped at a much lower amount) if you only have AV.

3. Offsite and Immutable Backups

"We have backups" doesn't cut it anymore. Underwriters want to know:

  • Are backups stored offsite (not just on a local drive that can be encrypted)?
  • Are they immutable (can't be modified or deleted by ransomware)?
  • Have you tested restoration recently?
  • Is your Microsoft 365 data backed up separately from Microsoft?

4. Privileged Access Management

Admin accounts should use dedicated credentials — not the same username and password your IT person uses to check email. Privileged accounts should have MFA. Local admin rights should be restricted to people who actually need them.

5. Security Awareness Training

Most carriers want documented proof that employees receive regular security awareness training. Not a PDF they clicked through once. Actual training with completion records — ideally with phishing simulation results too.

6. Patch Management

Known vulnerabilities need to be patched promptly. Carriers increasingly look at your patch cadence — how quickly critical patches are applied after release. Running software that's years out of support is a significant red flag.

The Questionnaire Trap

Here's where businesses get into trouble. The cyber insurance application asks: "Do you have MFA deployed on all remote access systems?" You think about it, remember that your IT person set up MFA on your VPN a while back, and check "Yes."

What you didn't know: three employees are still using an old RDP connection that bypasses the VPN. No MFA. That's the exact vector the attacker used.

When the carrier investigates the claim, they find the RDP connection. Your "Yes" answer was technically inaccurate. They argue material misrepresentation. Your claim is in jeopardy.

This isn't hypothetical. This is happening to real businesses right now. The solution is to actually know what your security posture is — not just guess — before you fill out the application.

What a Good Cyber Insurance Program Looks Like

| Control  | Minimum Acceptable               | Best Practice                              |
|----------|----------------------------------|--------------------------------------------|
| MFA      | Email + remote access            | All systems, all users                     |
| EDR      | All endpoints                    | EDR + managed SOC                          |
| Backup   | Offsite, tested quarterly        | Immutable + SaaS backup + tested monthly   |
| Training | Annual                           | Quarterly + phishing simulations           |
| Patching | Critical patches within 30 days  | Automated patching within 14 days          |

One More Thing: Read What You're Buying

Cyber insurance policies are full of exclusions. Common ones include:

  • War exclusions — some policies exclude state-sponsored attacks (this has been litigated extensively)
  • Unencrypted data exclusions — breached data that wasn't encrypted may not be covered
  • Social engineering sub-limits — wire fraud and BEC attacks often have much lower coverage limits than ransomware
  • Infrastructure exclusions — attacks on cloud providers or third-party systems may not be covered under your policy

We're not insurance brokers, so we won't tell you which policy to buy. But we will tell you this: the best way to make sure your cyber insurance pays out is to actually have the security controls in place that you said you had when you signed up. That way the investigation after an incident finds exactly what it's supposed to find.

If you want a clear picture of where you stand against the typical underwriting checklist, we do security assessments and can walk you through exactly what you have, what you don't, and what it would take to fill the gaps.
