Cyber Insurance Requirements Are Changing
Cyber insurance used to feel like a paperwork exercise. A business filled out an application, answered a few security questions, chose a coverage limit, and waited for a quote. That world is fading fast.
Today, cyber insurance requirements are more technical, more evidence-driven, and much less forgiving. Insurers no longer want vague promises like “we use antivirus” or “our IT company handles security.” They want to know whether your business has multi-factor authentication, endpoint detection, tested backups, patch management, incident response procedures, and controls that can actually reduce the chance of a costly cyber claim.
That shift is not happening by accident. Ransomware, business email compromise, data theft, privacy lawsuits, cloud misconfigurations, and vendor-related incidents have changed the economics of cyber liability insurance. The National Association of Insurance Commissioners reported that cyber claims across 2024 included ransomware, business interruption, and class action-related losses, showing how broad cyber risk has become for insurers and policyholders. (NAIC Content)
For business owners and risk managers, the message is clear: cyber insurance is no longer just a financial product. It is now closely tied to your cybersecurity maturity.
The good news? You do not need to build a Fortune 500 security program overnight. But you do need to understand what underwriters are asking, why they ask it, and how to prepare before renewal season catches you off guard.
Why Cyber Insurance Requirements Are Getting Stricter
Cyber insurance carriers are tightening requirements because the old underwriting model was too loose for modern cyber risk.
A traditional property policy can estimate fire risk based on building materials, location, sprinkler systems, and occupancy. Cyber risk is different. A company’s exposure can change overnight because of a leaked password, unpatched VPN appliance, compromised vendor, misconfigured cloud storage bucket, or new ransomware campaign.
That makes cyber insurance a moving target.
Insurers are responding by asking more detailed questions about security controls. They want to know whether a business can prevent common attacks, detect suspicious activity, contain incidents quickly, and recover without paying a ransom.
CISA’s ransomware guidance, for example, emphasizes offline encrypted backups, regular backup testing, and the importance of keeping backups unavailable to ransomware attackers who try to delete or encrypt recovery copies. (CISA)
That kind of guidance lines up closely with what cyber insurers now care about: resilience, not just prevention.
The underwriting shift: from checkbox answers to proof
A few years ago, a business might have answered “yes” to MFA because a few employees used it for email. Now, insurers may ask whether MFA protects remote access, administrator accounts, cloud applications, webmail, VPNs, and privileged systems.
That difference matters.
A weak answer may lead to:
- Higher premiums
- Lower coverage limits
- Ransomware sublimits
- More exclusions
- Longer underwriting review
- Required security improvements before binding
- Renewal denial
- Claim disputes after an incident
The practical takeaway is simple: underwriters are no longer only asking, “Do you have cyber insurance controls?” They are asking, “Are those controls complete, documented, and working?”
What Cyber Insurance Usually Covers
Cyber insurance, often called cyber liability insurance, helps businesses handle financial losses tied to cyber incidents. Exact coverage depends on the policy, carrier, exclusions, limits, sublimits, and endorsements.
The FTC describes cyber insurance as one option that can help protect a business from losses resulting from a cyberattack, and it recommends discussing first-party coverage, third-party coverage, or both with an insurance professional. (Federal Trade Commission)
Most cyber insurance policies are built around two broad coverage categories.
First-party cyber coverage
First-party coverage protects your own business after a cyber incident. It may help pay for costs such as:
- Digital forensics
- Incident response
- Data restoration
- Business interruption losses
- Ransomware negotiation support
- Legal consultation
- Customer notification
- Credit monitoring
- Public relations support
- Crisis management
- System recovery
This is especially important for businesses that rely heavily on software, online payments, cloud systems, customer databases, email, digital operations, or remote work.
Third-party cyber liability coverage
Third-party coverage applies when another party claims your business caused harm. This may involve:
- Customer lawsuits
- Vendor claims
- Contractual liability disputes
- Privacy-related claims
- Regulatory defense costs
- Network security liability
- Media liability
- Data breach claims
For example, if a customer claims your company failed to protect personal data, third-party cyber liability coverage may help with legal defense and settlement costs, depending on the policy.
Ransomware insurance coverage
Ransomware insurance is usually not a separate product. It is commonly part of a cyber insurance policy, although some policies may include ransomware-specific sublimits, coinsurance, exclusions, or special notification requirements.
NAIC notes that many cyber policies may cover ransom payments, extortion-related expenses, and repair costs, but insurers typically require notification before payment, and failure to follow policy conditions may result in denial of coverage. (NAIC Content)
That point is critical. A ransomware incident is not the time to improvise. If your policy says you must notify the insurer before making an extortion payment, you need to follow that process.
The New Baseline for Cyber Insurance Eligibility
The exact cyber insurance requirements vary by carrier, business size, industry, revenue, data sensitivity, claims history, and coverage limits. A small local service business will not face the same underwriting review as a healthcare provider, law firm, fintech company, manufacturer, school district, or SaaS vendor.
Still, a common baseline has emerged.
Most businesses seeking cyber liability insurance should expect questions about:
- Multi-factor authentication
- Endpoint detection and response
- Email security
- Offline or immutable backups
- Backup restoration testing
- Patch management
- Vulnerability scanning
- Security awareness training
- Incident response planning
- Privileged access management
- Remote access security
- Cloud security
- Data encryption
- Network segmentation
- Vendor risk management
- Business continuity planning
Huntress’ 2026 cyber insurance guide lists a minimum viable stack that includes universal MFA for privileged accounts and remote access, EDR with monitoring and response, email security, tested offline backups, patch-management SLAs, and measurable security awareness training. (Huntress)
That is a useful way to think about the modern market. Insurers want to see a working security foundation, not just a policy purchase.
Multi-Factor Authentication Is Now a Core Requirement
If there is one cyber insurance requirement almost every business should take seriously, it is multi-factor authentication.
MFA reduces the risk that a stolen password alone can compromise an account. Since phishing, credential stuffing, password reuse, and business email compromise are still common entry points, insurers pay close attention to how MFA is deployed.
Where insurers expect MFA
Businesses should expect MFA questions around:
- Email accounts
- Microsoft 365 or Google Workspace
- VPN access
- Remote desktop access
- Cloud applications
- Administrator accounts
- Financial systems
- HR platforms
- Customer databases
- Privileged IT tools
- Backup consoles
- Domain administrator accounts
A weak MFA deployment may not satisfy underwriters. For example, MFA only for executives may not be enough. MFA only for email may not be enough. MFA only when users are outside the office may not be enough.
The trend is toward broader, more consistent enforcement.
Strong MFA vs weak MFA
Not all MFA methods carry the same risk.
Stronger options include:
- Authenticator apps
- Hardware security keys
- FIDO2/WebAuthn
- Number matching
- Phishing-resistant MFA
- Conditional access policies
Weaker options may include SMS-based codes, especially for privileged accounts. SMS can still be better than no MFA, but it is more vulnerable to SIM swapping, interception, and social engineering.
For cyber insurance purposes, the most important question is not only whether MFA exists. It is whether it protects the accounts and systems attackers actually target.
Practical example
A 40-person accounting firm uses Microsoft 365. MFA is enabled for partners, but not for support staff. One staff member reuses a password on a breached website. An attacker logs into their mailbox, studies invoice patterns, and sends fraudulent payment instructions to clients.
From an insurer’s perspective, that is not just an email problem. It is a control failure.
A better setup would enforce MFA across all users, require stronger authentication for admin accounts, monitor suspicious login behavior, and restrict access based on risk.
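As an added example (not from the original article), the following script audits a constructed identity-provider user export for exactly the gaps in the accounting-firm scenario: coverage percentage, users with no MFA, admins relying on SMS, and enabled accounts nobody has used. The column names, the method names, and the 30-day inactivity threshold are assumptions; adjust them to whatever your identity platform exports.

```python
import csv
import io
from datetime import date

# Methods underwriters generally treat as phishing-resistant; SMS is weaker
# and "none" means the account is protected by a password alone.
PHISHING_RESISTANT = {"fido2", "hardware_key"}
INACTIVE_DAYS = 30  # assumed threshold for flagging enabled-but-unused accounts

# Constructed sample identity-provider export (column names are assumptions).
SAMPLE_EXPORT = """\
user,role,enabled,mfa_method,last_login
partner1@example.test,user,true,authenticator_app,2025-06-10
staff1@example.test,user,true,none,2025-06-11
staff2@example.test,user,true,sms,2025-06-09
itadmin@example.test,admin,true,sms,2025-06-11
breakglass@example.test,admin,true,fido2,2025-01-02
leaver@example.test,user,true,none,2025-03-01
contractor@example.test,user,false,none,2024-12-15
"""


def load_accounts(export_text: str) -> list:
    """Parse the CSV export into dicts with typed enabled/date fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["enabled"] = row["enabled"].strip().lower() == "true"
        row["mfa_method"] = row["mfa_method"].strip().lower()
        row["last_login"] = date.fromisoformat(row["last_login"].strip())
        accounts.append(row)
    return accounts


def audit_mfa(accounts: list, today: date) -> dict:
    """Compute MFA coverage and the gaps an application must not paper over."""
    enabled = [a for a in accounts if a["enabled"]]  # disabled accounts are out of scope
    with_mfa = [a for a in enabled if a["mfa_method"] != "none"]
    coverage = round(100 * len(with_mfa) / len(enabled), 1) if enabled else 100.0
    no_mfa = sorted(a["user"] for a in enabled if a["mfa_method"] == "none")
    sms_only = sorted(a["user"] for a in enabled if a["mfa_method"] == "sms")
    # Admin accounts are held to the stronger bar: phishing-resistant MFA only.
    weak_admins = sorted(a["user"] for a in enabled
                         if a["role"] == "admin" and a["mfa_method"] not in PHISHING_RESISTANT)
    # Enabled accounts with no recent login are the offboarding gap; break-glass
    # admin accounts will show up here too and need a documented exception.
    stale = sorted(a["user"] for a in enabled
                   if (today - a["last_login"]).days > INACTIVE_DAYS)
    return {
        "coverage_pct": coverage,
        "no_mfa": no_mfa,
        "sms_only": sms_only,
        "admins_without_phishing_resistant_mfa": weak_admins,
        "stale_enabled": stale,
        # The two questionnaire answers this evidence supports.
        "all_users_have_mfa": not no_mfa,
        "all_admins_phishing_resistant": not weak_admins,
    }


if __name__ == "__main__":
    report = audit_mfa(load_accounts(SAMPLE_EXPORT), date(2025, 6, 12))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real export on a schedule and keep the dated output in the evidence folder; the two boolean fields are the answers you can defend on the application.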
Endpoint Detection and Response Is Replacing Basic Antivirus
Traditional antivirus is no longer enough for many cyber insurance applications.
Endpoint detection and response, usually called EDR, gives businesses better visibility into laptops, desktops, and servers. It can detect suspicious behavior, isolate infected devices, and help investigators understand what happened.
Many insurers now ask whether the business uses EDR, MDR, or 24/7 monitored endpoint protection. MDR stands for managed detection and response. It combines technology with human monitoring, often through a security operations center.
Field Effect describes the current cyber-insurance environment as one that requires demonstrable cybersecurity controls before approval or renewal, rather than the looser assumptions of traditional coverage. (fieldeffect.com)
That “demonstrable” part is important. Installing a tool is not the same as operating it well.
What underwriters may ask about endpoint security
Expect questions such as:
- Do all workstations have endpoint protection?
- Are all servers covered?
- Is EDR deployed across remote devices?
- Is alert monitoring 24/7 or business-hours only?
- Who investigates alerts?
- Are devices automatically isolated after high-severity detections?
- Are endpoint agents tamper-resistant?
- Are logs retained?
- Are unmanaged devices blocked?
Why this matters for ransomware insurance
Ransomware attackers often move through endpoints before encrypting systems. They may dump credentials, disable security tools, move laterally, and identify backup systems. EDR can help detect those behaviors earlier.
That does not guarantee ransomware prevention. But it can reduce dwell time and improve incident response.
For insurers, that lowers risk.
Backup and Recovery Requirements Are Getting Tougher
Backups are no longer just an IT best practice. They are now a major cyber insurance requirement.
A business may say, “We back up everything.” Underwriters may ask a sharper question: “Can you restore critical systems quickly if ransomware encrypts your network?”
Those are not the same thing.
What insurers want to see
Modern cyber insurance applications may ask whether backups are:
- Encrypted
- Tested regularly
- Stored offline
- Stored immutably
- Segmented from the main network
- Protected by MFA
- Monitored for failure
- Documented in a recovery plan
- Able to restore business-critical data
- Protected from deletion by compromised admin accounts
CISA specifically recommends offline, encrypted backups and regular testing of backup availability and integrity because ransomware variants often try to find and delete or encrypt accessible backups. (CISA)
That is exactly why backup quality affects ransomware insurance underwriting.
Offline vs immutable backups
Offline backups are disconnected from the network. Immutable backups cannot be changed or deleted for a defined period. Both approaches can help protect recovery data from ransomware.
Many businesses use a layered strategy:
- Local backups for fast recovery
- Cloud backups for resilience
- Immutable storage for ransomware protection
- Offline copies for worst-case recovery
- Regular restore tests for confidence
The key is not just having backups. It is proving they work.
The restore test problem
Many companies discover too late that their backups are incomplete, corrupted, too slow, or missing critical systems. A backup that cannot be restored is not a recovery plan. It is a false sense of security.
For cyber insurance, documented restore testing can help show underwriters that your business is serious about resilience.
A practical restore test should answer:
- Which systems were restored?
- How long did recovery take?
- Was data complete?
- Who performed the test?
- What failed?
- What was improved afterward?
This creates useful evidence for both underwriting and real-world incident response.
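The completeness question above ("Was data complete?") is the one most restore tests skip. As an added example that is not part of the original article, this script hashes a source tree at backup time, then checks a restored copy for missing, extra and corrupted files; the sample trees are constructed in a temporary directory, and the restore step itself (and its duration) is whatever your backup tool performs.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare the restored tree to the backup-time manifest and record the result."""
    started = time.monotonic()
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,        # present at backup time, absent after restore
        "extra": extra,            # present after restore but never backed up
        "corrupted": corrupted,    # restored, but contents differ from backup time
        "complete": not missing and not corrupted,
        "verify_seconds": round(time.monotonic() - started, 3),
    }


def run_sample_restore_test() -> dict:
    """Build a constructed source tree and a flawed restore of it, then verify."""
    # Constructed file contents standing in for a small system's data.
    source_files = {
        "db/ledger.sqlite": b"ledger-v1-full-contents",
        "docs/policy.pdf": b"%PDF-constructed",
        "config/app.ini": b"[app]\nmode=prod\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for rel, data in source_files.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(source)  # captured at backup time
        # Simulate a restore that lost one file and truncated another: the
        # kind of silent failure a "backup job succeeded" message hides.
        for rel, data in source_files.items():
            if rel == "docs/policy.pdf":
                continue
            if rel == "db/ledger.sqlite":
                data = data[:6]
            target = restored / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(run_sample_restore_test())
```

Store the manifest with the backup metadata, not only on the protected system, or there is nothing trustworthy to compare against after an incident.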
Patch Management and Vulnerability Management Are Under the Microscope
Attackers love known vulnerabilities because they are cheap to exploit. Insurers know this.
That is why patch management is now a common cyber insurance topic. Underwriters want to know whether your business can identify and fix critical weaknesses before they become claims.
Patch management basics
A strong patch management process includes:
- Asset inventory
- Vulnerability monitoring
- Risk-based prioritization
- Critical patch timelines
- Testing procedures
- Emergency patching
- Third-party software updates
- Operating system updates
- Network device firmware updates
- Documentation
The phrase “patch management” sounds simple, but in practice it is one of the hardest controls for growing businesses. You cannot patch what you do not know exists.
Vulnerability scanning
Insurers increasingly care about external vulnerability exposure. If your public-facing systems have outdated software, exposed remote desktop services, weak SSL configurations, or known exploitable vulnerabilities, that may affect your quote.
Some cyber insurance providers and brokers use external scanning tools during underwriting. Others may ask for vulnerability scan reports, penetration test summaries, or remediation evidence.
Common mistake
A business patches laptops but ignores:
- Firewalls
- VPN appliances
- Remote access gateways
- WordPress plugins
- Email security gateways
- Cloud workloads
- File transfer systems
- Network-attached storage
- Legacy servers
- Development systems
That creates a dangerous gap. Attackers often target forgotten systems first.
Email Security and Phishing Defense Matter More Than Ever
Email remains one of the most common paths into a business. Phishing, invoice fraud, credential theft, malicious attachments, and business email compromise all create losses that cyber insurers understand well.
That is why cyber insurance requirements often include email security controls.
Expected email security controls
Underwriters may ask about:
- Secure email gateway
- Anti-phishing protection
- Malware scanning
- Attachment sandboxing
- URL rewriting or link protection
- DMARC, SPF, and DKIM
- User reporting button
- Security awareness training
- Phishing simulations
- Mailbox login monitoring
- Conditional access
- MFA for webmail
Email security is especially important for businesses that handle invoices, wire transfers, customer data, legal documents, healthcare data, payroll, tax records, or vendor payments.
DMARC, SPF, and DKIM
These email authentication standards help reduce spoofing and domain impersonation.
- SPF helps define which mail servers can send email for your domain.
- DKIM adds a cryptographic signature to verify message integrity.
- DMARC tells receiving mail servers what to do when authentication fails.
DMARC enforcement can be tricky, but it is increasingly relevant for brand protection, fraud prevention, and cyber risk management.
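As an added example (not from the original article), the following offline checker parses the three records and flags the configurations that look "configured" on a questionnaire but provide little protection: an SPF record ending in +all or exceeding the 10-lookup limit, a DMARC record stuck at p=none or pct below 100, and a DKIM selector whose key is revoked. The sample records are constructed for an imaginary domain; substitute the TXT records from your own zone.

```python
import re

# SPF mechanisms and modifiers that each cost one of the 10 DNS lookups
# permitted by RFC 7208; exceeding the limit makes the record a permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def check_spf(record: str) -> dict:
    """Summarise an SPF record and list weaknesses a verifier would notice."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["record does not start with v=spf1"]}
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        match = SPF_TERM.match(term)
        if not match:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, name, _ = match.groups()
        name = name.lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier or "+"  # no qualifier means pass
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' term; unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes any host on the internet to send as you")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "findings": findings}


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> dict:
    """Check that a DMARC record actually enforces a policy and collects reports."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return {"valid": False, "findings": ["missing or wrong v=DMARC1 tag"]}
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        return {"valid": False, "findings": [f"missing or invalid p= tag: {policy!r}"]}
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))  # receivers default pct to 100 when absent
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not being collected")
    subdomain_policy = tags.get("sp", policy)  # sp defaults to p
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unenforced")
    return {"valid": True, "policy": policy, "pct": pct,
            "subdomain_policy": subdomain_policy, "findings": findings}


def check_dkim(record: str) -> dict:
    """Check a DKIM selector record for a usable (non-revoked) public key."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        return {"valid": False, "findings": ["v= tag present but not DKIM1"]}
    if "p" not in tags:
        return {"valid": False, "findings": ["missing p= public key tag"]}
    findings = []
    if tags["p"] == "":
        findings.append("empty p= means the key is revoked; signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set; receivers may not enforce failures")
    return {"valid": True, "revoked": tags["p"] == "", "findings": findings}


# Constructed sample records for an imaginary domain.
SAMPLE_SPF = "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEYDATAFORTHEEXAMPLE"


def audit_domain(spf: str, dmarc: str, dkim: str) -> list:
    """Combine the three checks into one findings list for the evidence folder."""
    return (check_spf(spf)["findings"] + check_dmarc(dmarc)["findings"]
            + check_dkim(dkim)["findings"])


if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_DKIM):
        print("-", finding)
```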
Training is not enough by itself
Security awareness training is useful. But training alone does not stop modern phishing.
A better approach combines:
- MFA
- Email filtering
- Domain authentication
- Payment verification workflows
- User reporting
- Login monitoring
- Conditional access
- Executive impersonation protection
- Vendor payment controls
Insurers like layered defenses because layered defenses reduce single points of failure.
Incident Response Planning Is Becoming a Must-Have
An incident response plan tells your business what to do when something goes wrong. It should not be a dusty PDF that no one reads. It should be a practical playbook.
CISA’s ransomware response guidance walks organizations through response steps such as detection, containment, and eradication, which reflects how structured response procedures help during high-pressure incidents. (CISA)
Cyber insurers care about incident response because the first 24 to 72 hours can dramatically affect claim size.
What an incident response plan should include
A useful plan should define:
- Who leads the response
- Who contacts the insurer
- Who contacts legal counsel
- Who contacts IT or security vendors
- Who approves public communication
- How systems are isolated
- How evidence is preserved
- How backups are protected
- How customers are notified
- How regulators are handled
- How ransom demands are evaluated
- How business operations continue
Why insurer notification matters
Many cyber policies include strict notification requirements. If a business suffers ransomware and pays without notifying the carrier, it may create coverage problems. NAIC notes that insurers typically require notification before ransom payments, and failure to comply may result in denial of coverage. (NAIC Content)
That means your incident response plan should include insurance contact details and claim-reporting steps.
Tabletop exercises
A tabletop exercise is a practice run. Your leadership team walks through a simulated incident and tests decision-making.
A good tabletop exercise might ask:
- What if payroll systems are encrypted on Monday morning?
- What if a vendor says your data was stolen?
- What if the CFO’s mailbox is compromised?
- What if backups fail?
- What if the attacker threatens to leak customer data?
These exercises reveal gaps before a real crisis does.
Access Control and Privileged Account Security
Cyber insurers are paying closer attention to identity security because compromised accounts are involved in many incidents.
Access control is about making sure users have only the access they need, and no more.
Privileged accounts create bigger risk
Administrator accounts can install software, change security settings, create users, access sensitive files, disable protections, and modify backups. If attackers compromise privileged accounts, they can move faster and cause more damage.
That is why privileged access management is becoming a stronger underwriting topic.
Controls businesses should consider
Important identity and access controls include:
- Separate admin accounts
- MFA for all privileged access
- Least-privilege permissions
- Role-based access control
- Regular access reviews
- Disabling inactive accounts
- Conditional access policies
- Logging admin activity
- Password managers
- Strong password policies
- Just-in-time admin access
- Service account governance
The “former employee” problem
One overlooked risk is poor offboarding. If former employees, contractors, vendors, or temporary staff still have access, that creates unnecessary exposure.
A simple monthly access review can reduce this risk. For larger businesses, identity governance tools can automate access reviews and approvals.
Vendor Risk and Cloud Security Are Now Part of the Conversation
Many cyber incidents involve third parties. A business may have strong internal controls but still rely on software vendors, payment processors, cloud platforms, managed service providers, marketing tools, payroll systems, and file-sharing platforms.
Cyber insurers know that vendor risk can become claim risk.
Vendor risk questions
Underwriters may ask:
- Do vendors access your network?
- Do vendors handle sensitive data?
- Do you review vendor security practices?
- Do contracts include security obligations?
- Do vendors carry cyber insurance?
- Can vendor access be disabled quickly?
- Is remote vendor access protected by MFA?
- Are managed service provider accounts monitored?
Cloud security
Cloud platforms can be secure, but misconfiguration is common. Businesses using Microsoft 365, Google Workspace, AWS, Azure, Salesforce, Shopify, HubSpot, QuickBooks Online, or industry-specific SaaS platforms should understand their own responsibilities.
Insurers may ask about:
- MFA
- Admin roles
- Data sharing
- Logging
- Backup settings
- Conditional access
- Email security
- Cloud storage permissions
- Data retention
- Encryption
- Single sign-on
- Security monitoring
The cloud does not remove cyber risk. It changes where risk lives.
Ransomware Insurance Requirements Are More Detailed
Ransomware changed the cyber insurance market because losses can stack quickly. A single ransomware incident may involve business interruption, forensic investigation, restoration costs, ransom negotiation, legal review, data breach notification, regulatory issues, reputational harm, and customer claims.
That is why ransomware insurance requirements are often stricter than general cyber liability questions.
What insurers may expect for ransomware coverage
Ransomware-related underwriting may focus on:
- MFA for remote access
- EDR or MDR
- Immutable backups
- Backup restoration tests
- Network segmentation
- Privileged account protection
- Incident response plan
- Security awareness training
- Vulnerability management
- Email filtering
- Remote desktop restrictions
- Logging and monitoring
- Business continuity planning
Ransomware sublimits
Some policies may include a lower limit for ransomware than for the overall policy. For example, a business might buy a $1 million cyber policy but have a smaller ransomware sublimit. Exact terms vary by policy.
This is one reason business owners should not only ask, “Do we have ransomware coverage?” They should ask:
- What is the ransomware sublimit?
- Is extortion covered?
- Are ransom payments covered?
- Are negotiation costs covered?
- Are restoration costs covered?
- Is business interruption covered?
- Is contingent business interruption covered?
- Are there exclusions for poor controls?
- Is prior insurer approval required before payment?
- Are sanctions checks required?
Double extortion
Ransomware is no longer just about encryption. Attackers may also steal data and threaten to publish it. This is called double extortion.
That increases legal, privacy, notification, and reputational risk. It also makes incident response more complex because restoring from backup may not solve the data exposure problem.
Evidence Insurers May Ask For
The biggest change in cyber insurance requirements is evidence.
A business may be asked to provide proof that controls are active and properly configured.
Possible evidence examples
Insurers, brokers, or underwriters may request:
- MFA screenshots
- Conditional access policy screenshots
- EDR deployment reports
- Endpoint coverage reports
- Backup test reports
- Vulnerability scan summaries
- Patch management records
- Incident response plan
- Security awareness training completion reports
- Phishing simulation results
- Network diagrams
- Asset inventory
- Penetration test summary
- Cloud security configuration evidence
- Vendor risk policies
- Business continuity plan
- Disaster recovery test results
You should not wait until renewal week to gather this. Build a simple cyber insurance evidence folder throughout the year.
Evidence folder structure
A practical folder might include:
- 01-MFA-and-Identity
- 02-Endpoint-Security
- 03-Backups-and-Recovery
- 04-Patch-Management
- 05-Incident-Response
- 06-Training-and-Awareness
- 07-Policies-and-Procedures
- 08-Vendor-Risk
- 09-Cloud-Security
- 10-Testing-and-Reports
This helps your broker, insurer, IT provider, and leadership team speak from the same facts.
Why Businesses Get Denied or Pay Higher Premiums
Cyber insurance denial does not always mean the business is reckless. Sometimes it means the company has not documented controls well enough. Other times, the actual security gaps are serious.
Common reasons for difficult underwriting
Businesses may face higher premiums, restrictive terms, or denial when they have:
- No MFA
- MFA only partially deployed
- No EDR or MDR
- Unsupported operating systems
- Weak backup protection
- No backup testing
- Exposed remote desktop access
- Poor patch management
- No incident response plan
- No security training
- Prior cyber claims
- High-risk industry exposure
- Large volumes of sensitive data
- Weak vendor controls
- Unclear IT ownership
- Incomplete application answers
The danger of inaccurate answers
Cyber insurance applications should be answered carefully. If a business says it has MFA everywhere but later suffers a breach through an account without MFA, that discrepancy can become a serious claim issue.
Do not guess. Do not let a non-technical executive answer technical questions alone. Involve IT, security, legal, risk management, and your broker.
Cyber Insurance Checklist for Business Owners
Use this checklist before applying for cyber liability insurance or renewing an existing policy.
Identity and access
- MFA is enabled for all email users.
- MFA is enabled for remote access.
- MFA is enabled for administrator accounts.
- Former employee accounts are disabled.
- Privileged access is limited and reviewed.
- Password policies are enforced.
- Admin accounts are separate from daily-use accounts.
Endpoint security
- All laptops have endpoint protection.
- All desktops have endpoint protection.
- Servers are covered.
- Remote devices are included.
- EDR or MDR is deployed where required.
- Alerts are reviewed by responsible personnel.
- Devices can be isolated during an incident.
Backup and recovery
- Critical data is backed up.
- Backups are encrypted.
- Backups are offline or immutable.
- Backup access is protected by MFA.
- Restore tests are performed.
- Recovery time expectations are documented.
- Backup failures are monitored.
Patch management
- Assets are inventoried.
- Critical patches have defined timelines.
- External systems are scanned.
- Unsupported systems are replaced or isolated.
- Third-party software is updated.
- Firewalls, VPNs, and appliances are patched.
Email and phishing
- Email filtering is active.
- MFA protects webmail.
- SPF, DKIM, and DMARC are configured.
- Staff receive security awareness training.
- Payment changes require verification.
- Suspicious emails can be reported.
Incident response
- Incident response plan exists.
- Roles are assigned.
- Insurer notification steps are included.
- Legal and forensic contacts are listed.
- Ransomware response steps are documented.
- Tabletop exercises are performed.
- Lessons learned are tracked.
Governance
- Security policies are documented.
- Vendor access is reviewed.
- Cyber insurance evidence is organized.
- Leadership understands key cyber risks.
- Security controls are reviewed before renewal.
How to Prepare Before Cyber Insurance Renewal
Do not treat renewal as a last-minute form. Start 90 to 120 days early if possible, especially if your business has grown, changed systems, added remote workers, moved to the cloud, or handled more sensitive data.
Step 1: Review last year’s application
Find the old application and compare it with your current environment.
Ask:
- Are the answers still accurate?
- Did we add new systems?
- Did we change email platforms?
- Did we add remote access?
- Did we outsource IT?
- Did we expand into new markets?
- Did we collect new types of data?
- Did we have any incidents?
Step 2: Involve the right people
Cyber insurance renewal should include:
- Business owner or executive sponsor
- Risk manager
- IT provider
- Security lead
- Legal counsel when needed
- Finance leader
- Insurance broker
This prevents inaccurate answers and avoids surprises.
Step 3: Fix obvious gaps first
If MFA is missing, fix it. If backups have never been tested, test them. If admin accounts are shared, separate them. If remote desktop is exposed to the internet, address it immediately.
Some gaps are too important to leave unresolved.
Step 4: Gather evidence
Create current reports and screenshots. Make sure they show dates, scope, and coverage where possible.
Evidence beats verbal assurance.
Step 5: Ask your broker what carriers are emphasizing
Cyber insurance requirements vary. A good broker can tell you which controls are currently affecting quotes, exclusions, and ransomware terms.
Step 6: Read the policy carefully
Look for:
- Coverage limits
- Sublimits
- Retentions
- Exclusions
- Waiting periods
- Panel vendor requirements
- Notification duties
- Ransomware conditions
- Business interruption definitions
- Dependent business interruption
- Social engineering coverage
- Funds transfer fraud coverage
- Privacy liability coverage
- Regulatory coverage
Cyber policies are not all the same.
Common Misconceptions About Cyber Insurance Requirements
“We are too small to be targeted.”
Small businesses are often easier targets because they have weaker controls. Attackers do not always choose victims manually. They scan the internet for exposed systems, stolen credentials, vulnerable software, and misconfigured services.
“Cyber insurance replaces cybersecurity.”
It does not. Cyber insurance transfers some financial risk, but it does not prevent downtime, customer frustration, reputational damage, or operational disruption.
“Our IT company handles this.”
Maybe. But the insurer will still ask your business to confirm controls. You need to know what your provider actually does, what tools are deployed, and what evidence is available.
“Backups mean ransomware is not a big deal.”
Backups help, but ransomware can still create downtime, data theft, legal exposure, and recovery costs. Also, backups must be protected and tested.
“A cyber policy covers everything.”
No policy covers everything. Exclusions, sublimits, conditions, and claim-reporting duties matter. Read the policy carefully.
“MFA on email is enough.”
It is a good start, but many insurers now expect MFA across remote access, admin accounts, cloud apps, and other critical systems.
Practical Mini Case Studies
Case study 1: The renewal surprise
A 75-person manufacturing company applies for renewal. Last year, the insurer accepted basic antivirus and email MFA. This year, the carrier asks for EDR, tested backups, and MFA on VPN access.
The company has backups, but no restore test. It has antivirus, but not EDR. VPN MFA is not enabled.
Result: the renewal quote comes back with a higher premium and a ransomware sublimit.
What should have happened: the business should have reviewed requirements 90 days before renewal, upgraded endpoint protection, tested backup recovery, and enabled VPN MFA before submitting the application.
Case study 2: The partial MFA problem
A professional services firm says “yes” to MFA on its application. In reality, MFA is enabled for Microsoft 365 users but not for the remote monitoring tool used by its IT vendor.
An attacker compromises the vendor access tool and deploys ransomware.
This creates two problems: the actual incident and the accuracy of the insurance application.
Lesson: MFA requirements should include third-party remote access and privileged tools, not just employee email.
Case study 3: The backup that failed
A healthcare office pays for daily backups. During ransomware recovery, it discovers that backups were failing for three weeks because storage was full. No one reviewed backup alerts.
Lesson: backup monitoring and restore testing are not optional details. They are the difference between a recovery plan and wishful thinking.
Cyber Insurance and Compliance: Related but Not Identical
Cyber insurance requirements often overlap with cybersecurity frameworks and compliance obligations, but they are not the same thing.
A business may need to consider:
- HIPAA
- PCI DSS
- SOC 2
- ISO 27001
- NIST Cybersecurity Framework
- CIS Controls
- State privacy laws
- Contractual security requirements
- Industry-specific rules
Cyber insurance underwriters may view alignment with recognized frameworks as a positive signal. However, compliance does not automatically guarantee insurability.
A company can be compliant on paper and still have poor backup protection, weak remote access, or exposed systems.
What Risk Managers Should Track Throughout the Year
Risk managers should treat cyber insurance as a continuous process, not an annual scramble.
Useful metrics include:
- MFA coverage percentage
- Number of unmanaged devices
- Endpoint protection coverage
- Critical patch aging
- Backup success rate
- Restore test results
- Phishing training completion
- Reported phishing emails
- Open critical vulnerabilities
- Time to disable former employee accounts
- Incident response exercise completion
- Vendor access reviews
- Cloud security findings
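A few of these metrics can be computed directly from exports your systems already produce. The following is an added example, not code from the original article: it takes a constructed account inventory, a constructed backup job log, and a constructed critical-patch list, and computes MFA coverage (overall, per system, and the privileged accounts still missing it), backup success rate with a staleness alert, and critical patch aging. The system names ("m365", "vpn", "rmm-tool"), the one-line log format, and the patch identifiers are all hypothetical. It is written so that the two earlier case studies show up in the numbers: the account inventory includes the IT vendor's remote monitoring tool, so MFA coverage is measured across every system rather than email alone (case study 2), and the backup check flags a run of failures against a full destination volume that would otherwise go unnoticed (case study 3).

```python
"""Readiness metrics from constructed sample data (added example, not the
article's own code; all names, formats and identifiers are hypothetical)."""
import re
from datetime import date, datetime

# Constructed account inventory. It deliberately includes the IT vendor's
# remote monitoring tool ("rmm-tool", a hypothetical name) so MFA coverage is
# measured across every system, not just email.
ACCOUNTS = [
    {"user": "alice",       "system": "m365",     "privileged": False, "mfa": True},
    {"user": "bob",         "system": "m365",     "privileged": True,  "mfa": True},
    {"user": "carol",       "system": "m365",     "privileged": False, "mfa": True},
    {"user": "dave",        "system": "vpn",      "privileged": False, "mfa": False},
    {"user": "bob",         "system": "rmm-tool", "privileged": True,  "mfa": False},
    {"user": "vendor-tech", "system": "rmm-tool", "privileged": True,  "mfa": False},
]

# Constructed backup job log in a hypothetical one-line-per-run format. The
# last three weeks fail because the destination volume is full.
BACKUP_LOG = [
    "2024-05-01 02:00:05 job=fileserver status=SUCCESS bytes=812345678",
    "2024-05-02 02:00:04 job=fileserver status=SUCCESS bytes=813000120",
    "2024-05-03 02:00:07 job=fileserver status=SUCCESS bytes=813400990",
] + [
    f"2024-05-{d:02d} 02:00:09 job=fileserver status=FAILED reason=destination_full"
    for d in range(4, 25)
]
AS_OF = date(2024, 5, 24)  # the date the metrics are computed for

# Constructed critical-patch list; patch ids are placeholders, not real bulletins.
CRITICAL_PATCHES = [
    {"host": "vpn-gw-01", "patch": "example-critical-01", "released": date(2024, 3, 15), "installed": None},
    {"host": "file-01",   "patch": "example-critical-02", "released": date(2024, 5, 10), "installed": date(2024, 5, 14)},
    {"host": "web-01",    "patch": "example-critical-03", "released": date(2024, 5, 1),  "installed": None},
]

LOG_RE = re.compile(r"^(\S+ \S+) job=(\S+) status=(SUCCESS|FAILED)")


def mfa_coverage(accounts):
    """Return overall MFA coverage (%), per-system coverage (%), and the
    privileged (user, system) pairs that still lack MFA."""
    total = sum(1 for a in accounts if a["mfa"]) * 100.0 / len(accounts)
    per_system = {}
    for sys_name in {a["system"] for a in accounts}:
        rows = [a for a in accounts if a["system"] == sys_name]
        per_system[sys_name] = sum(1 for a in rows if a["mfa"]) * 100.0 / len(rows)
    gaps = [(a["user"], a["system"]) for a in accounts if a["privileged"] and not a["mfa"]]
    return round(total, 1), per_system, gaps


def backup_health(log_lines, as_of, max_stale_days=2):
    """Parse backup runs and return success rate, days since the last
    successful run and the current consecutive-failure streak. alert is True
    when the last success is older than max_stale_days, which is the check a
    full destination volume would trip on the first missed day."""
    runs = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not job results
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").date()
        runs.append((ts, m.group(3) == "SUCCESS"))
    runs.sort()
    if not runs:  # no runs at all is itself an alert condition
        return {"success_rate": 0.0, "days_since_success": None, "failure_streak": 0, "alert": True}
    success_rate = round(sum(ok for _, ok in runs) * 100.0 / len(runs), 1)
    last_ok = max((ts for ts, ok in runs if ok), default=None)
    stale_days = (as_of - last_ok).days if last_ok else None
    streak = 0
    for _, ok in reversed(runs):
        if ok:
            break
        streak += 1
    alert = stale_days is None or stale_days > max_stale_days
    return {"success_rate": success_rate, "days_since_success": stale_days,
            "failure_streak": streak, "alert": alert}


def critical_patch_aging(patches, as_of):
    """Days each critical patch has been outstanding per host, oldest first;
    installed patches are excluded."""
    aging = [(p["host"], p["patch"], (as_of - p["released"]).days)
             for p in patches if p["installed"] is None]
    return sorted(aging, key=lambda t: -t[2])


if __name__ == "__main__":
    total, per_system, gaps = mfa_coverage(ACCOUNTS)
    print(f"MFA coverage: {total}% overall, per system: {per_system}")
    print(f"Privileged accounts without MFA: {gaps}")
    print("Backup health:", backup_health(BACKUP_LOG, AS_OF))
    print("Critical patch aging:", critical_patch_aging(CRITICAL_PATCHES, AS_OF))
```

On this sample the headline MFA number (50% overall, 100% on email) is exactly the kind of figure that reads well on an application while the per-system view shows 0% on the VPN and on the vendor's remote tool, with two privileged accounts unprotected. The backup check reports a 12.5% success rate and 21 days since the last good run; a threshold of two days would have raised the alert on the first failed night rather than during recovery. The staleness threshold, log format and "critical" classification are choices to adapt to your own tooling.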
These metrics help leadership understand cyber risk in business language.
How Better Security Can Improve Insurance Outcomes
Strong controls do not guarantee cheap premiums. The insurance market is influenced by claims trends, industry risk, revenue, data exposure, coverage limits, and carrier appetite.
Still, better controls can improve your underwriting story.
A business with documented MFA, EDR, tested backups, incident response planning, and patch management is easier to underwrite than a business with vague answers and no evidence.
Better controls may help with:
- Faster quote review
- Better carrier options
- Higher available limits
- Fewer exclusions
- Better ransomware terms
- Lower likelihood of renewal denial
- Stronger claim defensibility
- Reduced incident impact
The best reason to improve security is not just insurance. It is operational survival.
FAQ: Cyber Insurance Requirements
What are cyber insurance requirements?
Cyber insurance requirements are the security, operational, and documentation standards a business must meet to qualify for cyber liability insurance or renew an existing policy. They often include MFA, endpoint protection, backups, patch management, incident response planning, and security awareness training.
Is cyber liability insurance required by law?
In most cases, cyber liability insurance is not legally required for all businesses. However, contracts, lenders, clients, vendors, or industry partners may require it. Some regulated industries may also face cybersecurity and data protection obligations that make cyber insurance highly advisable.
What security controls do cyber insurers usually require?
Common security controls include MFA, EDR or MDR, email security, offline or immutable backups, patch management, vulnerability scanning, incident response planning, employee training, privileged access controls, and remote access protection.
Can a business get cyber insurance without MFA?
It is becoming much harder. Some carriers may decline coverage, reduce limits, increase premiums, or exclude certain incidents if MFA is missing. MFA is especially important for email, remote access, administrator accounts, and cloud services.
Does cyber insurance cover ransomware?
Many cyber insurance policies include ransomware-related coverage, but terms vary. Coverage may include extortion payments, restoration costs, incident response, legal support, and business interruption. However, policies may include sublimits, exclusions, and notification requirements.
What is ransomware insurance?
Ransomware insurance usually refers to the portion of a cyber insurance policy that addresses ransomware events. It may cover ransom negotiation, payment where legally allowed and approved, forensic investigation, recovery expenses, and business interruption, depending on the policy.
What can cause a cyber insurance claim to be denied?
Claims may face problems if the incident is excluded, notice requirements are not followed, ransom payment procedures are ignored, policy conditions are violated, or the application contained inaccurate statements about security controls.
Do insurers ask for proof of cybersecurity controls?
Increasingly, yes. Businesses may be asked for screenshots, EDR reports, MFA configuration evidence, backup test results, incident response plans, vulnerability scans, training records, and other documentation.
Are backups required for cyber insurance?
Many insurers expect businesses to maintain reliable backups, especially for ransomware coverage. Stronger programs use encrypted, offline, or immutable backups and test restoration regularly.
What is the difference between cyber insurance and cybersecurity?
Cybersecurity reduces the likelihood and impact of cyber incidents. Cyber insurance helps cover certain financial losses after an incident. They work together, but one does not replace the other.
How early should a business prepare for cyber insurance renewal?
A business should start 90 to 120 days before renewal when possible. This gives time to fix gaps, gather evidence, review policy terms, and answer underwriting questions accurately.
Do small businesses need cyber insurance?
Many small businesses should consider it because they rely on email, payments, customer data, cloud platforms, and digital operations. A cyber incident can create legal costs, downtime, recovery expenses, and reputational damage.
Conclusion
Cyber insurance requirements are changing because cyber risk has changed. Insurers are no longer comfortable covering businesses that cannot show basic security maturity. They want proof that a company can prevent common attacks, detect suspicious behavior, recover from ransomware, and respond quickly when something goes wrong.
For business owners and risk managers, this is not just an insurance issue. It is a business resilience issue.
The smartest approach is to treat cyber insurance readiness as an ongoing security program. Enable MFA broadly. Deploy effective endpoint protection. Test backups. Patch critical systems. Document your incident response plan. Train employees. Review vendor access. Keep evidence organized.
That work can help you qualify for better cyber liability insurance terms. More importantly, it can help your business survive the kind of incident that makes insurance necessary in the first place.