Cyber Insurance Requirements: What IT Controls Insurers Actually Want
Cyber insurers commonly require MFA on email, remote access, and admin accounts; EDR on endpoints; tested offline backups; active patching; security awareness training; and a documented incident response plan. Here is what small businesses need to know before applying or renewing.
Cyber insurers commonly require multi-factor authentication on email, remote access, and administrative accounts; endpoint detection and response (EDR) software; tested offline backups; an active patching process; security awareness training; and a documented incident response plan. These are the controls that appear most frequently across carrier applications. The specifics vary by carrier — some require more, some are flexible on certain items — but this list covers what most underwriters are checking for before they bind coverage.
If your business cannot honestly attest to these controls, you have two choices: implement them before you apply, or buy coverage that may not pay out when you need it.
What do cyber insurers require?
The short answer is that insurers want to see the controls that actually reduce the likelihood and severity of a breach. The industry has learned a lot from claims — and the pattern is clear. Most ransomware attacks, most business email compromises, most network intrusions exploit a small set of weaknesses: no MFA, inadequate endpoint protection, backups that turn out to be compromised or untested, and organizations that had no plan when the incident started.
Here is what appears most frequently across carrier applications:
Multi-factor authentication (MFA) on email accounts, remote access (VPN and RDP), and administrative or privileged accounts. This is not optional for most carriers. MFA alone blocks the overwhelming majority of credential-based attacks. If your staff accesses email or company systems remotely without a second factor, expect that to be the first question on any serious application.
Endpoint detection and response (EDR) on all endpoints, not just basic antivirus. Traditional antivirus catches known malware signatures. EDR monitors behavior — it can detect and contain an attack in progress that a signature-based tool would miss entirely. Carriers have seen enough claims where antivirus was present and useless to make this a standard requirement.
Tested, offline or air-gapped backups. The word “tested” matters. An untested backup is not a backup — it is a backup-shaped assumption. Ransomware routinely targets and encrypts connected backups before encrypting production systems. Carriers want to know your backups are isolated from your primary environment and that you have actually verified they restore correctly. A restore test you ran once, three years ago, documented somewhere no one can find, does not satisfy this.
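What "tested" looks like in practice is a restore into a scratch location followed by a file-by-file comparison against hashes captured at backup time, with the outcome written to a dated log that can be shown at renewal. The following is an added example for this article, not code from the page or from any backup product: it assumes the backup job records a SHA-256 manifest when it runs (`build_manifest`) and that a restore lands in an ordinary directory. The files, the corrupted restore and the operator name are constructed sample data.

```python
"""Restore-test verifier: proves a backup restores intact and writes the dated evidence.

Added example for this article, not code from the page or from any backup product. It assumes
the backup job records a manifest of SHA-256 hashes at backup time (build_manifest) and that a
restore lands in an ordinary directory; everything in run_demo() is constructed sample data.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash. Run this at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree to the manifest; a restore passes only when nothing is missing or altered."""
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            mismatched.append(rel)
    # Files present in the restore but absent from the manifest are reported, not failed.
    extra = sorted(set(build_manifest(restored_root)) - set(manifest))
    return {"ok": not missing and not mismatched, "files_checked": len(manifest),
            "missing": missing, "mismatched": mismatched, "extra": extra}


def log_restore_test(result: dict, log_path: Path, backup_id: str, operator: str) -> dict:
    """Append one JSON line per test: the answer to 'when did you last verify a restore?'."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "backup_id": backup_id, "operator": operator,
             "result": "PASS" if result["ok"] else "FAIL",
             "files_checked": result["files_checked"],
             "missing": len(result["missing"]), "mismatched": len(result["mismatched"])}
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def run_demo() -> dict:
    """Constructed scenario: one faithful restore and one that was silently corrupted and truncated."""
    tmp = Path(tempfile.mkdtemp(prefix="restore-test-"))
    prod = tmp / "prod"
    (prod / "finance").mkdir(parents=True)
    (prod / "finance" / "ledger.csv").write_text("2024-06-01,payroll,48200.00\n")
    (prod / "notes.txt").write_text("quarterly review\n")
    manifest = build_manifest(prod)                # captured at backup time

    shutil.copytree(prod, tmp / "restore_good")    # a faithful restore
    shutil.copytree(prod, tmp / "restore_bad")     # a restore that looks fine at a glance
    (tmp / "restore_bad" / "finance" / "ledger.csv").write_text("2024-06-01,payroll,0.00\n")
    (tmp / "restore_bad" / "notes.txt").unlink()

    log = tmp / "restore-tests.log"
    good = verify_restore(manifest, tmp / "restore_good")
    bad = verify_restore(manifest, tmp / "restore_bad")
    entries = [log_restore_test(good, log, "nightly-20240601", "jdoe"),
               log_restore_test(bad, log, "nightly-20240602", "jdoe")]
    return {"good": good, "bad": bad, "log_entries": entries,
            "log_lines": log.read_text(encoding="utf-8").count("\n")}


if __name__ == "__main__":
    outcome = run_demo()
    for name in ("good", "bad"):
        r = outcome[name]
        print(f"{name}: {'PASS' if r['ok'] else 'FAIL'} "
              f"missing={r['missing']} mismatched={r['mismatched']}")
```

The second restore in the demo is the case that matters: every file name is present except one, and the one that is present has been altered, so a "did the restore job exit 0?" check would have passed it. Hashing at backup time and comparing after restore is what turns a backup-shaped assumption into evidence, and the append-only log is the restore record Step 4 of the preparation checklist asks you to keep.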
Active patching and vulnerability management. This means a documented process for applying security patches, with realistic timelines. Most insurers ask specifically about patching cadence for critical vulnerabilities. “We patch when we get around to it” is not a process. Carriers want to see that known vulnerabilities are being addressed before attackers exploit them.
Security awareness training for all staff. Phishing remains the most common initial attack vector. Carriers increasingly require documented, recurring training — not a one-time onboarding video. Simulated phishing exercises strengthen the case further.
Incident response plan. A written document that defines who does what when something goes wrong. It does not have to be elaborate. It does have to exist, and people have to know it does. Organizations that discover a breach and have no plan spend critical hours figuring out who to call while the damage compounds.
For a baseline on the security controls your business should have in place regardless of insurance, the cybersecurity guide for small business covers the fundamentals in practical terms.
Why do insurers require MFA?
Because the data is unambiguous. Microsoft has published research indicating MFA blocks over 99% of automated credential attacks. Carriers have seen enough claims where compromised credentials — often from phishing or credential stuffing — were the initial access point to make MFA the single non-negotiable control.
The requirement is not just any MFA. Carriers look specifically at:
- Email accounts (Microsoft 365, Google Workspace)
- Remote access — VPN, RDP, any path into your network from outside
- Administrative and privileged accounts — the accounts with access to your most sensitive systems and data
Some carriers will not bind coverage at all if MFA is absent on privileged accounts. Others will bind coverage but exclude breach events where compromised credentials were the attack vector and MFA was not in place. Read the exclusions carefully — a policy that excludes the most common attack scenario is not the policy you think you bought.
The good news: MFA is one of the cheaper controls to implement. Microsoft 365 and Google Workspace include it at no additional cost. The barrier is organizational, not financial — getting staff to enroll and accept the additional step.
What controls affect your premium?
Insurers price risk. Controls that reduce risk reduce premiums. The controls with the most consistent premium impact are the ones that address the highest-frequency claims.
MFA across all accounts, not just admin. Carriers that require MFA on privileged accounts often reward organizations that extend it universally. The incremental cost is near zero; the risk reduction is measurable.
EDR versus basic antivirus. The presence of EDR signals a more mature security posture. Carriers have seen the claims data. An organization running EDR is statistically less likely to suffer a ransomware incident that results in a significant payout.
Backup isolation and verified restores. Ransomware actors specifically look for and destroy connected backups before deploying the payload. Carriers know this. Air-gapped or immutable backups that have been verified to restore are a meaningful differentiator at underwriting.
Patching SLAs. Organizations that can document a specific patching cadence — critical patches within X days of release — are demonstrating a control that prevents a substantial portion of exploited vulnerabilities from becoming successful attacks.
Written incident response plan. Some carriers offer premium credits for organizations that have a tested IR plan. Even where no formal credit exists, the presence of an IR plan signals organizational maturity that underwriters perceive as reduced risk.
The inverse is also true. Certain gaps are penalized disproportionately. Missing MFA on email in a small business can result in premiums two to three times higher than a comparable business that has it in place. The cost comparison for managed IT services is worth reading if you are trying to understand what professional IT support actually costs relative to this kind of exposure.
What happens if you misrepresent your controls?
This is where some small businesses get into serious trouble. Cyber insurance applications ask specific questions about specific controls. “Do you have MFA on all remote access?” is a yes/no question with real consequences.
Material misrepresentation — stating you have controls that are not actually in place — can void your coverage at the worst possible moment: during a claim. After a breach, carriers conduct forensic investigations. Those investigations often reveal that the controls the policyholder attested to on the application were absent, partial, or not functioning as described.
When that happens, the carrier has grounds to deny the claim and, in many cases, rescind the policy retroactively. You have spent money on premiums for coverage that does not exist.
This is not a theoretical risk. It is the reason cyber insurance attorneys stay busy.
The right approach: review the application before buying or renewing. Be honest about what you have. If you cannot attest to a required control, implement it before applying — or find a carrier with a different risk appetite and understand exactly what you are trading away.
How to prepare for a cyber insurance application or renewal
Step 1: Pull the application before you need it. Most small businesses look at their cyber insurance application for the first time when it arrives for renewal. By then, there is often no time to implement missing controls. Get the application early — some carriers make them available publicly — and treat it as a security roadmap.
Step 2: Audit your current controls honestly. Not where you think you are. Where you actually are. Do all staff have MFA enrolled on their email accounts? All of them, including the part-time bookkeeper and the owner? Is remote access behind VPN with MFA? When did you last restore from backup to verify it works?
Step 3: Close the gaps before you apply. The controls insurers require are good security practice regardless of insurance. MFA, EDR, tested backups, patching discipline — these are worth having because they reduce your actual risk, not just because a carrier requires them. The fact that insurance pricing rewards them is a secondary benefit.
Step 4: Document everything. Insurers increasingly ask not just whether you have controls but how they are managed. A written patching policy, training completion records, backup restore logs, and an incident response plan are all evidence that your security program is real and not just a verbal claim.
Step 5: Get an independent assessment before your renewal conversation. An IT assessment from a qualified provider identifies gaps before your carrier’s underwriter does. Coming to a renewal with documented evidence of improved controls is a materially better position than discovering gaps under pressure.
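The Step 2 question that most often turns out to be answered wrongly is "do all staff have MFA enrolled on email, including the part-time bookkeeper and the owner?" Answering it from memory is how misrepresentations happen; answering it from the tenant's own registration report is how you can attest to it. The script below is an added example for this article, not code from the page or from Microsoft. It assumes you have exported the Microsoft Graph authentication methods registration report (`/reports/authenticationMethods/userRegistrationDetails`) to JSON, and that the field names are `userPrincipalName`, `isAdmin`, `isMfaRegistered` and `methodsRegistered` as in that report; the list of methods treated as phone-only and the five sample accounts are constructed. Two caveats a practitioner should keep in mind: registration is not enforcement (a user with a registered method is only challenged if Conditional Access or Security Defaults require it), and legacy authentication protocols that do not support MFA have to be blocked separately or the registration numbers mean little.

```python
"""MFA registration audit from an exported Microsoft Graph registration report.

Added example for this article, not code from the page or from Microsoft. It assumes a JSON
export of GET /reports/authenticationMethods/userRegistrationDetails with the field names
userPrincipalName, isAdmin, isMfaRegistered and methodsRegistered (assumption: check your
export). Registration is not enforcement: confirm Conditional Access / Security Defaults and
a legacy-authentication block separately before attesting on an application.
"""
import json
from pathlib import Path

# Methods that count for self-service password reset or phone sign-in but that most
# underwriters would not accept as a strong second factor on their own (assumption).
PHONE_OR_NON_MFA_METHODS = {
    "mobilePhone", "alternateMobilePhone", "officePhone", "email", "securityQuestion",
}

# Constructed sample shaped like the Graph response; not real accounts.
SAMPLE_REPORT = {"value": [
    {"userPrincipalName": "owner@example.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": ["email"]},
    {"userPrincipalName": "it.admin@example.com", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bookkeeper@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "sales@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "ops@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
]}


def load_report(path: Path) -> dict:
    """Read a saved Graph report; a real run would replace SAMPLE_REPORT with this."""
    return json.loads(path.read_text(encoding="utf-8"))


def audit_mfa(report: dict) -> dict:
    """Split users into the buckets an application question actually maps to.

    admins_without_mfa  -> 'MFA on administrative accounts' cannot be answered yes
    users_without_mfa   -> 'MFA on all email accounts' cannot be answered yes
    phone_only          -> registered, but only with phone/SMS-class methods
    """
    admins_without, users_without, phone_only = [], [], []
    for user in report["value"]:
        upn = user["userPrincipalName"]
        strong = set(user.get("methodsRegistered", [])) - PHONE_OR_NON_MFA_METHODS
        if not user.get("isMfaRegistered"):
            (admins_without if user.get("isAdmin") else users_without).append(upn)
        elif not strong:
            phone_only.append(upn)
    total = len(report["value"])
    registered = total - len(admins_without) - len(users_without)
    return {
        "total_users": total,
        "coverage_pct": round(100.0 * registered / total, 1) if total else 0.0,
        "admins_without_mfa": admins_without,
        "users_without_mfa": users_without,
        "phone_only": phone_only,
        # What you could honestly write on the application, on registration alone.
        "can_attest_admin_mfa": not admins_without,
        "can_attest_all_user_mfa": not admins_without and not users_without,
    }


def audit_sample() -> dict:
    """Run the audit over the constructed sample tenant."""
    return audit_mfa(SAMPLE_REPORT)


if __name__ == "__main__":
    result = audit_sample()
    print(f"MFA registered: {result['coverage_pct']}% of {result['total_users']} users")
    for key in ("admins_without_mfa", "users_without_mfa", "phone_only"):
        print(f"{key}: {result[key]}")
    print("attest admin MFA:", result["can_attest_admin_mfa"],
          "| attest all-user MFA:", result["can_attest_all_user_mfa"])
```

On the sample tenant the owner is the admin without MFA, which is exactly the account the first question on the application is about, and the bookkeeper is the non-admin gap. Both are findings to close before applying, not to explain away at claim time. The `phone_only` bucket is worth reviewing with your carrier: some accept SMS as a second factor, others ask specifically about app- or hardware-based methods for privileged accounts.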
Helix Stax works with Hampton Roads small businesses on the cybersecurity compliance controls that cyber insurance underwriters look for — MFA deployment, EDR implementation, backup architecture, and incident response planning. If you are not sure where your gaps are before your next application or renewal, a free IT assessment takes about an hour and gives you an honest picture of where you stand.
Planning now is what keeps claim time free of surprises.