Cyber Insurance Renewal Checklist: 12 Controls Insurers Actually Verify
The 12 specific security controls cyber insurance carriers check before renewing your policy, and how to pass each one.

Your cyber insurance renewal application has changed. Carriers no longer accept yes-or-no questionnaires about your security posture. They verify. They audit. And if what they find doesn’t match what you attested to, your claim gets denied or your policy gets non-renewed.
We published a broader guide to what carriers require in 2026 earlier this year. This post goes deeper: the 12 specific controls that underwriters check, what “passing” looks like for each one, and how a managed IT or security partner handles the evidence gathering that trips up most businesses.
Print this list. Bring it to your next leadership meeting. Work through it with your IT provider 90 days before your renewal date.
1. Multi-Factor Authentication (MFA)
What insurers look for: MFA enforced on every user account that can access company systems. That includes email, VPN, remote desktop, cloud applications, and all administrative consoles. Partial deployment counts as a failure during claims investigation.
What passes: Enrollment reports from your identity provider (Entra ID, Duo, or similar) showing 100% coverage. Conditional access policies that block authentication attempts without a second factor. Documentation of any exception accounts and the compensating controls applied to them.
How a managed provider handles it: Your IT team pulls enrollment reports directly from Entra ID or your MFA platform, identifies gaps in coverage, enforces conditional access policies across all systems, and documents exceptions with compensating controls. This isn’t a one-time setup. MFA coverage drifts as employees join, leave, or get new devices, so your provider should run enrollment audits quarterly and flag accounts that fall out of compliance before your renewal.
2. Endpoint Detection and Response (EDR)
What insurers look for: An EDR agent installed and active on every endpoint in your environment, including laptops, desktops, and servers. Carriers specifically look for next-generation platforms with behavioral analysis rather than signature-based antivirus. Many carriers list acceptable vendors by name. SentinelOne, CrowdStrike, and Microsoft Defender for Endpoint are the most commonly approved platforms.
What passes: A deployment report showing agent status across your entire device fleet. No gaps, no machines running legacy antivirus, no “pending install” entries that have been pending for six months.
How a managed provider handles it: Your security team deploys the EDR agent through your endpoint management platform, monitors agent health daily, and remediates any devices where the agent goes offline or gets disabled. They also generate the deployment reports your broker needs for the renewal application.
3. Backup Testing and Recovery Verification
What insurers look for: Proof that your backups work, not just that they exist. Carriers want evidence of regular recovery testing, including full restoration tests, not just backup job completion logs. If your backups have never been tested, the carrier has no reason to believe they’ll work when ransomware encrypts your production environment.
What passes: Documented recovery tests performed at least quarterly, including the date, scope (which systems were recovered), time to recovery, and outcome. If your last disaster recovery test revealed issues, carriers want to see what you fixed afterward.
How a managed provider handles it: Your provider schedules and executes recovery tests on a recurring cadence, documenting every test in a format that carriers accept. When tests reveal gaps (corrupted backups, recovery times that exceed your RTO), your provider remediates those issues and retests. The documentation package includes both the test results and the remediation actions taken.
4. Incident Response Plan
What insurers look for: A written incident response plan that names specific people, includes current contact information for your insurance carrier and legal counsel, covers ransomware scenarios explicitly, and has been tested through a tabletop exercise within the past 12 months. A plan that lives in a shared drive untouched since 2023 won’t satisfy an underwriter.
What passes: A dated plan with named roles, current contact lists, defined escalation procedures, and a tabletop exercise report from the past year showing who participated, what scenario was tested, what gaps were identified, and what changes were made. Infonaligy offers a free tabletop exercise template to help you get started.
How a managed provider handles it: Your security partner drafts or updates the plan, runs the tabletop exercise with your leadership team, and documents everything in the format carriers expect. They update the plan annually and after any real incident, so the document always reflects your current environment and team structure.
5. Privileged Access Management (PAM)
What insurers look for: Controls around accounts with elevated permissions. Domain admin accounts, global admin roles in Microsoft 365, root access to servers, and firewall management credentials should all have additional protections beyond standard MFA. Carriers check whether privileged accounts are inventoried, whether access is granted on a least-privilege basis, and whether shared admin credentials exist.
What passes: An inventory of all privileged accounts with documented business justification for each one. Evidence that admin access uses dedicated accounts separate from daily-use accounts. Logs showing privileged access reviews conducted at least quarterly. No shared passwords for administrative systems.
How a managed provider handles it: Your provider maintains a privileged access inventory, enforces separate admin accounts, configures just-in-time access where supported (Entra ID Privileged Identity Management, for example), and runs quarterly access reviews. When an employee with privileged access leaves, your provider revokes that access immediately and documents the revocation.
6. Email Security
What insurers look for: Email is the primary attack vector for business email compromise and phishing, which together account for the majority of cyber insurance claims among SMBs. Carriers want to see dedicated email security tools beyond the default protections in Microsoft 365 or Google Workspace. They look for advanced threat protection, DMARC/DKIM/SPF records properly configured, and impersonation protection for executives and finance staff.
What passes: Deployment of an enterprise email security platform such as Proofpoint, Mimecast, or Microsoft Defender for Office 365 Plan 2. DMARC policy set to quarantine or reject (not just monitoring). Documentation showing impersonation protection rules for C-suite and finance team email addresses.
How a managed provider handles it: Your provider deploys and configures the email security platform, sets up DMARC/DKIM/SPF records, creates impersonation protection rules for key personnel, and monitors quarantine queues for false positives. They also provide monthly reports on blocked threats that demonstrate the platform is working.
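The DMARC bar above (enforcing policy, not just monitoring) is easy to check mechanically. The script below is an added example, not from the original post or any vendor: it parses a DMARC TXT record and reports the findings an underwriter would flag. The records and `example.com` domains are constructed samples; in practice you would fetch the `_dmarc.<domain>` TXT record and feed it to `evaluate_dmarc`.

```python
"""Grade DMARC records against the 'quarantine or reject, not just monitoring' bar."""

# Constructed sample records for placeholder domains (not anyone's real DNS).
SAMPLE_RECORDS = {
    "monitor-only.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example.com",
    "partial.example.com": "v=DMARC1; p=reject; pct=25; sp=none",
    "passing.example.com": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: str) -> dict:
    """Return the policy, the percentage it applies to, and why it would fail review."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} is monitoring only; need quarantine or reject")
    pct_raw = tags.get("pct", "100")          # pct defaults to 100 when absent
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or 'missing'} leaves subdomains unprotected")
    return {"policy": policy, "pct": pct, "passes": not findings, "findings": findings}

def check_all(records=SAMPLE_RECORDS) -> dict:
    """Evaluate every record and key the verdicts by domain."""
    return {domain: evaluate_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, result in check_all().items():
        print(f"{domain}: {'PASS' if result['passes'] else 'FAIL'}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```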
7. Patch Management
What insurers look for: A documented, automated patching process with evidence that critical vulnerabilities are remediated quickly. Carriers learned from claims data that unpatched systems are one of the most common breach entry points. They expect CVSS 9.0+ vulnerabilities patched within 72 hours and all other patches deployed within 30 days.
What passes: Patch compliance reports showing deployment schedules, success rates across your fleet, and specific remediation timelines for critical vulnerabilities. Carriers want to see a trend, not a snapshot. Three to six months of patch compliance data tells a much stronger story than a single report pulled the week before renewal.
How a managed provider handles it: Your managed IT provider runs automated patching through your endpoint management platform, monitors for failed deployments, and handles exceptions (machines that can’t be patched during business hours, legacy systems that require manual updates). They maintain rolling patch compliance reports that your broker can include in the renewal application.
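The 72-hour and 30-day windows above can be applied directly to a patch export to produce the trend data carriers want. This is an added example, not the post's own tooling: it grades each host/vulnerability pair against the stated SLA and separates "missed" from "still open but not yet overdue". The records, host names and `CVE-0000-...` ids are constructed placeholders.

```python
"""Grade patch records: CVSS >= 9.0 within 72 hours, everything else within 30 days."""
from datetime import datetime, timedelta

CRITICAL_CVSS = 9.0
CRITICAL_SLA = timedelta(hours=72)
STANDARD_SLA = timedelta(days=30)

# Constructed sample export; the CVE ids are placeholders, not real advisories.
SAMPLE_RECORDS = [
    {"host": "ws-01", "cve": "CVE-0000-0001", "cvss": 9.8, "available": "2026-01-02T10:00", "patched": "2026-01-04T09:00"},
    {"host": "ws-02", "cve": "CVE-0000-0001", "cvss": 9.8, "available": "2026-01-02T10:00", "patched": "2026-01-09T09:00"},
    {"host": "srv-01", "cve": "CVE-0000-0002", "cvss": 7.5, "available": "2026-01-05T10:00", "patched": "2026-01-30T09:00"},
    {"host": "srv-02", "cve": "CVE-0000-0002", "cvss": 7.5, "available": "2026-01-05T10:00", "patched": None},
]

def sla_for(cvss: float) -> timedelta:
    """Pick the remediation window the page describes for this severity."""
    return CRITICAL_SLA if cvss >= CRITICAL_CVSS else STANDARD_SLA

def grade(record: dict, as_of: datetime) -> str:
    """met/missed for patched items; open/overdue for items still unpatched as of the report date."""
    deadline = datetime.fromisoformat(record["available"]) + sla_for(record["cvss"])
    if record["patched"] is None:
        return "open" if as_of <= deadline else "overdue"
    return "met" if datetime.fromisoformat(record["patched"]) <= deadline else "missed"

def compliance_report(records: list, as_of: datetime) -> dict:
    """Count each status and list the exceptions a broker will ask about."""
    counts = {"met": 0, "missed": 0, "open": 0, "overdue": 0}
    exceptions = []
    for r in records:
        status = grade(r, as_of)
        counts[status] += 1
        if status in ("missed", "overdue"):
            exceptions.append((r["host"], r["cve"], status))
    graded = counts["met"] + counts["missed"] + counts["overdue"]  # 'open' is not yet pass or fail
    rate = counts["met"] / graded if graded else 1.0
    return {"counts": counts, "rate": rate, "exceptions": exceptions}

def sample_report(as_of_iso: str = "2026-02-10T00:00") -> dict:
    """Run the constructed sample as of a given report date."""
    return compliance_report(SAMPLE_RECORDS, datetime.fromisoformat(as_of_iso))

if __name__ == "__main__":
    report = sample_report()
    print(f"SLA compliance: {report['rate']:.0%}  counts={report['counts']}")
    for host, cve, status in report["exceptions"]:
        print(f"  {host} {cve}: {status}")
```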
8. Security Awareness Training
What insurers look for: Ongoing employee training with regular phishing simulations. Annual compliance videos don’t satisfy carriers anymore. They want evidence of a continuous program with measurable results: completion rates, phishing simulation click rates over time, and remedial training for employees who repeatedly fail simulations.
What passes: Twelve months of security awareness training records showing completion rates above 90%, phishing simulation results demonstrating improvement over time, and documentation of additional training for repeat offenders. A trend line that shows your 25% click rate in January dropped to 6% by December is exactly what carriers want to see.
How a managed provider handles it: Your provider runs the training platform, schedules monthly phishing simulations, tracks completion and failure rates, enrolls repeat offenders in targeted remediation training, and generates the reports your broker needs. The program runs continuously without requiring your leadership team to manage it.
9. Network Segmentation
What insurers look for: Evidence that your network is segmented so a breach in one area doesn’t give an attacker free movement across everything. Carriers check whether guest Wi-Fi is isolated from production, whether IoT devices sit on their own VLAN, whether sensitive systems (finance, HR, medical records) are separated from general-purpose workstations, and whether firewall rules enforce these boundaries.
What passes: A network diagram showing segmentation zones with firewall rules between them. Documentation of VLAN configurations. Evidence that segmentation was tested (can a device on the guest network reach your file server? It shouldn’t). Carriers increasingly ask for next-generation firewalls from vendors like Fortinet or Palo Alto Networks that can enforce application-aware policies between segments.
How a managed provider handles it: Your provider designs the segmentation architecture, configures VLANs and firewall rules, documents the network topology, and tests segmentation boundaries. When new devices or systems are added to the network, they’re placed in the correct segment from day one rather than dropped onto a flat network.
10. Encryption
What insurers look for: Data encrypted both at rest and in transit. For endpoints, that means full-disk encryption enabled on every laptop and desktop (BitLocker on Windows, FileVault on Mac). For data in transit, that means TLS enforced on all web-facing services and VPN required for remote access to internal systems. Carriers also check whether backup data is encrypted.
What passes: A BitLocker/FileVault compliance report showing encryption enabled on 100% of devices. TLS certificate inventory for web services. VPN configuration showing encryption standards (IKEv2, AES-256). Backup encryption settings documented.
How a managed provider handles it: Your provider enforces full-disk encryption through device management policies, monitors compliance, manages TLS certificates, and ensures backup encryption is enabled. When a new device is provisioned, encryption is enabled before the device is handed to the employee, not after.
11. Vulnerability Scanning
What insurers look for: Regular vulnerability scans of your internal and external environment with documented remediation of findings. Carriers want to see that you’re proactively identifying weaknesses rather than waiting for an attacker to find them first. A vulnerability assessment report from two years ago doesn’t count.
What passes: Quarterly vulnerability scan reports (at minimum) covering both internal systems and external-facing assets. A remediation log showing how critical and high findings were addressed and on what timeline. Evidence that rescans confirmed the fixes worked.
How a managed provider handles it: Your provider runs scheduled vulnerability scans, prioritizes findings by severity and exploitability, remediates or coordinates remediation of critical issues, and retests to confirm fixes. The scan reports and remediation logs become part of your renewal evidence package.
12. Logging and Monitoring
What insurers look for: Centralized log collection and active monitoring. This is the control that ties everything else together. Carriers want to see that logs from your firewalls, email gateway, identity systems, endpoints, and cloud platforms are being collected in a SIEM (Security Information and Event Management) platform, and that a SOC team is actively reviewing alerts. EDR without SOC monitoring is a gap that carriers flag consistently.
What passes: SIEM configuration showing all critical log sources connected. SOC engagement documentation with defined response SLAs. Alert response logs demonstrating that threats were detected and acted upon, not just logged. Carriers specifically ask for mean time to detect (MTTD) and mean time to respond (MTTR) metrics.
How a managed provider handles it: Your provider deploys and configures the SIEM platform, connects all log sources, monitors alerts through their SOC 24/7, and produces the response metrics carriers require. When an alert fires at 2 AM, a human analyst investigates it, not an automated rule that files it away until Monday morning.
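The MTTD and MTTR figures carriers ask for come straight out of alert records, as long as the export captures when the event happened, when it was detected, and when someone acted. The script below is an added example, not the post's or any SOC vendor's code: it computes both means in minutes (MTTR measured from detection to response) and separately lists alerts that were logged but never acted on, which is the exact gap the section calls out. The alert export is constructed.

```python
"""Compute MTTD/MTTR from alert records and flag alerts that were logged but never acted upon."""
from datetime import datetime

# Constructed SOC alert export (not real data). A missing field means that step never happened.
SAMPLE_ALERTS = [
    {"id": "A-1", "source": "edr", "event": "2026-03-01T02:05", "detected": "2026-03-01T02:20", "responded": "2026-03-01T03:05"},
    {"id": "A-2", "source": "email", "event": "2026-03-02T09:00", "detected": "2026-03-02T09:10", "responded": "2026-03-02T09:40"},
    {"id": "A-3", "source": "firewall", "event": "2026-03-03T22:00", "detected": "2026-03-03T22:30", "responded": None},
    {"id": "A-4", "source": "identity", "event": "2026-03-04T11:00", "detected": None, "responded": None},
]

def _ts(value):
    """Parse an ISO-8601 timestamp, or return None when the step is missing."""
    return datetime.fromisoformat(value) if value else None

def minutes_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def response_metrics(alerts=SAMPLE_ALERTS) -> dict:
    """MTTD = event -> detected; MTTR = detected -> responded; both as means in minutes."""
    detect_times, respond_times, unactioned, undetected = [], [], [], []
    for a in alerts:
        event, detected, responded = _ts(a["event"]), _ts(a["detected"]), _ts(a["responded"])
        if detected is None:
            undetected.append(a["id"])     # typically learned only from a later investigation
            continue
        detect_times.append(minutes_between(event, detected))
        if responded is None:
            unactioned.append(a["id"])     # logged but never acted on: the gap carriers flag
            continue
        respond_times.append(minutes_between(detected, responded))
    mean = lambda xs: sum(xs) / len(xs) if xs else None
    return {
        "mttd_minutes": mean(detect_times),
        "mttr_minutes": mean(respond_times),
        "unactioned": unactioned,
        "undetected": undetected,
    }

if __name__ == "__main__":
    m = response_metrics()
    print(f"MTTD {m['mttd_minutes']:.1f} min, MTTR {m['mttr_minutes']:.1f} min")
    print(f"Never acted on: {m['unactioned']}   Never detected: {m['undetected']}")
```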
Your Printable Checklist
Use this to track your readiness before renewal. For each control, confirm whether it’s in place, whether you have the documentation, and who owns it.
| # | Control | In Place? | Documentation Ready? | Owner |
|---|---|---|---|---|
| 1 | MFA on all accounts | ☐ | ☐ | |
| 2 | EDR on all endpoints | ☐ | ☐ | |
| 3 | Backup testing (quarterly) | ☐ | ☐ | |
| 4 | Incident response plan (tested in 12 months) | ☐ | ☐ | |
| 5 | Privileged access management | ☐ | ☐ | |
| 6 | Email security platform | ☐ | ☐ | |
| 7 | Patch management (automated) | ☐ | ☐ | |
| 8 | Security awareness training | ☐ | ☐ | |
| 9 | Network segmentation | ☐ | ☐ | |
| 10 | Encryption (at rest and in transit) | ☐ | ☐ | |
| 11 | Vulnerability scanning (quarterly) | ☐ | ☐ | |
| 12 | Logging and monitoring (SIEM + SOC) | ☐ | ☐ | |

If any row has an unchecked box, that’s a conversation to have with your IT provider before your renewal date. If your provider can’t produce the documentation for a given control within 24 hours of you asking, that’s a red flag worth investigating. Our MSP evaluation checklist covers what to ask and what good answers look like.
Start 90 Days Before Renewal
The businesses that get through renewal with stable premiums and full coverage are the ones that treat this checklist as a quarterly exercise, not an annual scramble. Work through each control with your IT provider. Build the evidence package over time so that when your broker sends the renewal application, every question has a documented answer behind it.
If you’re in a regulated industry like healthcare (HIPAA), defense (CMMC), or financial services, many of these controls overlap with your compliance requirements. A law firm that addressed security gaps found that the same controls that satisfied their carrier also closed their compliance gaps.
Need Help Preparing for Your Cyber Insurance Renewal?
Our team can audit your environment against all 12 controls, build your evidence package, and close the gaps carriers look for.
Get a Free Assessment