Cyber Insurance Readiness Checklist

Infonaligy
Cyber insurance has changed — and most SMBs have not caught up

Three years ago, cyber insurance was a checkbox. You filled out a questionnaire, paid the premium, and moved on. Today, underwriters are technical, questionnaires are detailed, and carriers are denying claims when documented controls do not match what was stated on the application.

Premiums for SMBs have increased 40-60% since 2022. Coverage exclusions have expanded. And the renewal process now involves a level of scrutiny that many organizations are unprepared for — not because they lack controls, but because they cannot document what they have.

This checklist covers the 15 controls that cyber insurers consistently verify during underwriting and claims. For each control, it maps your current posture, the cost to close the gap if one exists, and the premium impact of the improvement.

Who this is for

  • CFOs managing insurance costs who need to understand what drives premiums up or down
  • Business owners facing renewal sticker shock who want to know what to fix first
  • IT directors who need to prepare documentation for the underwriting process
  • Organizations that have been denied coverage or had a claim rejected and need to understand what went wrong

The 15 controls insurers verify

These are not theoretical best practices — they are the controls that appear on the underwriting questionnaires from major cyber insurance carriers. Miss any of them and you face higher premiums, coverage exclusions, or outright denial.

1. Multi-factor authentication (MFA)

What insurers want: MFA enabled on all email accounts, all remote access, all admin accounts, and all cloud services. Not just available — enforced.

Why it matters: Stolen credentials are the number one attack vector. MFA blocks over 99% of automated credential attacks. Carriers know this, which is why MFA has become a hard requirement — not a recommendation — for most policies.

The gap most organizations have: MFA is enabled for email but not enforced for VPN access, admin consoles, or SaaS applications. Partial deployment is treated the same as no deployment by most underwriters.

Cost to close: $0-$5 per user/month depending on the MFA solution. Most organizations already have MFA capability through Microsoft 365 or Google Workspace — they just have not enforced it across all access points.

2. Endpoint detection and response (EDR)

What insurers want: A managed EDR solution deployed on 100% of endpoints — not traditional antivirus, not Windows Defender alone.

Why it matters: EDR provides the behavioral detection, automated response, and forensic telemetry that traditional antivirus cannot. When a claim is filed, the first question a carrier asks is “what does the EDR telemetry show?” If the answer is “we don’t have EDR,” the claim investigation gets adversarial.

Cost to close: $5-$15 per endpoint/month for a managed EDR solution with SOC monitoring.

3. Email security beyond default protections

What insurers want: Advanced email filtering, anti-phishing protection, and attachment sandboxing beyond what Microsoft or Google provides by default.

Why it matters: Business email compromise (BEC) is the most expensive attack type for SMBs, with average losses exceeding $125,000 per incident according to the FBI’s IC3 reports. Default email filtering catches bulk spam but misses targeted attacks.

4. Backup and recovery with offsite/air-gapped storage

What insurers want: Regular backups stored offsite or air-gapped from the production environment, with documented and tested recovery procedures.

Why it matters: Ransomware resilience is binary — either you can recover from backups or you pay the ransom. Carriers are increasingly requiring documented backup testing (not just that backups exist, but that they have been restored successfully within the past 90 days).

The gap most organizations have: Backups exist but have never been tested, or backup credentials are stored in the same Active Directory domain as production systems — meaning ransomware that compromises the domain also compromises the backups.

5. Patch management with defined timelines

What insurers want: A documented patching process with critical patches applied within 14-30 days and evidence of compliance.

Why it matters: Known vulnerabilities are the second most common attack vector after stolen credentials. An organization running unpatched systems that gets breached through a known vulnerability will face serious scrutiny during a claim.

6. Security awareness training

What insurers want: Annual security awareness training for all employees with phishing simulation testing at least quarterly.

Why it matters: Human error drives the majority of successful attacks. Organizations with active training programs have demonstrably lower phishing click rates and incident rates. Carriers view training as one of the highest-ROI controls.

Cost to close: $2-$5 per user/month for a managed security awareness platform with automated phishing simulations.

7. Privileged access management

What insurers want: Separate admin accounts from daily-use accounts. Admin access limited to the minimum necessary. Privileged actions logged and audited.

Why it matters: When an attacker gains admin credentials, they own the environment. Segregating admin access limits the blast radius of a compromise.

8. Network segmentation

What insurers want: Critical systems and sensitive data isolated from general user network traffic. Flat networks are a red flag.

Why it matters: In a flat network, a compromised workstation can reach every server, database, and backup system. Segmentation forces an attacker to move laterally through controlled chokepoints.

9. Incident response plan

What insurers want: A documented incident response plan that has been tested within the past 12 months. Assigned roles and pre-negotiated relationships with legal counsel and forensics firms.

Why it matters: Organizations without an IR plan take significantly longer to detect and contain incidents, which directly increases the cost of a claim. For a comprehensive incident response framework, see the Incident Response Playbook for SMBs.

10. Encryption at rest and in transit

What insurers want: Data encrypted on storage devices and during transmission. Full disk encryption on all endpoints. TLS enforced on all web applications and email.

Why it matters: Encryption is a regulatory safe harbor in many frameworks. A breach involving encrypted data may not trigger notification requirements — which reduces the claim cost dramatically.

11. Business continuity and disaster recovery plan

What insurers want: A documented BC/DR plan with defined recovery time objectives, tested at least annually.

Why it matters: Business interruption is the largest component of breach costs. A documented BC/DR plan with tested recovery procedures directly reduces the duration and cost of an incident. See the Business Continuity Plan Template for a structured starting point.

12. Logging and monitoring

What insurers want: Centralized logging for critical systems with monitoring and alerting for anomalous activity. Log retention of at least 90 days.

Why it matters: Without logs, there is no forensic evidence. Claims are harder to process and settlements take longer when the carrier cannot establish what happened, when, and what data was affected.

13. Vendor risk management

What insurers want: A process for assessing the security posture of third-party vendors with access to your systems or data.

Why it matters: Supply chain attacks are increasing, and carriers want assurance that you have assessed the risk each vendor introduces before that vendor is given access to your systems or data.

14. DMARC, DKIM, and SPF email authentication

What insurers want: Email authentication records properly configured to prevent domain spoofing.

Why it matters: Domain spoofing is a key enabler of BEC attacks. Properly configured email authentication is a low-cost, high-impact control that carriers specifically check.

Cost to close: $0 — these are DNS record configurations that cost nothing to implement.
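
As an added example (not code from Infonaligy's checklist), the Python check below evaluates SPF and DMARC TXT records against what "properly configured" means in practice: a published DMARC record with p=none only monitors and does not stop spoofing, and an SPF record ending in +all or with no all mechanism permits any source. The domain, records and finding strings are constructed; a live check would fetch the TXT records at the domain and at _dmarc.<domain> first.

```python
"""Evaluate SPF and DMARC records for insurer-style email authentication
readiness. Sample records below are constructed, not queried from DNS."""

# Constructed records for a hypothetical domain (what `dig TXT` would return).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings; an empty list means the SPF record is acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record published"]
    findings = []
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None or all_term.startswith("+"):
        findings.append("SPF: record does not end in ~all or -all, so spoofed sources pass")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("SPF: more than 10 DNS lookups, receivers return permerror")
    return findings


def check_dmarc(record):
    """Return a list of findings; an empty list means the DMARC record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no record published at _dmarc.<domain>"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s monitors only; spoofed mail is still delivered" % (policy or "missing"))
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct<100 leaves a share of spoofed mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports as evidence")
    return findings


def readiness(spf, dmarc):
    """Return (ready, findings) for one domain's SPF and DMARC records."""
    findings = check_spf(spf) + check_dmarc(dmarc)
    return (len(findings) == 0, findings)
```

The aggregate reports requested by rua= are the kind of evidence an underwriter can accept that the policy is actually enforced, not merely published.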

15. Documented security policies

What insurers want: Written policies covering acceptable use, data handling, remote work, and incident reporting. Policies reviewed annually and acknowledged by employees.

Why it matters: Policies establish the organizational standard. Without them, an insurer can argue that the organization had no defined security expectations, weakening the claim.

The relationship between controls and premiums

Cyber insurance pricing is not a single formula, but the relationship between controls and premiums is consistent across carriers:

  • MFA, EDR, and backups are now hard requirements at most carriers. Without them, you may not get coverage at all — or only at punitive rates with high deductibles.
  • Training, patching, and incident response plans are strong premium differentiators. Organizations that can document these controls typically see 15-25% lower premiums compared to those that cannot.
  • The documentation matters as much as the control. An organization with MFA deployed but no evidence of enforcement will be treated the same as an organization without MFA during a claim dispute.

Common mistakes during renewal

  • Answering the questionnaire aspirationally — stating that you “plan to implement” a control as if it is in place. If a claim is filed and the control was not active, the carrier has grounds to deny.
  • Letting IT fill out the questionnaire alone — IT knows what is deployed but may not understand the insurance implications of how they describe it. The CFO and IT should complete the questionnaire together.
  • Not updating coverage as the environment changes — adding cloud services, remote workers, or new data types without notifying the carrier can create coverage gaps.
  • Ignoring sublimits and exclusions — a $1M policy with a $250K ransomware sublimit and a $100K social engineering sublimit provides far less protection than the headline number suggests.

Related resources

This checklist is one component of the CFO Playbook for IT Risk Analysis, alongside other tools that complement your insurance readiness.

Renewal coming up?

Our team can assess your control posture against underwriting requirements and help you negotiate better terms.