Table of Contents
- Cyber Insurance Requirements: What Insurers Expect Before They Quote
- Why Requirements Tightened
- Controls That Determine Eligibility
- Controls That Affect Pricing, Not Just Eligibility
- What Misrepresentation Actually Costs You
- Industry-Specific Considerations
- The Application Timeline
- How an MSP Affects Your Underwriting Position
- Frequently Asked Questions
- 1. Does general liability insurance cover a ransomware attack or data breach?
- 2. What does cyber insurance actually pay for — and what does it typically exclude?
- 3. What is a retroactive date on a cyber policy, and why does it matter?
- 4. Does a cyber insurance claim get denied if controls slip after the policy is issued?
- 5. Is social engineering and funds transfer fraud covered under a standard cyber policy?
- 6. What coverage limits should a small business carry?
- 7. What is tail coverage and when do you need it?
- 8. How often should a business review its cyber insurance coverage?
- 9. Can switching to a managed IT provider lower our cyber insurance premiums?
- 10. What evidence should we have ready before submitting a cyber insurance application?
Cyber Insurance Requirements: What Insurers Expect Before They Quote
A few years ago, getting cyber insurance meant answering a short questionnaire and waiting two days for a quote. That market is gone. After billions in ransomware payouts between 2020 and 2024, insurers rebuilt underwriting from the ground up. Today's applications ask for screenshots, configuration exports, and evidence of tested controls — not verbal attestations. Much of this is the same documentation required for CMMC certification; defense contractors working toward compliance will find that CMMC certification satisfies many of the technical controls insurers now require. Companies without the baseline controls are being declined outright. Those with documented, verified security programs qualify faster and pay meaningfully less.
This article covers what insurers now require before they'll quote, which controls affect eligibility versus pricing, what misrepresenting your posture actually costs you, and how HIPAA and CMMC obligations interact with underwriting requirements.
Why Requirements Tightened
Ransomware drove the shift. The volume and severity of claims between 2020 and 2022 forced insurers to rethink the model entirely. Premiums rose 73% in 2021 and over 50% in 2022. Carriers who had been writing policies based on self-reported checklists found that what organizations said they had and what they actually had were frequently different things.
The result: underwriting moved from questionnaire-based to evidence-based. Carriers now run external attack surface scans during the application process — roughly three out of four do, according to current broker reporting. Self-attestation is no longer the end of the conversation. And the consequences of misrepresentation are significant: in Travelers v. International Control Services (2022), a court rescinded a $1 million cyber policy after forensic review found that the insured had attested to full MFA implementation but only had it deployed on one firewall. Coverage voided retroactively.
The market softened on pricing from 2022 through 2025 as competition among carriers increased, but control requirements did not soften with it. As of 2026, underwriting scrutiny is tightening again. S&P Global projects 15 to 20 percent premium growth over the next 12 months, even for accounts with clean loss histories.
Controls That Determine Eligibility
Some controls are non-negotiable — missing them means a denial before pricing is even discussed. The list has stabilized across most carriers:
Multi-Factor Authentication
MFA on email, VPN, remote access, and all administrative accounts is a hard requirement at virtually every carrier. The Change Healthcare breach in 2024 — a $22 million ransom payment, $872 million in immediate response costs, and a single unprotected Citrix portal without MFA — has become the standard industry reference for why this isn't negotiable. Many insurers now ask about MFA coverage on a per-application basis rather than accepting a blanket yes. SMS-based MFA is increasingly scrutinized; phishing-resistant options (hardware keys, authenticator apps) are preferred.
Coalition's 2024 Cyber Threat Index found that 82% of claims involved organizations without MFA. Marsh McLennan's 2024 report found 41% of applications get denied on first submission, with missing MFA and inadequate endpoint protection as the top two reasons.
Endpoint Detection and Response (EDR)
Traditional antivirus doesn't qualify at most carriers. What's required is behavioral detection with active response and containment capability — CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and similar platforms. Coverage must extend to all endpoints: servers, workstations, and laptops. Servers-only deployments are a common gotcha that delays or sinks quotes.
Some insurers now distinguish between unmanaged EDR (deployed but monitored internally) and managed EDR through an MDR provider, with better terms offered for the latter. If your EDR generates alerts that nobody reviews, it's treated as a control gap.
Immutable, Tested Backups
Backup architecture is scrutinized more closely than almost any other control, because attackers now specifically target backups before deploying ransomware. Coalition data shows 94% of organizations hit by ransomware saw threat actors target backup systems. Insurers want a 3-2-1 architecture — three copies, two media types, one offline or immutable — with documented, timed restore tests. An untested backup is treated as no backup for underwriting purposes.
Object lock, air-gapped copies, and vaulted storage all satisfy the immutability requirement. Cloud snapshots without immutability do not.
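The following is an added example, not code from the article or from Stratify IT. It checks a backup inventory against the 3-2-1 expectation described above (three copies, two media types, one offline or immutable) and against the restore-test requirement, and it treats a non-immutable cloud snapshot the way the text says underwriters do. The inventories, field names and the 90-day restore-test cadence are constructed assumptions.

```python
"""
Added example, not code from the article or from Stratify IT: check a backup
inventory against the 3-2-1 expectation (three copies, two media types, one
offline or immutable) and against the restore-test requirement. The
inventories, field names and the 90-day restore-test cadence are constructed
assumptions.
"""
from datetime import date

# Constructed inventory that should pass: three copies of one dataset.
COPIES_OK = [
    {"name": "primary-nas", "media": "disk", "immutable": False, "offline": False},
    {"name": "cloud-bucket", "media": "object_storage", "immutable": True, "offline": False},
    {"name": "tape-vault", "media": "tape", "immutable": False, "offline": True},
]
RESTORE_TESTS_OK = [date(2024, 9, 14), date(2025, 1, 20)]  # dates of documented, timed restore tests

# Constructed inventory that should fail: a volume plus a non-immutable cloud snapshot, never restored.
COPIES_SNAPSHOT_ONLY = [
    {"name": "prod-volume", "media": "disk", "immutable": False, "offline": False},
    {"name": "cloud-snapshot", "media": "disk", "immutable": False, "offline": False},
]
RESTORE_TESTS_NONE = []

AS_OF = date(2025, 3, 1)   # fixed report date so results are reproducible
MAX_TEST_AGE_DAYS = 90     # assumed cadence for a timed restore test


def evaluate_backups(copies, restore_tests, as_of=AS_OF, max_test_age=MAX_TEST_AGE_DAYS):
    """Return the findings an underwriter would raise; an empty list means the control holds."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 expects three")
    media = sorted({c["media"] for c in copies})
    if len(media) < 2:
        findings.append(f"only one media type ({', '.join(media)}); 3-2-1 expects two")
    # Either object lock / vaulted immutability or an offline copy satisfies the "one" in 3-2-1.
    isolated = [c["name"] for c in copies if c["immutable"] or c["offline"]]
    if not isolated:
        findings.append("no offline or immutable copy; snapshots without immutability do not count")
    last_test = max(restore_tests) if restore_tests else None
    if last_test is None:
        findings.append("no documented restore test; treated as no backup for underwriting")
    elif (as_of - last_test).days > max_test_age:
        findings.append(f"last restore test {(as_of - last_test).days} days ago exceeds {max_test_age}")
    return {
        "copies": len(copies),
        "media_types": media,
        "isolated_copies": isolated,
        "last_restore_test": last_test,
        "findings": findings,
        "meets_requirement": not findings,
    }


if __name__ == "__main__":
    for label, copies, tests in (("3-2-1 set", COPIES_OK, RESTORE_TESTS_OK),
                                 ("snapshot only", COPIES_SNAPSHOT_ONLY, RESTORE_TESTS_NONE)):
        result = evaluate_backups(copies, tests)
        print(label, "->", "OK" if result["meets_requirement"] else result["findings"])
```

The findings list is deliberately phrased as the objection an underwriter would raise, so the same output doubles as the remediation list for the proof pack.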
Documented Incident Response Plan
A written IR plan is required. An untested one is flagged. Carriers want evidence of tabletop exercises — documentation of when the last one ran, who participated, and what gaps were identified and closed. The first 72 hours of an incident determine most of what follows; insurers have figured out that organizations with practiced response plans generate significantly smaller claims.
Email Security and Security Awareness Training
Gateway or API-based email filtering is required. Annual one-time security awareness training is no longer sufficient — carriers want recurring training with phishing simulation results from the last 12 months. Business email compromise (BEC) and funds transfer fraud accounted for 60% of all claims in 2025 according to Coalition, which explains why email controls get this level of attention.
Patch Management
Carriers expect documented SLAs for patching critical vulnerabilities — typically within 7 to 15 days — along with recurring vulnerability scans and evidence of remediation. RMM patch compliance reports and scan summaries with trend lines are the standard evidence format. End-of-life systems in production are a significant underwriting concern; they frequently appear as the entry point in post-breach forensic reports.
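As an added example (not code from the article or from Stratify IT), the script below computes the kind of remediation-timeline summary and month-by-month trend that the paragraph above describes, from a vulnerability scanner export. The column layout, the sample rows, and the 7-day critical / 15-day high thresholds are constructed assumptions chosen inside the 7-to-15-day range in the text; a real scanner export will use its own column names.

```python
"""
Added example, not code from the article or from Stratify IT: measure
patch-SLA compliance from a vulnerability scanner export. The column layout,
sample rows and SLA thresholds are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed scanner export: one row per finding; an empty 'remediated' means still open.
SCAN_EXPORT = """\
host,plugin_id,severity,first_seen,remediated
srv-web01,P-1001,critical,2025-01-03,2025-01-08
srv-web01,P-1002,high,2025-01-03,2025-01-20
ws-014,P-1001,critical,2025-01-05,
srv-db01,P-1003,critical,2025-01-10,2025-01-30
srv-legacy,P-1004,critical,2024-11-01,
srv-app01,P-1005,critical,2025-01-28,
ws-020,P-1006,low,2025-01-15,
"""

SLA_DAYS = {"critical": 7, "high": 15}  # assumed policy; 'low' has no SLA here and is not scored
AS_OF = date(2025, 2, 1)                # fixed report date so results are reproducible


def days_open(row, as_of):
    """Age of a finding: first_seen to remediation, or to the report date if still open."""
    start = date.fromisoformat(row["first_seen"])
    end = date.fromisoformat(row["remediated"]) if row["remediated"] else as_of
    return (end - start).days


def sla_report(csv_text, as_of=AS_OF, sla=SLA_DAYS):
    """Score every finding that has an SLA and list the breaches, closed or still open."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    scored = []
    for r in rows:
        limit = sla.get(r["severity"])
        if limit is None:
            continue
        age = days_open(r, as_of)
        scored.append({
            "host": r["host"], "plugin_id": r["plugin_id"], "severity": r["severity"],
            "age_days": age, "sla_days": limit,
            "within_sla": age <= limit, "open": not r["remediated"],
        })
    within = [f for f in scored if f["within_sla"]]
    breaches = [f for f in scored if not f["within_sla"]]
    return {
        "scored": len(scored),
        "within_sla": len(within),
        "compliance_pct": round(100.0 * len(within) / len(scored), 1) if scored else 0.0,
        "breaches": [(f["host"], f["plugin_id"], f["severity"], f["age_days"]) for f in breaches],
        # Still-open findings past their SLA are the ones a forensic report would call the entry point.
        "open_overdue": [(f["host"], f["plugin_id"]) for f in breaches if f["open"]],
    }


def trend_by_month(csv_text, as_of=AS_OF, sla=SLA_DAYS):
    """Findings grouped by the month they were first seen: (within SLA, total)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    buckets = defaultdict(lambda: [0, 0])
    for r in rows:
        limit = sla.get(r["severity"])
        if limit is None:
            continue
        month = r["first_seen"][:7]
        buckets[month][1] += 1
        if days_open(r, as_of) <= limit:
            buckets[month][0] += 1
    return {m: tuple(v) for m, v in sorted(buckets.items())}


if __name__ == "__main__":
    rep = sla_report(SCAN_EXPORT)
    print(f"{rep['within_sla']}/{rep['scored']} findings within SLA ({rep['compliance_pct']}%)")
    for host, plugin, sev, age in rep["breaches"]:
        print(f"  breach: {host} {plugin} {sev} open {age} days")
    print("trend:", trend_by_month(SCAN_EXPORT))
```

Note that a finding remediated late still counts as a breach: the SLA metric underwriters want is time-to-remediate, not whether the vulnerability is eventually closed.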
Privileged Access Management
Separation of day-to-day access from privileged access is increasingly a discrete underwriting question. Least-privilege access controls, just-in-time access for administrative functions, and MFA specifically on privileged accounts are what carriers are looking for. Network segmentation — preventing lateral movement once an attacker is inside the perimeter — is required by approximately 70% of carriers, per current broker data.
Controls That Affect Pricing, Not Just Eligibility
Beyond the eligibility threshold, documented controls move premiums in real ways. Broker benchmarking data shows that verified security posture can affect premiums by 20 to 40 percent in either direction at renewal. For a mid-market business paying $20,000 a year with mediocre controls, the swing between a favorable and unfavorable renewal can be $5,000 to $7,000 annually.
Controls that typically unlock premium credits: log retention of at least 12 months across firewall, authentication, endpoint, email, and cloud platforms; continuous monitoring with documented mean-time-to-detect metrics; third-party vendor risk management with tiered requirements and security attestations on file; and tabletop exercise cadence with documented remediation of action items. Providing a "proof pack" before submission — MFA coverage reports, EDR agent health exports, patch compliance summaries, last IR tabletop documentation — compresses underwriting cycles and signals maturity.
What Misrepresentation Actually Costs You
The NAIC reported that in 2024, 28,555 cyber insurance claims closed without payment compared to 9,941 that paid. Not all of those are outright denials — some are withdrawn claims or below-deductible incidents — but the ratio signals a clear pattern: insurers scrutinize claims closely, and gaps in security controls give them grounds to limit or deny coverage.
Misrepresentation is the most consequential risk. If you attest that MFA is enforced across all administrative access and forensic review after a breach finds a single account where it was disabled, your insurer can rescind the policy retroactively. The Travelers v. ICS case established this precedent clearly. Checking yes when the answer is "mostly" or "except for these accounts" creates more liability than the coverage gap you were trying to hide.
The practical implication: before signing an application, verify your controls actually match your attestations. Pull MFA coverage reports from your identity provider. Confirm EDR agent health across every endpoint. Locate your last IR plan and the date of the most recent tabletop.
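The check described above, as an added example that is not code from the article or from Stratify IT: it reconciles the two attestations most often challenged after a breach (MFA on every administrative account, EDR healthy on every endpoint including servers) against exported evidence, and produces the literal answer the application should carry, including the exception list, instead of a blanket "yes". The CSV layouts, the sample rows, the seven-day staleness threshold and the fixed report time are constructed assumptions; real identity-provider and EDR console exports will have different column names.

```python
"""
Added example, not code from the article or from Stratify IT: reconcile the
MFA and EDR attestations against exported evidence before signing. CSV
layouts, sample rows and thresholds are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed identity-provider export: one row per account.
IDP_EXPORT = """\
user,role,mfa_method,mfa_enforced
alice@example.test,admin,fido2,true
bob@example.test,admin,authenticator_app,true
carol@example.test,user,sms,true
dave@example.test,admin,none,false
svc-backup@example.test,service,none,false
erin@example.test,user,authenticator_app,true
"""

# Constructed EDR console export: one row per host the console knows about.
EDR_EXPORT = """\
hostname,kind,agent_status,last_checkin
ws-001,workstation,healthy,2025-03-10T09:00:00
ws-002,workstation,healthy,2025-03-10T08:30:00
srv-db01,server,healthy,2025-03-09T23:15:00
srv-file01,server,missing,
lt-007,laptop,healthy,2025-02-01T12:00:00
"""

AS_OF = datetime(2025, 3, 10, 12, 0, 0)   # fixed clock so results are reproducible
STALE_AFTER = timedelta(days=7)            # assumed: an agent silent this long is not "healthy"
PHISHING_RESISTANT = {"fido2", "authenticator_app"}  # SMS counts as enforced but is flagged as weak


def mfa_coverage(csv_text):
    """Per-account MFA status, with administrative accounts reported separately."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    admins = [r for r in rows if r["role"] == "admin"]
    admin_gaps = [r["user"] for r in admins if r["mfa_enforced"].lower() != "true"]
    all_gaps = [r["user"] for r in rows if r["mfa_enforced"].lower() != "true"]
    weak = [r["user"] for r in rows
            if r["mfa_enforced"].lower() == "true" and r["mfa_method"] not in PHISHING_RESISTANT]
    covered = len(admins) - len(admin_gaps)
    return {
        "admin_total": len(admins),
        "admin_covered": covered,
        "admin_pct": round(100.0 * covered / len(admins), 1) if admins else 0.0,
        "admin_gaps": admin_gaps,
        "all_gaps": all_gaps,
        "weak_method": weak,
        "can_attest_all_admin_mfa": not admin_gaps,
    }


def edr_health(csv_text, as_of=AS_OF, stale_after=STALE_AFTER):
    """Agent health per host; a missing or stale agent counts as an uncovered endpoint."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    problems = []
    for r in rows:
        if r["agent_status"] != "healthy" or not r["last_checkin"]:
            problems.append((r["hostname"], r["kind"], r["agent_status"] or "missing"))
            continue
        last_seen = datetime.fromisoformat(r["last_checkin"])
        if as_of - last_seen > stale_after:
            problems.append((r["hostname"], r["kind"], "stale"))
    healthy = len(rows) - len(problems)
    servers = [r for r in rows if r["kind"] == "server"]
    server_problems = [p for p in problems if p[1] == "server"]
    return {
        "endpoints_total": len(rows),
        "healthy": healthy,
        "healthy_pct": round(100.0 * healthy / len(rows), 1) if rows else 0.0,
        "problems": problems,
        "servers_total": len(servers),
        "servers_healthy": len(servers) - len(server_problems),
        "can_attest_all_endpoints": not problems,
    }


def attestation_answers(idp_csv, edr_csv, as_of=AS_OF):
    """Turn the evidence into the literal answers the application should carry."""
    mfa = mfa_coverage(idp_csv)
    edr = edr_health(edr_csv, as_of)
    answers = {}
    if mfa["can_attest_all_admin_mfa"]:
        answers["mfa_all_admin"] = "Yes"
    else:
        answers["mfa_all_admin"] = "No; exceptions: " + ", ".join(mfa["admin_gaps"])
    if edr["can_attest_all_endpoints"]:
        answers["edr_all_endpoints"] = "Yes"
    else:
        answers["edr_all_endpoints"] = "No; exceptions: " + ", ".join(
            f"{h} ({k}, {why})" for h, k, why in edr["problems"])
    return answers


if __name__ == "__main__":
    for question, answer in attestation_answers(IDP_EXPORT, EDR_EXPORT).items():
        print(f"{question}: {answer}")
```

The design point is that a single disabled account or a single server without a healthy agent flips the answer to "No" with a named exception list, which is exactly the disclosure that keeps a later forensic finding from becoming a misrepresentation claim.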
Industry-Specific Considerations
Healthcare
The technical safeguards required under the HIPAA Security Rule — access controls, audit logging, encryption, contingency planning — map directly onto what cyber insurers require. If your HIPAA security program is well-documented and current, it serves double duty as underwriting evidence. The gap most healthcare organizations face is documentation: the controls exist but aren't recorded in a format that satisfies either an OCR audit or an insurance application. Healthcare-specific policies typically carry higher limits ($2M to $5M is common) given HIPAA's breach notification requirements and the cost of OCR investigations.
Defense Contractors
CMMC Level 2 requires the same layered security architecture that cyber insurers want: MFA, EDR, access control, logging, incident response, and a documented System Security Plan. A contractor who has completed CMMC readiness work — gap assessment, SSP, POA&M remediation — is well-positioned for cyber insurance underwriting because the documentation already exists. The SSP and the insurance application are asking many of the same questions. Where they diverge: CMMC requires GCC High for CUI workloads, while insurers care about the control implementation regardless of which cloud tenant it runs in.
Professional Services and Law Firms
Client confidentiality obligations and the sensitivity of data held — M&A details, litigation strategy, privileged communications — make law firms attractive targets and push underwriters to ask harder questions about access controls and data handling. Many carriers now ask specifically about matter management platforms, document storage controls, and whether client data is segregated. Third-party vendor risk management is particularly scrutinized given how many firms use external document review platforms and e-discovery services.
The Application Timeline
Start the application process 60 to 90 days before you need coverage. Applications with all controls in place and evidence ready take two to four weeks for underwriting approval. Applications requiring security improvements before a carrier will quote can take two to three months. Waiting until a contract or renewal deadline forces the issue creates pressure that leads to either rushed attestations or gaps in coverage.
A practical 90-day sequence: Days 0 to 30, inventory gaps — pull MFA coverage reports, confirm EDR agent health across every endpoint including servers, locate IR plan documentation, list critical vendors and their security attestations. Days 31 to 60, close the gaps — run a tabletop, remediate high-risk vulnerabilities, validate monitoring and alerting flows end-to-end. Days 61 to 90, package evidence and engage a broker with a proof pack ready before the application goes out.
How an MSP Affects Your Underwriting Position
A managed IT relationship changes the underwriting conversation in a few ways. MSPs typically deploy RMM platforms that generate the patch compliance reports and EDR coverage exports that underwriters want as evidence. Managed detection and response (MDR) through an MSP provides the 24/7 monitoring posture that some carriers now require for favorable terms. And an MSP that has formalized its security stack — standardized tooling, documented SLAs, incident response runbooks — can provide the kind of vendor attestation that satisfies third-party risk management requirements.
The caveat: a managed IT relationship doesn't automatically satisfy underwriting requirements. It depends on what the MSP actually does. An MSP that manages your network but doesn't deploy EDR, enforce MFA, or maintain backup isolation isn't moving your underwriting position. Before your next renewal, ask your provider specifically what evidence they can generate for your insurance application and what gaps remain your responsibility.
If recurring security gaps are creating coverage problems or premium pressure, contact Stratify IT to discuss what a managed security engagement looks like for your environment. Stratify IT does not sell cyber insurance, but we help clients build and document the security posture that determines what coverage they can get and what they pay for it.
Frequently Asked Questions
1. Does general liability insurance cover a ransomware attack or data breach?
No. Standard general liability policies exclude cyber incidents almost universally. The coverage gap is significant: GL policies are designed for bodily injury and property damage, and courts have consistently ruled that data and digital assets don't qualify as "property" under those definitions. If your business experiences a ransomware attack, breach notification costs, forensic investigation, and business interruption losses all land out of pocket without a standalone cyber policy.
2. What does cyber insurance actually pay for — and what does it typically exclude?
First-party coverage pays your direct costs: forensic investigation, data recovery, business interruption, ransom payments (where legal), and breach notification. Third-party coverage handles liability claims, regulatory defense, and fines. Common exclusions: incidents attributed to nation-states or acts of war (the NotPetya litigation established this as a genuine dispute), social engineering and funds transfer fraud (often requires a separate endorsement), pre-existing breaches, and infrastructure upgrades you should have made before the incident. Review sublimits carefully — a $2M policy with a $250K ransomware sublimit caps your ransomware coverage at $250K.
3. What is a retroactive date on a cyber policy, and why does it matter?
A retroactive date sets the earliest incident the policy will cover. A policy with a January 1, 2025 retroactive date won't cover an intrusion that began in December 2024, even if you discover it during the active policy period. This matters because many breaches — particularly data exfiltration — go undetected for months. When shopping policies, negotiate for the earliest retroactive date the carrier will offer, and pay attention to how "discovery" is defined in the policy language.
4. Does a cyber insurance claim get denied if controls slip after the policy is issued?
Yes. Policies require you to maintain the security controls you attested to during underwriting — not just at the time of application. If a covered incident occurs and forensic review finds that MFA was disabled on a VPN account three months after the policy was issued, the carrier has grounds to deny the claim or reduce the payout based on material change in risk. Some carriers conduct mid-term check-ins; others only find out at renewal or during a claim. Either way, the obligation to maintain controls is continuous, not one-time.
5. Is social engineering and funds transfer fraud covered under a standard cyber policy?
Not automatically. Business email compromise and funds transfer fraud — where an employee is tricked into wiring money to an attacker-controlled account — is one of the most common cyber losses but frequently excluded from base policies or subject to low sublimits. Coalition's 2025 data shows BEC and funds transfer fraud accounted for 60% of all claims. If your business handles wire transfers, payroll, or vendor payments, verify whether your policy covers social engineering fraud and at what limit, and add an endorsement if it doesn't.
6. What coverage limits should a small business carry?
Most small businesses start with $1M in coverage, but the right limit depends on revenue, data volume, and industry. A 25-person professional services firm with strong controls might pay $3,000 to $5,000 annually for $2M in coverage. Healthcare organizations and those handling payment card data typically need $2M to $5M given breach notification obligations and regulatory exposure. The practical floor for any business handling customer PII is $1M — below that, a single forensic and legal engagement can exhaust the policy before business interruption costs are addressed.
7. What is tail coverage and when do you need it?
Tail coverage — formally called an extended reporting period endorsement — extends your window to report a claim after your policy expires or is cancelled. Standard cyber policies are claims-made, meaning the incident must be reported while the policy is active. If you discover a breach six months after your policy lapsed, you're not covered without tail coverage. It's particularly relevant when switching carriers, closing a business, or if a key executive departs and coverage lapses during the transition.
8. How often should a business review its cyber insurance coverage?
Annually at minimum, and any time the business changes materially. A new acquisition, a shift to cloud infrastructure, a new line of business that handles different data types, or a significant headcount increase can all change your risk profile enough to warrant a coverage review mid-term. The practical trigger: if anything about your IT environment, data handling, or revenue has changed significantly since you last applied, your current limits and terms may no longer reflect your actual exposure. Start the renewal process 60 to 90 days before expiration to leave time for underwriting and any required remediation.
9. Can switching to a managed IT provider lower our cyber insurance premiums?
It can, depending on what the MSP actually deploys and documents. Carriers price posture, and an MSP that standardizes MFA enforcement, deploys EDR across all endpoints, maintains immutable backups, and generates the coverage reports underwriters want as evidence directly improves your underwriting position. Some carriers have formalized this through vetted MSP programs that offer streamlined underwriting and premium credits for clients of participating providers. The caveat: not every MSP delivers at this level. Before renewal, ask your provider what evidence they can generate for your application — MFA enrollment reports, EDR agent health exports, patch compliance summaries — and where the gaps remain your responsibility.
10. What evidence should we have ready before submitting a cyber insurance application?
Underwriters now want documentation, not just attestations. Prepare: MFA coverage reports from your identity provider showing enrollment by account type; EDR console exports showing agent health across all endpoints including servers; backup architecture diagram with immutability settings and the date of your last timed restore test; your incident response plan and the date of the last tabletop with a summary of action items closed; patch compliance reports showing remediation timelines for critical vulnerabilities; and any vendor security attestations for third parties with access to your systems. Having this packaged before submission compresses the underwriting cycle and signals control maturity to the carrier.