For a long time, cyber insurance underwriting worked much like other business insurance — fill out a questionnaire, pay a premium, get covered. That's no longer true. Insurers have been burned by a wave of ransomware and business email compromise claims, and underwriting has responded by demanding specific, verifiable technical controls before issuing or renewing a policy at all. This article covers what changed, what's now commonly required, and why gaps in these controls create risk at two separate points: getting covered in the first place, and actually getting paid after an incident.
Underwriting has moved from a questionnaire to control verification
Historically, a cyber insurance application was largely a self-reported questionnaire — an organization described its security posture, and the insurer priced the policy accordingly with limited independent verification. Rising claims frequency and severity, especially from ransomware, changed that model. Insurers now routinely require specific, named technical controls as a condition of coverage, and increasingly ask for evidence — not just a checkbox — that those controls are actually in place.
This shift has made insurers a genuine external compliance auditor for many small businesses
Organizations with no regulatory obligation to implement MFA, EDR, or tested backups may still find themselves required to implement all three simply to obtain or renew coverage — cyber insurance has effectively become the most commonly-enforced control framework for businesses that have no HIPAA, PCI DSS, or SOC 2 obligation otherwise.
The controls insurers now commonly require
| Control | Why insurers require it |
|---|---|
| MFA everywhere — especially email, remote access, and privileged accounts | Credential-based attacks (phishing, credential stuffing) remain the most common initial access vector in claims data; unprotected email and remote access are the two highest-frequency entry points |
| Endpoint Detection and Response (EDR) | Signature-based antivirus alone is treated as insufficient to detect and contain modern ransomware and lateral movement techniques |
| Immutable or offline backup copies | Backups that an attacker with domain access can also encrypt or delete provide no real recovery guarantee — insurers now distinguish 'backups exist' from 'backups are actually recoverable during an active incident' |
| A documented, tested incident response plan | Response speed and coordination materially affect claim severity; an untested plan discovered mid-incident is a well-known driver of prolonged downtime |
| Email filtering / advanced threat protection | Email remains the dominant delivery mechanism for both phishing and malicious attachments that lead to claims |
Application gaps mean denied coverage — after-the-fact gaps mean denied claims
Insurers are increasingly explicit that these controls are conditions, not suggestions, and the consequence of a gap depends on when it's discovered.
- Discovered during underwriting: the application is declined, or coverage is offered with a significantly higher premium, a sublimit specifically for ransomware, or an exclusion tied to the missing control.
- Discovered after a claim: this is the more severe and increasingly common scenario. An insurer investigating a breach — which now routinely includes a forensic review of what controls were actually in place at the time of the incident — can find that a control claimed on the application (commonly MFA) was not actually enforced organization-wide, or was disabled for a specific account or legacy system.
Misrepresenting controls on an application can void a claim
If a post-incident forensic investigation finds that a control described as "in place" on the insurance application was not actually implemented — MFA enforced organization-wide but actually excluded for a service account or legacy application, for example — the insurer can deny the claim entirely on the basis of material misrepresentation, independent of the merits of the incident itself. This has become one of the most consequential and avoidable failure modes in cyber insurance: an organization believes it is covered, experiences an incident, and discovers during the claims process that a gap between what was claimed and what was actually configured voids the payout.
This risk makes an honest, verified inventory of actual control state — not the organization's belief about its control state — essential before submitting or renewing an application, not just before an incident.
Why this has made cyber insurance a genuine de facto framework
For small and mid-sized businesses with no HIPAA, PCI DSS, or other regulatory obligation, cyber insurance renewal has quietly become the most consistently enforced external check on baseline security controls. Unlike many voluntary frameworks, it comes with a real, recurring, financially-motivated verification point — the annual or biannual renewal cycle — and real consequences for gaps, both in premium cost and in claim outcomes. Treating renewal as a continuous control-verification exercise, rather than a one-time application filled out once and forgotten, is the practical implication of this shift.
Common mistakes
- Filling out the application based on intended policy rather than verified, current configuration. MFA "required by policy" but not technically enforced everywhere is exactly the gap that surfaces during a claims investigation.
- Treating backup existence as sufficient without verifying immutability or offline isolation. A backup an attacker can also encrypt does not meet what most underwriters now actually mean by "backup."
- Writing an incident response plan and never testing it. An untested plan often fails in ways only a tabletop exercise or real incident reveals — usually at the worst possible time.
- Renewing coverage without re-verifying controls since the last application. Environments change — new accounts, new legacy systems, new exceptions — and a control accurate a year ago may no longer be accurate at renewal.
FAQ
Does having cyber insurance mean we don't need to invest further in security? No — insurance transfers financial risk but does not prevent an incident, and increasingly requires the same baseline controls a strong security program would recommend anyway. It's best understood as a backstop layered on top of real controls, not a substitute for them.
What happens if we can't meet a required control by renewal time? Insurers may offer renewal with a higher premium, a coverage sublimit, or a specific exclusion tied to the gap, rather than declining outright — but the honest, disclosed path is materially safer than claiming a control that isn't actually in place.
Is MFA really required for every single account, including service accounts? Underwriting language increasingly pushes toward "everywhere," including privileged and service accounts where feasible, precisely because attackers specifically target the accounts least likely to have MFA enforced. See Multi-Factor Authentication: Methods and Best Practices for how to reason about coverage across account types.
Related reading
- Compliance Fundamentals
- Governance vs. Compliance
- Multi-Factor Authentication: Methods and Best Practices
- Ransomware Recovery Planning — the specific backup immutability requirement insurers verify
- Backup Strategy Guide
- Download: Compliance Checklist