
The Cyber Insurance Playbook: Mandatory Security Requirements


Obtaining a cyber insurance policy is no longer a simple check-the-box exercise. A few years ago, underwriters asked three or four high-level questions before issuing a policy. Today, insurance questionnaires span dozens of pages, requesting granular proof of technical controls, network architecture, and employee security habits.

If your organization lacks key controls, underwriters will not simply increase your premium—they will deny coverage outright.

To help you prepare for your next renewal, this playbook details the “Big Three” mandatory controls underwriters expect, the secondary requirements gaining traction, and how to put your organization in the best position to secure coverage.


The “Big Three” Mandatory Controls

If you do not have these three controls active, your policy renewal will likely be blocked. Underwriters view these as the minimum baseline required to stop the vast majority of automated threat campaigns.

1. Multi-Factor Authentication (MFA)

Underwriters expect MFA to be enforced everywhere. Simply having MFA on your primary email accounts is no longer enough. You must show that MFA is enforced for:

  • Remote Access: All VPN connections, virtual desktops, and remote access gateways.
  • Email & Collaboration: All user logins to Microsoft 365, Google Workspace, and email applications.
  • Administrative Access: All administrator accounts on servers, network devices, Active Directory domains, and cloud management consoles.
  • Critical SaaS Applications: Any business tool housing sensitive customer or employee data (e.g., Salesforce, HubSpot, accounting portals).

Note: Default push notifications are increasingly flagged due to “MFA Fatigue” attacks. Underwriters favor number matching or hardware tokens.

2. Isolated, Immutable, or Air-Gapped Backups

Ransomware attackers do not just encrypt production servers; they actively hunt for and delete backups first to force a ransom payment. Insurance carriers want to know that your recovery path is secure. You must prove:

  • Separation: Backups must be housed on a separate network segment or Active Directory domain from your production environment.
  • Immutability: Backups must use technology that prevents modification or deletion for a set retention period (WORM—Write Once, Read Many).
  • Testing: You must document that backup restoration is tested at least semi-annually.

3. Managed Endpoint Detection & Response (EDR / MDR)

Standard, signature-based antivirus software is no longer considered adequate by insurance underwriters. Attackers easily bypass traditional AV using fileless malware and living-off-the-land techniques. Underwriters expect:

  • EDR Deployment: Agent-based monitoring that tracks file execution, process activity, and network connections in real time.
  • 24/7 Security Operations (MDR): EDR alerts must be routed to an active Security Operations Center (SOC) capable of isolating compromised endpoints immediately, even on weekends and holidays.

The “Next Wave” of Underwriter Expectations

As threat actors adapt, underwriters are introducing secondary requirements. Having these in place will improve your risk rating and can lower your annual premium:

| Security Control | Underwriter Expectation | Why it Matters |
| --- | --- | --- |
| Security Awareness Training | Mandatory training for all employees with unannounced monthly phishing simulations. | Reduces the likelihood of employee credential theft (social engineering). |
| Vulnerability Scanning | Continuous internal and external scans with documented remediation of critical findings within 14–30 days. | Closes public-facing security gaps before attackers exploit them. |
| Incident Response Plan (IRP) | A written plan detailing communication trees and containment steps, tested via annual tabletop exercises. | Minimizes business interruption and containment costs if a breach occurs. |
| Vendor Due Diligence | Formal security evaluations of critical SaaS tools, software vendors, and third-party MSPs. | Manages supply-chain risks and vendor-hosted data liability. |

[!TIP] Evaluate Your Eligibility Instantly: Use our free Cyber Insurance Eligibility Estimator to calculate your insurability score out of 100, identify critical baseline gaps, and receive a prioritized remediation checklist.

Action Plan for Your Next Renewal

Do not wait until your policy is 30 days from expiration to look at your renewal questionnaire. Follow this timeline to secure the best rates:

  1. Request the Questionnaire Early (90 Days Out): Ask your broker for the current cyber insurance questionnaire three months before expiration. Requirements change annually, and you need time to audit your configurations.
  2. Conduct an Internal Gap Audit: Map the questionnaire directly against your current IT controls. Work with your internal team or your managed service provider (MSP) to verify that what you write on the form matches what is active on the network. Note: Misrepresenting your controls on an insurance application can void your coverage during a claim.
  3. Bring in Executive Governance: If you have gaps—such as missing MFA on legacy servers or untracked vendor connections—bring in a Fractional CISO to design and execute a fast remediation plan.
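The internal gap audit in step 2 is easier to repeat each renewal cycle if the questionnaire's thresholds are written down as checks rather than re-read from the form. The script below is an added example, not part of the original playbook or any insurer's questionnaire: it encodes the "Big Three" controls and the vulnerability-remediation window from the table above as rules, runs them over a constructed control inventory, and separates findings that would likely block coverage from those that only affect the risk rating. The inventory values, the 183-day reading of "semi-annually", and the use of 30 days as the outer edge of the 14–30 day remediation window are assumptions made for the example.

```python
"""Gap audit against the "Big Three" cyber-insurance controls (added example).

Takes a constructed inventory of an organisation's controls and returns the
findings an underwriter would flag. Thresholds follow the playbook text:
MFA on every listed surface (push-only MFA flagged for MFA fatigue), backups
segregated, immutable and restore-tested within six months, EDR deployed
with 24/7 SOC coverage, and critical vulnerabilities remediated within the
14-30 day window (30 days used as the outer bound; an assumption).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# The four surfaces the playbook says MFA must cover.
MFA_SURFACES = ("remote_access", "email_collaboration", "admin_access", "critical_saas")
# Methods underwriters favour over plain push approval.
PHISHING_RESISTANT_MFA = {"number_matching", "hardware_token"}
BACKUP_TEST_MAX_DAYS = 183        # "at least semi-annually" (assumed as 183 days)
VULN_REMEDIATION_MAX_DAYS = 30    # outer bound of the 14-30 day window (assumed)


@dataclass
class ControlInventory:
    mfa_enforced: Dict[str, bool]      # surface name -> enforced?
    mfa_method: str                    # "push", "number_matching", "hardware_token"
    backup_separate_segment: bool      # separate network segment / AD domain
    backup_immutable: bool             # WORM retention in place
    last_restore_test: date            # most recent documented restore test
    edr_deployed: bool                 # agent-based EDR on endpoints
    soc_24x7: bool                     # alerts routed to a 24/7 SOC (MDR)
    critical_vuln_max_age_days: int    # oldest open critical finding, in days


@dataclass
class Finding:
    severity: str    # "blocking": coverage likely denied; "rating": premium impact
    control: str
    detail: str


def audit(inv: ControlInventory, today: date) -> List[Finding]:
    """Evaluate the inventory and return every gap an underwriter would ask about."""
    findings: List[Finding] = []

    # 1. MFA everywhere, and not just push approval.
    for surface in MFA_SURFACES:
        if not inv.mfa_enforced.get(surface, False):
            findings.append(Finding("blocking", "MFA", f"MFA not enforced for {surface}"))
    if inv.mfa_method not in PHISHING_RESISTANT_MFA:
        findings.append(Finding("rating", "MFA",
                                f"'{inv.mfa_method}' MFA is exposed to MFA-fatigue; "
                                "prefer number matching or hardware tokens"))

    # 2. Isolated, immutable, tested backups.
    if not inv.backup_separate_segment:
        findings.append(Finding("blocking", "Backups",
                                "backups share a network segment or AD domain with production"))
    if not inv.backup_immutable:
        findings.append(Finding("blocking", "Backups", "backups are not immutable (no WORM retention)"))
    test_age = (today - inv.last_restore_test).days
    if test_age > BACKUP_TEST_MAX_DAYS:
        findings.append(Finding("blocking", "Backups",
                                f"last restore test was {test_age} days ago; must be at least semi-annual"))

    # 3. EDR with round-the-clock response.
    if not inv.edr_deployed:
        findings.append(Finding("blocking", "EDR", "no agent-based EDR deployed"))
    elif not inv.soc_24x7:
        findings.append(Finding("blocking", "EDR", "EDR alerts are not routed to a 24/7 SOC (MDR)"))

    # "Next wave": remediation SLA for critical findings.
    if inv.critical_vuln_max_age_days > VULN_REMEDIATION_MAX_DAYS:
        findings.append(Finding("rating", "Vulnerability scanning",
                                f"a critical finding has been open {inv.critical_vuln_max_age_days} days "
                                f"(limit {VULN_REMEDIATION_MAX_DAYS})"))
    return findings


def coverage_blocked(findings: List[Finding]) -> bool:
    """True if any finding is one the playbook says would block renewal."""
    return any(f.severity == "blocking" for f in findings)


# Constructed sample inventory: a typical mid-size organisation part-way through remediation.
SAMPLE_ORG = ControlInventory(
    mfa_enforced={"remote_access": True, "email_collaboration": True, "admin_access": True,
                  "critical_saas": False},
    mfa_method="push",
    backup_separate_segment=True,
    backup_immutable=True,
    last_restore_test=date(2024, 1, 15),
    edr_deployed=True,
    soc_24x7=False,
    critical_vuln_max_age_days=45,
)
AUDIT_DATE = date(2024, 9, 1)   # constructed "today" so the example is deterministic


def sample_findings() -> List[Finding]:
    return audit(SAMPLE_ORG, AUDIT_DATE)


if __name__ == "__main__":
    results = sample_findings()
    for f in results:
        print(f"[{f.severity:8}] {f.control}: {f.detail}")
    print("Renewal likely blocked" if coverage_blocked(results) else "Baseline met")
```

Run against the constructed inventory, the audit reports five gaps: missing MFA on critical SaaS, a 230-day-old restore test, and EDR without 24/7 SOC coverage as blocking items, plus push-only MFA and a 45-day-old critical vulnerability as rating items. The point of keeping the thresholds as named constants is that when the broker sends next year's questionnaire, only those numbers need updating before the audit is re-run.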

By presenting underwriters with a documented, framework-aligned security posture, you demonstrate that your organization is a “good risk,” giving your broker the leverage needed to negotiate better terms and lower premiums.

Need help audit-proofing your security posture for your next cyber insurance renewal? Schedule a consultation with a THOR advisor.

Need assistance implementing these controls?

Our fractional CISOs and security consultants are ready to help secure your organization.