The Short Version
Cyber insurance underwriters spent several years paying claims without adequate controls documentation, and they’ve corrected course dramatically. Premiums have increased, coverage limits have decreased, and the list of required controls has grown. Many businesses discover their inadequate security posture only when a renewal is denied or a claim is rejected after a breach. This guide explains what underwriters actually evaluate, which controls are non-negotiable, and why some claims get denied even when coverage exists.
What Underwriters Actually Look For
The cyber insurance market fundamentally changed between 2020 and 2023. Loss ratios climbed above 70% for many carriers as ransomware claims exploded. The response was aggressive: mandatory security questionnaires expanded from 10-15 questions to 80-100+, technical controls began to be verified rather than self-attested, and exclusions multiplied.
Modern underwriting evaluates two dimensions: security posture (the controls you have in place) and exposure surface (the data you hold and the systems you operate). A law firm holding client confidential information has different exposure than a landscaping company, even at identical revenue. Both dimensions are assessed.

The Controls That Matter Most
Underwriters have converged on a core set of controls that appear on virtually every application. These are not suggestions: a missing control results in denial, a significant premium increase, or a coverage exclusion that carves out exactly the breach scenarios you are trying to insure against.
Multi-factor authentication (MFA)
MFA is required, not preferred. Underwriters ask about MFA coverage separately for email, remote access (VPN and RDP), privileged accounts, and cloud services. A “yes” for email but “no” for remote access is not an acceptable answer: VPN and RDP logins without MFA are among the most common ransomware entry points. Some carriers now require phishing-resistant MFA (FIDO2 security keys or certificate-based authentication rather than SMS or app codes) for privileged accounts specifically.
Endpoint Detection and Response (EDR)
Traditional antivirus is no longer considered adequate by most underwriters. Endpoint Detection and Response (EDR) solutions — CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and similar — provide behavioral detection, threat hunting, and automated response capabilities that signature-based antivirus cannot match. Many applications now ask specifically about EDR coverage percentage across all endpoints.
Privileged Access Management (PAM)
Underwriters want to know how administrative credentials are managed. Are admin passwords unique? Are they rotated? Are they stored in a password manager or vault? Is privileged access used only for privileged tasks (i.e., admins have separate standard user accounts for daily work)? Shared admin passwords or administrators who also use admin credentials for email represent significant risk to underwriters.
Backup and recovery
Ransomware makes backups the decisive control for recovery cost. Underwriters ask about backup frequency, retention period, offsite or cloud storage, and, critically, whether restores are actually tested. The question that gets businesses into trouble is: “Are your backups stored in an environment that is inaccessible from your primary network?” Backups that are reachable from production, or writable with credentials that production hosts and administrators hold, are routinely encrypted or deleted before the ransomware payload is deployed. An offline or immutable copy that no production credential can modify is what the question is probing for.
MFA: The Non-Negotiable
It bears emphasizing: MFA is the single control that underwriters treat as a binary pass/fail gate. Some carriers will not provide a quote at all without confirmation of MFA on email and remote access, regardless of all other controls. The reasoning is actuarial — accounts without MFA are compromised orders of magnitude more frequently than those with it, and the claim frequency directly impacts carrier loss ratios.
For businesses still running some accounts without MFA, the time to fix this is before the renewal application, not after a breach. A claim filed by an organization that did not have MFA on the compromised account may be denied for material misrepresentation if the application indicated MFA was in place, or under a policy exclusion for “failure to maintain minimum security standards” even if the application was accurate when it was signed.
Why Claims Get Denied Post-Breach
Coverage denial after a breach is more common than most businesses expect. The primary mechanisms:
- Material misrepresentation: If your application stated that MFA was enabled on all remote access and it wasn’t, the carrier may void the policy entirely — not just deny the specific claim. This is the nuclear scenario.
- Prior known incidents clause: If there were indicators of compromise before the policy effective date, even ones you had not noticed, some carriers can deny claims relating to that incident. This makes log retention and incident response documentation critical, because it is what establishes when an intrusion actually began.
- War exclusions: Several major carriers have attempted to invoke war exclusions for nation-state attributed attacks. This is still being litigated, but it’s a real risk for businesses in critical industries.
- Failure to maintain security controls: Some policies require that you maintain the controls described in your application throughout the policy term. A lapse — say, letting EDR expire or disabling MFA for a contractor — can create a coverage gap.
How Premiums Are Calculated Now
Premiums in the current market are driven by several factors: revenue (as a proxy for breach cost), industry (healthcare and financial services carry higher premiums), data sensitivity (PII volume matters), incident history (prior claims or ransomware events), coverage limits and deductibles, and — increasingly — verified control scores.
Businesses with strong, documented security postures and clean claims history can negotiate meaningfully. Having a current security risk assessment, incident response plan, and documented training program provides leverage with underwriters. Some carriers offer credits of 10-25% for specific certifications (SOC 2, CMMC, Cyber Essentials).
What a Good Application Looks Like
The businesses that secure favorable cyber insurance terms share common characteristics: they can answer every question on the application accurately and specifically, they have documentation to support their answers, and they’ve had a security assessment or audit within the past 12 months. They also have an incident response plan that has been tested — table-top exercises count, and carriers increasingly ask for this.
Going into a renewal application blind — filling it out from memory without reviewing your actual controls — is how businesses end up with inaccurate applications and exposure they don’t know about. A pre-renewal security review closes this gap.
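The four controls above and the pre-renewal review come down to a handful of yes/no and percentage questions that should be answered from an inventory rather than from memory. The following Python script is an added illustration of such a review; it is not code from the article, from the author's firm or from any carrier's questionnaire. The record shapes, the category names, the 90-day restore-test threshold and the sample accounts and hosts are all assumptions.

```python
# Added example: a pre-renewal control audit over a constructed inventory.
# Record shapes, category names and the 90-day restore threshold are assumptions.
from dataclasses import dataclass, field
from typing import Optional

REMOTE_ACCESS = {"vpn", "rdp"}   # the "remote access" column on the application
RESTORE_TEST_MAX_DAYS = 90       # assumed threshold for "backups are tested"

@dataclass
class Account:
    name: str
    access: set = field(default_factory=set)  # any of "email", "vpn", "rdp", "cloud"
    privileged: bool = False
    mfa: str = "none"                         # "none", "otp" or "phishing_resistant"
    used_for_email: bool = False              # privileged account that also reads mail

@dataclass
class Endpoint:
    hostname: str
    edr_agent: bool

@dataclass
class BackupTarget:
    name: str
    reachable_from_prod: bool                 # can a production host or admin write to it?
    last_restore_test_days: Optional[int]     # None means never tested

def mfa_gate(accounts):
    """Return (failures, advisories). A single failure pair fails the binary gate."""
    failures, advisories = [], []
    for a in accounts:
        if a.mfa == "none":
            cats = set()
            if "email" in a.access:
                cats.add("email")
            if a.access & REMOTE_ACCESS:
                cats.add("remote")
            if "cloud" in a.access:
                cats.add("cloud")
            if a.privileged:
                cats.add("privileged")
            failures.extend((a.name, c) for c in sorted(cats))
        elif a.privileged and a.mfa != "phishing_resistant":
            advisories.append(f"{a.name}: privileged account without phishing-resistant MFA")
    return failures, advisories

def edr_coverage(endpoints):
    """Percentage of endpoints running an EDR agent, the figure applications ask for."""
    if not endpoints:
        return 0.0
    return round(100.0 * sum(e.edr_agent for e in endpoints) / len(endpoints), 1)

def pam_findings(accounts):
    """Privileged accounts that are also used for daily work (email)."""
    return [f"{a.name}: privileged account also used for email"
            for a in accounts if a.privileged and a.used_for_email]

def backup_findings(targets):
    """Isolation from production and recency of restore tests."""
    findings = []
    if all(t.reachable_from_prod for t in targets):
        findings.append("no backup copy is isolated from the production network")
    for t in targets:
        if t.reachable_from_prod:
            findings.append(f"{t.name}: reachable from the production network")
        if t.last_restore_test_days is None or t.last_restore_test_days > RESTORE_TEST_MAX_DAYS:
            findings.append(f"{t.name}: no restore test in the last {RESTORE_TEST_MAX_DAYS} days")
    return findings

def readiness_report(accounts, endpoints, targets):
    """Gap list keyed the way the questionnaire sections are."""
    failures, advisories = mfa_gate(accounts)
    return {"mfa_gate_pass": not failures, "mfa_failures": failures,
            "mfa_advisories": advisories, "edr_coverage_pct": edr_coverage(endpoints),
            "pam_findings": pam_findings(accounts), "backup_findings": backup_findings(targets)}

# Constructed sample inventory (hypothetical names, not real systems).
SAMPLE_ACCOUNTS = [
    Account("alice", {"email", "cloud"}, mfa="otp"),
    Account("bob", {"email", "vpn"}, mfa="none"),                   # VPN login with no MFA
    Account("carol-admin", privileged=True, mfa="otp"),             # admin on app-code MFA only
    Account("dave-admin", {"email", "rdp"}, privileged=True,
            mfa="phishing_resistant", used_for_email=True),         # reads mail as admin
    Account("svc-backup", {"rdp"}, privileged=True, mfa="none"),    # service account over RDP
]
SAMPLE_ENDPOINTS = [Endpoint("ws-01", True), Endpoint("ws-02", True),
                    Endpoint("srv-file", True), Endpoint("srv-legacy", False)]
SAMPLE_BACKUPS = [
    BackupTarget("nas-01", reachable_from_prod=True, last_restore_test_days=30),
    BackupTarget("cloud-immutable", reachable_from_prod=False, last_restore_test_days=200),
]

if __name__ == "__main__":
    for key, value in readiness_report(SAMPLE_ACCOUNTS, SAMPLE_ENDPOINTS, SAMPLE_BACKUPS).items():
        print(f"{key}: {value}")
```

On the sample inventory the MFA gate fails on two accounts (a user with VPN access and a service account with RDP access, neither with MFA), EDR coverage comes out at 75%, one administrator reads mail from the admin account, and the only backup that production cannot reach has not had a restore test in 200 days. Each of those is a question on the application that would have to be answered “no” or explained, which is the point of running the check before the renewal rather than after a claim.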
Check Cyber Insurance Readiness Assessment — Free
Answer the same questions your underwriter will ask and get an instant readiness score. The assessment covers MFA, EDR, backup isolation, PAM, and all the other controls carriers verify — with a gap analysis and remediation priority list before your next renewal.
Nicholas Salem is the CEO of Boston Managed IT, a managed services provider serving professional services firms and small businesses across Greater Boston. BMIT helps clients build and operate security programs that meet Massachusetts compliance requirements.