
Cyber Insurance Readiness — What Insurers Actually Want to See

Tags: Cyber Insurance, Risk Management, SMB Security

Cyber insurance is no longer a simple purchase. Over the past several years, underwriters have significantly tightened their requirements. Organizations that had coverage with minimal scrutiny are now facing detailed questionnaires, technical verification, and in some cases coverage denials or substantial premium increases when they cannot demonstrate basic security controls.

If your organization is approaching a renewal or applying for coverage for the first time, understanding what insurers are evaluating -- and preparing for it -- is worth significant attention.

What Has Changed in Cyber Insurance Underwriting

Prior to 2020, cyber insurance underwriting was relatively straightforward. Insurers asked general questions about security practices and largely accepted self-reported answers.

The wave of large ransomware incidents that began in 2020 changed that calculus dramatically. Insurers absorbed major losses on policies they had written with little scrutiny. The market responded with stricter requirements, higher premiums, and in some lines of business, withdrawal from coverage entirely.

Today, underwriters want to see specific, verifiable controls. Self-attestation is still the primary mechanism, but applications are more detailed, and some insurers now verify responses through technical assessments or third-party data, such as scans of your internet-facing assets for exposed remote-access services and unpatched software. An answer that contradicts what the scan shows is worse than an honest "partial."

Controls That Are Now Effectively Required

The following controls appear consistently across major cyber insurance applications. Organizations that cannot demonstrate them face limited coverage options, higher premiums, or both.

Multi-factor authentication (MFA). MFA is now required on email, remote access (VPN and remote desktop), and administrative accounts at virtually every insurer. Gaps here -- particularly on administrative or privileged accounts -- will either result in exclusions or coverage denial. This is the single highest-priority control from an insurability standpoint. Expect applications to ask about each of these categories separately; "MFA on most accounts" is not an answer they accept.

Endpoint detection and response (EDR). Basic antivirus is no longer sufficient for most insurers. They want to see EDR deployed across endpoints and servers -- tools that detect and respond to attacker behaviour (suspicious process execution, credential access, lateral movement), not just known malware signatures. Coverage matters as much as the product: a deployment that misses a portion of the fleet is the gap an application is designed to find.

Privileged access management. Who has administrative access to your systems, how is that access controlled, and how is it monitored? Insurers are increasingly asking for specificity here: whether administrators use separate accounts for privileged work, whether standing domain-admin rights have been reduced, and whether privileged activity is logged and reviewed.

Backup and recovery. Do you maintain offline or immutable backups, meaning copies that cannot be altered or deleted with the same credentials an attacker would obtain by compromising your production environment? How often are restores tested? Can you recover from a ransomware event without paying the ransom? Insurers want evidence that your recovery capability is real, not theoretical: dated restore-test results, not a screenshot of a backup job reporting success.

Incident response plan. Do you have a documented incident response plan? Has it been exercised, for example through a tabletop walkthrough of a ransomware scenario? Organizations that have not formalized incident response are harder to insure, because an uncoordinated response predictably increases the size of a claim.

Security awareness training. Employee training -- particularly phishing simulation -- is on most applications now. The evidence insurers want to see is that training is conducted regularly, not that every employee passed a test.

Patch management. Are known vulnerabilities being addressed within a defined timeframe? Applications commonly ask whether critical patches are applied within a set number of days, and whether internet-facing systems are treated with more urgency than internal ones. Insurers are increasingly checking self-reported patch practices against external vulnerability data, including scans of your internet-facing services, rather than simply accepting the answer on the form.
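Because an insurer's external check is, in effect, a comparison of your exposed software versions against a published vulnerability feed, the same comparison is worth running yourself before the application. The script below is an added example written for this page, not NightFortress tooling or any insurer's method. Everything in it is constructed: the asset inventory, the feed entries (shaped loosely like a catalogue of actively exploited vulnerabilities, but with placeholder identifiers rather than real CVE IDs), and the SLA table. It reports, per host, how far past its remediation deadline each open item is, and rolls that up into the figures an application question typically maps to.

```python
"""Patch-SLA self-check against an external vulnerability feed.

Added illustration for this article; not a product or an insurer's
tool. All data below is constructed: identifiers, products, versions,
dates and the SLA policy are placeholders, not real vulnerabilities.
A real run would load the feed from a published source and the
inventory from your asset management or vulnerability scanner.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class FeedEntry:
    vuln_id: str            # feed identifier (placeholder, not a real CVE)
    product: str
    fixed_version: tuple    # first version that contains the fix
    published: date         # date the entry appeared in the feed
    severity: str           # "critical" or "high"


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple          # versions compared as tuples; real version
                            # strings need a proper parser
    internet_facing: bool


# Days allowed from feed publication to remediation, by severity and
# exposure. Constructed policy; substitute your own documented standard.
SLA_DAYS = {
    ("critical", True): 7,
    ("critical", False): 30,
    ("high", True): 14,
    ("high", False): 60,
}

# Constructed feed: three entries against two fictional products.
FEED = [
    FeedEntry("VULN-1001", "acme-vpn", (9, 2, 1), date(2024, 3, 1), "critical"),
    FeedEntry("VULN-1002", "acme-mail", (4, 8, 0), date(2024, 3, 20), "high"),
    FeedEntry("VULN-1003", "acme-mail", (4, 9, 0), date(2024, 4, 2), "critical"),
]

# Constructed inventory: one exposed VPN still on an old build, a patched
# mail server, an internal test box, and a host no feed entry touches.
ASSETS = [
    Asset("vpn-edge-01", "acme-vpn", (9, 1, 0), True),
    Asset("mail-01", "acme-mail", (4, 9, 0), True),
    Asset("mail-test", "acme-mail", (4, 7, 3), False),
    Asset("file-01", "acme-files", (2, 0, 0), False),
]

TODAY = date(2024, 4, 10)  # fixed "today" so the example is reproducible


def is_affected(asset, entry):
    """An asset is affected if it runs the product below the fixed version."""
    return asset.product == entry.product and asset.version < entry.fixed_version


def sla_deadline(asset, entry):
    """Remediation deadline: feed publication date plus the SLA window."""
    return entry.published + timedelta(days=SLA_DAYS[(entry.severity, asset.internet_facing)])


def assess(assets, feed, today):
    """Return one finding per (asset, feed entry) pair, worst overdue first."""
    findings = []
    for asset in assets:
        for entry in feed:
            if not is_affected(asset, entry):
                continue
            deadline = sla_deadline(asset, entry)
            findings.append({
                "host": asset.host,
                "vuln_id": entry.vuln_id,
                "severity": entry.severity,
                "internet_facing": asset.internet_facing,
                "deadline": deadline,
                "days_overdue": (today - deadline).days,  # negative: still within SLA
            })
    return sorted(findings, key=lambda f: -f["days_overdue"])


def summary(findings):
    """Roll-up figures an application question usually asks for."""
    overdue = [f for f in findings if f["days_overdue"] > 0]
    return {
        "open": len(findings),
        "overdue": len(overdue),
        "overdue_internet_facing": sum(1 for f in overdue if f["internet_facing"]),
        "worst_days_overdue": max((f["days_overdue"] for f in overdue), default=0),
    }


if __name__ == "__main__":
    results = assess(ASSETS, FEED, TODAY)
    for f in results:
        state = f"{f['days_overdue']}d OVERDUE" if f["days_overdue"] > 0 else "within SLA"
        print(f"{f['host']:12} {f['vuln_id']} {f['severity']:8} due {f['deadline']} {state}")
    print(summary(results))
```

The point of the exposure flag is that an insurer's scan only sees the internet-facing side, so an overdue item on an exposed host is the one most likely to be found independently and to contradict a clean answer on the form. The internal findings still count, but they are what your own documentation has to speak to.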

What the Application Process Actually Looks Like

Cyber insurance applications vary by insurer and coverage tier. For most SMBs, the process involves a detailed questionnaire -- often 30 to 50 questions -- covering the controls above plus general questions about revenue, industry, employee count, and prior incidents.

Some applications are structured so that certain answers trigger automatic exclusions or pricing adjustments. An organization that answers "no" to MFA on privileged accounts may face an exclusion for credential-based attacks regardless of other controls in place.

Reading the application carefully matters. The questions are specific, and the answers have real consequences for the coverage you receive.

How to Prepare Before Renewal

The time to address gaps is before the application, not during it.

Conduct a readiness assessment. Walk through a representative cyber insurance application before your renewal date. Identify every question where your honest answer is "no" or "partial." Those are your gaps.

Prioritize high-impact controls. MFA, EDR, and backup controls have the highest impact on insurability. If you have limited time before renewal, address those first.

Document what you have. Insurers rely on your self-reported answers, but they increasingly want documentation that supports those answers: policy documents, vendor invoices, training records, backup test results. Prepare that documentation before the application, not after.

Understand your prior incidents. Applications ask about prior incidents, claims, and security events. Know what you need to disclose before you begin the application.

Work with your broker. A good cyber insurance broker understands what specific underwriters are looking for and can help you position your application accurately. They can also help you understand which markets are appropriate for your risk profile.

After You Get Coverage

Maintaining coverage requires maintaining controls. Policies typically include representations about your security posture that continue to apply after the policy binds. A significant change in your security environment -- a major breach, a major change in systems, or a substantial lapse in a control you represented as in place -- may require notification to the insurer and can affect whether a later claim is paid.

Read your policy carefully. Understand what changes require notification to your insurer. And maintain the controls you represented on your application.

Cyber Insurance Is Not a Security Strategy

A final point worth making explicit: cyber insurance transfers financial risk. It does not reduce operational risk. An organization that views insurance as a substitute for security controls is taking on unacceptable exposure -- and will likely discover that the coverage excludes or limits claims in exactly the scenarios that were not addressed.

Insurance and security work together. Insurance is most valuable when the likelihood of a significant incident is low and the coverage is there for scenarios that were not predictable. It is least valuable when you are relying on it because your security posture is weak.

For organizations preparing for a cyber insurance application or renewal, NightFortress provides readiness assessments scoped to current underwriting requirements. Learn more about our assessment offerings or contact us to talk through your current posture.