Cyber Insurance in 2026: New Requirements Your Business Must Meet

Cyber insurance carriers have dramatically tightened their requirements. MFA, EDR, and incident response plans are now baseline expectations. Here's what you need to qualify — and avoid claim denials.

March 8, 2026 | Brad Pierce
Tags: Cybersecurity, Compliance, Business Strategy

Two years ago, getting a cyber insurance policy was almost as easy as filling out a questionnaire and writing a check. That era is decisively over.

After paying out billions in ransomware claims between 2020 and 2024, insurance carriers overhauled their underwriting requirements. Premiums have increased 50-100% for many businesses, and the technical controls required to qualify for a policy — or to avoid having a claim denied — have become significantly more stringent.

If your business carries cyber insurance (or plans to), understanding these requirements isn't optional. A denied claim after a breach can be more devastating than the breach itself.

What Carriers Now Require

Multi-Factor Authentication (MFA) — Everywhere

MFA is no longer a recommendation. It's a hard requirement for virtually every carrier. And they don't mean MFA on just your email — they mean MFA on every remote access point, every cloud service, every administrative console, and every privileged account.

Carriers specifically ask about:

  • Email systems (Microsoft 365, Google Workspace)
  • VPN and remote access portals
  • Remote Desktop Protocol (RDP) — many carriers won't issue a policy if RDP is exposed to the internet at all
  • Administrative/privileged accounts on servers, network equipment, and cloud platforms
  • Backup systems and management consoles

If a breach occurs and the investigation reveals that MFA was not enabled on the compromised system, the carrier may deny the claim — even if MFA was enabled elsewhere.

Endpoint Detection and Response (EDR)

Traditional antivirus is no longer sufficient. Carriers now require Endpoint Detection and Response on all endpoints — workstations, servers, and laptops. EDR provides real-time behavioral monitoring, automated threat response, and forensic telemetry that carriers need for claims investigation.

Some carriers go further, requiring that EDR be monitored by a 24/7 Security Operations Center (SOC) or Managed Detection and Response (MDR) provider. An EDR agent that alerts but has no one watching it doesn't satisfy the intent of the requirement.

Backup and Recovery Capabilities

Carriers want to know that you can recover from an attack without paying a ransom. Specific questions typically include:

  • Are backups performed at least daily?
  • Are backup copies stored off-site or in the cloud?
  • Are backups immutable (protected from modification or deletion)?
  • Are backup restorations tested regularly?
  • What are your Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?

An untested backup is, for underwriting purposes, no backup at all. If you can't demonstrate that you've successfully restored from backup within the last 90 days, expect questions.

Incident Response Plan

Most carriers now require a documented incident response plan that has been reviewed (and ideally tested) within the past 12 months. The plan should cover:

  • Roles and responsibilities during an incident
  • Communication protocols (internal, external, legal, law enforcement)
  • Containment and eradication procedures
  • Evidence preservation for forensic investigation
  • Recovery and restoration procedures
  • Post-incident review process

Some carriers offer premium discounts for organizations that conduct annual tabletop exercises — simulated incident scenarios that test the response plan with key stakeholders.

Patch Management

Carriers increasingly ask about your patch management practices. Key questions include:

  • How quickly are critical patches applied after release?
  • Is patching automated or manual?
  • Are there systems running unsupported/end-of-life operating systems?

Running Windows Server 2012 or Windows 10 past its end-of-life date may not just increase your premium — it may void your coverage for incidents involving those systems.

Security Awareness Training

Employee error remains the leading cause of successful cyber attacks. Carriers recognize this and increasingly require evidence of a Security Awareness Training program that includes:

  • Regular training sessions (at least quarterly)
  • Phishing simulations with measurable results
  • Documentation of completion rates and test scores

How to Avoid Claim Denials

Having a policy doesn't guarantee a payout. Claims are denied when the investigation reveals that the insured failed to maintain the security controls they attested to in their application. Common denial triggers include:

  1. MFA was attested but not fully deployed — e.g., MFA was on email but not on the VPN that was breached
  2. EDR was installed but not monitored — the tool generated alerts but no one acted on them
  3. Backups existed but were encrypted by the ransomware — because they weren't immutable or air-gapped
  4. The incident response was ad hoc — no plan was followed, evidence was destroyed, and recovery took weeks
  5. Known vulnerabilities were unpatched — a critical patch was available for months before the exploit

The common thread: what you attest on your insurance application must match your actual security posture. If there's a gap, the claims adjuster will find it during the forensic investigation.
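The attestation-versus-posture comparison described above, turned into a small readiness check. This is an added illustration, not Layer27's tooling: it assumes a constructed host inventory, a 30-day critical-patch threshold (the post gives no number), and vendor end-of-life dates for the two OS versions the post names.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates for the two OS versions the post names (assumed values; verify against vendor lifecycle pages)
OS_EOL = {"Windows Server 2012": date(2023, 10, 10), "Windows 10": date(2025, 10, 14)}
CRITICAL_PATCH_SLA_DAYS = 30  # assumed threshold; the post gives no number and carriers vary
RESTORE_TEST_DAYS, IR_REVIEW_DAYS = 90, 365  # from the post: restore tested within 90 days, IR plan reviewed within 12 months

@dataclass
class Host:
    name: str
    os: str
    rdp_internet_exposed: bool
    mfa_on_remote_access: bool
    edr_installed: bool
    edr_monitored: bool  # watched by a 24/7 SOC or MDR, not merely generating alerts
    critical_patch_age_days: int  # age of the oldest missing critical patch, 0 if fully patched

def attestation_gaps(hosts, backups_immutable, last_restore_test, ir_plan_last_review, today):
    """Return every gap a claims investigation could find between attested controls and actual posture."""
    gaps = []
    for h in hosts:
        if h.rdp_internet_exposed:
            gaps.append(f"{h.name}: RDP reachable from the internet")
        if not h.mfa_on_remote_access:
            gaps.append(f"{h.name}: MFA not enforced on remote access")
        if not h.edr_installed:
            gaps.append(f"{h.name}: no EDR agent")
        elif not h.edr_monitored:
            gaps.append(f"{h.name}: EDR installed but unmonitored")
        if h.os in OS_EOL and today > OS_EOL[h.os]:
            gaps.append(f"{h.name}: {h.os} past end-of-life ({OS_EOL[h.os]})")
        if h.critical_patch_age_days > CRITICAL_PATCH_SLA_DAYS:
            gaps.append(f"{h.name}: critical patch outstanding for {h.critical_patch_age_days} days")
    if not backups_immutable:
        gaps.append("backups: not immutable")
    if (today - last_restore_test).days > RESTORE_TEST_DAYS:
        gaps.append("backups: no successful restore test in the last 90 days")
    if (today - ir_plan_last_review).days > IR_REVIEW_DAYS:
        gaps.append("incident response plan: not reviewed in the past 12 months")
    return gaps

# Constructed sample inventory (not real systems): a VPN gateway without MFA and a legacy file server
SAMPLE_HOSTS = [Host("vpn-gw", "Ubuntu 22.04", False, False, True, True, 0),
                Host("file-srv", "Windows Server 2012", True, True, True, False, 120)]

def sample_report(today=date(2026, 3, 8)):
    # Backups not immutable, last restore test 158 days ago, IR plan reviewed 280 days ago (still inside 12 months)
    return attestation_gaps(SAMPLE_HOSTS, backups_immutable=False, last_restore_test=date(2025, 10, 1),
                            ir_plan_last_review=date(2025, 6, 1), today=today)
```

Calling `sample_report()` lists seven gaps, each matching one of the denial triggers above; the IR plan review is the one control still inside its window.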

How Layer27 Helps You Qualify and Stay Compliant

Our managed services tiers are designed to satisfy — and exceed — every major cyber insurance requirement:

  • Protect Pro includes MFA enforcement, EDR with 24/7 MDR monitoring, Security Awareness Training, patch management, and incident response planning
  • Backup-as-a-Service (BaaS) provides immutable, air-gapped backups with tested recovery and documented RTOs/RPOs
  • Disaster Recovery-as-a-Service (DRaaS) satisfies business continuity requirements that some carriers evaluate
  • Compliance services help you accurately complete insurance applications and maintain the attestations you make

We also provide the documentation and evidence that carriers need during renewals and claims — patch compliance reports, training completion rates, backup test logs, and incident response plan review records.

Don't wait for a claim denial to find out your security posture doesn't match your insurance application. Contact Layer27 for a cyber insurance readiness assessment.
