Cyber Insurance - What Your Policy Actually Requires From Your IT

What Is Cyber Insurance — and What Does Your Policy Actually Require?

Cyber insurance isn’t just something you buy and forget — it’s a set of requirements your IT environment has to actually meet for the policy to pay out when you need it.

Most small business owners think of cyber insurance the way they think of any other insurance: pay the premium, file the claim if something goes wrong. But cyber insurance underwriters have spent the last several years watching the claims roll in, and they’ve responded the same way any insurer would — by getting specific about what they require before they’ll write a policy, and by scrutinizing claims carefully when they come in.

The result is that cyber insurance is now effectively a compliance requirement of its own — one with real teeth. Here’s what carriers actually require, and how your IT environment has to be configured to satisfy them.

What carriers require to write the policy

The specific requirements vary by carrier and policy tier, but the controls that show up on virtually every underwriting questionnaire are consistent:

Multi-factor authentication (MFA). This is the single most commonly required control. Carriers want to see MFA on email, remote access (VPN, RDP), cloud applications, and privileged accounts. Some require it everywhere. A policy written without MFA in place often includes an exclusion for credential-based attacks — which is most attacks. See our MFA dictionary entry for what this looks like in practice.

Endpoint detection and response (EDR). Underwriters have largely stopped accepting traditional antivirus as sufficient. They want EDR — behavioral monitoring, not just signature matching. Some policies explicitly exclude ransomware coverage if the organization lacks EDR. Our EDR article explains the difference.

Tested backup and recovery. Not just "we have backups" — backups that are tested, that are isolated from the production environment, and that can actually restore your systems in a reasonable timeframe. WORM-compliant, air-gapped backups are the gold standard. Untested backups that fail at claim time are an underwriter’s dream — your nightmare.

Written incident response plan. Carriers want to know that when something happens, there’s a documented process for who does what, when, and in what order. Not a general cybersecurity policy — a specific incident response plan. See our article on what an incident response plan actually covers.

Security awareness training. Documented, recurring training with completion records. Many underwriters ask specifically about phishing simulation programs. See Security Awareness Training: The Compliance Requirement That Actually Works.

Patch management. Evidence that operating systems and software are kept current. Unpatched vulnerabilities are the initial access vector in a significant proportion of ransomware attacks — underwriters know this.

Privileged access management. Controls around who has administrative access to your systems, with logging that shows when those accounts were used. Some carriers ask specifically about service accounts and shared credentials.

Vendor and third-party risk management. Increasingly, underwriters want to know how you evaluate the security practices of your technology vendors. A documented vendor assessment process — not a comprehensive one, but a documented one — is becoming a standard question.

What gets denied

Cyber insurance claims get denied or reduced for predictable reasons:

Misrepresentation on the application. If you checked "yes" to MFA on your application and the claim investigation reveals MFA wasn’t actually enforced, the carrier has grounds to deny the entire claim — not just reduce it. The application is a warranty. The questions aren’t suggestions.

Exclusions for known vulnerabilities. Some policies exclude claims arising from vulnerabilities that were publicly known and unpatched at the time of the incident. If your systems haven’t been patched in six months and an attacker exploits a known CVE, coverage may not apply.

Backup failure. A carrier that paid to restore from backup is very interested in whether the backup actually worked. If you claimed you had tested backups and you didn’t — or if the backups failed because they weren’t isolated from the ransomware — expect scrutiny.

Late notification. Most policies require notification of a potential claim within a defined window — often within 30–60 days of discovering an incident. Late notification is a common basis for coverage reduction.

What your IT setup has to look like

The good news is that the controls cyber insurance carriers require are the same controls that make your business genuinely more secure — and the same controls that most compliance frameworks (HIPAA, GLBA, PCI-DSS, SOC 2) require. You’re not maintaining separate programs for security, compliance, and insurance. You’re building one environment that satisfies all three.

NerdSquad’s managed IT stack — EDR, MFA, WORM-protected backups, patch management, security awareness training, and incident response planning — is built to satisfy underwriter requirements as a baseline, not an afterthought. When a client goes through renewal, we can typically produce the documentation their broker needs without a scramble.

For the broader compliance and cybersecurity picture, see What is digital compliance? and How do you help businesses protect against cyber threats?