What Cyber Insurance Underwriters Now Require
Cyber insurance used to be a checkbox. You answered a short questionnaire, paid a modest premium, and moved on. That market is gone. After years of ransomware losses, underwriters have turned the application into a technical audit, and the controls they ask about are no longer aspirational — they are conditions of coverage. If you cannot evidence them, you either pay far more, accept sub-limits and coinsurance, or get declined outright.
This is what practitioners see on carrier questionnaires today, why each control is there, and how the documentation you keep affects both your premium and whether a claim actually pays.
The controls underwriters now demand
Carriers have converged on a common core. The specific wording varies by underwriter — Chubb, Beazley, Coalition, Travelers and the rest each have their own forms — but the substance is consistent.
- MFA everywhere. Not just the VPN. Underwriters want phishing-resistant multi-factor authentication on remote access, email (Microsoft 365 and Google Workspace), privileged and administrative accounts, and any internet-facing application. Missing MFA on privileged accounts is now the single most common reason for a declination.
- EDR/MDR with 24/7 monitoring. Legacy antivirus no longer satisfies the question. Carriers ask specifically for endpoint detection and response, and increasingly whether it is monitored around the clock by a human team rather than just installed. A managed detection and response service answers both the "deployed" and the "monitored" halves of that question.
- Immutable, tested backups. The question is no longer "do you back up?" but "are your backups immutable or offline, segmented from production credentials, and have you tested a restore?" Ransomware crews target backups first; underwriters know it.
- Privileged access management. Standing domain-admin rights and shared local-admin passwords are red flags. Carriers want least privilege, just-in-time elevation, and a vault for credentials.
- Email security. Advanced filtering, anti-phishing, and sender authentication (SPF, DKIM, DMARC) because email remains the primary intrusion vector.
- A written incident response plan. Not a slide — a documented, tested plan with named roles, escalation paths, and legal and carrier notification steps.
- A defined patching cadence. Underwriters want a stated timeline for critical vulnerabilities — commonly patch or mitigate within a set number of days — and evidence you meet it.
- Security awareness training. Regular training plus simulated phishing, with participation tracked.
Read that list again as a threat model and the logic is obvious: it maps almost exactly to how ransomware actors get in, move laterally, and destroy recovery options. Underwriters are not asking for best practice for its own sake — they are pricing the loss scenarios their actuaries actually pay out.
Why documentation and evidence change the price
Here is the part buyers underestimate: the answers on the application are only half of what matters. The evidence behind them determines your premium band and, more importantly, whether a claim pays.
Cyber policies are underwritten on warranties and representations. When you attest that MFA is enforced on all privileged accounts and it later turns out a service account was exempt — and that account was the entry point — the carrier can allege material misrepresentation and reduce or deny the claim. This has already been litigated. Insurers have contested payouts on exactly this basis, arguing the insured's application overstated its control posture.
So documentation does two jobs:
- At renewal, it lowers premium. Being able to hand an underwriter EDR coverage reports, DMARC enforcement records, restore-test logs, patch compliance percentages, and training completion rates moves you out of the "trust me" pile. Carriers reward defensible evidence with better terms and fewer exclusions.
- At claim time, it protects the payout. If you can show the control was actually operating as attested — with logs, tickets, and reports dated before the incident — you remove the carrier's easiest reason to deny.
The practical implication: treat the insurance application as an evidence exercise, not a survey. Every "yes" you give should have an artifact behind it that you could produce twelve months later.
Where organizations get caught
A few gaps show up repeatedly when we prepare clients for renewal.
- MFA "everywhere" has holes. Legacy protocols, service accounts, break-glass logins, and on-prem applications behind the VPN are common exemptions that quietly violate the attestation.
- Backups are not truly immutable. A backup reachable with production domain credentials is not protected from a domain-wide ransomware event, regardless of retention settings.
- The IR plan exists but was never tested. An untested plan is a document, not a capability, and tabletop exercises are increasingly asked about by name.
- Patching cadence is claimed, not measured. Stating a target means nothing without vulnerability data showing you hit it.
Each of these is survivable at application time and catastrophic at claim time.
How a managed program closes the gap
Most mid-market organizations do not have the staff to run 24/7 detection, maintain a privileged access vault, prove restore integrity monthly, and produce audit-ready evidence for a renewal — all at once. This is where a managed security program earns its cost by turning each questionnaire line into a running, evidenced service.
- Detection and response. Managed detection and response delivers the EDR/MDR control with human monitoring and generates the coverage and alerting evidence underwriters ask for.
- Recoverability. Managed backup and disaster recovery provides immutable, segmented backups with documented, tested restores — the difference between a bad week and a business-ending event.
- Privileged access. Privileged access management replaces standing admin rights with least-privilege, just-in-time elevation and a credential vault, directly answering the PAM questions on the form.
- Response readiness. A tested incident response plan with defined roles and carrier-notification steps satisfies the IR requirement and shortens real-world dwell time.
Run together, these controls do more than help you qualify. They lower the probability of the loss the policy exists to cover, which is the outcome both you and your underwriter actually want. The security industry's own data — the Verizon Data Breach Investigations Report and IBM's Cost of a Data Breach study among them — consistently ties these same controls to lower breach likelihood and lower breach cost.
The bottom line
Cyber insurance has become an annual attestation that your security program is real, operating, and documented. The controls are not exotic — MFA, EDR/MDR, immutable backups, PAM, email security, a tested IR plan, disciplined patching, and trained users. What has changed is that you now have to prove them, keep proving them, and be able to reproduce the proof after an incident.
If your next renewal is approaching and you want a control posture that qualifies cleanly and holds up at claim time, talk to intSignal's security team. We build and run these programs for clients specifically so the honest answer to every question on the application is "yes — and here is the evidence."