Cyber insurance used to be relatively easy to obtain. A few years ago, many insurers issued policies based on little more than a short questionnaire and a signature. Premiums were low, underwriting was loose, and most businesses that applied got covered.
That era is over.
After years of absorbing catastrophic losses from ransomware attacks, business email compromise, and large-scale data breaches, the insurance industry has fundamentally changed how it evaluates cyber risk. Premiums have climbed sharply, coverage limits have tightened, and the list of security controls insurers require before issuing or renewing a policy has grown considerably. For many organizations, getting cyber insurance now feels less like buying a policy and more like passing an audit.
Why Insurers Changed the Rules
The numbers tell the story. Ransomware payments and recovery costs exploded in the early 2020s, with some individual claims running into the tens of millions of dollars. Insurers that had priced their products during a relatively quiet period found themselves paying out far more than they had collected in premiums. The market corrected — sharply.
Insurers responded by doing what any rational risk assessor would do: they started requiring proof that policyholders had meaningful security controls in place before agreeing to cover them. Organizations that couldn't demonstrate basic cyber hygiene were denied coverage, offered drastically reduced limits, or hit with exclusions that made their policies far less useful in practice. The message from the insurance industry was clear: they're no longer willing to be the safety net for organizations that haven't invested in their own security.
What are insurers requiring now? The specific requirements vary by carrier and policy, but several controls have become near-universal on cyber insurance applications and renewal questionnaires:
Multi-Factor Authentication (MFA)
MFA is arguably the single most scrutinized control in the cyber insurance underwriting process. Most insurers now require MFA not just for remote access and VPN connections, but for email, cloud applications, and any system with access to sensitive data. Some carriers specifically ask about MFA coverage for privileged and administrative accounts. An organization without broadly deployed MFA will struggle to find reasonable coverage, if it can find coverage at all.
Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient in the eyes of most underwriters. EDR solutions provide behavioral monitoring, threat detection, and rapid response capabilities that basic antivirus can't match. Many insurers now require EDR deployed across all endpoints as a condition of coverage, and some specify that it must be actively monitored either by internal staff or a managed security provider.
Tested Backup and Recovery Capabilities
Having backups is table stakes. What insurers increasingly want to see is evidence that those backups actually work. That means regular backup testing, offsite or air-gapped backup storage that ransomware can't reach, and documented recovery procedures with realistic recovery time objectives. Organizations that have never tested their ability to restore from a backup are carrying far more risk — and far more insurance scrutiny — than they may realize.
Security Awareness Training
Because phishing remains one of the most common entry points for attackers, insurers want to see that employees are regularly trained to recognize and report suspicious activity. This typically means formal, recurring security awareness training programs — not a one-time onboarding video. Some carriers are beginning to ask about simulated phishing programs that test whether training is actually changing employee behavior.
Incident Response Plans
A documented, tested incident response plan signals to insurers that an organization knows what it will do when, not if, something goes wrong. This includes knowing who is responsible for what, how the organization will communicate internally and externally, how systems will be isolated, and when law enforcement or legal counsel needs to be engaged. Without this documentation, organizations may face coverage disputes when a claim is filed.
Privileged Access Management and Least Privilege
Underwriters are paying increasing attention to how organizations manage accounts with elevated permissions. Uncontrolled privileged access has been a factor in some of the largest and most expensive breaches in recent years. Insurers want to see that administrative accounts are separated from standard user accounts, that their usage is logged and monitored, and that access is granted on a need-to-have basis.
The Gap Between What Businesses Have and What Insurers Expect
Here's the reality many organizations are facing: they assumed their existing security posture was adequate, submitted a renewal application, and discovered that their insurer now has requirements their environment doesn't meet. In some cases, this results in policy cancellation. In others, it means coverage is issued with significant exclusions — exactly the kinds of exclusions that would apply in a ransomware event.
This gap is particularly common in small and mid-sized businesses that haven't had a formal security review in several years. Tools that were considered solid a few years ago may no longer meet current underwriting standards. Policies and procedures that were never formally documented can't be demonstrated to an insurer. Backup solutions that were configured and forgotten may not function as expected when actually needed.
Compliance With Insurers Is Also Good Security Practice
It's worth noting that the controls cyber insurers require aren't arbitrary. They reflect a genuine consensus about what reduces cyber risk. MFA, EDR, tested backups, trained employees, and documented incident response procedures are the foundational elements of a defensible security program.
Organizations that pursue cyber insurance compliance as a driver for improving their security posture end up better protected, not just better insured. The two goals are aligned. Getting your environment to a place where an insurer is willing to cover it at reasonable rates is also getting it to a place where attacks are less likely to succeed, and less devastating when they do.
What to Do Before Your Next Renewal
If your cyber insurance renewal is approaching, don't wait until the application lands in your inbox to assess where you stand. The time to identify and close gaps is before you're under pressure to respond to an underwriter. Start with an honest inventory of the controls your insurer is likely to ask about. Where are you fully deployed? Where are there gaps? Where do you have the technology in place but lack the documentation to prove it? Each of those answers points to a specific action item. If you're not sure where to begin, a third-party security assessment can give you a clear picture of your current posture and a prioritized roadmap for getting where you need to be.
At InfoPathways, we work with businesses to assess, implement, and document the security controls that cyber insurers require — and that genuinely reduce risk. Whether you're preparing for a renewal, responding to new underwriting requirements, or building a security program from the ground up, our team can help you get there.
Contact InfoPathways today to schedule a security assessment and make sure your organization is ready for what insurers — and attackers — are looking for.