What Your Cyber Insurance Application Is Really Asking For
If you’ve applied for cyber insurance recently — or tried to renew — you’ve probably noticed the applications are getting longer and more technical every year. Five years ago, carriers asked if you had antivirus. Now they want to know about your MFA deployment, endpoint detection and response, backup architecture, and incident response plans.
This isn’t busywork. Carriers are losing money on ransomware claims, and they’re getting specific about what they’ll cover.
Here’s what those questions actually mean, and what you need in place to answer them honestly.
Multi-Factor Authentication (MFA)
What they’re asking: Is MFA enforced on email, remote access, and administrative accounts?
What you actually need: Every user in your organization should have MFA enabled on Microsoft 365 (or whatever email platform you use), on VPN or remote desktop connections, and on any admin-level accounts. “Available but optional” doesn’t count — carriers want it enforced.
This is the single most common reason applications get rejected or premiums spike. If you do nothing else, do this.
Endpoint Detection and Response (EDR)
What they’re asking: Do you have security software on every endpoint that can detect, investigate, and respond to threats — not just block known viruses?
What you actually need: Traditional antivirus isn’t enough anymore. Carriers want EDR or managed detection and response (MDR) — software that monitors endpoint behavior, flags anomalies, and can isolate compromised machines. Most policies now specifically ask whether you have 24/7 monitoring with human analysts.
Backup and Recovery
What they’re asking: Do you have backups that would survive a ransomware attack? Can you actually restore from them?
What you actually need: Backups that are isolated from your production network (so ransomware can’t encrypt them too), tested regularly, and retained long enough to recover from an attack that might not be discovered for weeks. “We back up to an external hard drive” doesn’t cut it. Cloud-based backup with versioning and verified restores is the standard.
Security Awareness Training
What they’re asking: Do you train employees to recognize phishing and social engineering?
What you actually need: Regular training (not just once a year) with phishing simulations that actually test whether employees click. Carriers want to see measurable results — click rates, completion rates, improvement over time. A one-time lunch-and-learn doesn’t satisfy this.
Patch Management
What they’re asking: Do you keep operating systems and applications updated with security patches?
What you actually need: A process (ideally automated) that applies critical security patches within a reasonable timeframe — typically 30 days for critical vulnerabilities, sooner for actively exploited ones. “We click ‘update’ when the popup appears” is not a patch management program.
Incident Response Plan
What they’re asking: If you get breached, do you know what to do?
What you actually need: A written plan that covers who to contact (your IT provider, your insurance carrier, legal counsel), how to contain the incident, how to communicate with affected parties, and how to recover. It doesn’t need to be 50 pages — but it needs to exist, and key people need to know where it is.
Email Security
What they’re asking: Do you have protections against phishing, business email compromise, and malicious attachments?
What you actually need: At minimum, SPF, DKIM, and DMARC configured on your domain (these let receiving mail servers detect and reject messages that spoof your domain). Better: advanced email filtering that scans attachments and links before they reach inboxes. Many carriers also ask about policies for wire transfers and payment changes — requiring verbal confirmation for any financial instruction received by email.
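Carriers ask whether these records are "configured", but the settings matter as much as their presence. The script below is an added example, not from the original post, that checks an SPF and a DMARC TXT record for the enforcing values (a `-all` SPF qualifier, a DMARC policy of quarantine or reject, and a reporting address); the domain and records are constructed, and no DNS lookup is performed.

```python
"""Added example, not from the original post: check SPF and DMARC TXT
records for the enforcing settings carriers expect. Sample records
below are constructed; nothing here performs a DNS lookup."""
import re

def spf_all_qualifier(txt):
    """Qualifier on the SPF 'all' term, '?' if absent, None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return "?"  # no 'all' term: unmatched senders get a neutral result

def dmarc_tags(txt):
    """Return DMARC tag=value pairs as a dict, or None if not DMARC."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(spf_txt, dmarc_txt):
    """Return findings as strings; an empty list means both records enforce."""
    findings = []
    q = spf_all_qualifier(spf_txt)
    if q is None:
        findings.append("SPF: no record published")
    elif q == "+":
        findings.append("SPF: '+all' authorises every sender; use '-all'")
    elif q != "-":
        findings.append(f"SPF: '{q}all' is not a hard fail; use '-all'")
    d = dmarc_tags(dmarc_txt)
    if d is None:
        findings.append("DMARC: no record published")
    else:
        if d.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; use p=quarantine or p=reject")
        if "rua" not in d:
            findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

# Constructed records for a hypothetical domain: a weak pair and a corrected pair.
WEAK = ("v=spf1 include:_spf.example.com ~all", "v=DMARC1; p=none")
FIXED = ("v=spf1 include:_spf.example.com -all",
         "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("fixed", FIXED)):
        print(label, assess(*records) or ["OK: both records enforce"])
```

Run it against your own published TXT records (copied from `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`) to see which findings you would need to clear before answering "yes" on the application.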
The bottom line
None of this is exotic technology. These are foundational controls that every business should have regardless of insurance requirements. The insurance application is just forcing the conversation.
If you’re missing controls and need help getting ready for your renewal, we put together a checklist that maps each common application question to what you specifically need in place.