Cyber insurance has changed dramatically in the past five years. Coverage that used to be easy to obtain with minimal security requirements now goes through a rigorous underwriting process. Here is what insurers are requiring, and what you need to have in place to get covered.

Why Requirements Have Tightened

The claims environment drove the change. Ransomware claims surged in 2020–2022 and insurers posted significant losses on their cyber books. Underwriters responded by tightening requirements, raising premiums, and introducing sub-limits and coinsurance provisions specifically for ransomware. Getting favorable terms now requires demonstrating that real security controls are in place and enforced, not just checking boxes on a questionnaire.

Controls Now Required by Most Underwriters

Multi-factor authentication: MFA on email, remote access (VPN, RDP), and privileged admin accounts is now a hard requirement at most insurers. Underwriters typically ask whether MFA is enforced for all users on these systems, not just administrators, and whether legacy authentication paths that bypass MFA have been disabled. Missing MFA on any of these may disqualify an application outright.

Endpoint detection and response (EDR): Standard signature-based antivirus is no longer sufficient. Most underwriters now require EDR deployed on all endpoints, servers included, and will ask which product is in use and what percentage of the estate it covers.

Tested backup and recovery: Insurers want to know your backup strategy, where backups are stored (offline, immutable, or cloud-isolated from the production environment and its credentials), and when a restore was last tested. Backups that have never been restored get less credit than backups with a documented, recent recovery test.

Privileged access management: Underwriters expect controls on admin credentials and privileged accounts, including separation of admin and day-to-day accounts, just-in-time access, and privileged session monitoring.

Incident response plan: Underwriters expect a documented and tested incident response plan with defined roles, escalation paths, and an external IR retainer relationship already in place, so that the first call during an incident is not to a vendor you have never worked with.

Work With Us

Contact Stone Path Cyber →