Insights & Resources

Cyber insurance used to be straightforward. Fill out a short application, answer a few questions about your antivirus software, and receive a policy. Premiums were modest, underwriting was light, and claims were relatively rare.

That era is over. The explosion of ransomware attacks, business email compromise, and data breaches over the past several years has fundamentally changed the cyber insurance market. Insurers have paid out billions in claims, and they have responded by dramatically tightening their underwriting requirements. Businesses that could easily obtain coverage three years ago are now being denied, non-renewed, or quoted premiums two to three times higher than before.

For small and mid-sized businesses, this shift creates a practical problem. Cyber insurance is increasingly required by clients, partners, and contracts. But qualifying for coverage now requires demonstrating specific security controls that many SMBs have not yet implemented.

Understanding what insurers require and why is essential for any business that needs cyber coverage.

Why the Market Has Hardened

The cyber insurance market has undergone what the industry calls “hardening,” a period of rising premiums, stricter terms, and more selective underwriting. Several factors drove this shift.

Ransomware losses escalated dramatically. Ransomware attacks against businesses of all sizes surged, with average ransom demands increasing from tens of thousands to hundreds of thousands of dollars. Recovery costs, including downtime, forensics, legal fees, and notification expenses, often exceeded the ransom itself by a factor of five to ten.

Business email compromise became epidemic. BEC attacks, where attackers impersonate executives or vendors to trick employees into transferring funds, generated billions in losses annually. These attacks are difficult to prevent with technology alone because they exploit human trust rather than technical vulnerabilities.

Systemic risk became visible. Events like the SolarWinds supply chain attack and the CrowdStrike outage demonstrated that a single vendor compromise could affect thousands of businesses simultaneously. Insurers realized that their portfolios contained correlated risk that could generate massive simultaneous claims.

Claims frequency and severity both increased. Insurers were paying more claims, and each claim was more expensive. The combined ratio (claims paid plus expenses divided by premiums collected) exceeded 100 percent for many cyber insurers, meaning they were losing money on the product.

The result: insurers raised prices, added exclusions, reduced coverage limits, and began requiring specific security controls as conditions of coverage.

The Security Controls Insurers Now Require

While requirements vary by insurer and policy type, a clear consensus has emerged around the baseline security controls that most cyber insurers now mandate. Failing to have these controls in place will result in denial of coverage, exclusion of certain claim types, or significantly higher premiums.

Multi-Factor Authentication (MFA)

MFA is the single most common requirement in cyber insurance applications. Insurers typically require MFA on:

• All remote access (VPN, remote desktop, cloud applications)
• All email accounts
• All privileged and administrative accounts
• Any system that accesses sensitive data

Some insurers now ask specifically about the type of MFA deployed. SMS-based MFA is considered weaker than app-based authenticators or hardware security keys, and some underwriters are beginning to differentiate in their requirements.

Why insurers care: The majority of ransomware and BEC attacks begin with compromised credentials. MFA blocks credential-based attacks even when passwords are stolen, making it the single most effective control for reducing claim frequency.

Endpoint Detection and Response (EDR)

Basic antivirus is no longer sufficient for most cyber insurance applications. Insurers increasingly require endpoint detection and response (EDR) solutions that provide:

• Behavioral threat detection (not just signature-based scanning)
• Real-time monitoring and alerting
• Automated response capabilities (isolation, quarantine)
• Centralized management and reporting

Some insurers specify that EDR must be deployed on all endpoints, including servers, not just workstations. Others ask whether the EDR solution is monitored by a security operations center (SOC) or managed detection and response (MDR) provider.

Why insurers care: EDR stops ransomware and malware that bypasses traditional antivirus. Businesses with EDR experience significantly fewer successful attacks and faster containment when incidents do occur.

Backup and Recovery

Insurers want to know that your business can recover from a ransomware attack without paying the ransom. Specific requirements typically include:

• Regular automated backups of critical data and systems
• Offsite or cloud-based backup storage (not just local backups)
• Backup testing and verification procedures
• Immutable or air-gapped backups that cannot be encrypted by ransomware
• Documented recovery time objectives (RTO) and recovery point objectives (RPO)

Why insurers care: Businesses with reliable, tested backups recover from ransomware faster and at lower cost. The insurer pays for recovery expenses rather than ransom payments, and the total claim amount is significantly lower.

Email Security

Beyond MFA on email accounts, insurers often require:

• Advanced email filtering with anti-phishing capabilities
• DMARC, DKIM, and SPF email authentication
• User awareness training focused on phishing and BEC
• Policies for verifying wire transfer and payment change requests

Why insurers care: Email is the primary attack vector for both ransomware delivery and business email compromise. Strong email security reduces the likelihood of the two most expensive categories of cyber claims.

Patch Management

Insurers ask about your process for applying security patches to operating systems, applications, and network devices. They want to see:

• A defined patching schedule (critical patches within 14-30 days)
• Coverage of all systems, including servers, workstations, and network devices
• Prioritization of internet-facing systems and known exploited vulnerabilities

Why insurers care: Unpatched vulnerabilities are the second most common entry point for attackers after compromised credentials. A consistent patching process eliminates a large percentage of exploitable attack surface.

Incident Response Plan

Most insurers now require a documented incident response plan that includes:

• Defined roles and responsibilities
• Communication procedures (internal, client, regulatory)
• Containment and eradication steps
• Evidence preservation procedures
• Contact information for legal counsel, forensics providers, and the insurance carrier

Some policies require that the insured use the carrier’s approved incident response vendors, so review this requirement before an incident occurs.

Why insurers care: Businesses with documented, tested incident response plans contain breaches faster and incur lower total costs. The difference between a well-managed incident and a chaotic one can be hundreds of thousands of dollars in claim costs.

Privileged Access Management

Insurers increasingly ask about how administrative and privileged accounts are managed:

• Are admin accounts separate from daily-use accounts?
• Is privileged access limited to the minimum number of users necessary?
• Are privileged sessions monitored or logged?
• Is just-in-time access used for administrative tasks?

Why insurers care: Compromised admin accounts cause the most damaging breaches because they provide unrestricted access to systems and data. Controls around privileged access limit the blast radius of any single compromise.

How to Prepare for Your Renewal

If your cyber insurance renewal is approaching, start preparing now. The application process has become significantly more detailed, and insurers verify the accuracy of your responses. Misrepresenting your security posture on an application can result in claim denial.

Step 1: Review last year’s application. Look at the questions you answered and verify that your responses are still accurate. If you claimed to have MFA deployed on all remote access but have since added new systems without MFA, update your controls before the renewal.

Step 2: Conduct a gap assessment. Compare your current security controls against the common insurer requirements listed above. Identify gaps and prioritize remediation based on what insurers are most likely to require.

Step 3: Document everything. Insurers want evidence, not just assertions. Document your MFA deployment, EDR coverage, backup procedures, patch management process, and incident response plan. Having this documentation ready streamlines the application process and strengthens your position if you ever need to file a claim.

Step 4: Engage your IT provider. If you work with a managed IT or cybersecurity provider, involve them in the renewal process. They can provide technical documentation, help complete the application accurately, and identify controls that need to be implemented or improved.

Step 5: Shop the market. Cyber insurance pricing varies significantly between carriers. Work with a broker who specializes in cyber coverage and can present your application to multiple insurers. The security improvements you make to qualify for coverage often result in better rates from carriers that recognize the reduced risk.

The Business Case for Compliance

The security controls that insurers require are not arbitrary. They represent the minimum baseline that the insurance industry, which has more data on breach causes and costs than almost anyone, has determined is necessary to manage cyber risk effectively.

Implementing these controls does more than qualify you for insurance. It materially reduces your likelihood of experiencing a breach, limits the damage if one occurs, and demonstrates to clients and partners that you take security seriously.

JayTec Solutions helps businesses implement the security controls that cyber insurers require, from MFA deployment and EDR implementation to backup configuration and incident response planning. Whether you are preparing for a renewal, applying for coverage for the first time, or responding to an insurer’s requirements, a structured approach ensures you qualify for the coverage your business needs at the best available rates.

Cyber insurance is not a substitute for security. It is a complement to it. The businesses that invest in both are the ones best positioned to survive the threats ahead.