Cyber insurance requirements have tightened significantly. Here's what most policies now require — and how to make sure you qualify.
How the Cyber Insurance Landscape Has Changed
Just a few years ago, getting cyber insurance was relatively straightforward. Answer a short questionnaire, pay a modest premium, and receive coverage. That era is over. Following a wave of high-profile ransomware incidents and mounting insurer losses, underwriters have dramatically tightened their requirements. Policies that were easy to obtain in 2019 are now subject to rigorous technical scrutiny — and many businesses are discovering at renewal time that they no longer qualify for coverage, or that their premiums have increased substantially.
For small businesses, understanding what insurers now require isn't just important for getting coverage — it's a useful benchmark for the baseline security controls your organization should have in place regardless.
What Most Policies Now Require
Multi-Factor Authentication (MFA)
MFA is the single most commonly required control across cyber insurance applications. Most insurers now require it for email access, remote access (VPN, RDP), and administrative access to critical systems. Some policies require MFA for all user accounts without exception. Businesses that cannot demonstrate MFA deployment — or that have large numbers of exemptions — are increasingly being declined or offered reduced coverage at higher premiums.
This is a non-negotiable for virtually every insurer in today's market. If your organization doesn't have MFA enabled for Microsoft 365, remote access, and other critical applications, that must be addressed before you can obtain meaningful coverage.
Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient from an underwriting perspective. Insurers now ask specifically whether you're running an EDR solution — a more advanced endpoint security tool that monitors for behavioral anomalies rather than relying solely on known malware signatures. If you're still running basic antivirus (for example, Windows Defender in its default configuration without centralized management), you may face coverage limitations.
Offline, Tested Backups
Backup questions on insurance applications have become significantly more detailed. Insurers want to know whether you have offline or air-gapped backups (not accessible from your main network), how frequently backups run, and critically — whether you test your restore process. A backup that has never been tested is considered an unverified asset. Many applications now ask specifically about backup testing frequency.
Email Security and Anti-Phishing Controls
Given that phishing is the dominant attack vector, insurers are increasingly interested in the email security controls you have in place. This includes spam filtering, anti-phishing tools, and whether you have configured email authentication standards (SPF, DKIM, DMARC) for your domain. DMARC in particular, once set to an enforcing policy, instructs receiving mail servers to reject or quarantine messages that spoof your domain, so attackers cannot send phishing emails that appear to come from your organization.
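As an added example (not code from the article), here is a small Python checker that applies the criteria above to a domain's SPF and DMARC TXT records and reports the gaps an underwriter would flag. The records and the example.com domain are constructed inline; in real use they would come from DNS TXT lookups of the domain and its _dmarc subdomain.

```python
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value, or None if not DMARC."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+') or None."""
    if not txt.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    return (match.group(1) or "+") if match else None  # bare 'all' means '+all'

def assess_email_auth(records, domain):
    """Return a list of findings; an empty list means SPF and DMARC look enforcing."""
    findings = []
    qualifier = spf_all_qualifier(records.get(domain, ""))
    if qualifier is None:
        findings.append("SPF: no record")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF: '{qualifier}all' does not restrict senders")
    dmarc = parse_dmarc(records.get(f"_dmarc.{domain}", ""))
    if dmarc is None:
        findings.append("DMARC: no record")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors, does not block spoofing")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} leaves spoofed mail partly unfiltered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so no aggregate reports")
    return findings

if __name__ == "__main__":
    print(assess_email_auth(SAMPLE_RECORDS, "example.com") or "no findings")
```

An empty result only means the published records are enforcing; DKIM signing and alignment still have to be verified on the mail platform itself.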
Security Awareness Training
Employee training is appearing on more insurance applications as insurers recognize that the human element is a primary risk factor. Specifically, many now ask whether you conduct regular security awareness training and whether you run simulated phishing exercises. Companies that can demonstrate an active training program are viewed more favorably from an underwriting perspective.
Privileged Access Management
Insurers are increasingly asking about how administrative and privileged access is managed. Do administrators use separate accounts for privileged tasks? Are administrative accounts protected with MFA? Is remote desktop access restricted to necessary users only? These questions are designed to assess whether attackers who breach your environment would be able to quickly escalate privileges and cause widespread damage.
Incident Response Planning
Larger policies often ask whether you have a documented incident response plan. An incident response plan outlines what your organization will do in the first hours and days following a cyber incident — who to contact, how to contain the threat, how to communicate with stakeholders. Organizations with documented plans and practiced response procedures are demonstrably better positioned to limit losses.
The Application Process
Modern cyber insurance applications often include extensive technical questionnaires that go well beyond yes/no questions. Some insurers conduct external scans of your IT infrastructure as part of underwriting. Being able to substantiate your answers — and demonstrating that your controls are actively managed, not just nominally present — matters.
Working Backwards from Insurance Requirements
If you're uncertain where to start with your security program, cyber insurance requirements provide a reasonable baseline. Satisfying the requirements for a mid-market policy essentially means implementing the foundational controls that security professionals have recommended for years. Use the application process as a checklist — and address the gaps before you apply, rather than discovering them through a coverage denial.