Getting cyber insurance is smart, but insurers are now checking that you have basic security controls in place. Here is what they are looking for and how to prepare.
Why Insurers Are Getting Stricter
Cyber insurance premiums have become less affordable, and underwriters are responding by demanding proof that businesses have fundamental security measures in place. If you are a small business in New York thinking about cyber coverage, you need to understand that just having insurance is not enough - you need to demonstrate that you are actively protecting your data.
This shift means that getting a policy approved often requires documented evidence of your security practices. Without it, you could face higher premiums, limited coverage, or even a denial.
The Non-Negotiable Controls
Most insurers now require documentation that your business has implemented multi-factor authentication (MFA) on critical accounts, especially email and cloud services like Microsoft 365. They want to see that your staff has received security awareness training within the past year. They also expect you to have a password policy in place, regular backup and disaster recovery testing, and endpoint protection running on all devices.
Beyond technical controls, insurers are looking for a written incident response plan. This does not need to be elaborate - it just needs to outline how your team would respond to a breach, who the key contacts are, and what you would do in the first 24 hours.
How to Build Your Compliance Portfolio
Start by documenting what security measures you already have. Create a spreadsheet listing which employees have MFA enabled, when your last security training happened, and which systems have backups configured. Take screenshots of your backup confirmations and security software dashboard.
For your incident response plan, write a simple one-page document covering: who to contact if there is a breach (including your IT provider), how you will preserve evidence, how you will communicate with affected customers, and your reporting timeline. Have this ready before you approach insurers - it shows you are serious about preparedness.