Wednesday, March 25, 2026
Cyber Insurance Is Tightening the Screws—and SMBs Are Feeling The Pressure

by Mike Minkler

For years, cyber insurance felt like a safety net. You paid the premium, answered a few questions, and hoped you’d never need it.
That era is over.

Today, cyber insurers are rewriting the rules—fast. Losses tied to ransomware and Business Email Compromise (BEC) have pushed carriers to tighten underwriting standards, raise premiums, and deny coverage to organizations that can’t demonstrate basic security controls.

Small and mid-sized businesses are no longer flying under the radar.

Cyber Insurance Is No Longer Automatic
Cyber insurance providers are no longer selling “trust-based” policies. Coverage now depends on an organization’s ability to prove that security controls are in place and enforced.

Applications and renewals increasingly include detailed technical questionnaires, and many carriers reserve the right to deny claims if post-incident investigations reveal gaps between what was reported and what actually existed.

In practical terms, cyber insurance has become a compliance exercise. Organizations that fall short may face higher premiums, reduced coverage limits, larger deductibles, or outright declinations.

The Controls Insurers Expect to See
While requirements vary by carrier, several baseline controls now appear consistently across policies.

1. Multi-Factor Authentication (MFA) on Critical Systems
Email, financial platforms, administrative portals, and remote access systems are all expected to be protected with MFA. Password-only access is no longer considered acceptable risk.
For insurers, MFA is often the single most effective control for reducing ransomware and BEC-related losses.

2. Endpoint Detection and Email Security
Traditional antivirus tools are no longer sufficient for insurance purposes. Insurers increasingly expect Endpoint Detection and Response (EDR) solutions that provide real-time visibility and rapid threat containment.
Email security is equally critical. Because many insurance claims originate from phishing or email-based fraud, layered email protection is now considered a baseline underwriting requirement. Without it, insurers may limit coverage or impose higher deductibles for social engineering losses.

3. Backups Must Be Structured—and Verified
Insurers are no longer satisfied with a simple “yes” to the question, “Do you have backups?”

They now expect a documented 3-2-1 backup strategy, off-network or immutable copies, and regular testing to verify recoverability. This expectation increasingly includes cloud and SaaS platforms such as Microsoft 365.
Without tested backups, ransomware claims are far more likely to be challenged.
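The 3-2-1 check and the restore test described above, as an added example that is not part of the original article or of CMIT Solutions' tooling. It assumes a small backup inventory (constructed here) describing each copy's medium, location, immutability and the age of its last successful restore test, and it simulates a restore by re-hashing restored bytes against a manifest digest recorded at backup time. Field names, role of each copy and the sample data are all assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the backup set (constructed schema for this example)."""
    name: str
    medium: str                # storage medium, e.g. "local-disk", "cloud-object", "tape"
    offsite: bool              # kept at a different physical location or region
    immutable: bool            # write-once / retention-locked, so malware cannot alter it
    reachable_from_lan: bool   # True if production hosts can write to it directly
    days_since_restore_test: int


# Constructed inventory for demonstration only; not a real environment
SAMPLE_INVENTORY = [
    BackupCopy("primary-nas", "local-disk", False, False, True, 3),
    BackupCopy("m365-export", "cloud-object", True, True, False, 10),
    BackupCopy("monthly-tape", "tape", True, True, False, 120),
]


def check_321(copies, max_test_age_days=30):
    """Evaluate a backup inventory against the 3-2-1 rule plus the off-network/immutable
    and tested-restore expectations. Returns a list of findings; empty means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"copy count is {len(copies)}; 3-2-1 requires at least 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies share one medium; 3-2-1 requires at least 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    # Ransomware on the production network must not be able to reach every copy
    if not any(c.immutable or not c.reachable_from_lan for c in copies):
        findings.append("no immutable or off-network copy; every copy is reachable from the LAN")
    stale = [c.name for c in copies if c.days_since_restore_test > max_test_age_days]
    if stale:
        findings.append(f"restore test older than {max_test_age_days} days: {', '.join(stale)}")
    return findings


def make_backup(data: bytes):
    """Simulate taking a backup: keep the bytes and a SHA-256 manifest digest."""
    return {"blob": data, "sha256": hashlib.sha256(data).hexdigest()}


def verify_restore(backup) -> bool:
    """Simulate a restore test: re-hash the restored bytes and compare with the manifest.
    A mismatch means the copy is corrupt or altered and would not satisfy a recoverability test."""
    return hashlib.sha256(backup["blob"]).hexdigest() == backup["sha256"]


if __name__ == "__main__":
    for finding in check_321(SAMPLE_INVENTORY) or ["inventory meets policy"]:
        print(finding)
    sample = make_backup(b"constructed file contents")
    print("restore verified:", verify_restore(sample))
```

Run against the constructed inventory, the only finding is the tape copy whose last restore test is 120 days old; the point is that "we have backups" is answered by evidence (age of the last verified restore, presence of an immutable or off-network copy), which is also what an adjuster will look for after a ransomware claim.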

4. Incident Response Planning Is Becoming a Requirement
When an incident occurs, insurers want evidence that the organization knows how to respond.

A concise incident response plan should define who is contacted first, who has decision-making authority, and when legal and insurance partners are engaged. The plan must be accessible and understood—not buried in a document no one remembers exists.

5. Zero Trust Principles Are Entering Insurance Language
Zero Trust is no longer just a framework—it’s becoming an underwriting expectation.

This includes least privilege access, conditional access policies, regular user access reviews, and improved network visibility. Broad, unchecked access is increasingly viewed as unnecessary risk.
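A user access review of the kind sections 1 and 5 describe, as an added example that is not part of the original article or of any vendor's product. It assumes an account export (constructed here) listing each account's roles, MFA status, remote-access entitlement and last login, and flags the gaps an underwriter's questionnaire asks about: critical roles without MFA, remote access without MFA, and privileged or ordinary accounts that have gone idle. The role names, thresholds and sample users are assumptions for illustration.

```python
from datetime import date

# Constructed account export (hypothetical users; not from any real directory)
SAMPLE_ACCOUNTS = [
    {"user": "alice", "roles": ["global-admin"], "mfa": True,
     "remote_access": True, "last_login": "2026-03-20"},
    {"user": "bob", "roles": ["finance"], "mfa": False,
     "remote_access": False, "last_login": "2026-03-18"},
    {"user": "carol", "roles": ["helpdesk", "global-admin"], "mfa": True,
     "remote_access": True, "last_login": "2025-11-01"},
    {"user": "svc-backup", "roles": ["backup-operator"], "mfa": False,
     "remote_access": False, "last_login": "2026-03-24"},
    {"user": "dave", "roles": ["sales"], "mfa": False,
     "remote_access": True, "last_login": "2026-03-23"},
]

# Roles that touch email administration, finance or backups: the systems
# insurers expect MFA on (assumed role names for this example)
CRITICAL_ROLES = {"global-admin", "finance", "backup-operator"}


def review_accounts(accounts, today, stale_days=90):
    """Apply the review rules and return {user: [issue, ...]} for non-compliant accounts.

    Rules:
      no-mfa-critical-role   account holds a critical role but has no MFA
      no-mfa-remote-access   account can connect remotely (VPN/RDP) without MFA
      stale-account          no login for more than stale_days; candidate for removal
    """
    findings = {}
    for acct in accounts:
        issues = []
        if set(acct["roles"]) & CRITICAL_ROLES and not acct["mfa"]:
            issues.append("no-mfa-critical-role")
        if acct["remote_access"] and not acct["mfa"]:
            issues.append("no-mfa-remote-access")
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > stale_days:
            issues.append("stale-account")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_ACCOUNTS, date.today()).items():
        print(f"{user}: {', '.join(issues)}")
```

The output is a short list of named accounts with named gaps, which is the form a quarterly access review should take: the finance user and the backup service account lack MFA on a critical role, the sales user has remote access without MFA, and the second global admin has not signed in for months and should be disabled or have the role removed under least privilege.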

The Bottom Line: Insurability Is Now a Security Outcome
The good news is that the controls insurers require are the same ones that materially reduce real-world incidents.

Strong authentication. Endpoint visibility. Verified backups. Clear response plans.

These are no longer optional. They are the baseline for remaining insurable—and resilient—in today’s threat landscape.

Mike Minkler is a Founding Partner at CMIT Solutions St. Louis, a Managed IT Service Provider. Contact Mike at 314.628.0811 or visit www.cmitstl.com.
