Cyber Insurance Requirements: What You Need to Qualify

Insurers won't just hand you a policy — they need to see that you take security seriously. Here's exactly what they look for.


Why insurers scrutinise your security controls

Cyber insurance isn't just about paying out when things go wrong. Insurers are betting their money on your ability to prevent breaches in the first place. A business with zero security controls looks like a very expensive claim waiting to happen. That's why the underwriting process has become more rigorous over the past few years.

The good news: you don't need to be a Fortune 500 company with a dedicated security team. You just need to demonstrate that you've got the fundamentals in place.

Essential controls (required by virtually all insurers)

These are table stakes. If you're missing any of these, expect a declined application or a massive premium penalty.

Multi-Factor Authentication (MFA)

This is the #1 requirement. No MFA means no coverage (or coverage so expensive it's worthless). Insurers want MFA on:

- Remote access: VPN, remote desktop gateways, and any other way in from outside the network
- Email, including webmail and mobile mail clients
- Administrative and other privileged accounts, on-premises and in the cloud
- Cloud services and SaaS applications that hold business data (e.g. Microsoft 365, Google Workspace)

Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys), or at least app-based push with number matching, over SMS codes, which can be intercepted through SIM swapping. This alone can reduce your premiums by 15-25%. If you've been putting it off, make this your first priority.

Endpoint Detection and Response (EDR)

Gone are the days when basic antivirus was enough. Insurers now expect EDR — continuous monitoring and response on all endpoints (laptops, desktops, servers). This means real-time threat detection, not just signature-based AV.

Solutions like Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne are standard expectations for SMB to mid-market businesses.

Email security

Ransomware and phishing come through email. You need:

- Spam and malware filtering in front of the mailbox
- Anti-phishing protection: link rewriting and scanning, and attachment sandboxing
- SPF, DKIM and DMARC on every domain you send from, with DMARC at p=quarantine or p=reject; a record at p=none only monitors and does not stop anyone spoofing your domain
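The DMARC and SPF checks above are what an underwriter's questionnaire (and their external scan) actually probes, so it is worth checking your own records the same way. The following is an added example, not code from the original page: it assesses SPF and DMARC record strings against the usual bar (enforcing DMARC policy, SPF ending in -all or ~all, no +all, under the RFC 7208 lookup limit). The records are constructed samples; in practice you would pass in the TXT records for your domain and for _dmarc.<domain>.

```python
"""Check SPF and DMARC records for the weaknesses insurer questionnaires probe.

Added example, not code from the original page. The records below are
constructed samples; in practice you would pull the TXT records for your
domain and for _dmarc.<domain> from DNS and pass them in.
"""
import re

# Terms that cost a DNS lookup under RFC 7208 (the limit is 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' record (DMARC syntax) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it is acceptable."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    findings = []
    last = terms[-1] if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' lets any host on the internet send as your domain")
    elif last == "?all":
        findings.append("'?all' is neutral and gives receivers no signal to act on")
    elif last not in ("-all", "~all"):
        findings.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceeds the RFC 7208 limit of 10 (permerror)")
    if any(t.lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("'ptr' mechanism is deprecated; replace with ip4/ip6/include")
    return findings


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means enforcement is on."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none only monitors; insurers expect p=quarantine or p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} leaves part of the mail flow unenforced")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports about spoofing")
    return findings


# Constructed sample records (not any real domain's records).
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr +all"
GOOD_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, rec, check in [("weak SPF", WEAK_SPF, assess_spf),
                              ("good SPF", GOOD_SPF, assess_spf),
                              ("weak DMARC", WEAK_DMARC, assess_dmarc),
                              ("good DMARC", GOOD_DMARC, assess_dmarc)]:
        print(f"{label}: {check(rec) or 'no findings'}")
```

The weak pair is the shape most commonly found on small-business domains: an SPF record that ends in +all (which authorises everyone) and a DMARC record left at p=none after a monitoring phase that never ended. Moving to p=reject is safe only once the aggregate reports (rua=) show that all legitimate senders pass SPF or DKIM.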

Backup and recovery

Insurers want the 3-2-1 rule: 3 copies of your data, on 2 different media types, with 1 copy offsite. Increasingly they also want that offsite copy to be offline or immutable, because ransomware crews go after backup servers and backup consoles (usually with the same stolen admin credentials) before they encrypt production. And here's the critical bit: you must have tested a restore from these backups, and be able to show when you did it, what you restored, and how long it took. Backups that have never been tested are backups that won't work when you need them.

Immutable or air-gapped backups score extra points.
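What "tested restore" means in practice is a drill that restores into a scratch location and verifies the restored files against hashes taken at backup time, producing a dated record. The following is an added example, not code from the original page or any backup product: it backs up a small constructed data set in a temporary directory, restores it, verifies every file by SHA-256, and also shows what the record looks like when the archive is damaged (simulated here by truncating it). In production you would point make_backup at the real source and restore into a location that is never the live system.

```python
"""Restore test with hash verification: the evidence insurers ask for when they
say 'tested restore'. Added example, not from the original page. It builds a
small constructed data set in a temporary directory so it runs offline.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of source and return the manifest hashed at backup time.
    Store the manifest apart from the archive (ideally signed); otherwise a
    tampered backup could simply carry a matching tampered manifest."""
    manifest = sha256_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore into a clean directory and compare every file against the manifest.
    Returns an evidence record you can attach to the insurance application."""
    record = {"tested_at": datetime.now(timezone.utc).isoformat(),
              "archive": str(archive), "files_expected": len(manifest)}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuses path traversal
            except TypeError:  # Python builds that predate the filter argument
                tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        record.update(error=f"{type(exc).__name__}: {exc}", passed=False)
        return record
    restored = sha256_tree(restore_dir)
    record["missing"] = sorted(set(manifest) - set(restored))
    record["corrupted"] = sorted(k for k in manifest
                                 if k in restored and restored[k] != manifest[k])
    record["passed"] = not record["missing"] and not record["corrupted"]
    return record


def run_restore_test(corrupt_archive: bool = False) -> dict:
    """End-to-end drill on constructed data. corrupt_archive=True truncates the
    archive after backup, so the test shows a damaged backup being reported."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2026-01-01,100\n")
        (source / "notes.bin").write_bytes(os.urandom(4096))  # constructed sample file
        archive = base / "backup.tar.gz"
        manifest = make_backup(source, archive)
        if corrupt_archive:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        restore_dir = base / "restore"
        restore_dir.mkdir()
        return restore_and_verify(archive, manifest, restore_dir)


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
    print(json.dumps(run_restore_test(corrupt_archive=True), indent=2))
```

Keep the JSON record from each drill: a dated, file-counted result is far more persuasive to an underwriter than "we test restores regularly". The truncation case is the one that matters; a backup job that reports success while writing a corrupt archive is exactly the failure that an untested backup hides.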

Patch management

You need a documented process for patching. The standard expectation: critical patches deployed within 30 days of release, often faster for remotely exploitable vulnerabilities, especially on internet-facing devices such as VPN gateways and firewalls, which is precisely what the insurer's external scan will see. Show your policy, your patch schedule, and evidence that you measure yourself against it.
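"Evidence that you measure yourself against it" means a report of open findings against the SLA, not just the policy document. The following is an added example, not code from the original page: it classifies vulnerability findings against a tiered SLA and computes the compliance figures an underwriter asks for. Only the 30-day critical window comes from the page; the 14-, 60- and 90-day tiers are assumed values for illustration, and the findings, hosts and identifiers are constructed (no real vulnerabilities).

```python
"""Measure vulnerability findings against a tiered patch SLA.

Added example, not from the original page. The 30-day window for critical
patches is the page's figure; the other tiers are assumptions for
illustration. The sample findings are constructed, not real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Days allowed from detection to deployment, keyed by (severity, remotely exploitable).
SLA_DAYS = {
    ("critical", True): 14,   # assumed: "often faster" for remotely exploitable
    ("critical", False): 30,  # from the page
    ("high", True): 30,       # assumed
    ("high", False): 60,      # assumed
}
DEFAULT_SLA_DAYS = 90         # assumed for medium and low


@dataclass
class Finding:
    finding_id: str
    host: str
    severity: str                    # "critical", "high", "medium" or "low"
    remotely_exploitable: bool
    detected: date
    patched: Optional[date] = None   # None while the finding is still open


def sla_for(f: Finding) -> int:
    return SLA_DAYS.get((f.severity.lower(), f.remotely_exploitable), DEFAULT_SLA_DAYS)


def evaluate(findings: list, today: date) -> dict:
    """Classify each finding as ok (closed inside SLA), closed_late, overdue
    (still open past SLA) or open_within_sla, and compute the compliance rate
    over closed findings."""
    rows = []
    for f in findings:
        days_open = ((f.patched or today) - f.detected).days
        sla = sla_for(f)
        if f.patched is None:
            status = "overdue" if days_open > sla else "open_within_sla"
        else:
            status = "ok" if days_open <= sla else "closed_late"
        rows.append({"id": f.finding_id, "host": f.host, "status": status,
                     "days_open": days_open, "sla_days": sla,
                     "overdue_by": max(0, days_open - sla)})
    closed = [r for r in rows if r["status"] in ("ok", "closed_late")]
    on_time = sum(r["status"] == "ok" for r in closed)
    return {
        "as_of": today.isoformat(),
        "rows": rows,
        "overdue": [r for r in rows if r["status"] == "overdue"],
        "closed_within_sla_pct": round(100 * on_time / len(closed), 1) if closed else None,
    }


# Constructed sample findings; hosts and ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("F-1", "vpn-gw01", "critical", True, date(2026, 1, 10)),
    Finding("F-2", "web01", "critical", True, date(2026, 2, 5), date(2026, 2, 12)),
    Finding("F-3", "hr-laptop-07", "high", False, date(2025, 12, 1)),
    Finding("F-4", "db01", "critical", False, date(2026, 1, 25)),
    Finding("F-5", "print01", "medium", False, date(2025, 10, 1), date(2026, 1, 20)),
]
AS_OF = date(2026, 2, 15)

if __name__ == "__main__":
    report = evaluate(SAMPLE_FINDINGS, AS_OF)
    for row in report["rows"]:
        print(f"{row['id']:4} {row['host']:14} {row['status']:16} "
              f"{row['days_open']:3}d open, SLA {row['sla_days']}d, overdue by {row['overdue_by']}d")
    print("closed within SLA:", report["closed_within_sla_pct"], "%")
```

The overdue list is what to fix before applying; the internet-facing VPN gateway that is three weeks past its 14-day window is the kind of item an external scan turns up, and the application will be read against that scan.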

Security awareness training

Annual training isn't enough. Insurers expect regular training (at least quarterly) with documented attendance. Bonus points for phishing simulations and tracking which employees fall for them.

Important controls (expected by most insurers)

You're unlikely to be flat-out denied without these, but they're strongly expected and will improve your premium.

Privileged Access Management (PAM)

Separate admin accounts from regular user accounts. Implement just-in-time (JIT) access — admins don't stay logged in to privileged accounts all day. Log and monitor all privileged access.

Network segmentation

Don't put everything on the same flat network. Separate your IT network from OT (operational technology), isolate critical systems, and limit lateral movement. Segmentation makes ransomware containment faster and cheaper.

Incident response plan

You need a documented plan (not just in someone's head) that covers:

Ideally, test it annually via tabletop exercises.

Vulnerability scanning

Regular scans of your external perimeter and internal network. Quarterly minimum. Insurers may even run their own external scans during underwriting.

Encryption

Data in transit (TLS; SSL and early TLS versions are obsolete and should be disabled) and at rest. Full-disk encryption on laptops (BitLocker, FileVault) with recovery keys escrowed centrally. Encrypt sensitive databases.

Logging and monitoring

Collect logs from critical systems into a central store that an attacker on a compromised host cannot wipe. A SIEM (Security Information and Event Management) or a simpler alternative like cloud-based log aggregation is fine. Retain logs for at least 90 days (preferably 1 year); many intrusions are discovered months after the initial access, and without the logs from that period the forensic investigation, and the claim, gets harder.

Advanced controls (reduce premiums significantly)

If you've got these, you'll qualify for better rates:

- 24/7 SOC or MDR (managed detection and response)
- Zero trust architecture
- Third-party risk management
- Cyber risk quantification
- Annual or biannual third-party penetration testing
- Data loss prevention
- Identity governance: regular access reviews and automated offboarding

What happens during the application process

Expect this timeline:

Step 1: Proposal form

A questionnaire about your business, industry, revenue, number of employees, and security posture. Be honest. Overstating your controls (or ticking "yes" to a question you don't fully understand) can give the insurer grounds to void the policy or deny a claim later; underselling them only costs you premium.

Step 2: Supplemental applications

Depending on your industry and risk profile, you may get asked about ransomware-specific measures, privacy compliance, payment card security, or healthcare regulations.

Step 3: External scan

Insurers often scan your perimeter to confirm your claims. They're looking for exposed services (RDP, SMB, database ports, unauthenticated admin interfaces), expired or weak TLS certificates, and missing security headers. Run the same checks yourself before you apply: an exposed RDP port sitting next to a "yes" against "MFA on all remote access" is a fast route to a decline.
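The following is an added example, not code from the original page, and it shows what a practitioner can check before the insurer does, not how any particular insurer scans. It assesses the security headers of a response and the remaining validity of a certificate. assess_headers and cert_window work on data passed in, so they run offline on the constructed sample responses below; fetch_live makes a real TLS connection to a host you name and feeds the same functions.

```python
"""Pre-application check of one HTTPS endpoint: security headers and certificate
expiry. Added example, not from the original page. The sample header maps are
constructed, not captured from any real site.
"""
import http.client
import socket
import ssl
from datetime import datetime, timezone

# Headers scanners commonly look for, with the reason each matters.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS on returning browsers",
    "content-security-policy": "restricts where scripts and resources may load from",
    "x-content-type-options": "stops MIME sniffing (value should be 'nosniff')",
    "x-frame-options": "clickjacking protection (CSP frame-ancestors also counts)",
    "referrer-policy": "limits URL leakage to third parties",
}
MIN_HSTS_MAX_AGE = 15552000  # 180 days, a common minimum for HSTS


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                return int(d[len("max-age="):])
            except ValueError:
                return 0
    return 0


def assess_headers(headers: dict) -> list:
    """Return findings for a response header map; an empty list means nothing to fix."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in EXPECTED_HEADERS.items():
        if name in h:
            continue
        if name == "x-frame-options" and "frame-ancestors" in h.get("content-security-policy", ""):
            continue
        findings.append(f"missing {name} ({why})")
    if "strict-transport-security" in h and hsts_max_age(h["strict-transport-security"]) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age is below 180 days")
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("x-content-type-options should be 'nosniff'")
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header leaks a version string: {server}")
    return findings


def cert_window(not_after: datetime, now: datetime, warn_days: int = 30) -> str:
    """Describe the certificate's remaining validity the way a scanner reports it."""
    days = (not_after - now).days
    if days < 0:
        return f"EXPIRED {-days} days ago"
    if days < warn_days:
        return f"expires in {days} days; renew now"
    return f"ok ({days} days remaining)"


def fetch_live(host: str, port: int = 443, timeout: float = 5.0):
    """Fetch the response headers and certificate expiry of a real endpoint."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        headers = dict(conn.getresponse().getheaders())
    finally:
        conn.close()
    return headers, not_after


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}
GOOD_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("weak:", assess_headers(WEAK_HEADERS))
    print("good:", assess_headers(GOOD_HEADERS) or "no findings")
    print("cert:", cert_window(datetime(2026, 3, 1, tzinfo=timezone.utc), now))
```

Usage against a live host would be headers, not_after = fetch_live("www.example.com") followed by assess_headers(headers) and cert_window(not_after, datetime.now(timezone.utc)). Run it against every hostname the insurer can find for you, not just the main site; forgotten subdomains are where the expired certificates and version-leaking Server headers live.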

Step 4: Underwriter call (for larger accounts)

Mid-market and enterprise accounts often get a phone call with underwriting. Be prepared to discuss your security programme in detail.

Timeline

Common reasons for declined applications

Cyber insurance requirements checklist

Below is a summary of what you need. Use this to benchmark your current state and plan improvements.

Control | Description | Priority
Multi-factor authentication | MFA on remote access, email, admin accounts, cloud services | Essential
Endpoint detection and response | EDR (not just AV) on all endpoints | Essential
Email security | Spam filtering, anti-phishing, DMARC/DKIM/SPF | Essential
Backup and recovery | 3-2-1 rule with tested restores, offline/immutable backup | Essential
Patch management | Critical patches within 30 days, documented process | Essential
Security awareness training | Regular (quarterly+), documented, with phishing simulations | Essential
Privileged access management | Separate admin accounts, JIT access, logging | Important
Network segmentation | Separate IT/OT, limit lateral movement | Important
Incident response plan | Documented, tested annually via tabletop | Important
Vulnerability scanning | Regular internal and external scans (quarterly+) | Important
Encryption | Data at rest and in transit | Important
Logging and monitoring | SIEM or log aggregation, 90+ day retention | Important
24/7 SOC or MDR | Continuous threat hunting and response | Advanced
Zero trust architecture | "Never trust, always verify" approach | Advanced
Third-party risk management | Formal vendor assessment and monitoring | Advanced
Cyber risk quantification | Financial quantification of risk | Advanced
Penetration testing | Annual or biannual third-party pen tests | Advanced
Data loss prevention | Prevent sensitive data exfiltration | Advanced
Identity governance | Regular access reviews, automated offboarding | Advanced

Next steps

Got questions? Get matched with a specialist cyber insurance broker who can assess your controls, recommend improvements, and find you the best coverage at the right price.


Last updated: March 2026