Why US insurers scrutinise security controls
The US cyber insurance market is highly regulated: state-by-state breach notification laws, industry-specific compliance regimes (HIPAA, PCI DSS, NYDFS), and requirements that vary significantly by state and industry. Insurers have become highly selective because claim severity in the US is exceptionally high.
The average cost of a data breach in the US is $5.09 million, the highest in the world. Insurers are therefore extremely rigorous in underwriting. You don't need to be a Fortune 500 company, but you must demonstrate that you have the fundamentals in place.
Essential controls (required by virtually all US insurers)
These are table stakes in the US market. If you're missing any of these, expect a declined application or prohibitive premium penalties.
Multi-Factor Authentication (MFA)
This is the #1 requirement, without exception. No MFA = no coverage. MFA must be implemented on:
- All remote access (VPN, RDP, Citrix)
- Email accounts (especially admin and service accounts)
- Cloud platforms (Microsoft 365, AWS, Salesforce, Google Workspace)
- Admin consoles and privileged access
- Backup systems and recovery consoles
MFA implementation alone can reduce premiums by 15–25%. If you haven't deployed it, this is your first priority.
Endpoint Detection and Response (EDR)
Basic antivirus is no longer sufficient. US insurers now demand EDR: continuous monitoring, threat hunting, and response capabilities on all endpoints. Enterprise detection and response solutions like Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, or Fortinet are standard expectations even for mid-market firms.
Email security
Email remains the primary attack vector for ransomware and phishing. Insurers require:
- Spam filtering and advanced anti-phishing tools
- DMARC, DKIM, and SPF enforcement
- Secure email gateway or cloud-based protection (Microsoft Defender for Office 365, Proofpoint, Mimecast, etc.)
Backup and recovery procedures
Insurers mandate the 3-2-1 rule: 3 copies of your data, on 2 different media types, with at least 1 copy offsite and offline. Critical requirement: you must have tested and documented a restore from these backups. Untested backups don't count. Immutable or air-gapped backups score additional credit.
Patch management
A documented patching process is essential. Carriers expect critical patches deployed within 30 days (often faster for remotely exploitable vulnerabilities). Show your patch management policy and recent deployment schedule.
Security awareness training
Annual training is insufficient. Insurers expect regular, documented training at least quarterly. Bonus points for phishing simulations, tracking employee click-through rates, and remedial training for repeat offenders.
US-specific regulatory requirements
Beyond baseline controls, US carriers assess compliance with state and federal regulations:
State breach notification laws
All 50 states have data breach notification statutes. Insurers examine:
- Your breach response procedures and timeline
- Familiarity with specific state timelines (e.g., California requires notice "without unreasonable delay", New York requires "as soon as practicable")
- Your ability to handle notification costs (legal, forensics, credit monitoring)
California (CCPA/CPRA) compliance
If you handle California resident data, compliance with the California Consumer Privacy Act and Privacy Rights Act is mandatory. Insurers ask about:
- Data inventory and classification
- Consumer request processes (access, deletion, opt-out)
- Vendor contracts with data processing agreements
- Breach notification timeline (72 hours for sensitive data)
New York NYDFS cybersecurity requirements (23 NYCRR 500)
If you're a licensed financial services firm or serve NY customers, NYDFS rules apply. Insurers specifically ask about:
- Encryption of nonpublic information
- MFA on administrative access (required by rule)
- Incident notification timeline (72 hours)
- Cybersecurity policy and risk assessments
HIPAA compliance (healthcare)
Healthcare providers and business associates face strict requirements. Insurers demand documentation of:
- Technical safeguards: encryption, access controls, audit logging
- Administrative safeguards: workforce training, access reviews, incident response
- Physical safeguards: facility security, workstation security
- Business associate agreements with all vendors
- Breach notification procedures (60-day timeline)
PCI DSS compliance (payment processors & retailers)
Companies handling payment card data must comply with PCI DSS standards. Insurers require evidence of:
- Network segmentation (cardholder data isolated)
- Encryption of card data in transit and at rest
- Regular vulnerability scanning and penetration testing
- Access control and monitoring
- Compliance validation (SAQ, ROC, or P2PE)
Important controls (expected by most US carriers)
You're unlikely to be outright declined without these, but they're strongly expected and will significantly improve your premium.
Privileged Access Management (PAM)
Separate admin accounts from regular user accounts. Implement just-in-time (JIT) access so administrators don't stay logged in to privileged accounts all day. Log and audit all privileged access. This is a major control for US carriers.
Network segmentation
Don't put everything on a flat network. Separate IT from OT (operational technology), isolate critical systems, and restrict lateral movement. Network segmentation is critical for ransomware containment.
Incident response plan
You must have a documented incident response plan covering:
- Roles and responsibilities (incident commander, communications lead, containment team)
- Internal escalation and notification procedures
- External notifications (law enforcement, regulators, insurance carrier)
- Customer and stakeholder communication plans
- Recovery time objectives and estimated downtime
Best practice: test your plan annually via tabletop exercises.
Vulnerability scanning and assessment
Regular vulnerability scans (internal and external) are standard. Quarterly minimum. Many US insurers will run their own external scans during underwriting to verify your claims.
Encryption
Encrypt data in transit (TLS/SSL, VPN) and at rest (full-disk encryption on laptops, encrypted databases). This is especially critical for HIPAA and PCI DSS compliance.
Logging and monitoring
Collect logs from critical systems into a SIEM (Security Information and Event Management) platform or a simpler cloud-based log aggregation service. Retain logs for at least 90 days (1+ year preferred for forensics and compliance).
Advanced controls (significant premium reduction)
If you implement these, you'll qualify for better rates:
- 24/7 Security Operations Centre (SOC) or Managed Detection and Response (MDR): continuous monitoring and threat hunting
- Zero trust architecture: "never trust, always verify" approach to network access
- Third-party risk management: formal vendor assessment and monitoring programme
- Cyber risk quantification: quantify your cyber risk in financial terms
- Regular penetration testing: annual or biannual third-party assessments
- Data Loss Prevention (DLP): prevent sensitive data exfiltration
- Identity governance: regular access reviews and automated offboarding
What to expect during the US application process
Step 1: Preliminary proposal form
A detailed questionnaire covering your business, employees, revenue, industry, location(s), and security posture. Be honest and comprehensive. Understatement or misrepresentation will void your policy later.
Step 2: Supplemental applications
Depending on your industry and risk, expect targeted questions about:
- Ransomware-specific controls and prevention measures
- Regulatory compliance (HIPAA, NYDFS, state privacy laws)
- Payment card security (PCI DSS)
- Data breach history and incident response experience
- Business continuity and disaster recovery capabilities
Step 3: External vulnerability scan
Most US carriers will perform an external scan of your perimeter during underwriting. They're checking for:
- Exposed services and open ports
- Outdated or misconfigured SSL certificates
- Missing security headers
- Known vulnerabilities
Step 4: Underwriter interview (mid-market and enterprise)
Larger accounts typically receive a call with the underwriter to discuss your security programme in detail. Be prepared to discuss your controls, incident history, and risk management approach.
Timeline
- Small businesses: 1–3 weeks
- Mid-market: 4–8 weeks
- Enterprise: 8–12 weeks (especially regulated industries)
Common reasons for declined applications in the US
- No MFA in place
- No EDR deployed
- End-of-life software in production (e.g., Windows Server 2003)
- No evidence of backup testing or recovery procedures
- Previous data breaches not disclosed to insurers
- No security awareness training or documentation
- Flat network with no segmentation
- No incident response plan
- Multiple claims or incidents in the past 3 years
- Regulatory non-compliance (HIPAA violations, state privacy law breaches)
- Poor claims history with this or other carriers
Cyber insurance requirements checklist for the US
Below is your complete checklist for US underwriting. Use this to benchmark your current posture and plan improvements.
| Control | Description | Priority |
|---|---|---|
| Multi-factor authentication | MFA on all remote access, email, cloud services, admin accounts | Essential |
| Endpoint detection and response (EDR) | Advanced endpoint protection with continuous monitoring | Essential |
| Email security | DMARC/DKIM/SPF, anti-phishing, spam filtering | Essential |
| Backup and recovery (3-2-1) | Tested, documented backups with offline/immutable copy | Essential |
| Patch management | Critical patches within 30 days, documented process | Essential |
| Security awareness training | Quarterly+, documented, with phishing simulations | Essential |
| State breach notification readiness | Documented procedures for all 50 states | Important |
| Privileged access management (PAM) | Separate admin accounts, JIT access, logging | Important |
| Network segmentation | IT/OT separation, restrict lateral movement | Important |
| Incident response plan | Documented, tested annually via tabletop | Important |
| Vulnerability scanning | Internal and external scans (quarterly+) | Important |
| Encryption | Data at rest (disk, database) and in transit (TLS/VPN) | Important |
| Logging and monitoring | SIEM or log aggregation, 90+ day retention | Important |
| HIPAA compliance (if healthcare) | Technical, administrative, physical safeguards documented | Important |
| PCI DSS compliance (if payment processor) | Network segmentation, encryption, access controls | Important |
| NYDFS compliance (if serving NY) | Encryption, MFA, 72-hour breach notification | Important |
| 24/7 SOC or MDR | Continuous threat hunting and response | Advanced |
| Zero trust architecture | "Never trust, always verify" approach | Advanced |
| Penetration testing | Annual or biannual third-party assessments | Advanced |
| Third-party risk management | Vendor assessment and continuous monitoring | Advanced |
Next steps
Ready to apply for cyber insurance in the US? Get matched with a specialist broker who understands US regulatory requirements, state-specific considerations, and carrier expectations.
Last updated: April 2026