Cyber Insurance Requirements: What Insurers Now Demand Before They Write a Policy
Underwriters stopped taking IT security posture on faith. Here is what the questionnaire actually checks, and the hardware and software that gets an organization to "yes."
By Uniqcli Team · · 6 min read

Compliance
Cyber insurance requirements are now a technical audit, not a form
Five years ago, a cyber insurance application was a one-page attestation: check a few boxes, sign, bind coverage. That era is over. Premiums have climbed sharply and carriers have tightened underwriting in response to a steady run of ransomware payouts, and the application itself has turned into a technical control review. Insurers now ask specific, verifiable questions about multi-factor authentication coverage, endpoint detection, backup architecture, and patch cadence — and a wrong or unverifiable answer can mean a declined policy, a sublimit on ransomware payouts, or a claim denial after an incident. This guide maps the questions on a typical underwriting questionnaire to the IT controls behind them, so a buyer preparing for renewal or a first policy knows what to have in place before the broker calls. None of this is legal or insurance advice — it is a technical readiness checklist to bring into that conversation.
Why underwriting got stricter
Ransomware claims are concentrated in a small number of root causes: exposed remote access without MFA, unpatched internet-facing software, and backups that were reachable — and therefore encrypted — by the same attacker who hit production. Carriers that paid out on those claims now underwrite specifically against them, because the controls that prevent the loss are cheaper for everyone than the claim.
The practical effect is that questionnaires have gone from broad ('do you have a firewall?') to specific and falsifiable ('is MFA enforced on all remote access, including VPN and RDP, for 100% of users?'). Some carriers now run external scans of an applicant's public IP ranges before quoting, checking for open RDP, expired certificates, and known-vulnerable software versions — independent of what the questionnaire says.
That shift matters for procurement because the gap between 'we have a security tool' and 'we have it deployed everywhere, configured correctly, and can show it' is where claims get denied. Insurers increasingly reserve the right to deny or reduce a payout if the incident exploited a control the applicant attested to having but hadn't actually deployed.
What the questionnaire actually checks
Multi-factor authentication everywhere is the single most consistent requirement across carriers — not just for email and VPN, but for privileged accounts, remote desktop, and any cloud admin console. Partial MFA coverage is a common reason applications get kicked back for revision rather than approved with a caveat.
Endpoint detection and response (EDR) with active monitoring, not legacy signature-based antivirus, is the second near-universal ask. Carriers distinguish between a tool that's installed and one that's monitored 24/7 by a SOC or managed detection service, because an EDR alert nobody reads doesn't stop an intrusion.
Backup architecture gets its own line of questions: are backups immutable or air-gapped, tested for restore on a schedule, and isolated from the credentials that manage production? A backup an attacker with domain admin can also delete or encrypt does not satisfy this control even if it exists.
Patch and vulnerability management rounds out the core four: a defined cadence for critical patches (commonly 30 days or less for internet-facing systems, 90 for internal), plus evidence of a vulnerability scanning program. Email filtering, security awareness training, and an incident response plan with a named point of contact are frequently required but weighted less heavily than the top four.
Translating requirements into a hardware and software checklist
Most of these controls trace back to specific, purchasable infrastructure rather than policy alone. MFA everywhere means hardware security keys or an authenticator app tied to identity management, plus a VPN or SASE gateway that enforces it at the network edge rather than relying on individual application settings.
EDR with monitoring means endpoint agents deployed across every workstation, server, and virtual machine — not just the subset an org remembers to license — paired with either an in-house SOC or a managed detection and response contract that reads alerts around the clock.
Immutable backup means storage that supports write-once-read-many (WORM) retention or an air-gapped replication target, sized for the retention window the carrier expects (commonly 30-90 days minimum), separate from the domain credentials used in daily operations.
Patch cadence means centralized patch management tooling with reporting, not manual per-device updates, plus network segmentation so a compromised endpoint can't reach backup infrastructure or domain controllers directly. Uniqcli sources and stages this stack — endpoints, gateways, backup appliances, segmentation hardware — screened for supply-chain provenance, and helps an IT team assemble the specific configuration a given questionnaire is asking about.
Where organizations get caught out at renewal
Renewal, not the first application, is where gaps surface most often. An organization grows, adds a branch office or acquires another entity, and the new endpoints never get the EDR agent or MFA enforcement the original policy was underwritten against. The questionnaire asks for current coverage percentage, and 87% is a materially different answer than 100%.
The other common gap is documentation. Carriers increasingly ask for evidence — screenshots of MFA enforcement policies, backup test logs, patch compliance reports — not just a yes/no attestation. An IT team that has the controls but no record of them is functionally in the same position at claim time as one that never had the controls at all.
Cyber insurance readiness checklist
What underwriters typically verify before binding or renewing a policy.
- MFA enforced on 100% of remote access, VPN, and privileged accounts
- EDR deployed on every endpoint and server, with active 24/7 monitoring
- Backups immutable or air-gapped, isolated from production credentials
- Backup restores tested on a documented, recurring schedule
- Critical patches applied within a defined window (commonly 30 days)
- Network segmentation isolating backup and domain infrastructure
- Email filtering and phishing-resistant authentication in place
- Written incident response plan with a named internal contact
- Security awareness training completed on a recurring cadence
- Documentation and logs available as evidence, not just attestation
Frequently asked
What are the minimum cyber insurance requirements for MFA?
Most carriers now require MFA on all remote access (VPN, RDP), all privileged/admin accounts, and cloud administrative consoles, not just email. Partial deployment — MFA on email but not VPN, for example — is a common reason applications are returned for revision rather than approved.
Do cyber insurers require EDR or is antivirus enough?
Signature-based antivirus alone rarely satisfies current underwriting. Carriers ask for endpoint detection and response (EDR) with active monitoring — either an internal SOC or a managed detection and response service — because unmonitored alerts don't prevent an intrusion from progressing.
What backup setup satisfies cyber insurance requirements?
Backups need to be immutable or air-gapped and isolated from the credentials used to manage production systems, so an attacker with domain access can't also delete or encrypt them. Carriers commonly also ask for evidence of scheduled restore testing, not just that backups run.
Can a cyber insurance claim be denied over missing IT controls?
Yes. If an incident exploited a control the application attested to having — MFA, EDR, isolated backups — but that control wasn't actually deployed or was only partially deployed, carriers can deny or reduce the payout. This is why documentation and evidence matter as much as the tools themselves.
How often do cyber insurance requirements get reassessed?
At every renewal, typically annually, and coverage gaps most often appear here rather than at initial signup — new offices, acquisitions, or growth that outpaces control rollout can drop an organization from full to partial compliance without anyone noticing until the questionnaire asks.
Related resources
Go deeper
Cybersecurity capabilities
How Uniqcli sources and stages the endpoint, network, and monitoring stack behind these controls.
Learn moreSecurity & continuity solutions
Segmentation, backup architecture, and resilience planning for organizations closing insurer gaps.
Learn moreBrowse the catalog
Endpoint security, backup appliances, and network hardware sourced and screened for procurement.
Learn moreClose the gaps before your next renewal
Get a quote on the endpoint, backup, and network hardware your cyber insurance questionnaire is asking about.