Most organizations approach cyber insurance the same way they approach a pop quiz. They answer the questions as best they can and hope for the best. That approach is getting more expensive by the year. Over 40 percent of businesses that file a claim after an incident receive no payout.[2] The gap between having a security control and being able to prove that control was fully enforced is where most claims get denied.
How to Use This Checklist
Work through each section with your IT team or managed service provider before your next application or renewal. For every control listed, the goal is not just to confirm it exists — it is to confirm you have documentation proving it was fully enforced at the time of any incident. That distinction is where coverage gets made or broken.
Control Area 1: Multi-Factor Authentication
MFA has become the single most important factor in cyber insurance underwriting. 99 percent of applications now include specific questions about MFA implementation.[3] 82 percent of denied claims involve organizations that lacked properly implemented MFA.[4]
- MFA enforced on all email accounts, not just some
- MFA enforced on all remote access and VPN connections
- MFA enforced on all cloud platforms and administrative accounts
- Documentation showing enforcement is active across all systems — not just available as an option
- Evidence that MFA cannot be bypassed by any user or administrator
Carriers do not ask whether MFA has been purchased or is available. They ask whether it is enforced everywhere it is required. One executive with MFA disabled for convenience is a claim denial waiting to happen.
Control Area 2: Endpoint Detection and Response
Traditional antivirus is no longer an acceptable baseline. Carriers now require EDR tools that monitor behavior in real time and can isolate a compromised device before an attacker moves laterally. Ransomware was linked to 75 percent of system-intrusion breaches in 2025.[5]
- EDR deployed on every endpoint, not just managed machines
- EDR actively monitored, not just installed
- Evidence that EDR was running and current at the time of any incident
- A named EDR platform that meets carrier requirements
Control Area 3: Data Backups
Backups are only worth what they can actually restore. Carriers have learned through expensive claims that many organizations had backups that were not current, had not been tested, or were connected to the same network as the compromised systems and got encrypted along with everything else.
- Backups performed regularly with documented frequency
- Backups stored offline or in an immutable format that cannot be encrypted by ransomware
- Backup restoration tested at least annually with documented results
- A defined recovery time objective — how long does a full restore actually take?
Control Area 4: Incident Response Plan
Carriers want documented evidence that your organization has thought through what happens when an incident occurs — before an incident occurs. An undocumented verbal understanding does not satisfy underwriters.
- A written incident response plan covering detection, containment, eradication, and recovery
- Defined roles and responsibilities — specifically who does what during an incident
- A contact list for internal escalation, legal counsel, and external IR resources
- Evidence the plan has been reviewed or tested within the past 12 months
- Documented tabletop exercise results — a significant positive signal to carriers
Control Area 5: Security Awareness Training
Human error was a factor in 68 percent of breaches globally in 2024.[6] Carriers have responded by making documented security training a standard requirement, not a nice-to-have.
- Annual security awareness training completed by all employees
- Training that specifically includes phishing recognition
- Completion records showing who completed training and when
- Training conducted within the past 12 months
Control Area 6: Patch Management
Vulnerability exploitation surged 34 percent year-over-year in 2025, with attackers increasingly targeting unpatched systems.[7]
- A defined patch management policy with documented cadence
- Critical patches applied within a defined timeframe after release
- Evidence that patch status is monitored across all systems
- A process for handling end-of-life systems that can no longer receive patches
Control Area 7: Network Segmentation
A flat network — where a breach of one system means access to all systems — is an increasingly difficult underwriting position. Carriers want to see that your network is structured to limit the blast radius of a successful attack.
- Critical systems separated from general business networks
- Administrative and privileged access networks isolated
- Evidence that segmentation is actively enforced, not just diagrammed
- Remote access limited to necessary systems only
Control Area 8: Access Controls and Privileged Access
The principle of least privilege means users only have access to what they need to do their job — and nothing more. Excessive admin rights remain one of the most exploited gaps in SMB environments.
- Role-based access control implemented and documented
- Administrative accounts limited to people who genuinely require them
- Access reviews conducted at least annually and documented
- An offboarding process that revokes access immediately upon employee departure
The Most Important Thing on This Checklist
Documentation. Every control listed above is only as strong as your ability to prove it was fully enforced at the time of an incident. Carriers are not asking whether you have these controls today. They are asking whether you can prove they were in place, fully deployed, and working as intended when something went wrong.
Answer applications accurately. If a control is partially in place, say so. A slightly higher premium for honest disclosure is significantly less expensive than a denied claim after a major incident.
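As an added illustration of the "prove it was enforced" point (this is example code written for this checklist, not a tool from the article or any carrier), the script below turns exported control state into the kind of gap report that tells you whether to answer "enforced" or "partial" on the application. The account names, hostnames, dates and the 7-day EDR check-in threshold are all constructed assumptions; the 12-month window for backup restore tests, training, access reviews and IR plan reviews comes from the checklist itself.

```python
from datetime import date, timedelta

# Constructed sample evidence (not data from the article): per-account MFA state,
# per-endpoint EDR state with last check-in, and dated evidence for the annual items.
MFA_STATE = {"alice": "enforced", "bob": "enforced", "ceo": "excluded"}
EDR_STATE = {
    "ws-01": ("running", date(2025, 9, 30)),
    "ws-02": ("running", date(2025, 10, 1)),
    "laptop-ceo": ("not installed", None),
}
DATED_EVIDENCE = {
    "backup_restore_test": date(2024, 8, 1),   # older than 12 months -> stale
    "security_training": date(2025, 6, 1),
    "access_review": date(2025, 3, 3),
    "ir_plan_review": date(2025, 8, 20),
}
ANNUAL_WINDOW = timedelta(days=365)

def mfa_gaps(mfa_state):
    """Every account not in the 'enforced' state is a gap, including convenience exclusions."""
    return sorted(user for user, state in mfa_state.items() if state != "enforced")

def edr_gaps(edr_state, as_of, max_age_days=7):
    """An endpoint counts as covered only if EDR is running and checked in recently
    (the 7-day threshold is an assumption, not a carrier requirement)."""
    gaps = []
    for host, (status, last_seen) in edr_state.items():
        if status != "running" or last_seen is None or (as_of - last_seen).days > max_age_days:
            gaps.append(host)
    return sorted(gaps)

def stale_evidence(dated, as_of, window=ANNUAL_WINDOW):
    """Annual items whose most recent dated evidence is older than the window."""
    return sorted(item for item, when in dated.items() if as_of - when > window)

def evaluate(mfa_state, edr_state, dated, as_of):
    """Per control: 'enforced', or 'partial: ...' listing what the evidence does not cover."""
    findings = {
        "mfa": mfa_gaps(mfa_state),
        "edr": edr_gaps(edr_state, as_of),
        "annual_evidence": stale_evidence(dated, as_of),
    }
    return {k: ("enforced" if not v else "partial: " + ", ".join(v)) for k, v in findings.items()}

if __name__ == "__main__":
    for control, verdict in evaluate(MFA_STATE, EDR_STATE, DATED_EVIDENCE, date(2025, 10, 2)).items():
        print(f"{control}: {verdict}")
```

Run it against a real export on a schedule and keep the dated reports: that archive is the documentation the checklist keeps asking for.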