June 20, 2026
Cyber Insurance Requirements: The Checklist Insurers Actually Grade You On
A few years ago, cyber insurance applications asked for your revenue and industry. Today they ask whether you enforce MFA, how you back up, and when you last trained staff — and answering wrong means declined coverage, tripled premiums, or a denied claim after the incident. The application has quietly become a security audit.
Here's what underwriters actually look for, in rough order of how hard they weight it.
1. Multi-factor authentication — the dealbreaker
MFA on email, remote access, and administrative accounts is the closest thing to a universal requirement in the market. Several major carriers simply won't quote without it. Why: the majority of ransomware and business-email-compromise claims trace back to a single stolen password that MFA would have stopped.
If you do one thing before applying, it's this — and it's free.
2. Tested, separated backups
Underwriters don't ask whether you back up; they ask whether backups are off-site or offline (ransomware encrypts reachable backups first) and whether you've tested a restore. "Yes, nightly, off-site, restore tested quarterly" is the answer that prices well.
3. Email security and phishing training
Expect questions about spam filtering, staff security-awareness training, and sometimes phishing simulations. Training with records is the key phrase — an annual session nobody documented doesn't exist, as far as an underwriter (or a claims adjuster) is concerned.
4. Endpoint protection and patching
Underwriters expect modern antivirus/EDR on company devices and a regular patching cadence for operating systems and software. Small businesses lose points here for unsupported systems — the Windows 7 machine in the back office can single-handedly raise your premium.
5. Access control and offboarding
Individual accounts (no shared logins), least-privilege access, and prompt removal of departed employees. Some applications now ask directly: "Do former employees retain access to any systems?" You want to be able to answer no honestly — see below.
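An added example, not from the original article, of how a small business can actually check the "former employees" question rather than guess at it. It assumes two exports most environments can produce: an HR roster of current staff and an account dump from one system (directory, SaaS app, VPN). The roster, the account list, the `SHARED_NAME_HINTS` list and the 90-day staleness threshold are all constructed for illustration; `example.com` addresses are placeholders.

```python
"""Offboarding and access audit (added example, not the article's own code).

Reconciles an HR roster against an exported account list and reports the
findings that map onto the application questions: departed staff who still
have access, shared logins, accounts without MFA, and accounts nobody uses.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster: everyone currently employed as of the audit date.
ACTIVE_STAFF = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed list of name fragments that suggest a shared, non-individual login.
SHARED_NAME_HINTS = ("admin", "office", "reception", "shared", "info")

# Constructed threshold: an enabled account with no sign-in for this long is stale.
STALE_DAYS = 90


@dataclass(frozen=True)
class Account:
    username: str               # login name or email as exported from the system
    enabled: bool               # whether the account can still sign in
    last_login: Optional[date]  # None if the system never recorded a sign-in
    mfa_enrolled: bool          # whether a second factor is registered


# Constructed account export from a hypothetical system.
ACCOUNTS = [
    Account("alice@example.com", True, date(2026, 6, 18), True),
    Account("bob@example.com", True, date(2026, 6, 19), True),
    Account("dave@example.com", True, date(2026, 3, 2), False),     # departed, still enabled
    Account("carol@example.com", True, date(2026, 6, 10), False),   # current staff, no MFA
    Account("office@example.com", True, date(2026, 6, 19), False),  # shared login
    Account("erin@example.com", False, date(2025, 11, 5), True),    # departed, disabled: fine
]


def audit_accounts(accounts, active_staff, today):
    """Return sorted lists of findings; an empty list is the answer you want."""
    departed_with_access, shared_logins, missing_mfa, stale_logins = [], [], [], []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is offboarded; nothing to report
        local_part = acct.username.split("@", 1)[0].lower()
        if any(hint in local_part for hint in SHARED_NAME_HINTS):
            shared_logins.append(acct.username)
            continue  # shared logins are their own finding; skip per-person checks
        if acct.username.lower() not in active_staff:
            departed_with_access.append(acct.username)
        if not acct.mfa_enrolled:
            missing_mfa.append(acct.username)
        if acct.last_login is None or (today - acct.last_login).days > STALE_DAYS:
            stale_logins.append(acct.username)
    return {
        "departed_with_access": sorted(departed_with_access),
        "shared_logins": sorted(shared_logins),
        "missing_mfa": sorted(missing_mfa),
        "stale_logins": sorted(stale_logins),
    }


def run_sample_audit():
    """Run the audit over the constructed data as of a fixed audit date."""
    return audit_accounts(ACCOUNTS, ACTIVE_STAFF, date(2026, 6, 20))


if __name__ == "__main__":
    findings = run_sample_audit()
    for name, usernames in findings.items():
        print(f"{name}: {usernames or 'none'}")
    # The application question "Do former employees retain access?" can be
    # answered "no" honestly only when this list is empty.
    print("can answer 'no' to former-employee access:",
          not findings["departed_with_access"])
```

Run it against real exports from each system you list on the application, and keep the output with the date: that record is what a claims adjuster will ask for if the question is ever revisited.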
6. An incident response plan
Even a one-page plan — who to call, what to disconnect, where backups live, which carrier hotline to dial — satisfies most applications and dramatically improves actual outcomes. Claims data shows response speed drives loss size more than almost any other factor.
The honesty trap
Here's the part small businesses underestimate: the application is a warranty. If you attest to MFA you don't actually enforce, or backups you never test, the carrier can — and after large claims, will — investigate, rescind, or deny on misrepresentation grounds. Several high-profile claim denials have turned on exactly this.
The right order of operations is: implement the controls, then fill out the application. Not the reverse, and never the creative middle.
Turning the audit into an advantage
The controls above overlap almost perfectly with what actually prevents incidents — the insurance market has effectively standardized a minimum viable security program for small businesses. Treat the application as a free curriculum:
- MFA everywhere that matters (free, this week)
- Off-site backups with a tested restore (one afternoon)
- Documented annual training (an hour, recorded)
- Endpoint protection + retire unsupported systems
- Access cleanup + same-day offboarding
- A one-page incident plan
Businesses that walk in with these six answer every question confidently, price into the better tiers, and — not coincidentally — almost never need the policy. That's the version of cyber insurance worth having: the kind you qualify for easily and rarely use.
Know your security grade in 3 minutes
Answer 10 plain-English questions and CyberGrade scores your business A+ through F, with your top risks identified — free, no email required to start.