Cyber Insurance Readiness Assessment: What Carriers Actually Require
Cyber insurance is no longer optional for small businesses. But applying for coverage without knowing what carriers require is like walking into a fire with no water: you'll get burned.
Insurance carriers don't just care about your size or industry. They care about your security controls. And they're ruthless about it: missing controls = higher premiums, coverage denials, or outright rejection.
The problem? Most small businesses don't know what carriers actually require. They guess, apply, get rejected, and waste weeks waiting for underwriting feedback.
This guide shows you exactly what cyber insurance carriers demand, how to assess your readiness before applying, and the gaps that most commonly block coverage.
What Insurance Carriers Actually Require
Cyber insurance underwriters evaluate these 6 mandatory controls:
1. Multi-Factor Authentication (MFA)
Required: On ALL critical accounts (email, admin portals, VPN, payment systems)
Why It Matters: MFA blocks 99.9% of account takeover attacks. Carriers know that breaches without MFA are preventable, so they treat unprotected accounts as uninsurable risk.
The Requirement:
- Authentication app (Google Authenticator, Microsoft Authenticator, Authy) or hardware key
- SMS is acceptable but less preferred
- All employees with system access, not just executives
Common Gap: Only admin accounts have MFA. Carriers require coverage for ALL critical accounts.
Assessment: Can you log into your email, payment processor, and admin panel right now with only a password? You're not carrier-ready.
2. Endpoint Protection (Antivirus/EDR)
Required: On ALL devices (laptops, desktops, servers)
Why It Matters: This is your first line of defense against malware, ransomware, and file-based attacks.
The Requirement:
- Paid, managed antivirus/EDR (not free Windows Defender alone)
- Real-time threat detection and response
- Centralized management and logging
- Automatic updates enforced
Common Gap: Outdated antivirus, no centralized management, free tools only
Tools Carriers Accept:
- CrowdStrike Falcon (enterprise-grade, expensive)
- SentinelOne (robust, ~$5-15/month per device)
- Cisco Secure Endpoint (~$3-8/month per device)
- Kaspersky/Bitdefender (business versions, ~$2-5/month per device)
Assessment: Do you have a managed antivirus with centralized monitoring? If you're relying on Windows Defender, you need to upgrade.
3. Automated Backup and Recovery
Required: Daily backups with tested recovery capability
Why It Matters: Ransomware is the #1 cyber claim. Backups are your ransom-refusal plan: you don't pay because you can restore.
The Requirement:
- Automated daily backups (not manual)
- 3-2-1 rule: 3 copies, 2 storage types, 1 offsite
- Air-gapped backup (disconnected from the network, so ransomware can't reach it)
- Quarterly recovery testing (you must prove backups work)
Common Gap: Single backup location, no air-gap, never tested recovery
What Carriers Want to See:
- Backup software logs showing successful daily backups for the past 90 days
- Documentation of your 3-2-1 backup strategy
- Proof that you tested a recovery from backup within the past 6 months
Assessment: When's the last time you actually restored from backup to verify the data was good? If you can't answer, you're not carrier-ready.
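The two pieces of backup evidence listed above (successful daily backups across the review window, and a recent restore test) can be checked from the backup software's own logs instead of from memory. The script below is an added example, not CyberStackHub's tooling: it assumes a hypothetical "timestamp level key=value" log layout and a constructed sample log, and reports which calendar days lack a successful backup and whether the last restore test is recent enough.

```python
"""Backup evidence check: an added example (not CyberStackHub's tooling).
Parses backup-software log lines, confirms a successful backup on every
calendar day of the review window, and confirms a successful restore test
within the last six months."""
from datetime import date, datetime, timedelta

# Constructed sample log in a hypothetical "timestamp level key=value ..." layout.
# Real backup products each have their own format, so parse_log() is the part
# you would adapt to your tool.
SAMPLE_LOG = """\
2024-06-01T02:00:11 INFO job=nightly-full status=SUCCESS bytes=8123456789
2024-06-02T02:00:09 INFO job=nightly-full status=SUCCESS bytes=8125000000
2024-06-03T02:00:14 ERROR job=nightly-full status=FAILED reason=disk_full
2024-06-04T02:00:10 INFO job=nightly-full status=SUCCESS bytes=8130000000
2024-06-05T02:00:12 INFO job=nightly-full status=SUCCESS bytes=8131000000
2024-03-15T10:30:00 INFO job=restore-test status=SUCCESS target=test-vm
"""


def parse_log(text):
    """Return a list of (date, job, status) tuples, one per well-formed line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        stamp = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append((stamp.date(), fields.get("job"), fields.get("status")))
    return events


def missing_backup_days(events, job, window_end, window_days):
    """Calendar days in the window with no SUCCESS entry for `job`.
    A day with only a FAILED run counts as missing: carriers ask for
    successful daily backups, not attempted ones."""
    succeeded = {d for d, j, s in events if j == job and s == "SUCCESS"}
    start = window_end - timedelta(days=window_days - 1)
    days = (start + timedelta(days=i) for i in range(window_days))
    return [d for d in days if d not in succeeded]


def last_restore_test(events, job="restore-test"):
    """Date of the most recent successful restore test, or None."""
    dates = [d for d, j, s in events if j == job and s == "SUCCESS"]
    return max(dates) if dates else None


def readiness_report(text, as_of, window_days=90, restore_max_age_days=182):
    """Summarise both evidence items. `as_of` is an ISO date string."""
    as_of_date = date.fromisoformat(as_of)
    events = parse_log(text)
    gaps = missing_backup_days(events, "nightly-full", as_of_date, window_days)
    restore = last_restore_test(events)
    restore_ok = restore is not None and (as_of_date - restore).days <= restore_max_age_days
    return {
        "missing_days": [d.isoformat() for d in gaps],
        "daily_backups_ok": not gaps,
        "last_restore_test": restore.isoformat() if restore else None,
        "restore_test_ok": restore_ok,
        "carrier_ready": not gaps and restore_ok,
    }


if __name__ == "__main__":
    # Five-day window so the constructed sample shows one gap (2024-06-03).
    report = readiness_report(SAMPLE_LOG, "2024-06-05", window_days=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the 90-day window carriers ask about by leaving `window_days` at its default; any non-empty `missing_days` list is a gap you will have to explain to the underwriter.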
4. Incident Response Plan
Required: Documented, tested plan for breach response
Why It Matters: When a breach happens (not if, but when), speed is everything. Carriers want to know you have a playbook to detect, contain, and recover in hours, not weeks.
The Requirement:
- Written incident response plan (1-2 pages minimum)
- Defined roles and responsibilities (who's the incident commander?)
- Contact list for internal responders, incident response vendors, and legal counsel
- Clear escalation criteria (when do you call law enforcement? When do you notify customers?)
- Documented testing at least annually
Common Gap: No written plan, no assigned roles, no vendor relationships
What to Document:
- Detection: How will you know you've been breached? (SIEM, backup monitoring, vendor alerts)
- Containment: What's the first thing you do? (Disconnect from network, stop the attack)
- Investigation: Who investigates? (Internal IT, external forensics firm)
- Communication: Who gets notified and when? (Leadership, legal, customers, insurance carrier)
- Recovery: How do you get systems back online? (From backups? Fresh installs?)
Assessment: Do you have a written incident response plan? Have you tested it in the past 12 months? If not, carriers will see you as unprepared.
5. Data Encryption
Required: In transit (for payment/healthcare data) and at rest (for sensitive files)
Why It Matters: Even if attackers get your data, encryption makes it worthless to them.
The Requirement:
For Email & Web Traffic:
- HTTPS/TLS 1.2+ for all web applications
- Email encryption for sensitive communications
For Sensitive Data at Rest:
- Database encryption (MS SQL TDE, PostgreSQL pgcrypto, etc.)
- File-level encryption for shared drives and cloud storage
- Disk encryption for laptops/desktops (BitLocker, FileVault)
If You Handle Payment Card Data:
- PCI-DSS compliance (payment processor requirements)
If You Handle Healthcare Data:
- HIPAA encryption standards (256-bit encryption minimum)
Common Gap: HTTPS enabled but internal databases and file shares unencrypted
Quick Assessment:
- Are all web login pages HTTPS? ✓
- Are database records encrypted? ? (Most people don't know)
- Are shared drives encrypted? ? (Most people don't know)
6. Access Control & User Management
Required: Documented control over who accesses what
Why It Matters: Attackers compromise accounts through credential theft, phishing, and insider threats. Carriers want documented controls limiting access to only what employees need.
The Requirement:
- Written access control policy (who gets access to what)
- Role-based access (Admin, Finance, HR access separated)
- Off-boarding procedures (disabled accounts within 24 hours of departure)
- Privileged access management (PAM) for admin accounts if 50+ employees
- Periodic access reviews (at least annually)
Common Gap: No documented policy, orphaned accounts, excessive permissions
What Carriers Want to See:
- Documentation that you review who has access to critical systems at least quarterly
- Evidence that you disable accounts immediately when employees leave
- Separation between role types (finance team doesn't have admin access)
Assessment: Can you list everyone with admin access to your systems right now? If you can't answer quickly, you're not carrier-ready.
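The readiness questions in this section and in Section 1 (who has admin access, which accounts lack MFA, whether departed employees still have enabled accounts, whether finance and admin roles are separated) are answered more reliably from an identity export than from memory. The script below is an added example, not the page's or any vendor's tool: it assumes a constructed account list and HR departure list in a hypothetical schema, and flags each gap the carriers look for.

```python
"""Account audit: an added example, not the page's tool. Answers the
readiness questions from Sections 1 and 6 from an identity export rather
than from memory: who has admin access, which enabled accounts lack MFA,
which accounts are orphaned (owner left more than 24 hours ago but the
account is still enabled), and where role separation is violated."""
from datetime import datetime, timedelta

# Constructed sample resembling an identity-provider export. Real exports
# (Entra ID, Google Workspace, Okta) use their own field names; adapt here.
ACCOUNTS = [
    {"user": "alice", "roles": ["admin"], "mfa": True, "enabled": True},
    {"user": "bob", "roles": ["finance"], "mfa": False, "enabled": True},
    {"user": "carol", "roles": ["finance", "admin"], "mfa": True, "enabled": True},
    {"user": "dave", "roles": ["staff"], "mfa": False, "enabled": True},
    {"user": "erin", "roles": ["hr"], "mfa": True, "enabled": True},
    {"user": "frank", "roles": ["staff"], "mfa": False, "enabled": False},
]
# Constructed HR records: user -> last working day (ISO timestamp).
DEPARTURES = {"dave": "2024-06-01T17:00:00", "erin": "2024-06-04T17:00:00"}
# Role pairs the page says should stay separated (finance vs admin).
CONFLICTING_ROLES = [("finance", "admin")]


def enabled(accounts):
    """Only enabled accounts matter; disabled ones cannot be used."""
    return [a for a in accounts if a["enabled"]]


def admin_accounts(accounts):
    """Everyone who can currently exercise admin rights."""
    return sorted(a["user"] for a in enabled(accounts) if "admin" in a["roles"])


def accounts_without_mfa(accounts):
    """Section 1 gap: MFA is required for all enabled accounts, not just admins."""
    return sorted(a["user"] for a in enabled(accounts) if not a["mfa"])


def orphaned_accounts(accounts, departures, as_of, grace_hours=24):
    """Enabled accounts whose owner left more than grace_hours before as_of."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(hours=grace_hours)
    return sorted(
        a["user"]
        for a in enabled(accounts)
        if a["user"] in departures
        and datetime.fromisoformat(departures[a["user"]]) < cutoff
    )


def role_conflicts(accounts, conflicts=CONFLICTING_ROLES):
    """Users holding both roles of any conflicting pair."""
    found = []
    for a in enabled(accounts):
        for r1, r2 in conflicts:
            if r1 in a["roles"] and r2 in a["roles"]:
                found.append((a["user"], r1, r2))
    return sorted(found)


def access_audit(accounts, departures, as_of):
    """Collect all findings into one dict suitable for the readiness document."""
    return {
        "admins": admin_accounts(accounts),
        "no_mfa": accounts_without_mfa(accounts),
        "orphaned": orphaned_accounts(accounts, departures, as_of),
        "role_conflicts": role_conflicts(accounts),
    }


if __name__ == "__main__":
    for finding, users in access_audit(ACCOUNTS, DEPARTURES, "2024-06-05T09:00:00").items():
        print(f"{finding}: {users or 'none'}")
```

Re-running this on each quarterly access review and keeping the output is exactly the kind of evidence the "What Carriers Want to See" list asks for; an empty `orphaned` list is the proof that off-boarding happens within 24 hours.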
The Cyber Insurance Readiness Score
Use this self-assessment to estimate your readiness:
| Control | Have It? | Carriers will require |
|---------|----------|----------------------|
| MFA on critical accounts | ☐ Yes ☐ No | Mandatory |
| Managed endpoint protection | ☐ Yes ☐ No | Mandatory |
| Automated backups (3-2-1) | ☐ Yes ☐ No | Mandatory |
| Written incident response plan | ☐ Yes ☐ No | Mandatory |
| Data encryption (in transit) | ☐ Yes ☐ No | Mandatory |
| Access control documentation | ☐ Yes ☐ No | Mandatory |
Scoring:
- 6/6: You're carrier-ready. Expect standard premiums and quick underwriting.
- 4-5/6: You're close but missing controls. Expect higher premiums or coverage exclusions.
- 2-3/6: You're significantly underprepared. Expect denial or very expensive coverage.
- 0-1/6: Most carriers will pass. You need 6-12 months of remediation.
Common Insurance Readiness Gaps (and Why They Matter)
Gap #1: "We Have Antivirus, But It's Free"
The Problem: Windows Defender is not enough. Carriers want managed, enterprise-grade endpoint protection with centralized monitoring.
The Cost: You fail the endpoint protection requirement, and carriers see you as uninsurable. Or they require expensive upgrades before coverage applies.
The Fix: Upgrade to managed endpoint protection. Costs $3-15/month per device. Budget $500-1,500/year for a 20-person company.
Gap #2: "We Back Up to the Cloud, So We're Good"
The Problem: If your backup is on the same cloud account, ransomware can reach it. You also have no air-gap.
The Requirement: Back up to a separate, disconnected storage location. Use cloud-to-cloud backup (for example, Google Drive backed up to S3), or a local NAS with cloud sync plus offline copies.
The Fix: Implement 3-2-1: production data + local NAS backup + offline S3 bucket. ~$1,000 setup, $50-100/month.
Gap #3: "We Have Good Passwords"
The Problem: Good passwords alone are not carrier-ready. MFA is the hard requirement. Passwords are secondary.
The Fix: Enable MFA on email, payment systems, admin portals, and any system with access to customer data. Free with most services (Google, Microsoft, AWS). Takes 2-4 hours to roll out.
Gap #4: "We've Never Been Breached, So We're Secure"
The Problem: Not being breached (yet) doesn't mean you're secure. You might have been breached and not know it. Carriers want evidence of security, not luck.
The Fix: Carriers require demonstrated security controls (MFA, backups, monitoring, incident response plan). Prove you have them.
Gap #5: "Our IT Person Says We're Secure"
The Problem: Carriers don't care what your IT person says. They want written documentation, centralized logs, and tested controls.
The Fix: Ask your IT person to provide:
- Screenshots of MFA enforcement on critical accounts
- Recent antivirus/EDR scan reports
- Backup logs from the last 30 days
- A written access control policy
- Proof of the last incident response plan test
If they can't provide this, you're not carrier-ready.
How to Assess Your Insurance Readiness
Step 1: Take the Free Assessment
Use CyberStackHub's cyber insurance readiness assessment to map your current controls against what carriers require. Takes 5 minutes, identifies gaps, and gives you a prioritized action plan.
Step 2: Build Your Readiness Document
Create a 1-page document for each control:
- MFA: List critical accounts with MFA enabled, screenshots of enforcement
- Endpoint Protection: Screenshot of centralized console showing all devices protected
- Backups: Recent backup logs, recovery test results, 3-2-1 diagram
- Incident Response: 1-page IR plan, test results from the past 12 months
- Encryption: List of encrypted systems, compliance certifications (PCI-DSS, HIPAA if applicable)
- Access Control: Recent access review (quarterly minimum), off-boarding checklist
Step 3: Share With Your Broker
When you're ready to apply for cyber insurance, provide these documents. Brokers will use them to negotiate with underwriters.
Step 4: Run the Assessment Quarterly
Security is not a one-time project. Re-assess your controls every quarter:
- Is MFA still enforced on all critical accounts?
- Are backups still running daily?
- Did we test recovery recently?
- Is the incident response plan up to date and recently tested?
Carriers love seeing you continuously improve.
Cyber Insurance Readiness: Your Action Plan
Week 1: Take CyberStackHub's insurance readiness assessment and identify your top 3 gaps.
Week 2-3: Implement the top gap:
- If MFA: Enable on email, payment systems, admin portal. ~4 hours.
- If Backups: Set up 3-2-1 strategy. ~6-8 hours.
- If Endpoint Protection: Deploy managed antivirus. ~4-6 hours.
Week 4: Build your readiness document. Screenshot each control, document your approach.
Month 2: Work on the next gap. Repeat monthly until all 6 are covered.
Month 3+: Get quotes from 2-3 carriers. Your readiness documentation will speed up underwriting and help negotiate better rates.
Frequently Asked Questions
How much does cyber insurance cost?
For a 10-25 person business: $3K-8K/year
For a 25-50 person business: $8K-15K/year
For a 50-100 person business: $15K-30K/year
Premiums depend on industry, revenue, and security controls. Better controls = lower premiums.
Will cyber insurance cover a ransomware attack?
Yes, if you have ransomware coverage (most policies do). Cyber insurance covers:
- Ransom negotiation (don't pay the full demand)
- Forensics and incident response
- Business interruption losses
- Data recovery costs
- Regulatory fines
What it does NOT cover: Ransom payment itself (in most cases; check your policy).
How long does cyber insurance underwriting take?
2-4 weeks if you're well-prepared. 8-12 weeks if you have gaps and need remediation. Underwriters want to see documented controls before they approve coverage.
What should I ask a cyber insurance broker?
- Which carriers will insure a business of my size and industry?
- What controls do they require for my business?
- What's the typical premium for my profile?
- What exclusions should I watch out for?
- What claims have been denied in my industry, and why?
Can I get cyber insurance if I'm not fully ready?
Yes, but:
- Premiums will be higher (30-50% more expensive)
- Coverage may be limited (exclusions on certain types of breaches)
- Underwriting may require a timeline for remediation
It's better to spend 2-3 months fixing gaps than to overpay for limited coverage.
What's the difference between cyber liability and cyber insurance?
- Cyber liability: Covers claims from third parties (customers, regulators) suing you for a breach. Limited scope.
- Cyber insurance: Covers both first-party costs (your costs to respond) and third-party liability. Comprehensive coverage.
Buy comprehensive cyber insurance, not just liability.
How often does my insurance carrier audit my controls?
Typically once per year as part of renewal. Some carriers do on-demand audits if you have a claim. This is why documented controls matter: they want to see evidence.
Next Steps
Your cyber insurance readiness determines whether you get coverage, how much you pay, and what happens when you have a breach.
Start here: Take CyberStackHub's cyber insurance readiness assessment. It takes 5 minutes, identifies your specific gaps, and gives you a prioritized action plan to get carrier-ready.
Then work through the gaps methodically. Most small businesses can get fully ready in 2-3 months with focused effort.
Once you're ready, getting cyber insurance takes weeks, not months. And your premiums will reflect your strong security posture.
Take our free cybersecurity risk assessment
Score your security posture in 5 minutes, then get your personalized Cyber Pulse brief with live threats and compliance deadlines for your industry.