2026 Updated · SMB Guide

Cyber Insurance Readiness:
Are You Actually Coverable?

Most small businesses apply for cyber insurance and get declined — not because they're high-risk, but because they don't know what insurers actually require. Here's the exact checklist.

80%
of breaches involve compromised credentials (MFA blocks this)
2–4 weeks
to implement all 5 required controls from scratch
40–60%
lower premium for companies with documented controls

What "Cyber Insurance Ready" Actually Means

"Cyber insurance readiness" isn't a buzzword — it's a specific set of documented security controls that underwriters check before binding coverage. Without them, your application gets declined. With them, you pay significantly less and get broader coverage.

For small businesses, the five controls insurers almost always require are the same five controls that stop the majority of ransomware and breach attacks. They're not bureaucracy — they're genuinely good security hygiene. This guide walks through each one, explains what counts as compliant, and shows you how to prove it to an underwriter.

The 5 Controls Every SMB Needs to Qualify

Insurers call these the "minimum required controls" or MRCs. Here's what each one actually means in practice.

1
🔐

Multi-Factor Authentication (MFA)

Required on: remote access (VPN, RDP), admin/privilege accounts, email, and any cloud console (AWS, Azure, Google Cloud). Authenticator app or hardware key preferred — SMS-based MFA is increasingly rejected by insurers.

Required for: All remote access + admin accounts
2
🛡️

Endpoint Detection & Response (EDR)

Software that monitors every device (laptop, server, workstation) for suspicious behavior and can alert or isolate in real-time. Examples: SentinelOne, CrowdStrike, Microsoft Defender for Business. Basic antivirus does not qualify.

Must cover: All employee devices + servers
3
💾

Immutable/Verified Backups

Backups that ransomware cannot encrypt or delete. This means: air-gapped/offline backups, cloud backups with write-once/vault policy, or hardware with write-blocker. Your nightly backup to a mapped network drive? Not compliant.

Must be: 3-2-1 rule (3 copies, 2 media, 1 offsite)
4
📋

Written Incident Response Plan

A documented IRP that names who does what during a cyber incident: key contacts, isolation steps, communication templates, and recovery sequence. Must be dated and reviewed within the last 12 months. A generic template is fine — it just needs to exist.

Must be: Written, dated, and accessible to key staff
5
📧

Email Filtering & Spam Protection

Advanced email filtering that blocks phishing, impersonation attempts, and malicious attachments before they reach user inboxes. Microsoft 365 / Google Workspace built-in filters often qualify if properly configured. Standalone spam filter software does not.

Must cover: All company email accounts

⚡ Quick Readiness Checklist — Do You Have These in Place?

  • MFA enforced on all remote access, admin accounts, and email (no SMS-only MFA)
  • EDR deployed on all employee devices and servers — not just basic antivirus
  • Immutable backups configured — write-once or air-gapped; tested in the last 90 days
  • Incident Response Plan written, signed, dated, and distributed to key staff
  • Email filtering enabled on all company email — no exceptions
  • Patch management process documented — critical patches applied within 72 hours of release
  • Security awareness training conducted for all employees in the last 12 months
  • Vendor risk assessment completed for any third party with access to your data or systems

Cyber Insurance: DIY vs. Partner vs. Traditional Broker

Getting cyber insurance isn't just about having a policy — it's about having the right controls and choosing the right platform to bind fast.

Criteria No Controls (DIY) Traditional Broker Corgi Insurance (YC-backed)
Time to first quote N/A — declined without controls 2–4 weeks <10 minutes
Same-day binding
Requires all 5 controls upfront Must self-implement first Usually requires full audit AI-native — shows gaps vs. requires perfection
Cyber + Tech E&O + AI Liability Cyber only Usually separate policies All in one
Premium discount for documented controls Up to 30% Up to 60%
No broker middleman ✓ — direct carrier access
Valuation / backing N/A Established but slow $1.3B YC-backed

Don't Guess — Know Where You Stand

Run CyberStackHub's free cyber insurance readiness assessment. In under 10 minutes, you'll know exactly which controls you have in place and which ones you need to address before applying.

1 Answer 20 questions about your current security setup
2 Get a scored readiness report (0–100)
3 See exactly which controls are missing
Start Free Readiness Assessment →

Ready to Get Covered?

Once your controls are in place, get a cyber insurance quote in under 10 minutes — with same-day binding. CyberStackHub partners with Corgi Insurance, YC-backed at $1.3B valuation, to offer SMBs fast, AI-native cyber coverage with no broker middleman.

✓ Cyber Liability
✓ Tech E&O / Prof Liab
✓ AI Liability Coverage
✓ D&O Coverage
✓ Same-Day Binding
Book a Free Cyber Insurance Consultation →

Get a quote in minutes · No broker middleman · YC-backed · $1.3B valuation

Frequently Asked Questions

What do I need to qualify for cyber insurance as an SMB?
Most insurers require five controls: Multi-Factor Authentication (MFA), Endpoint Detection & Response (EDR), immutable/verified backups, a written Incident Response Plan (IRP), and email filtering/spam protection. Without all five, your application will be declined or you'll pay significantly higher premiums.
Why do most SMBs get denied cyber insurance coverage?
The most common reasons: no MFA on remote access or admin accounts, no EDR deployed, backups that aren't immutable (ransomware can encrypt them), no documented IRP, and no email security stack. Insurers see these gaps as unacceptable risk and either decline the application or charge 2–5x the standard premium.
How long does it take to become cyber insurance ready?
For most SMBs with basic IT infrastructure: 2–4 weeks to implement the five required controls and document them. With CyberStackHub's tools you can run a self-assessment in under 10 minutes, generate the required Incident Response Plan, and have documented evidence of each control — ready to submit to an insurer.
What is MFA and why do insurers require it?
MFA (Multi-Factor Authentication) requires a second verification step beyond your password — usually a text message, authenticator app, or hardware key. 80%+ of breaches involve compromised credentials. MFA blocks the most common attack vector, which is why every cyber insurer now makes it mandatory for coverage.
What counts as an acceptable backup for cyber insurance?
Insurers require immutable backups — meaning the backup cannot be overwritten or encrypted by ransomware. This typically means: air-gapped backups (disconnected from the network), cloud backups with versioned write-once policies, or hardware with write-blocker protection. A regular scheduled backup to a mapped network drive does NOT qualify.
Do I need a written Incident Response Plan for cyber insurance?
Yes. Every cyber insurer requires a written Incident Response Plan. This documents who does what during a breach: who is contacted, how systems are isolated, what communication goes out, and how recovery is sequenced. A generic template is fine for initial underwriting — but it must be documented and dated. CyberStackHub generates a customized IRP for your team.
How much does cyber insurance cost for an SMB?
For small businesses (under $10M revenue), cyber insurance typically runs $500–$3,000/year depending on industry, revenue, and your security posture. Companies with documented controls (MFA, EDR, backup, IRP) consistently pay 40–60% less than those without. YC-backed insurtech Corgi offers same-day binding with AI-native underwriting — no traditional broker middleman required.
What's the difference between a traditional insurance broker and an insurtech like Corgi?
Traditional brokers take 2–4 weeks, require a detailed application, and may decline you after the full review. Insurtech platforms like Corgi use AI-native underwriting to give you a quote in under 10 minutes. They don't require a full application upfront — they start with basic company info, and binding can happen same-day. Corgi is YC-backed with a $1.3B valuation and covers cyber, Tech E&O, AI Liability, D&O, and General Liability.

Continue Learning

📋

Cyber Insurance Requirements

The full breakdown of what cyber insurers require from small businesses in 2026 — with evidence documentation guides.

Read the guide →
🏷️

Cyber Insurance Pricing

How cyber insurance pricing works for small businesses — cost ranges, pricing factors, and how to reduce your premium.

See pricing guide →
🛡️

Cyber Insurance Partner

Get covered with Corgi Insurance — same-day binding, AI-native underwriting, no broker middleman. YC-backed, $1.3B valuation.

Get a quote →
📊

Cyber Insurance Risk Assessment

Use CyberStackHub's free tool to assess your current risk posture and see exactly what gaps to fix before applying.

Run assessment →