What This Guide Covers
What "Cyber Insurance Ready" Actually Means
"Cyber insurance readiness" isn't a buzzword — it's a specific set of documented security controls that underwriters check before binding coverage. Without them, your application gets declined. With them, you pay significantly less and get broader coverage.
For small businesses, the five controls insurers almost always require are the same five controls that stop the majority of ransomware and breach attacks. They're not bureaucracy — they're genuinely good security hygiene. This guide walks through each one, explains what counts as compliant, and shows you how to prove it to an underwriter.
The Insurer's Checklist
The 5 Controls Every SMB Needs to Qualify
Insurers call these the "minimum required controls" or MRCs. Here's what each one actually means in practice.
Multi-Factor Authentication (MFA)
Required on: remote access (VPN, RDP), admin/privilege accounts, email, and any cloud console (AWS, Azure, Google Cloud). Authenticator app or hardware key preferred — SMS-based MFA is increasingly rejected by insurers.
Required for: All remote access + admin accountsEndpoint Detection & Response (EDR)
Software that monitors every device (laptop, server, workstation) for suspicious behavior and can alert or isolate in real-time. Examples: SentinelOne, CrowdStrike, Microsoft Defender for Business. Basic antivirus does not qualify.
Must cover: All employee devices + serversImmutable/Verified Backups
Backups that ransomware cannot encrypt or delete. This means: air-gapped/offline backups, cloud backups with write-once/vault policy, or hardware with write-blocker. Your nightly backup to a mapped network drive? Not compliant.
Must be: 3-2-1 rule (3 copies, 2 media, 1 offsite)Written Incident Response Plan
A documented IRP that names who does what during a cyber incident: key contacts, isolation steps, communication templates, and recovery sequence. Must be dated and reviewed within the last 12 months. A generic template is fine — it just needs to exist.
Must be: Written, dated, and accessible to key staffEmail Filtering & Spam Protection
Advanced email filtering that blocks phishing, impersonation attempts, and malicious attachments before they reach user inboxes. Microsoft 365 / Google Workspace built-in filters often qualify if properly configured. Standalone spam filter software does not.
Must cover: All company email accounts⚡ Quick Readiness Checklist — Do You Have These in Place?
- MFA enforced on all remote access, admin accounts, and email (no SMS-only MFA)
- EDR deployed on all employee devices and servers — not just basic antivirus
- Immutable backups configured — write-once or air-gapped; tested in the last 90 days
- Incident Response Plan written, signed, dated, and distributed to key staff
- Email filtering enabled on all company email — no exceptions
- Patch management process documented — critical patches applied within 72 hours of release
- Security awareness training conducted for all employees in the last 12 months
- Vendor risk assessment completed for any third party with access to your data or systems
Why It Matters
Cyber Insurance: DIY vs. Partner vs. Traditional Broker
Getting cyber insurance isn't just about having a policy — it's about having the right controls and choosing the right platform to bind fast.
| Criteria | No Controls (DIY) | Traditional Broker | Corgi Insurance (YC-backed) |
|---|---|---|---|
| Time to first quote | N/A — declined without controls | 2–4 weeks | <10 minutes |
| Same-day binding | ✗ | ✗ | ✓ |
| Requires all 5 controls upfront | Must self-implement first | Usually requires full audit | AI-native — shows gaps vs. requires perfection |
| Cyber + Tech E&O + AI Liability | Cyber only | Usually separate policies | All in one |
| Premium discount for documented controls | ✗ | Up to 30% | Up to 60% |
| No broker middleman | ✗ | ✗ | ✓ — direct carrier access |
| Valuation / backing | N/A | Established but slow | $1.3B YC-backed |
Don't Guess — Know Where You Stand
Run CyberStackHub's free cyber insurance readiness assessment. In under 10 minutes, you'll know exactly which controls you have in place and which ones you need to address before applying.
Ready to Get Covered?
Once your controls are in place, get a cyber insurance quote in under 10 minutes — with same-day binding. CyberStackHub partners with Corgi Insurance, YC-backed at $1.3B valuation, to offer SMBs fast, AI-native cyber coverage with no broker middleman.
Get a quote in minutes · No broker middleman · YC-backed · $1.3B valuation
Common Questions
Frequently Asked Questions
Related Pages
Continue Learning
Cyber Insurance Requirements
The full breakdown of what cyber insurers require from small businesses in 2026 — with evidence documentation guides.
Read the guide →Cyber Insurance Pricing
How cyber insurance pricing works for small businesses — cost ranges, pricing factors, and how to reduce your premium.
See pricing guide →Cyber Insurance Partner
Get covered with Corgi Insurance — same-day binding, AI-native underwriting, no broker middleman. YC-backed, $1.3B valuation.
Get a quote →Cyber Insurance Risk Assessment
Use CyberStackHub's free tool to assess your current risk posture and see exactly what gaps to fix before applying.
Run assessment →