Is Your Business Truly Covered by Cyber Insurance?

What It Is

A second layer of verification required in addition to a password for all logins — email, remote access (VPN/RDP), cloud services, and all administrative accounts, with no exceptions.

Why Insurers Require It

Insurers have data showing that the majority of ransomware and data breach incidents involve compromised credentials. MFA breaks the attack chain even when passwords are stolen.

Claim Denial Risk

Claims have been denied on this basis alone. Some policies now void coverage entirely for ransomware events where MFA was absent on even a single system or access path.

What It Is

Advanced security software deployed on all workstations, servers, and laptops that monitors behavior in real time, detects anomalies, and can contain threats automatically — far beyond traditional antivirus.

Why Insurers Require It

EDR dramatically reduces dwell time — how long attackers go undetected — and limits breach scope. Insurers require it because it directly reduces claim magnitude.

Claim Denial Risk

If you claimed to have endpoint protection but only had basic antivirus, the insurer may argue your application was inaccurate. This distinction between antivirus and EDR is frequently litigated in claim disputes.

What It Is

Backups following the 3-2-1 rule (3 copies, 2 different media, 1 offsite or cloud), isolated from the production network, and with restoration tests documented at least quarterly.

Why Insurers Require It

Backups are the primary recovery mechanism for ransomware events. The 'tested' requirement is critical: backups that have never been restored are not verified backups.

Claim Denial Risk

If your backups were stored on the same network that was encrypted, or if they had never been tested and failed during recovery, insurers will argue your backup control was not functional.

What It Is

DMARC, DKIM, and SPF configured on your email domain, advanced filtering beyond basic spam, external email warning banners, and simulated phishing training conducted at least quarterly.

Why Insurers Require It

Over 90% of cyberattacks begin with email. Basic spam filtering is no longer sufficient. Phishing is the primary delivery mechanism for ransomware, credential theft, and business email compromise.

Claim Denial Risk

If a breach originated from a phishing email and you had no advanced email filtering or anti-spoofing protocols in place, insurers will view this as inadequate controls. BEC losses are increasingly excluded or sublimited.

What It Is

Administrator accounts separate from daily-use accounts, no shared admin credentials, least privilege enforced so users only access what their role requires, and privileged access logged and reviewed.

Why Insurers Require It

Limiting who has administrative access limits the blast radius of any attack. Over-privileged accounts consistently amplify breach scope and claim costs.

Claim Denial Risk

If the compromised account had broader access than the user's role required — or if administrator credentials were shared, reused, or unmonitored — insurers will cite this as a controls failure that increased the scope of the loss.

What It Is

A documented patch management process with critical patches applied within 14–30 days of release, internet-facing systems prioritized, and no end-of-life operating systems or software in production.

Why Insurers Require It

Unpatched vulnerabilities are one of the most common initial access vectors. Known, exploitable vulnerabilities that were not remediated in a timely manner represent negligence — and negligence is grounds for claim reduction or denial.

Claim Denial Risk

If a breach exploited a vulnerability that had a patch available for more than 30–90 days, insurers will question why it was not applied. This is particularly damaging for critical infrastructure vulnerabilities that were publicly disclosed.

What It Is

Finance, HR, and IT systems on separate network segments from general staff, guest Wi-Fi isolated from internal networks, firewall rules documented and reviewed annually, and remote access via VPN only.

Why Insurers Require It

A flat network — where all devices can communicate with all others — allows ransomware to spread to every system instantly. Segmentation directly limits breach scope and claim magnitude.

Claim Denial Risk

If ransomware spread from one compromised system to your entire network because there was no segmentation, and your application represented that you had network controls in place, this is a material misrepresentation.

What It Is

A written, tested plan that defines roles and responsibilities, pre-builds contact lists for insurer, legal counsel, forensics firm, and regulators, and has been tested via tabletop exercise at least annually.

Why Insurers Require It

Organizations without a plan respond slower, make costly mistakes (like wiping systems before forensics), and incur significantly higher breach costs. Response time is a direct driver of claim magnitude.

Claim Denial Risk

If your organization responded to a breach without a documented plan — notifying affected parties late, failing to preserve evidence, or making decisions that worsened the incident — insurers may argue the elevated cost was due to your failure to have adequate response procedures.

What It Is

Annual security awareness training completed and documented, quarterly simulated phishing campaigns with results tracked by employee, and new employees trained within their first 30 days.

Why Insurers Require It

Human error is involved in over 74% of breaches (Verizon DBIR). An untrained workforce represents a known, quantifiable risk that the business failed to mitigate.

Claim Denial Risk

If a breach was initiated by an employee falling for a phishing attack, and your organization had no documented training program, the insurer may argue that a basic, industry-standard control was absent.

What It Is

An inventory of all vendors with access to your data or systems, vendor agreements that include security requirements and breach notification obligations, and critical vendors required to carry their own cyber insurance.

Why Insurers Require It

Many breaches originate through third-party vendors with access to your systems or data. Supply chain attacks have increased dramatically — and the business that stores the data is liable even when the breach originates at a vendor.

Claim Denial Risk

If a breach originated through a vendor that had uncontrolled access to your systems — and you had no vendor review process, contract security requirements, or access logging in place — insurers may argue you failed to apply adequate due diligence.