Cyber Insurance Requirements Checklist: What Insurers Actually Require in 2026

Multi-factor authentication is the single most universally required control across all major cyber insurance carriers. The specific requirements have evolved beyond 'we have MFA' to specific coverage mandates.

What underwriters require: (1) MFA for all privileged and administrative access — domain admin, server admin, cloud IAM admin roles must authenticate with MFA, with no exceptions. (2) MFA for all remote access — VPN, RDP, Citrix, and any remote desktop protocol must require MFA before granting access. (3) MFA for email — Microsoft 365, Google Workspace, and other cloud email platforms must require MFA, especially for executives and finance roles (the primary BEC targets). (4) Phishing-resistant MFA preferred — carriers increasingly distinguish between SMS/TOTP MFA and phishing-resistant options (FIDO2/WebAuthn, hardware security keys). SMS-based MFA is increasingly noted as inadequate for privileged access.

The most common reason for coverage denial or premium loading: MFA not deployed for remote access (RDP exposed without MFA is a near-automatic coverage denial from most carriers) and email access without MFA.

EDR deployment is now a standard underwriting requirement across virtually all major carriers. The specific requirements: EDR must be deployed on all endpoints (servers, workstations, laptops), not just a subset. The agent must be actively managed (not just installed) with alerting configured to a monitored destination. Coverage on unmanaged endpoints is a common gap carriers look for.

What distinguishes premium vs. standard EDR credit: real-time response capability (not just detection), managed detection and response (MDR) service layered on the EDR platform, and integration with the organization's incident response process. Carriers view organizations with an MDR service as significantly lower risk than organizations with EDR deployed but no managed monitoring — because MDR provides the 24/7 detection capability that most in-house security teams cannot maintain.

Document your EDR coverage percentage (percentage of endpoints with active agent), your alert routing and response process, and your contract with an MDR provider if applicable. This documentation is often specifically requested in the underwriting questionnaire.

Backup integrity directly affects ransomware recovery outcomes, and carriers have learned to ask specific questions that distinguish meaningful backup programs from those that will fail under a ransomware attack.

What underwriters assess: (1) Offline or immutable backups — backups accessible from the same credentials as production systems will be compromised in a ransomware attack. Carriers require evidence of offline (tape, physical media) or cloud immutable (S3 Object Lock, Azure Blob immutability) backup copies. (2) Backup testing frequency — documented backup restoration tests, not just backup creation monitoring. Carriers increasingly require quarterly or annual restoration tests with documentation. (3) Backup coverage — critical systems (domain controllers, email, financial systems, ERP) must be backed up. Carriers look for gaps in coverage of high-value systems. (4) Recovery time objectives — documented RTOs and the testing evidence that supports them.

Organizations that cannot demonstrate immutable or offline backups face significant premium loading or coverage exclusions for ransomware incidents — the most common and costly claim type.

After MFA, PAM controls are the next most heavily weighted security factor in cyber insurance underwriting. The specific controls assessed: (1) Privileged account inventory — can you enumerate all privileged accounts (local admin, service accounts, domain admin, cloud IAM admin) in your environment? Carriers are suspicious of organizations that cannot answer this question. (2) Principle of least privilege — are privileged accounts used only for privileged tasks, or do admins use the same account for email and administration? (3) Service account credential management — are service account passwords regularly rotated and unique across systems? (4) Privileged Access Workstations — do administrators use dedicated hardened systems for privileged tasks?

For organizations with a PAM tool (CyberArk, BeyondTrust, Delinea), document it explicitly in your application. PAM tool deployment is one of the most significant factors for premium reduction because it demonstrates credential discipline that directly reduces attacker ability to leverage stolen credentials for lateral movement.

Beyond the technical controls, underwriters assess organizational maturity indicators that predict how well an organization will respond to and contain an incident.

Incident response: A documented IR plan is required by most carriers — specifically, one that has been tested (tabletop exercise with documented date) and includes specific roles, contact information for legal counsel and IR retainer, and regulatory notification procedures. Carriers look unfavorably on IR plans that have never been exercised. An IR retainer (pre-contracted relationship with an IR firm) is increasingly expected for mid-market and enterprise accounts.

Patch management: Carriers ask about your critical patch deployment SLA (how quickly do you apply CRITICAL CVEs?) and your process for internet-facing systems specifically. The most common pattern in ransomware claims involves exploitation of unpatched VPN or firewall vulnerabilities on internet-facing systems. A 30-day or less patch SLA for critical CVEs on internet-facing systems is the typical underwriting threshold.

Vendor and third-party risk: After high-profile supply chain attacks, carriers ask whether you conduct security assessments of critical third-party vendors, whether you have SLAs in your vendor contracts for security incident notification, and whether you monitor for vendor breaches via threat intelligence.

Cyber insurance underwriting is now a proxy for security program maturity assessment. Carriers have learned, through billions in claims, which controls most reduce ransomware outcomes — and their questionnaires reflect that knowledge. Organizations that treat the underwriting questionnaire as a security program gap analysis (rather than a compliance exercise) get both better coverage terms and a more defensible security posture. MFA, EDR, immutable backups, and a tested IR plan are not just insurance requirements — they are the minimum viable defense against the attacks that generate the most claims.