Cyber Insurance Requirements: The Security Controls Insurers Now Demand
Cyber insurers have fundamentally changed their underwriting criteria since 2020. US businesses seeking coverage must now demonstrate a specific set of security controls — or face exclusions, sublimits, and sharply higher premiums.

TL;DR
US cyber insurers now require specific controls — MFA, EDR, offline backups, and IR planning — as conditions of coverage. Organizations that cannot demonstrate these controls face exclusions, sublimits, or outright denial of cyber liability policies.
The Market Shift That Changed Everything
From 2019 to 2021, the US cyber insurance market experienced a loss ratio crisis. Claims — driven primarily by ransomware — outpaced premiums at an unsustainable rate. Insurers responded by raising rates (premiums increased an average of 79% in 2021 alone, according to the Council of Insurance Agents and Brokers), tightening exclusions, and — most consequentially — imposing specific minimum security requirements as a condition of coverage.
The result is that cyber insurance in 2025 is not just a financial product but a de facto security audit. What insurers require applicants to demonstrate has become one of the most practical guides to baseline cybersecurity controls for US businesses of every size.
The Core Controls Insurers Require
While specific requirements vary by carrier and policy limit, a consistent set of controls has emerged as table stakes for any meaningful cyber coverage in the US market. Organizations that cannot demonstrate these controls are either declined, offered sublimited coverage for ransomware events, or quoted premiums that reflect the elevated risk.
Multi-Factor Authentication (MFA)
MFA on email, remote access (VPN, RDP), and privileged administrative accounts is now a near-universal requirement. Many carriers further specify that MFA must be phishing-resistant — meaning hardware tokens or passkeys, not SMS codes — for privileged users. A 2023 Microsoft study found that MFA blocks more than 99.9% of automated credential-stuffing attacks; insurers have taken note.
Endpoint Detection and Response (EDR)
Traditional antivirus is no longer considered adequate. Insurers increasingly require EDR solutions — tools that monitor endpoint behavior in real time rather than relying solely on known malware signatures. EDR provides the telemetry needed for rapid incident detection and the forensic trail required when filing a claim.
Privileged Access Management (PAM)
An attacker who compromises a single workstation and escalates to domain administrator can encrypt an entire network. PAM solutions limit this lateral movement by vaulting and rotating privileged credentials, enforcing just-in-time access, and logging all privileged sessions. Larger policies (over USD 5 million in coverage) almost universally require PAM documentation.
Immutable or Offline Backups
Ransomware groups routinely target backup infrastructure before deploying encryption, because destroying backups eliminates the victim's primary alternative to paying. Insurers require applicants to demonstrate that backups are stored in a manner that ransomware cannot reach: either offline (air-gapped) or in immutable cloud storage (such as AWS S3 Object Lock or Azure Immutable Blob Storage). The 3-2-1 backup rule is frequently cited: three copies, two different media types, one offsite.
Incident Response Planning
A documented, tested incident response plan is a standard requirement. Insurers are not looking for perfection — they are looking for evidence that the organization has thought through who makes decisions during an incident, who the notification contacts are, and what the recovery sequence is. Organizations that have conducted tabletop exercises in the past 12 months receive favorable treatment.
Email Security Controls
Phishing remains the leading initial access vector for ransomware and business email compromise (BEC). Insurers increasingly require applicants to demonstrate deployment of email filtering, anti-phishing tools, and email authentication protocols including SPF, DKIM, and DMARC. Without DMARC enforcement, domains are trivially spoofable — a fact insurers are well aware of given BEC claim volumes.
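The DMARC and SPF enforcement states described above can be checked mechanically from a domain's DNS TXT records. The following Python is an added example, not code from the original article or from GR IT Services; it parses DMARC and SPF records (the sample records are constructed inline rather than queried from DNS) and reports whether the policy is actually enforced, which is the evidence an underwriter's questionnaire asks for.

```python
import re

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC TXT record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (enforced, findings): enforced means quarantine/reject on 100% of failing mail."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0  # unparseable pct counts as not enforced
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sp = tags.get("sp", "").lower()  # absent sp means subdomains inherit p
    if sp and sp not in ("quarantine", "reject"):
        findings.append(f"sp={sp}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no visibility into spoofing attempts")
    enforced = policy in ("quarantine", "reject") and pct == 100 and sp in ("", "quarantine", "reject")
    return enforced, findings

def assess_spf(record):
    """Return (strict, finding) based on the qualifier on the SPF 'all' mechanism."""
    lowered = record.strip().lower()
    if not lowered.startswith("v=spf1"):
        return False, "not an SPF record"
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", lowered)
    if not match:
        return False, "no 'all' mechanism: unlisted senders receive a neutral result"
    qualifier = match.group(1) or "+"
    if qualifier == "-":
        return True, "-all: unlisted senders hard-fail SPF"
    return False, f"{qualifier}all: unlisted senders are not rejected on SPF alone"

if __name__ == "__main__":
    # Constructed sample records for a domain that only monitors; not real DNS data.
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(assess_spf("v=spf1 include:_spf.example.net ~all"))
```

A p=none record with a reporting address is the common "we have DMARC" answer that still leaves the domain spoofable; only quarantine or reject at pct=100 counts as enforcement.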
Patch Management and Vulnerability Scanning
Unpatched vulnerabilities are the second-most-common initial access vector. Insurers ask about patch management cadence for operating systems, applications, and network devices, as well as whether the organization conducts regular vulnerability scanning. A credible answer requires documented processes, not just assurances.
What Insurers Are Looking For Beyond the Checklist
Savvy underwriters look beyond the binary control checklist at the maturity and consistency of the security program. Several indicators carry significant weight during underwriting review.
- Security awareness training: Is it conducted at least annually? Are phishing simulations run? High click rates on simulations translate directly to higher claims experience.
- Third-party and vendor risk management: Can the applicant enumerate its critical vendors and describe how their security posture is assessed? Supply-chain attacks have made vendor risk a first-order underwriting concern.
- Network segmentation: Are operational technology (OT) and IT networks separated? Are guest Wi-Fi networks isolated from corporate infrastructure? Flat networks dramatically increase blast radius.
- CISO or designated security leader: Organizations with a named security leader — whether an in-house CISO or a virtual CISO (vCISO) — signal a governance structure that reduces moral hazard from the insurer's perspective.
The Coverage Gap Problem
A growing risk for US businesses is the gap between what they believe their policy covers and what it actually covers. Cyber policies increasingly exclude or sublimit coverage for:
- Ransomware events where MFA was not in place at time of loss
- Nation-state attacks (war exclusions, which are actively litigated following the NotPetya attribution dispute)
- Business interruption beyond a specified waiting period
- Costs associated with regulatory fines and penalties
- Social engineering and funds-transfer fraud above a sublimit
The only reliable way to know what a policy actually covers is to have legal counsel and a broker review the policy language before an incident — not after.
Aligning Security Investment with Insurance Outcomes
For many US businesses, the cyber insurance renewal process has become an accidental forcing function for security improvement. The economic incentive is direct: implementing the controls insurers require often reduces premiums enough to offset a meaningful portion of the implementation cost.
GR IT Services works with US organizations to assess current control maturity against insurer expectations, identify gaps, and build a remediation roadmap that improves both security posture and insurability. To discuss your organization's situation, contact us at inquiry@gritservices.io.
Frequently Asked Questions
What is the single most important control for cyber insurance eligibility?
Multi-factor authentication (MFA) on email, remote access, and privileged accounts is the most universally required control. Its absence is the most common reason US businesses are declined coverage or face ransomware sublimits. Phishing-resistant MFA — hardware tokens or passkeys for privileged users — is increasingly specified.
Can a small US business still get cyber insurance without all of these controls?
Small businesses may still obtain policies, but without key controls like MFA and EDR, coverage will typically include ransomware sublimits, higher deductibles, and exclusions that significantly reduce the policy's practical value. Implementing baseline controls before renewal generally produces measurable premium reductions.
What are war exclusions and how do they affect cyber coverage?
War exclusions allow insurers to deny coverage for attacks attributable to nation-state actors. Following the NotPetya ransomware litigation — where insurers sought to classify the attack as an act of war — this exclusion has been extensively litigated. US businesses should have counsel review policy language carefully, particularly if they operate in sectors targeted by state-sponsored actors.
About the author
Dr. Sarah Williams, Chief Information Security Officer. Dr. Sarah Williams holds a doctorate in information security and has spent 18 years advising US federal agencies and Fortune 500 companies on cybersecurity risk governance.