What do cyber insurers require?
Cyber insurers usually want to see basic security controls, written processes, and a realistic backup plan. The exact checklist depends on your size, industry, systems, and the insurer.

The short answer
Most cyber insurers ask whether your business has a few core safeguards in place before they offer coverage or renew a policy. Common examples include multi-factor authentication (MFA) for email and important accounts; antivirus or endpoint detection and response (EDR); regular software patching; backups; and staff training.
They also often ask how you handle remote access, who has admin rights, whether you test backups, and whether you have a plan for incidents like fraud, ransomware, or stolen devices. Some carriers ask detailed questions on the application. Others may ask for proof later.
The key thing to know is this. Insurers are not looking for perfection. They usually want to see that you have reasonable controls, that you know what you have, and that someone is responsible for keeping those basics in shape.
Why it matters for your business
Cyber insurance can help with costs after certain incidents, but coverage is tied to the answers on your application and the terms in the policy. If your business says a control is in place and it is not, that can create problems during a claim. This is one reason business owners should slow down and make sure answers are accurate.
For a small business, the issue is not only insurance. The same items insurers ask about are often the same basics a good managed IT provider, also called an MSP, will recommend anyway. They are practical steps that reduce avoidable problems and make recovery easier when something goes wrong.
Requirements also vary by industry and state. A medical office may have questions tied to HIPAA, the Health Insurance Portability and Accountability Act. A business that handles payment cards may be asked about PCI, the Payment Card Industry Data Security Standard. A company selling to larger organizations may also hear about SOC 2, a framework many customers use to review security controls.
What insurers commonly ask about
Email security is one of the first areas insurers look at. They often want MFA on Microsoft 365, Google Workspace, and any cloud app with sensitive information. MFA means users need a second step to sign in, such as an app code or hardware key, not just a password.
They also ask about endpoint protection. An endpoint is a device such as a laptop, desktop, or server. EDR, endpoint detection and response, is a more advanced tool than basic antivirus. It helps detect suspicious activity on devices and gives an IT provider a way to investigate and respond.
Another common topic is patching. Patching means installing security and stability updates for operating systems, browsers, business software, firewalls, and other tools. Insurers may ask how quickly critical updates are applied and whether unsupported systems are still in use.
Backups are a major focus too. Many carriers want backups that are separated from day-to-day systems and tested regularly. You may hear the term 3-2-1 backup. That means keeping 3 copies of data, on 2 different types of media, with 1 copy kept off-site or otherwise separated. No honest provider promises zero downtime, an unhackable network, or guaranteed recovery, but insurers do want to see that recovery planning is real.
Access control matters as well. Insurers often ask who has administrator rights, whether former employees are removed quickly, and whether remote access is restricted and protected. They may also ask whether vendors or contractors can reach your systems and how that access is controlled.
An honest note
NodeBridge IT is a free matching service, not an IT provider. The information here is general and educational — confirm scope, SLAs, and price in writing with any provider before you sign. No one can guarantee uptime, security, or recovery.
Common questions
Where can I get help with this?
Get matched, free, with an independent managed IT provider who can help — you compare and choose who to hire.