How the Market Has Changed
The cyber insurance market of 2019 was characterized by broad coverage, relatively low premiums, and limited underwriting rigor. Carriers were expanding into a new market and prioritizing premium volume over risk selection. The consequences became apparent in 2020 and 2021 as ransomware losses exploded and multiple carriers posted significant underwriting losses on their cyber books.
The market that emerged from that correction is fundamentally different. Carriers have invested in underwriting capabilities, hired technical staff, and developed detailed questionnaires that probe the specific security controls that claims data has shown to be predictive of loss severity. Organizations that cannot demonstrate these controls face a market that is unwilling to provide coverage at any reasonable price.
What Underwriters Are Now Requiring
Multi-Factor Authentication Documentation
Every major cyber carrier now requires evidence of MFA implementation across all remote access, email platforms, and privileged accounts as a condition of coverage. Some carriers require MFA on all user accounts. Organizations that cannot document MFA implementation face either coverage denial or significant premium surcharges.
Endpoint Detection and Response
Basic antivirus is no longer acceptable to most carriers. EDR with active monitoring, either through an internal security operations capability or a managed detection and response provider, is a standard requirement in the current market.
Tested Incident Response Plan
Carriers want evidence that organizations have a documented incident response plan and have tested it within the past 12 months. Untested plans are given limited weight. Documentation of a tabletop exercise or simulation is increasingly required at renewal.
Privileged Access Management
The role of privileged credentials in enabling ransomware operators to destroy backups, move laterally, and maximize impact has made PAM a priority focus for underwriters. Carriers want to see that administrative credentials are managed, vaulted, and not broadly shared.
Regular Backup Testing
Carriers have paid claims on organizations that believed they had functional backups but discovered during an incident that backups were incomplete, corrupted, or inaccessible. Documentation of backup procedures and test restoration results is increasingly required.
Patch Management Program
Evidence of a structured patch management program, particularly for internet-facing systems and critical internal infrastructure, is a standard underwriting requirement. Organizations without documented patching processes face scrutiny at every renewal.
Organizations should treat the insurance application as a security audit. The questions carriers ask reflect the controls that have the most significant impact on loss severity. If you cannot answer yes to those questions, you have identified your highest-priority security investments.
Getting the Right Coverage
Cyber insurance procurement deserves the same rigor as any significant business decision. Coverage limits, sublimits for specific loss types, retroactive dates, waiting periods for business interruption coverage, and policy exclusions all materially affect the value of coverage in an actual incident. Organizations should work with brokers who specialize in cyber insurance and should review policy language with legal counsel familiar with insurance terms before binding.
- Conduct a gap assessment against underwriting requirements before submitting applications
- Document your security controls thoroughly to support accurate representation on applications
- Understand what your policy covers and what it excludes before you need it
- Consider the interplay between your policy and any vendor or partner policies that may affect coverage
- Review coverage limits against your actual exposure, including business interruption potential