Cyber insurance underwriting has changed. The application used to be short. Now it reads more like a security review, and the controls you have in place shape whether you get an offer and what it costs. Knowing what underwriters look for helps you qualify and, often, improve your terms.
Multi-factor authentication
Multi-factor authentication, or MFA, generally requires a second step beyond a password to log in. It is one of the most common questions on a cyber application because it blocks many account-takeover attacks. Firms without it often find coverage harder to obtain on good terms, so this tends to be near the top of the list.
Tested backups
Underwriters generally ask not just whether you back up data, but whether backups are recent, separated from your main network, and actually tested for recovery. Backups that exist but have never been restored are a common weak point, and ransomware makes this control a priority.
Endpoint detection and response
EDR generally refers to tools that monitor devices for suspicious activity and can respond to threats. It has moved from a nice-to-have to a frequent underwriting question, because it helps catch incidents early. Firms that can point to EDR across their devices generally present a stronger picture.
Email security and training
A large share of cyber incidents start with email. Underwriters generally look for email filtering and controls, plus staff training that helps people spot phishing and fraud. Training matters because the person at the keyboard is often the first and last line of defense.
Why this helps your terms
These controls are not just a gate to get through. Underwriters generally view strong, verifiable security as lower risk, which can affect eligibility and pricing. Building and documenting these practices is worth doing for the protection itself, and the better terms are a bonus.
Answer the application carefully
Accuracy matters, because answers can affect both the offer and how a claim is handled. Marking a control as in place when it is only partly deployed can create problems later. Treat the application as a true picture of your firm, not a checklist to rush through. For where cyber losses fall outside other policies, see cyber exclusions in other policies.
Questions to ask your advisor
- Which controls does the application weigh most heavily for my firm?
- Do we have MFA across email, remote access, and key systems?
- Are our backups separated and tested for recovery?
- Do we have EDR and email security in place and documented?
- Are we answering every application question accurately?
Good security is the point, and better cyber terms follow from it. A short review helps you read the application before you apply, so you know where you stand and can close the gaps that matter before an underwriter asks.
Want guidance first? Compare your coverage. Already know what you need? Get a quote.