Cyber Insurance Controls Explained for IT Teams, MSPs, and CPAs

A Practical Guide to Cyber Risk, Readiness, and Coverage

Cyber insurance isn’t about fear; it’s about preparedness. For IT teams, MSPs, CPAs, and accounting professionals, cyber insurance has become a practical requirement driven by client expectations, regulatory pressure, and real operational risk.

Kovermi helps you understand what cyber insurance actually asks, why it matters, and how to better advise and protect your clients.

These controls reflect what cyber insurers commonly validate during underwriting, renewal, and claims review.

MANAGED IT & SECURITY

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are often asked to validate cybersecurity controls for cyber insurance applications.

Insurers rely on IT providers to confirm security posture, including MFA, endpoint protection, backups, and patch management, making MSPs a critical part of the cyber insurance process.

ACCOUNTING FIRMS & CPAS

Accounting firms and CPAs are frequently asked to confirm internal controls, policies, and cyber risk exposure during cyber insurance reviews.

As trusted advisors, CPAs help clients interpret cyber insurance requirements and coordinate with IT and insurance professionals to ensure accurate, compliant responses.

CONSULTING & ADVISORY

Consultants, vCIOs, and advisory firms are often the first resource clients turn to when faced with cyber insurance requirements.

Advisors help businesses understand insurer questionnaires, assess readiness, and determine next steps without unnecessary disruption or confusion.

APPLICANTS FOR CYBER

Businesses applying for cyber insurance are typically responding to a client, regulatory, or contractual requirement.

Applicants need clear explanations of cyber insurance questions, security controls, and coverage expectations to complete applications accurately and secure appropriate protection.

FUNDAMENTALS

Core Concepts of Cyber Insurance Questionnaires

Multi-Factor Authentication (MFA)

Do all users have MFA enabled for email, remote access, and admin accounts?

Definition: Multi-Factor Authentication (MFA) requires users to verify identity using two or more factors, something they know (password), have (phone or token), or are (biometrics).

Why insurers care: Insurers typically expect MFA to be enforced for email, remote access (VPN/RDP), cloud applications, and privileged or administrative accounts. Insurers commonly require MFA on:

  • Email systems such as Microsoft 365 & Google Workspace
  • Virtual private networks (VPNs) and other remote access paths such as RDP
  • Cloud and Software-as-a-Service (SaaS) admin portals

Common gaps insurers flag:

  • MFA enabled for some users, not all
  • MFA missing on privileged, admin or service accounts
  • MFA enforced but not monitored (nobody reviews who has never registered or who has been excluded from the policy)

Endpoint Protection (EDR/Antivirus/Encryption)

Are all endpoints protected by centrally managed endpoint security?

Definition: Endpoint protection software monitors laptops, desktops, and servers for malware, ransomware, and suspicious behavior.

Why insurers care: Endpoints are the most common entry point for ransomware. Most insurers now expect centrally managed endpoint detection and response (EDR) or equivalent advanced endpoint protection, not standalone antivirus alone. What does good look like?

  • Centralized management and inventory of devices
  • Real-time monitoring & signature file updates for AV
  • Automatic updates for supported software
  • Remote Desktop Protocol (RDP) is disabled, or at minimum never exposed directly to the internet (reachable only through VPN or a gateway that enforces MFA)
  • Local (host) firewalls are enabled
  • Full-disk encryption is enabled (for example BitLocker or FileVault) so a lost laptop is not a data breach

Patch & Vulnerability Management

Are systems patched regularly and vulnerabilities addressed?

Definition: Patch management ensures operating systems and software receive security updates that close known weaknesses.

A Neglected Software Exploit endorsement is a policy provision, often attached as an endorsement or condition tied to patching obligations, that provides limited coverage for losses caused by unpatched software vulnerabilities during a defined grace period after a fix is available. After the grace period expires, coinsurance may apply, reducing the insurer’s share of covered losses.

Failure to Maintain is a cyber insurance policy condition that allows insurers to limit or deny coverage if the insured organization fails to maintain the cybersecurity controls and practices represented during the application process. This clause is typically evaluated during renewal and at the time of a claim, not just at application.

Why insurers care: Unpatched systems are one of the fastest ways attackers gain access. Many insurers ask whether critical security patches are applied within defined timelines (often 14–30 days) and whether patching is documented.

Common gaps insurers flag:

  • Ad hoc, manual, and inconsistent updates
  • No visibility into patch status (no central report of which hosts are missing which updates)
  • Unsupported operating systems that no longer receive security updates
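The 14–30 day timelines above are only meaningful if you can measure them. The following is an added example (not from the original page) of the calculation an insurer's patching question is really asking for: for each update, days from vendor release to installation, compared against a per-severity SLA, plus a check for hosts past their vendor end-of-support date. INVENTORY and PATCHES are constructed records in the shape a vulnerability scanner or RMM export would provide; the SLA values and the end-of-support dates are assumptions to replace with your own policy and lifecycle data.

```python
"""Measure patch timeliness against the per-severity windows insurers ask about.

Added example for this page, not from the original text. INVENTORY and
PATCHES are constructed records; SLA_DAYS and the end-of-support dates are
assumptions, set them to your policy and vendor lifecycle information.
"""
from datetime import date

AS_OF = date(2024, 5, 3)                   # constructed "today" for the sample data
SLA_DAYS = {"critical": 14, "high": 30}    # assumed policy timelines per severity

# host -> (operating system, vendor end-of-support date); dates are constructed placeholders
INVENTORY = {
    "srv-01": ("Windows Server 2022", date(2031, 10, 14)),
    "srv-02": ("Windows Server 2012 R2", date(2023, 10, 10)),
    "ws-07": ("Windows 11", date(2030, 1, 1)),
}

# (host, severity, vendor release date, install date or None if still open)
PATCHES = [
    ("srv-01", "critical", date(2024, 4, 10), date(2024, 4, 18)),
    ("srv-02", "critical", date(2024, 4, 1), None),
    ("ws-07", "high", date(2024, 3, 20), date(2024, 4, 30)),
    ("ws-07", "low", date(2024, 4, 1), None),
]


def patch_report(patches, inventory, today: date) -> dict:
    """Classify each SLA-bearing patch as met, overdue (still open), or closed late."""
    measured = met = 0
    overdue, late_closed = [], []
    for host, severity, released, installed in patches:
        limit = SLA_DAYS.get(severity)
        if limit is None:
            continue                         # no timeline defined for this severity
        measured += 1
        # open patches are measured up to today, so the clock keeps running
        elapsed = ((installed or today) - released).days
        if elapsed <= limit:
            met += 1
        elif installed is None:
            overdue.append((host, severity, elapsed - limit))
        else:
            late_closed.append((host, severity, elapsed - limit))
    unsupported = sorted(h for h, (_os, eos) in inventory.items() if eos < today)
    return {
        "sla_compliance_pct": round(100 * met / measured, 1) if measured else 0.0,
        "overdue": overdue,                  # (host, severity, days past SLA)
        "late_but_closed": late_closed,      # installed, but outside the window
        "unsupported_hosts": unsupported,    # past vendor end of support
    }


if __name__ == "__main__":
    for key, value in patch_report(PATCHES, INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
```

Two points the output makes that a yes/no questionnaire answer hides: an update that was installed, but outside the window, still counts as a miss for documentation purposes, and an open critical patch gets worse every day, which is exactly the exposure a Neglected Software Exploit grace period is written around.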

Data Backup & Recovery

Are backups performed regularly, stored offline or in immutable storage, and tested?

Definition: Backups are secure copies of business data stored separately from production systems.

Why insurers care: Ransomware without reliable backups becomes a business-ending event. Insurers may also ask whether backup restoration is tested periodically to confirm data can be recovered. Insurers want to see:

  • Daily or frequent backups
  • Offsite or immutable storage
  • Periodic testing of restorations
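"Periodic testing of restorations" means more than confirming the backup job reported success: you restore to a separate location and prove every file came back byte-for-byte. Below is an added example (not from the original page) of that test: it records a SHA-256 manifest at backup time, restores the archive elsewhere, compares manifests, and reports missing, extra, or altered files. The sample files are constructed inside a temporary directory; point `src` at real data and `archive` at a real backup to use it in earnest. Immutability and offline storage are properties of where the archive lives (object lock, offline media) and are not something this script can verify.

```python
"""Restore test: back up a directory, restore it elsewhere, and prove every
file came back intact by comparing SHA-256 manifests.

Added example for this page, not from the original text. Sample data is
constructed in a temporary directory.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest taken at backup time (store it with the backup)."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def restore(archive: Path, dest: Path) -> dict:
    """Extract the archive into dest, refusing path traversal, and return the restored manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    base = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            # a crafted archive could carry "../" names; never write outside dest
            if target != base and base not in target.parents:
                raise ValueError(f"refusing to extract {member.name!r} outside {dest}")
        tar.extractall(dest)
    return manifest(dest)


def compare(expected: dict, restored: dict) -> dict:
    """Report what differs between the backup-time and restore-time manifests."""
    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    mismatched = sorted(p for p in expected.keys() & restored.keys() if expected[p] != restored[p])
    return {"ok": not (missing or extra or mismatched),
            "missing": missing, "extra": extra, "mismatched": mismatched}


def run_restore_test(corrupt: bool = False) -> dict:
    """End-to-end test on constructed data; corrupt=True tampers with the restore to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, archive = root / "prod", root / "restore", root / "nightly.tar.gz"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-q1.csv").write_text("client,amount\nacme,1200\n")   # constructed
        (src / "notes.txt").write_text("constructed sample data\n")
        expected = create_backup(src, archive)
        restored = restore(archive, dest)
        if corrupt:
            (dest / "ledger" / "2024-q1.csv").write_text("client,amount\nacme,0\n")
            restored = manifest(dest)
        return compare(expected, restored)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("tampered restore:", run_restore_test(corrupt=True))
```

Keep the manifest alongside the backup but not only there: if the same ransomware that encrypts production can reach the manifest, it cannot serve as independent evidence. The timestamped result of each run is the documentation an underwriter means by "tested restorations".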

Employee Security Awareness Training

Are employees trained on phishing and cyber threats?

Definition: Security awareness training teaches employees how to recognize and avoid cyber threats.

Why insurers care: Humans are often the weakest link, but also the strongest defense when trained. Underwriters often ask whether training is conducted at least annually and whether participation can be documented.

  • Evidence of training during onboarding and annually

Access Control & Least Privilege

Are user permissions reviewed and restricted?

Definition: Least privilege means users only have access to what they need to do their job.

Why insurers care: Excess access increases damage during a breach. Insurers commonly ask whether user access and administrative privileges are reviewed periodically.

  • Periodic (monthly, quarterly, annual) user access reviews
  • Remove stale or unused accounts
  • Inventory human, non-human, and service accounts & identities
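The MFA gaps listed earlier ("some users, not all", "missing on privileged or service accounts") and the access review asked for here come from the same data set: an export of every identity with its type, privilege, MFA state, and last sign-in. The following is an added example (not from the original page) of the review a practitioner runs over such an export before answering "Do all users have MFA?". EXPORT is a constructed CSV in the shape of an identity-provider export; the column names, the 90-day stale threshold, and the rule that MFA coverage is measured over human accounts (service accounts cannot complete interactive MFA and need a different control, such as conditional access or a managed identity) are all assumptions to adjust to your environment.

```python
"""Review an identity export for the MFA and access-control gaps insurers flag.

Added example for this page, not from the original text. EXPORT is a
constructed CSV; column names and the stale-account threshold are assumptions.
"""
import csv
import io
from datetime import date

AS_OF = date(2024, 5, 3)   # constructed "today" for the sample data

EXPORT = """upn,account_type,privileged,mfa_registered,last_sign_in
alice@example.com,human,yes,yes,2024-05-02
bob@example.com,human,no,no,2024-05-01
svc-backup@example.com,service,no,no,2024-05-02
carol@example.com,human,yes,no,2024-04-30
dave@example.com,human,no,yes,2023-11-15
temp-contractor@example.com,human,no,no,
"""


def review(export_csv: str, today: date, stale_days: int = 90) -> dict:
    """Compute MFA coverage, privileged gaps, service accounts, and stale identities."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    humans = [r for r in rows if r["account_type"] == "human"]
    with_mfa = [r for r in humans if r["mfa_registered"] == "yes"]

    def is_stale(row) -> bool:
        if not row["last_sign_in"]:
            return True                       # never signed in: provisioned but unused
        return (today - date.fromisoformat(row["last_sign_in"])).days > stale_days

    return {
        # coverage over human accounts only; service accounts are listed separately
        "mfa_coverage_pct": round(100 * len(with_mfa) / len(humans), 1) if humans else 0.0,
        "privileged_without_mfa": [r["upn"] for r in humans
                                   if r["privileged"] == "yes" and r["mfa_registered"] == "no"],
        "users_without_mfa": [r["upn"] for r in humans if r["mfa_registered"] == "no"],
        "service_accounts": [r["upn"] for r in rows if r["account_type"] == "service"],
        "stale_accounts": [r["upn"] for r in rows if is_stale(r)],
    }


def attest_all_users_mfa(report: dict) -> bool:
    """The questionnaire asks 'all users'; answer yes only when the data supports it."""
    return report["mfa_coverage_pct"] == 100.0 and not report["privileged_without_mfa"]


if __name__ == "__main__":
    result = review(EXPORT, AS_OF)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("can attest 'all users have MFA':", attest_all_users_mfa(result))
```

The privileged account without MFA is the finding to fix first; a stale account that still has no MFA is the second, since a never-used contractor login with a password the owner may have reused elsewhere is exactly the foothold attackers look for. Keep the dated output of each run: it is the evidence of "periodic user access reviews".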

Network Segmentation

Do you segment your network to limit lateral movement between systems?

Definition: Network segmentation separates critical systems, user devices, and sensitive data into distinct network zones with controlled access between them.

Why insurers care: Insurers evaluate network segmentation as a loss-containment control. A segmented network limits lateral movement, so a single compromised workstation cannot reach backups, servers, and management interfaces directly; that reduces ransomware spread, lowers claim severity, and demonstrates mature cybersecurity risk management.

  • Avoid flat networks
  • Avoid shared admin access
  • Document network & segmentation strategy

Internet Domain Security (TLS/SSL/BEC Protection)

Do you secure internet domains and email systems against spoofing and business email compromise (BEC)?

Definition: Internet domain security protects company domains and email systems by enforcing encrypted communications (TLS/SSL) and using email authentication standards to verify that messages are legitimate and not impersonated.

Business Email Compromise (BEC) is a form of fraud where attackers impersonate trusted email domains to redirect payments or obtain sensitive information.

  • SPF (Sender Policy Framework): A DNS TXT record listing which mail servers are authorized to send email on behalf of a domain.
  • DKIM (DomainKeys Identified Mail): Signs outgoing messages with a per-domain key published in DNS, so receivers can verify that the message came from the domain and that the signed headers and body were not altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Builds on SPF and DKIM to tell receiving systems how to handle mail that fails authentication (none, quarantine, or reject) and provides aggregate reports on who is sending as your domain.
    • Insurers increasingly expect DMARC to be set to an enforcement policy (p=quarantine or p=reject), not monitoring only (p=none).

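External scanning services used by insurers read these records straight from DNS and grade them. The following is an added example (not from the original page) of the same assessment: it parses an SPF record and a DMARC record and returns the findings an underwriter would raise, including the "monitoring only" case above, a permissive `+all` SPF terminator, the 10-lookup SPF limit, and a policy applied to only part of the mail (`pct`). The TXT strings are constructed samples; in practice you would fetch the TXT records for `example.com` and `_dmarc.example.com` with a resolver. DKIM is not checked here because its record lives under a selector name that cannot be discovered without knowing which selector the mail system uses.

```python
"""Assess SPF and DMARC records the way an insurer's external scan does.

Added example for this page, not from the original text. The record
strings are constructed samples, not fetched from DNS.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include:|exists:|redirect=|ptr\b|a\b|mx\b)")

# constructed sample pairs: (SPF TXT at example.com, DMARC TXT at _dmarc.example.com)
WEAK = ("v=spf1 include:spf.protection.outlook.com +all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = ("v=spf1 include:spf.protection.outlook.com -all",
          "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com")


def parse_spf(txt: str) -> dict:
    """Report the 'all' qualifier and the number of lookup-costing terms."""
    if not txt.lower().startswith("v=spf1"):
        return {"valid": False}
    terms = txt.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    return {"valid": True, "all": all_term,
            "lookups": sum(1 for t in terms if LOOKUP_TERM.match(t))}


def parse_dmarc(txt: str) -> dict:
    """Parse tag=value pairs; defaults follow RFC 7489 (sp defaults to p, pct to 100)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False}
    policy = tags.get("p")
    return {"valid": True, "p": policy, "sp": tags.get("sp", policy),
            "pct": int(tags.get("pct", "100")), "rua": tags.get("rua")}


def assess(spf_txt: str, dmarc_txt: str) -> list:
    """Return underwriter-style findings; an empty list means the domain passes."""
    findings = []
    spf = parse_spf(spf_txt)
    if not spf["valid"]:
        findings.append("SPF: no v=spf1 record published")
    else:
        if spf["all"] in (None, "all", "+all", "?all"):
            findings.append(f"SPF: terminator {spf['all']!r} accepts any sender; use ~all or -all")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceeds the limit of 10; "
                            "receivers treat the record as a permanent error")
    dmarc = parse_dmarc(dmarc_txt)
    if not dmarc["valid"]:
        findings.append("DMARC: no record; receivers are never told to reject spoofed mail")
    else:
        enforcing = dmarc["p"] in ("quarantine", "reject")
        if not enforcing:
            findings.append(f"DMARC: p={dmarc['p']} is monitoring only; insurers expect quarantine or reject")
        elif dmarc["pct"] < 100:
            findings.append(f"DMARC: policy applies to only {dmarc['pct']}% of mail")
        if enforcing and dmarc["sp"] not in ("quarantine", "reject"):
            findings.append(f"DMARC: subdomain policy sp={dmarc['sp']} leaves subdomains spoofable")
        if not dmarc["rua"]:
            findings.append("DMARC: no rua address, so no aggregate reports to review")
    return findings


if __name__ == "__main__":
    for label, pair in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess(*pair) or ["pass"])
```

Moving from `p=none` to `p=reject` in one step is how legitimate mail gets dropped; the usual path is to review the `rua` aggregate reports until every real sender passes SPF or DKIM with alignment, then step through `quarantine` and a rising `pct` to `reject`. The assessment flags `pct` below 100 precisely because scanners treat a partial policy as not yet enforced.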
BEYOND THE BASICS

Additional Cyber Insurance Considerations

Beyond core cybersecurity controls, cyber insurers increasingly evaluate how organizations prepare for, detect, and contain incidents. CPAs may encounter the following areas during underwriting, renewal, or claims review.

Incident Response & Disaster Recovery Planning

Insurers may ask whether a documented incident response (IR) or disaster recovery (DR) plan exists and is maintained. These plans demonstrate preparedness and support faster containment of cyber events. A related term is Business Continuity and Disaster Recovery (BCDR).

Security Monitoring & Event Logging

Some carriers review whether systems are monitored for suspicious activity and whether security events are logged and reviewed to support timely detection and response. This may involve a Security Information and Event Management (SIEM) solution.

Remote Access Security (VPN / Zero Trust)

Cyber insurance applications often include questions about secure remote access, such as VPNs or zero-trust controls, to prevent unauthorized system access. Modern solutions for distributed workforces include Secure Access Service Edge (SASE) services.

Vendor & Third-Party Risk Controls

Certain insurers assess whether organizations consider third-party or vendor cyber risk, particularly when critical systems or data are managed by external providers.