Renewal premiums are up 50–100% year-over-year since 2022. Carriers who once wrote policies based on a five-page questionnaire now require evidence — screenshots, logs, test results — and they’re walking away from accounts that can’t produce it.
The Change Healthcare, CDK, and MOVEit incidents changed everything. Carriers paid out billions in ransomware and Business Email Compromise claims. Now they audit. Sub-limits are appearing on policies for companies without verified controls. Some carriers are declining renewals outright.
If your policy renews in the next 90 days, this post tells you exactly what underwriters are checking — and what you need to have ready before the application goes out.
Why 2025 Is Different From Every Other Year
Three events reshaped the cyber insurance market in a way no prior year did:
- Change Healthcare (Feb 2024): The largest healthcare cybersecurity incident in U.S. history. Carrier loss estimates exceeded $1.5B. Insurers went back and audited every healthcare renewal with new scrutiny.
- CDK Global (June 2024): Two ransomware attacks within six weeks crippled 15,000 auto dealerships. Carriers quietly added dealership-specific exclusions and evidence requirements.
- MOVEit (2023–ongoing): Over 2,700 organizations affected globally. Many discovered their cyber policies didn’t cover supply-chain attacks the way they assumed.
The implication: carriers are no longer pricing cyber risk based on what you said you had. They’re pricing it based on what you can prove you have — and they’re still adjusting the price based on what they find.
Coverage is conditional on controls. The day you need your policy is the day you’ll wish you read this.
Download the Cyber Insurance Readiness Checklist
12 controls ranked by underwriting impact, with evidence requirements and a 90/60/30-day renewal timeline.
No spam. Unsubscribe anytime.
The 8 Controls Underwriters Now Require — With Exactly What They Want to See
Every major carrier (Coalition, At-Bay, Cowbell, Corvus, Travelers) uses a similar control baseline. Here are the eight items that appear on every renewal application, with the evidence you need to produce.
1. Phishing-Resistant MFA on Email, VPN, Admin, and RMM Tools
What underwriters ask:
- “Do you enforce MFA on all email accounts (Microsoft 365, Google Workspace)?”
- “Do you require MFA for VPN and all remote access?”
- “Do you require MFA on all privileged and administrative accounts?”
- “Is MFA enforced on your RMM/PSA tools?”
What “passes” in 2025: Hardware key (FIDO2/WebAuthn) or authenticator app on 100% of covered accounts. Conditional access policies that block legacy authentication. RMM tools (ConnectWise, Datto, Syncro, AnyDesk) behind MFA — no exceptions. Number matching or FIDO2 for privileged accounts to resist push-bombing.
Evidence to collect: MFA enrollment report export from your identity provider (Entra ID, Google Admin, Okta). Screenshot of conditional access policy with MFA enforced. List of all accounts not enrolled in MFA, with documented compensating controls.
How to pass the question: Don’t say “MFA enabled.” Say “MFA enforced on 100% of accounts, with phishing-resistant methods on all privileged access.” Be specific about scope.
2. EDR — Not Antivirus, Not MDR-lite. Real Endpoint Detection and Response
What underwriters ask:
- “Do you deploy EDR on all workstations and servers?”
- “What is your endpoint detection and response coverage percentage?”
- “Do you have 24/7 monitoring with the ability to isolate endpoints?”
What “passes” in 2025: EDR agent deployed on 100% of enrolled devices (laptops, workstations, servers). Centralized console showing coverage report. Automated isolation capability enabled. 24/7 monitoring via internal SOC, MDR provider, or managed services partner.
What fails: Consumer-grade antivirus, Windows Defender alone (for servers or businesses above 10 employees), or EDR installed on 80% of devices with “the rest are contractors.”
Evidence to collect: EDR console screenshot showing all enrolled devices and policy status. Alert response log from the last 30 days showing someone acted on it. Policy screenshot confirming tamper protection and behavioral monitoring are enabled.
3. Immutable, Offline, Tested Backups — the 3-2-1-1-0 Rule
What underwriters ask:
- “Do you maintain immutable backups that cannot be overwritten or deleted?”
- “How often do you test your backup restore capability?”
- “Is your backup environment protected by MFA separate from your production environment?”
What “passes” in 2025: 3 copies of production data. On 2 different media types. With 1 stored offline or immutable (air-gapped, object-locked cloud storage, vaulted tape). With 0 errors on quarterly tested restores. Backup admin accounts use separate credentials from production.
What fails: OneDrive sync as backup, standard NAS on the same network as production, backups that haven’t been tested and documented in writing.
Evidence to collect: Backup job success logs for the last 90 days. Documented restore test results (date, what was restored, how long it took, result). Screenshot of immutability settings or air-gap confirmation. MFA proof for backup admin console.
4. Privileged Access Management / Least Privilege
What underwriters ask:
- “Do you maintain separate privileged accounts for administration?”
- “Are local admin rights removed from standard user accounts?”
- “Do you use just-in-time elevation for privileged tasks?”
What “passes” in 2025: No shared admin credentials across IT staff. Standard users have zero permanent domain admin rights. Privileged access is granted via jump server, PAM tool, or break-glass procedure — never persistent. Quarterly review of admin account inventory.
Evidence to collect: Admin account inventory with role descriptions. PAM or jump-server configuration screenshot. Least privilege policy document (even 1 page counts).
5. Email Security Gateway — Anti-BEC and DMARC Enforcement
What underwriters ask:
- “Do you have an email security gateway with anti-phishing and anti-impersonation controls?”
- “Is DMARC configured and enforced on your domain?”
- “Do you flag external emails coming into your organization?”
What “passes” in 2025: Email security gateway (Proofpoint, Google Workspace, Mimecast, Abnormal Security) with link sandboxing, attachment detonation, and BEC detection. DMARC reject or quarantine policy on your primary domains. External email banner/tagging enabled in your email platform.
Evidence to collect: Email security portal screenshot showing protection rules active. DMARC DNS record with policy evidence (use dmarcchecker.io). Proof of external email banner configuration.
6. Vulnerability and Patch Management — With KEV Catalog Tracking
What underwriters ask:
- “Do you have documented patch SLAs for critical and high-severity vulnerabilities?”
- “What is your patch cadence for internet-facing systems?”
- “Are end-of-life systems still in production?”
What “passes” in 2025: Automated patch management with written SLAs: Critical vulnerabilities: 7–14 days. High-risk vulnerabilities: 30 days. All others: 90 days. KEV (Known Exploited Vulnerabilities) catalog tracked as priority items. No internet-facing systems running unpatched for more than 30 days. End-of-life operating systems removed or isolated.
Evidence to collect: Patch compliance report from your RMM or patch management tool. KEV tracking log showing which CVEs are being monitored. Written patch policy document (even a 1-page summary). Exception log for any systems currently out of SLA.
7. Incident Response Plan — Written and Tested in the Last 12 Months
What underwriters ask:
- “Do you have a documented incident response plan?”
- “When was your last tabletop exercise or IR plan test?”
- “Who are your breach coach and legal contacts?”
What “passes” in 2025: Written IR plan with: roles, call tree (including broker and carrier hotlines), severity levels, ransomware playbook, communications template. Tabletop exercise run within the last 12 months with documented findings. Pre-identified breach coach / legal counsel.
What fails: A 3-page Word document labeled “Incident Response” that hasn’t been opened since 2021. A 100-page document that your team has never actually used.
Evidence to collect: IR plan PDF with version date and owner. Tabletop exercise summary: date, attendees, scenario, action items identified, status of each. Contact list for breach coach, legal, and carrier incident reporting line.
8. Security Awareness Training — With Real Phishing Simulation Data
What underwriters ask:
- “Do you conduct security awareness training?”
- “What is your completion rate and click rate on phishing simulations?”
- “How often do you run phishing simulations?”
What “passes” in 2025: Quarterly live or interactive training sessions. Monthly or quarterly phishing simulations with measurable click rates. Documented remediation for repeat clickers. Training records showing per-employee completion and score.
Why it matters to underwriters: Marsh McLennan’s research links documented security awareness training and phishing simulations to lower breach-based claim probability. Carriers use your training records as a proxy for your overall security culture.
How SecurEveryone maps to this requirement: Our Business tier ($900, unlimited users) includes quarterly live sessions with real phishing simulations, documented completion records, and click-rate benchmarks you can hand directly to your underwriter. Book before your next renewal →
What Gets You Declined or Sub-Limited
These are the eight most common reasons applications get declined or receive reduced sub-limits. None of them are subtle — underwriters see these on virtually every declination.
| Red Flag | Why It Kills Your Renewal |
|---|---|
| Open RDP exposed to the internet | Primary entry point for ransomware — carriers actively scan for it |
| End-of-life Windows (Server 2012, Windows 7) in production | Unpatchable, exploited in every major ransomware campaign |
| No MFA on Microsoft 365 | The single most common declination trigger — 82% of Coalition denied claims involved this |
| No EDR on servers | Ransomware groups move to servers once they have a workstation foothold |
| Backups on the same network as production | If an attacker reaches your domain, they can reach and encrypt your backups |
| No IR plan or IR plan not tested in 12 months | Carriers want evidence you can actually execute the plan, not just possess it |
| Undisclosed prior incident | Failure to disclose a prior breach is grounds for voiding coverage after a claim |
| Incomplete attestation | Signing a control attestation you can’t immediately prove is visible to underwriters |
The Application Questionnaire Decoded — What Carriers Are Actually Asking
Cyber insurance applications now run 10–15 pages and ask for evidence, not promises. Here’s how the questions map to controls:
“Do you require MFA for remote access and email?”
→ Underwriters want: MFA enrollment report showing 100% coverage on O365 and VPN. They check this against dark web scans and technical hygiene tools.
“Do you use EDR on all endpoints?”
→ Underwriters want: EDR coverage report showing all enrolled devices, policy version, and alert response logs. Coalition and At-Bay run external scans of your public-facing infrastructure.
“Describe your backup strategy and testing cadence.”
→ Underwriters want: Backup job logs + restore test results with dates. Not “we back up nightly” — they want documentation.
“What is your patch SLA for critical vulnerabilities?”
→ Underwriters want: Written patch policy with defined timelines, evidence it’s being followed, and a log of the last scan.
“When was your last incident response tabletop exercise?”
→ Underwriters want: Dated tabletop summary with attendees, scenario used, and action items tracked to completion.
“Provide your security awareness training completion rates for the last 12 months.”
→ Underwriters want: Per-employee training records showing who was trained, when, and what they scored on phishing simulations.
Coalition and At-Bay actively scan your external attack surface before quoting. When they ask a question, they’ve already seen the answer.
Premium Drivers — What’s Actually Affecting Your Rate
Three factors determine your cyber insurance premium more than any others:
1. Industry vertical
Healthcare, construction, manufacturing, and legal face the highest premiums — not because they’re less secure, but because attack patterns in those sectors result in larger claims.
2. Claims history
A single prior incident — even a small BEC wire transfer — can increase your premium by 30–50% or trigger a coverage review. Full disclosure on the application is always better than a claim denial after the fact.
3. Controls maturity — and the documentation to prove it
The gap between companies that pay 20% more and companies that get declined is documentation. Carriers that can verify controls quickly (MFA reports, EDR coverage, restore test records) quote faster and at better rates.
Security training as a premium lever: Several carriers — including Cowbell and Travelers — explicitly factor documented training completion into pricing models. A company with quarterly live training records and measured phishing benchmarks presents a better risk profile than one with annual video attestations. Documented training isn’t just a checkbox — it can move the needle on your quote.
The 30-Day Renewal Prep Checklist — Start Here
Don’t let your renewal catch you off guard. The companies that move fastest through underwriting are the ones that had their documentation ready before the application went out.
Days 1–3: Pull your evidence pack
- MFA enrollment report (export from Entra ID, Google Admin, or Okta)
- EDR coverage report (screenshot from your EDR console)
- Backup job logs + restore test results
- Last 12 months of training and phishing simulation records
- Current IR plan with version date
Days 4–10: Close your gaps
- Enforce MFA on any accounts still missing it
- Confirm EDR coverage is 100% of enrolled devices
- Run and document a restore test from your immutable backup
- Update your IR plan if it hasn’t been touched in 12 months
Days 11–20: Document everything
- Write a patch policy if you don’t have one (1 page is enough)
- Run a tabletop exercise and capture the summary
- Pull phishing simulation click-rate data for the last 12 months
Days 21–30: Submit with confidence
- Compile everything into a single “Cyber Insurance Evidence — [Date]” folder
- Brief your broker on your control posture and any open gaps
- Submit your application with documentation ready
Need the full checklist? Download the Cyber Insurance Readiness Checklist — the 12 controls ranked by underwriting impact, evidence requirements for each, and the 90/60/30-day renewal timeline.
Frequently Asked Questions
What exactly counts as “phishing-resistant MFA” for insurance purposes?
Phishing-resistant MFA means authentication methods that cannot be intercepted or replayed in real time. This includes FIDO2/WebAuthn hardware keys and authentication apps using time-based one-time passwords (TOTP). Push notification MFA (the kind that sends you “approve this login” on your phone) is acceptable but considered lower-resistance than FIDO2. Number matching is a recommended mitigation that significantly reduces push-bombing risk.
Does EDR actually reduce my cyber insurance premium?
EDR reduces your premium and your declination risk more than it reduces your premium directly. Most carriers require EDR before quoting — it’s not a discount lever, it’s a gate. Companies without EDR get declined. Companies with documented EDR and 24/7 monitoring demonstrate lower breach impact, which translates to better pricing. Several carriers offer enhanced coverage terms for companies that can demonstrate active monitoring.
How often do I need to test backup restores to satisfy underwriters?
Quarterly tested restores is the standard most carriers expect. Each test should document: what was restored, how long it took, and confirmation the data was intact. Store results with dates — a test you ran but didn’t document is a test you can’t prove happened.
Can I get approved with an older incident on my record?
Yes, but it requires full disclosure on the application. Failure to disclose a prior incident is grounds for voiding coverage after a claim. Several carriers write SMBs with prior incident history if the root cause was remediated and documented. Work with your broker to disclose proactively and present your remediation story clearly.
Does security awareness training lower cyber insurance rates?
Documented training with measurable completion rates and phishing simulation data is factored into pricing by several carriers including Cowbell and Travelers. Live training with interactive simulations produces better underwriting evidence than video-only training.
Renewal in 60 days? Start here.
The checklist maps every control underwriters verify — with evidence requirements and a renewal countdown plan.
No spam. Unsubscribe anytime.
Train your team before renewal. The Business tier at $900 gives you unlimited-user live training, quarterly phishing simulations, and documented completion records — the exact evidence underwriters want to see.
For more on what underwriters want, read our related post on 2025 SMB cyber insurance requirements. If you’re in healthcare or insurance, see how SecurEveryone maps to your industry-specific obligations: Medical Practices, Insurance Agencies.
Free Checklist
What if your renewal is in 30 days?
Download our free Cyber Insurance Readiness Checklist — the 12 controls ranked by underwriting impact, evidence requirements for each, and the 90/60/30-day renewal timeline.
Download the Checklist →
Get your free pocket guide
Enter your work email and we'll send the SMB Phishing Defense Pocket Guide — 6 red flags + 5-step incident response playbook.
Check your inbox!
Your pocket guide is on its way.
No spam. Unsubscribe anytime. Unsubscribe