Free Download

Cyber Insurance Readiness Checklist for SMBs

The 12 controls insurers actually check in 2025 — with evidence requirements, carrier benchmarks, and a 90/60/30-day renewal prep timeline.

  • 12 controls ranked by underwriting impact
  • Evidence documentation guide
  • 90 / 60 / 30 day prep timeline

What's Inside

Everything you need to pass underwriting

This checklist maps directly to what carriers actually review — not generic security advice.

  • 12 controls ranked by impact: Tier 1 non-negotiables through Tier 3 documentation items
  • Evidence requirements for each control — exactly what screenshots and exports to collect
  • Red flags that trigger declinations, surcharges, or exclusions (so you know what to fix first)
  • 90 / 60 / 30 day renewal countdown with specific tasks, not vague guidance

The 12 Controls

What underwriters check in 2025

Every carrier has its own application, but the underlying controls are remarkably consistent.

Tier 1 — Non-negotiable

These three controls determine whether you get a quote at all.
  • MFA enforced on email, VPN, and all privileged accounts
    Microsoft 365, Google Workspace, VPN, cloud admin — hardware key or authenticator app preferred over SMS. Break-glass accounts excluded from MFA are a leading decline reason.
  • EDR deployed on 100% of devices — servers and workstations, all OS
    Behavioral detection, containment, rollback. Legacy antivirus (even "next-gen" marketed) does not qualify. Coverage gaps on Macs, Linux, or contractor devices get flagged in the policy.
  • Immutable / offline backups with quarterly tested restores
    Cloud sync (OneDrive, Dropbox) does not count. Object-locked cloud storage, air-gapped media, or vaulted storage — with documented test restore results. Backups that can't be proven to work are assumed to be broken.
Tier 2 — Required, slightly more flexibility

These get checked on every application; gaps can trigger conditions or sublimits.
  • Security awareness training — quarterly minimum with phishing simulations. Monthly click-rate data and evidence of remediation for repeat clickers. Annual video-only training satisfies documentation minimum but doesn't demonstrate active culture.
  • Email security — SPF/DKIM/DMARC configured, anti-impersonation controls, external email banner/tagging. Phishing drives the majority of breach events — carriers want to see documented controls, not assumptions.
  • Patch management — documented SLAs: critical within 48–72 hours, high-risk within 7 days, all others within 30 days. Legacy OS (Server 2012, etc.) still in production gets flagged and may be excluded from coverage.
  • Privileged access management — separate admin accounts for privileged tasks, local admin rights removed from standard users, password vaulting for shared credentials and service accounts. Excessive domain admin accounts and long-lived service credentials are common red flags.
  • Remote access hardening — no open RDP exposed to the internet. All remote access routed through VPN or ZTNA with MFA enforced. SMBv1 disabled. Geo-IP allow-listing in place. External attack surface scan showing no open RDP is required by most carriers.
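The email security item above asks for configured SPF and DMARC, and underwriters read "configured" as enforcing, not merely present. The following is an added example, not part of the checklist or any carrier's tooling: it parses SPF and DMARC TXT records and grades them against the questions an application actually asks (is there a hard or soft fail, is the DMARC policy quarantine or reject, is it applied to 100% of mail, are aggregate reports being collected). The record strings are constructed for the hypothetical domain example-smb.test; in practice you would feed it the TXT values exported from your DNS provider.

```python
"""Grade SPF and DMARC records for a cyber insurance evidence pack.

Added example. The two sample records below are constructed for a
hypothetical domain and are not real DNS data.
"""
import re

SAMPLE_SPF = "v=spf1 include:_spf.example-mail.test ip4:203.0.113.0/24 -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-smb.test; pct=100"

# Mechanisms that cost a DNS lookup; RFC 7208 caps a record at 10.
_LOOKUP_MECH = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def parse_spf(record):
    """Return {'mechanisms', 'all', 'lookups'} or None if not an SPF record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms = parts[1:]
    all_qualifier = None
    for m in mechanisms:
        if m.lower().lstrip("+-~?") == "all":
            # A bare 'all' means '+all' (pass everything).
            all_qualifier = m[0] if m[0] in "+-~?" else "+"
    lookups = sum(1 for m in mechanisms if _LOOKUP_MECH.match(m.lower()))
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Return the DMARC tag/value pairs as a dict, or None if not DMARC."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def evaluate_email_auth(spf_record, dmarc_record):
    """Return (status, findings). status is 'enforcing' or 'needs-work'."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: missing or permissive 'all' (use -all or ~all)")
        elif spf["all"] == "?":
            findings.append("SPF: neutral '?all' gives receivers nothing to act on")
        if spf["lookups"] > 10:
            findings.append("SPF: more than 10 lookup mechanisms (permerror risk)")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc.get("p")
        if policy == "none":
            findings.append("DMARC: p=none monitors only; carriers expect quarantine or reject")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} leaves part of mail flow unenforced")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports to show")

    enforcing = (
        spf is not None and spf["all"] in ("-", "~")
        and dmarc is not None and dmarc.get("p") in ("quarantine", "reject")
        and int(dmarc.get("pct", "100")) == 100
    )
    return ("enforcing" if enforcing else "needs-work"), findings


if __name__ == "__main__":
    status, notes = evaluate_email_auth(SAMPLE_SPF, SAMPLE_DMARC)
    print(status, notes or "no findings")
```

The output is deliberately phrased as findings you would fix before submission rather than as a pass/fail score: a `p=none` record with an `rua=` address is a sensible first step when rolling DMARC out, but on an application it reads as "monitoring only" and should be accompanied by a dated plan to move to quarantine or reject.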
Tier 3 — Documentation-heavy

Proof-of-work items that separate smooth renewals from scrambling.
  • Written IR plan tested via tabletop exercise in the last 12 months. Clear roles, decision trees for common scenarios, pre-identified legal counsel and breach coach contacts. A 100-page document nobody reads doesn't help — carriers want evidence of practical readiness.
  • Centralized logging with 24/7 monitoring / SOC — carriers want evidence someone is watching the environment around the clock, not just during business hours. SIEM or MDR onboarding documentation, dashboard screenshots showing ingest volume and active detections.
  • Encryption at rest — full-disk encryption on laptops and servers. Often assumed to be in place, but carriers want confirmation it's enabled. FDE status screenshots required by most carriers.
  • Vendor / third-party risk management — vendor inventory with criticality ratings, security posture reviews, contractual breach notification clauses. Your MSP's security posture is increasingly treated as your own. Carriers want to see those relationships are managed.

Renewal Prep

Don't let your renewal catch you off guard

Start 90 days out. The companies that move fastest through underwriting are the ones who had their documentation ready before the application went out.

90 Days Out

Gap Assessment

  • Pull 12 months of training and simulation records
  • Run self-assessment against all 12 controls
  • Schedule IR tabletop exercise if not done in last 12 months
  • Audit EDR coverage gaps (new hires, contractors, Macs, Linux)
  • Begin compiling evidence folder
60 Days Out

Close the Gaps

  • Run and document test restore from immutable backups
  • Confirm MFA enrollment: 100% of accounts
  • Review patch compliance — resolve all outstanding critical/high
  • Clean up legacy OS still in production
  • Finalize evidence pack for submission
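The "review patch compliance" step above is easier to evidence with a dated report than with a verbal assurance. The following is an added example, not part of the checklist: it takes a list of open and closed patch findings (constructed sample data, with placeholder hostnames and ids) and buckets each one against the SLA windows stated in the Tier 2 patch management control. Critical is measured against the 72-hour outer bound of the 48–72 hour target; if your written policy says 48 hours, change the `SLA` table, which is an assumption of this example rather than a carrier rule.

```python
"""Bucket patch findings against documented SLAs for a renewal evidence pack.

Added example. SAMPLE_FINDINGS is constructed data with placeholder hosts
and ids; in practice you would export this from your patch or vulnerability
management console.
"""
from datetime import datetime, timedelta

# SLA windows from the checklist's patch management control. The critical
# window uses the 72-hour outer bound (assumption; tighten to 48h if your
# policy says so). Anything not listed falls back to 30 days.
SLA = {"critical": timedelta(hours=72), "high": timedelta(days=7)}
DEFAULT_SLA = timedelta(days=30)

SAMPLE_FINDINGS = [
    {"host": "fs01", "id": "PATCH-0001", "severity": "critical",
     "first_seen": "2025-03-01T09:00:00", "remediated": "2025-03-02T15:00:00"},
    {"host": "ws-22", "id": "PATCH-0002", "severity": "critical",
     "first_seen": "2025-03-01T09:00:00", "remediated": None},
    {"host": "web01", "id": "PATCH-0003", "severity": "high",
     "first_seen": "2025-02-20T09:00:00", "remediated": None},
    {"host": "ws-07", "id": "PATCH-0004", "severity": "medium",
     "first_seen": "2025-02-10T09:00:00", "remediated": None},
    {"host": "ws-09", "id": "PATCH-0005", "severity": "low",
     "first_seen": "2025-03-05T09:00:00", "remediated": None},
]


def sla_for(severity):
    """Return the remediation window for a severity label."""
    return SLA.get(severity.lower(), DEFAULT_SLA)


def assess_patch_sla(findings, as_of):
    """Sort findings into within_sla / overdue / closed_late as of a date.

    Each returned record carries its computed deadline and, for overdue
    items, how many whole days past the deadline it is.
    """
    now = datetime.fromisoformat(as_of)
    report = {"within_sla": [], "overdue": [], "closed_late": []}
    for f in findings:
        first_seen = datetime.fromisoformat(f["first_seen"])
        deadline = first_seen + sla_for(f["severity"])
        closed_at = f.get("remediated")
        if closed_at:
            closed = datetime.fromisoformat(closed_at)
            bucket = "closed_late" if closed > deadline else "within_sla"
        elif now > deadline:
            bucket = "overdue"
        else:
            bucket = "within_sla"
        days_over = max(0, (now - deadline).days) if bucket == "overdue" else 0
        report[bucket].append({**f, "deadline": deadline.isoformat(),
                               "days_over": days_over})
    return report


def renewal_ready(report):
    """True when no critical or high finding is past its SLA."""
    return not any(f["severity"].lower() in ("critical", "high")
                   for f in report["overdue"])


if __name__ == "__main__":
    rep = assess_patch_sla(SAMPLE_FINDINGS, "2025-03-10T09:00:00")
    for f in rep["overdue"]:
        print(f"OVERDUE {f['id']} {f['host']} {f['severity']} "
              f"deadline={f['deadline']} days_over={f['days_over']}")
    print("renewal ready:", renewal_ready(rep))
```

Run it against the console export each week of the 60-day window and keep the dated output; a trend of the overdue list shrinking to zero is stronger evidence than a single clean snapshot taken the day before submission.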
30 Days Out

Submit with Confidence

  • Submit application with documentation ready
  • Brief broker on your security posture and any open gaps
  • Confirm IR plan was tested within 12 months
  • Resolve any remaining items in evidence pack

Download the full checklist

The printable PDF with all 12 controls, evidence requirements, carrier red flags, and renewal timeline in one document you can use today.

