The 12 controls underwriters check in 2025 · Evidence requirements · 90/60/30-day renewal timeline
From secureveryone.com · Free to use, no account required
| # | Control | What to show the underwriter |
|---|---|---|
| 1 | MFA enforced on email, VPN, and all privileged accounts (Microsoft 365, Google Workspace, VPN, cloud admin); hardware key or authenticator app preferred over SMS. Break-glass accounts excluded from MFA are a leading decline reason. | Conditional Access / MFA policy screenshots; user enrollment report; service account coverage list; proof that IMAP/POP are disabled |
| 2 | EDR deployed on 100% of devices (servers and workstations, all OS) with behavioral detection, containment, and rollback. Legacy antivirus does not qualify. Coverage gaps on Macs, Linux, or contractor devices get flagged in the policy. | EDR console coverage report; agents installed and healthy across all devices; policy configuration screenshots; 30–90 day alert metrics |
| 3 | Immutable / offline backups with quarterly tested restores. Cloud sync (OneDrive, Dropbox) does not count; object-locked cloud storage, air-gapped media, or vaulted storage with documented test restore results does. | Backup topology diagram; immutability policy settings; last 3 months of successful job logs; quarterly test restore report |
| 4 | Security awareness training: quarterly minimum with phishing simulations. Monthly click-rate data and evidence of remedial training for repeat clickers. | Training completion rates (12 months); phishing simulation results with click rate trend; incident reporting procedure training records |
| 5 | Email security: SPF/DKIM/DMARC configured, anti-impersonation controls, external email banner/tagging. | Email security policy screenshots; DMARC enforcement records; impersonation protection config |
| 6 | Patch management with documented SLAs: critical within 48–72h, high-risk within 7 days, all others within 30 days. Legacy OS in production gets flagged and may be excluded. | RMM patch compliance reports; vulnerability scan summaries with trend lines; change tickets showing remediation |
| 7 | Privileged access management: separate admin accounts for privileged tasks, local admin rights removed from standard users, password vaulting for shared credentials and service accounts. | Privileged group membership reports; password vault configuration; service account inventory |
| 8 | Remote access hardening: no open RDP exposed to the internet; VPN or ZTNA with MFA enforced; SMBv1 disabled; geo-IP allow-listing in place. | External attack surface scan proving no open RDP; VPN or ZTNA configuration documentation; firewall rule exports |
| 9 | Written IR plan tested via tabletop exercise in the last 12 months: clear roles, decision trees, pre-identified legal counsel and breach coach contacts. | Written IR playbook; tabletop exercise after-action report (within 12 months); vendor panel list with pre-negotiated forensics contacts |
| 10 | Centralized logging with 24/7 monitoring / SOC: evidence someone is watching the environment around the clock, not just during business hours. | SIEM or MDR onboarding documentation; dashboard screenshot showing ingest volume and active detections |
| 11 | Encryption at rest: full-disk encryption on laptops and servers. Often assumed, but carriers want confirmation it's enabled. | FDE status screenshots on all devices; policy confirming FDE requirement enforcement |
| 12 | Vendor / third-party risk management: vendor inventory with criticality ratings, security posture reviews, contractual breach notification clauses. | Vendor inventory with criticality ratings; security review records; contract breach notification clauses |
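As an added example for control 5 (not part of the secureveryone.com checklist), a small Python checker that evaluates SPF, DKIM and DMARC records against the "configured and enforcing" bar an underwriter reads into "DMARC enforcement records": a DMARC policy of p=none, or a pct below 100, is monitoring rather than enforcement, and an SPF record that ends in ~all is a soft fail. The TXT record values are constructed inline for a hypothetical example.com so the script runs offline; swap in real DNS lookups to generate evidence for your own domains.

```python
# Constructed sample DNS TXT records for a hypothetical example.com (not live
# lookups): the shape `dig TXT` returns for the apex, _dmarc and a DKIM selector.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"],
    # DKIM public key truncated to a placeholder; only its presence is checked.
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBg...PLACEHOLDER"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(records):
    """SPF counts as enforcing only with exactly one record ending in hard fail (-all)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return {"present": bool(spf), "enforcing": False, "note": f"{len(spf)} SPF records"}
    terminal = spf[0].split()[-1].lower()
    return {"present": True, "enforcing": terminal == "-all", "note": f"terminal {terminal}"}

def check_dmarc(records):
    """DMARC is enforcing when p is quarantine/reject and pct is 100; p=none is monitor only."""
    rec = next((r for r in records if r.upper().startswith("V=DMARC1")), None)
    if rec is None:
        return {"present": False, "enforcing": False, "note": "no DMARC record"}
    tags = parse_tags(rec)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"present": True, "enforcing": enforcing, "note": f"p={policy} pct={pct}"}

def email_auth_report(txt, domain, dkim_selector):
    """Summarise SPF/DKIM/DMARC state for one domain from a {name: [TXT, ...]} map."""
    dkim_recs = txt.get(f"{dkim_selector}._domainkey.{domain}", [])
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dkim": {"present": any(parse_tags(r).get("p") for r in dkim_recs)},
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
    }

if __name__ == "__main__":
    for name, result in email_auth_report(SAMPLE_TXT, "example.com", "selector1").items():
        print(name, result)
```

For the sample records the report flags DMARC as present but not enforcing (quarantine at pct=50), which is exactly the gap a reviewer would raise before renewal.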