
Cyber Insurance: What Underwriters Look For

Cyber insurance premiums have increased significantly, and underwriters are more rigorous than ever. Understanding what they evaluate helps you secure better coverage at competitive rates.

20 October 2024 · 8 min read

Cyber insurance claims have driven premiums up 50-100% in recent years. Underwriters now require evidence of specific controls before offering coverage.

Critical Controls Underwriters Require

1. Multi-Factor Authentication (MFA)

MFA is now non-negotiable for most policies. Underwriters specifically look for:

  • MFA on all remote access (VPN, RDP, cloud applications)
  • MFA for privileged accounts and administrative access
  • MFA for email access, especially Microsoft 365 and Google Workspace
  • Phishing-resistant methods (FIDO2/WebAuthn security keys, certificate-based authentication) preferred over SMS codes and simple push approvals, which can be phished or fatigued

Lack of MFA on remote access or email is often grounds for declined coverage or significant premium loading.

2. Endpoint Detection and Response (EDR)

Traditional antivirus is no longer sufficient. Underwriters expect:

  • EDR deployed across all endpoints
  • 24/7 monitoring capability (internal or managed)
  • Automated response and isolation features
  • Coverage of servers, not just workstations

3. Backup and Recovery

Ransomware concerns drive detailed backup questions:

  • Offline or immutable backup copies
  • Regular backup testing and restoration drills
  • Backup segregation from production networks
  • Defined Recovery Time Objectives (RTOs)
  • Backup encryption and access controls

4. Patch Management

Timely patching demonstrates security maturity:

  • Critical patches applied within 14-30 days
  • Documented patch management process
  • Vulnerability scanning and prioritisation
  • Legacy system management strategy

5. Email Security

Email remains the primary attack vector:

  • Advanced email filtering and sandboxing
  • SPF, DKIM and DMARC in place, with DMARC at an enforcing policy (p=quarantine or p=reject) rather than monitor-only (p=none)
  • Phishing simulation and training programmes
  • External email warning banners
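The SPF and DMARC questions on a proposal form reduce to a few checks on two TXT records: does SPF end in a fail qualifier and stay under the 10-lookup limit, does DMARC enforce on the whole mail stream, and are aggregate reports being collected. The script below, an added example that is not code from the original article, runs those checks offline over constructed record strings (the `WEAK` and `HARDENED` pairs use documentation addresses and a made-up `_spf.mailer.example` include; they are not pulled from any real domain). It does no DNS queries; paste in the output of `dig TXT example.com` and `dig TXT _dmarc.example.com` to assess your own domain.

```python
"""Offline SPF/DMARC assessment against a typical underwriting bar.
Added example; record strings below are constructed, nothing queries DNS."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# [qualifier]name[:value | =value | /cidr]
SPF_TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?$")


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high" fails the questionnaire; "medium"/"info" invite questions
    message: str


def assess_spf(txt: str | None) -> list[Finding]:
    terms = (txt or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "no valid SPF record (missing v=spf1)")]
    findings: list[Finding] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        m = SPF_TERM.match(term)
        if not m:
            findings.append(Finding("SPF", "medium", f"unparseable term {term!r}"))
            continue
        qualifier, name, _value = m.groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier or "+"  # an unqualified mechanism means "pass"
    if all_qualifier is None:
        findings.append(Finding("SPF", "high", "no 'all' term: unlisted hosts get a neutral result"))
    elif all_qualifier in ("+", "?"):
        findings.append(Finding("SPF", "high", f"'{all_qualifier}all' lets any host send as the domain"))
    elif all_qualifier == "~":
        findings.append(Finding("SPF", "medium", "'~all' is soft fail; '-all' is the expected setting"))
    if lookups > 10:
        findings.append(Finding("SPF", "high",
                                f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)"))
    return findings


def assess_dmarc(txt: str | None) -> list[Finding]:
    if not txt:
        return [Finding("DMARC", "high", "no DMARC record at _dmarc.<domain>")]
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1")]
    findings: list[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "info", "p=quarantine; p=reject is the target state"))
    elif policy != "reject":
        findings.append(Finding("DMARC", "high", f"missing or invalid policy tag p={policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "medium", "no rua= address; aggregate reports are not collected"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected"))
    return findings


def assess_domain(spf: str | None, dmarc: str | None) -> dict:
    """Combine both checks; 'passes' mirrors a yes/no questionnaire answer."""
    findings = assess_spf(spf) + assess_dmarc(dmarc)
    return {"findings": findings, "passes": not any(f.severity == "high" for f in findings)}


# Constructed records (RFC 5737 documentation range, made-up include), not from a real domain.
WEAK = {"spf": "v=spf1 a mx include:_spf.mailer.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
HARDENED = {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess_domain(records["spf"], records["dmarc"])
        print(f"{label}: passes={result['passes']}")
        for f in result["findings"]:
            print(f"  [{f.severity}] {f.record}: {f.message}")
```

The `WEAK` pair is what a domain looks like after a "set it up and forget it" deployment: `+all` makes the SPF record meaningless and `p=none` means DMARC is only reporting. The `HARDENED` pair is the state the questionnaire is asking about. DKIM is deliberately left out because verifying it needs the selector names your mail platform uses; check those the same way and confirm the key is at least 2048 bits.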

Governance and Process Controls

  • Incident Response Plan: Documented, tested, and current
  • Security Awareness Training: Regular, tracked, and measured
  • Access Management: Least privilege, regular reviews, prompt offboarding
  • Third-Party Risk: Vendor assessment and monitoring
  • Business Continuity: Plans tested within the last 12 months

Factors Affecting Premiums

Premium Reducers

  • ISO 27001 or SOC 2 certification
  • Regular penetration testing
  • Managed Detection and Response (MDR) services
  • Security awareness programme with metrics
  • Clean claims history

Premium Increasers

  • Previous cyber incidents or claims
  • High-risk industry (healthcare, financial services)
  • Large volumes of sensitive data
  • Legacy systems without compensating controls
  • Gaps in critical controls

Engage with your broker early. They can advise which controls to prioritise and help present your security posture favourably to underwriters.

Common Coverage Exclusions

Understand what's typically not covered:

  • Known vulnerabilities left unpatched
  • Incidents resulting from failure to implement required controls
  • War exclusions, increasingly extended to state-backed attacks (attribution is contested and wording varies by carrier)
  • Contractual penalties and regulatory fines (insurability varies by jurisdiction)
  • Reputational damage beyond defined limits

Conclusion

Cyber insurance underwriting has matured significantly. Underwriters now expect evidence of specific controls, not just policy statements. Organisations that invest in security fundamentals—MFA, EDR, backups, and patch management—will find better coverage options at more competitive rates.

View the insurance application process as a security assessment opportunity. The controls underwriters require are the same ones that reduce your actual risk of a successful attack.
