Underwriters who once accepted “yes, we have MFA” now want evidence. Carriers who once offered broad coverage are writing narrow policies with exclusions that didn’t exist three years ago. This checklist is built from the actual questions underwriters ask, the evidence they request, and the coverage decisions that result. It’s organized around what matters to the underwriter’s decision, not around what’s easiest to produce.

The fundamental shift: Underwriters are no longer just assessing whether you have controls. They’re assessing whether your controls are actually enforced, whether they cover the scenarios that generate claims, and whether your organization will be a good-faith partner in the event of an incident. The difference between a clean application and a declined one is increasingly the difference between “we have that” and “here’s the evidence.”

Part 1 · How Underwriting Actually Works Now

The application is a starting point, not a destination

Cyber insurance applications have grown substantially longer and more technical. Where a 2019 application might have been five pages, a current one from a major carrier can exceed twenty-five, with detailed questions about specific controls, architecture, and incident history. But the application is the floor, not the ceiling.

For any organization above $25M in revenue, most carriers will supplement the application with one or more of the following:

External attack surface scan

Before your renewal call, your carrier’s underwriting team has likely already run a passive scan of your internet-facing infrastructure. They know your open ports, your TLS configuration, your email authentication posture, and whether your remote access endpoints have known vulnerabilities. They know before you walk in.

Security ratings vendor data

Most large carriers subscribe to security ratings services (BitSight, SecurityScorecard, or similar). Your score and its trend over the last 12 months are visible to them. Arriving at an underwriting meeting with a poor security rating and no prepared explanation is one of the fastest ways to trigger an adverse coverage decision.

Supplemental technical questionnaire

For larger policies or organizations in high-risk industries, expect a detailed technical questionnaire covering architecture, access controls, backup methodology, and incident history, beyond what the standard application asks.

Direct conversation with your security leadership

At policy values above $10M, expect an underwriting call that includes your CISO or equivalent. Underwriters will probe answers that seem inconsistent or incomplete. The quality of that conversation matters.

What triggers a declination vs. increased premium vs. coverage limitation

Underwriters have three tools for handling risk they’re uncomfortable with: decline the application, accept but charge a higher premium, or accept but limit coverage through exclusions or sublimits. Understanding which outcome applies to which control gap changes how you prioritize your pre-renewal work.

Declination (outright refusal or non-renewal)

These gaps cause outright refusal or non-renewal at most major carriers.

  • No MFA on email or remote access
  • No EDR or endpoint protection on managed devices
  • No documented and tested backup and recovery capability
  • Unsupported OS in production with known critical vulnerabilities
  • Undisclosed material incident in the last 36 months

Premium surcharge (accepted, meaningfully higher cost)

Accepted but priced above baseline.

  • MFA deployed but not enforced for all users
  • EDR present but not in active prevention mode
  • Backups not air-gapped or not recently tested
  • No documented IR plan
  • Security ratings score below carrier threshold (typically <600–650)
  • Revenue >$100M in high-risk vertical (healthcare, financial services, critical infrastructure)

Coverage limitation (accepted, with exclusions or sublimits)

Accepted but with scope restrictions.

  • No network segmentation (ransomware sublimit)
  • No email security gateway (social engineering coverage limitation)
  • Third-party software vulnerabilities at time of claim (war/systemic exclusion)
  • Backup compromise in a ransomware event (recovery cost limitation if backups weren’t isolated)

Knowing which category your control gaps fall into helps you make the right pre-renewal investment decisions. Spending $150K to fix a premium surcharge trigger that’s adding $30K/year is a poor investment. Spending $40K to fix a declination trigger is existential.

Part 2 · The Control Checklist

What follows is organized by how heavily underwriters weight each area, from most to least determinative. Within each section, items are broken into three tiers:

  • Required: absence causes declination or non-renewal
  • Expected: absence causes premium surcharge or adverse terms
  • Preferred: presence improves terms or demonstrates program maturity

Control 1 · Multi-Factor Authentication

MFA is the single most weighted control in current cyber underwriting. It is the first question, the most scrutinized question, and the most common reason for adverse coverage decisions. Underwriters have learned, because the claims data tells them, that credential compromise without MFA is the leading initial access vector in insured losses.

Required (absence = declination)
  • MFA enforced for all users accessing email (Microsoft 365, Google Workspace, or equivalent)
  • MFA enforced for all remote access (VPN, RDP, Citrix, remote desktop)
  • MFA enforced for all cloud management consoles (AWS, Azure, GCP)
  • MFA enforced for all privileged and administrative accounts
Expected (absence = premium surcharge)
  • MFA enforced for all externally accessible business applications, not just email and remote access
  • Phishing-resistant MFA (hardware tokens, FIDO2/passkeys) for privileged accounts; some carriers note SMS-based MFA as a risk factor
  • MFA enforcement documented through a policy with no bypass exceptions
  • MFA coverage rate tracked and reported (not “we have MFA” but “96% of accounts are enrolled and enforced”)
Preferred (presence = improved terms)
  • MFA deployment tracked through identity platform reporting with documented coverage rate
  • Conditional access policies that step up MFA based on risk signals (unusual location, new device, sensitive resource access)
  • Regular review cycle for MFA exceptions or bypass accounts

Documentation to have ready

Evidence of MFA enforcement: not policy documentation, but a screenshot or report from your identity platform showing enforcement status. Underwriters have learned to ask “show me the enforcement configuration” rather than accept “yes, we have MFA” at face value.

Control 2 · Endpoint Detection and Response (EDR)

EDR is the second most weighted control. The claims data is clear: organizations with functional EDR in prevention mode detect and contain ransomware faster, with smaller blast radius and lower total loss. Underwriters price this directly.

Required (absence = declination)
  • EDR solution deployed on all managed endpoints (servers and workstations)
  • EDR operating in prevention / blocking mode (not detection-only or audit mode)
  • EDR agent coverage ≥90% of managed endpoints
Expected (absence = premium surcharge)
  • EDR coverage ≥98% of managed endpoints
  • EDR coverage includes servers, not just workstations; server compromise is the primary ransomware propagation path
  • EDR managed by a vendor with 24/7 SOC coverage, or internal team with equivalent capability
  • EDR alerts reviewed on a defined cadence with escalation procedure
Preferred (presence = improved terms)
  • EDR with threat intelligence integration
  • Coverage tracked programmatically with alerts for agent gaps or non-reporting endpoints
  • EDR efficacy data available (detection rates, response times) from vendor reporting
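Both Control 1 and Control 2 ask for a coverage rate rather than a yes/no answer. The script below is an added example, not part of the original checklist or of any identity or EDR vendor's tooling; it computes the numbers an underwriter asks for (MFA enforcement rate, effective rate, bypass accounts, privileged gaps, and EDR coverage by host class with every gap named) from constructed sample exports. The field names, host names and the seven-day staleness threshold are assumptions; substitute your own platform's export columns.

```python
"""Coverage-rate evidence for MFA (Control 1) and EDR (Control 2).

Constructed sample exports stand in for an identity-platform report and an
EDR console export; field names are assumptions, not any vendor's schema.
"""
from datetime import date, timedelta

# Constructed identity-platform export, one row per account.
# enrolled  = the user has registered a factor
# enforced  = an access policy actually requires MFA for this account
# exception = the account is on a documented bypass list
IDENTITY_EXPORT = [
    {"user": "a.jones",    "enrolled": True,  "enforced": True,  "exception": False, "privileged": False},
    {"user": "b.smith",    "enrolled": True,  "enforced": True,  "exception": False, "privileged": True},
    {"user": "svc-backup", "enrolled": False, "enforced": False, "exception": True,  "privileged": True},
    {"user": "c.lee",      "enrolled": True,  "enforced": False, "exception": False, "privileged": False},
    {"user": "d.kim",      "enrolled": False, "enforced": True,  "exception": False, "privileged": False},
]

def mfa_coverage(rows):
    """Report enforcement rate, effective rate (enforced AND enrolled),
    bypass accounts, and privileged accounts that are not fully covered."""
    total = len(rows)
    enforced = [r for r in rows if r["enforced"]]
    effective = [r for r in enforced if r["enrolled"]]
    return {
        "total_accounts": total,
        "enforced_pct": round(100 * len(enforced) / total, 1),
        "effective_pct": round(100 * len(effective) / total, 1),
        "bypass_exceptions": [r["user"] for r in rows if r["exception"]],
        # privileged accounts without MFA are a declination trigger, so name them
        "privileged_gaps": [r["user"] for r in rows
                            if r["privileged"] and not (r["enforced"] and r["enrolled"])],
    }

# Constructed asset inventory: the source of truth for "managed endpoints".
ASSET_INVENTORY = [
    {"host": "ws-001",     "class": "workstation"},
    {"host": "ws-002",     "class": "workstation"},
    {"host": "ws-003",     "class": "workstation"},
    {"host": "srv-dc01",   "class": "server"},
    {"host": "srv-bkp01",  "class": "server"},
    {"host": "srv-file01", "class": "server"},
]
# Constructed EDR console export: hosts with an agent, its mode, last check-in.
EDR_EXPORT = {
    "ws-001":     {"mode": "prevent", "last_seen": date(2024, 6, 1)},
    "ws-002":     {"mode": "prevent", "last_seen": date(2024, 5, 1)},  # stale agent
    "srv-dc01":   {"mode": "prevent", "last_seen": date(2024, 6, 1)},
    "srv-file01": {"mode": "detect",  "last_seen": date(2024, 6, 1)},  # audit-only
}
REPORT_DATE = date(2024, 6, 2)

def edr_coverage(assets, agents, as_of=REPORT_DATE, stale_after=timedelta(days=7)):
    """Count a host as covered only if an agent is installed, has reported within
    stale_after, and runs in prevention mode; everything else is a named gap."""
    totals = {"server": 0, "workstation": 0}
    covered = {"server": 0, "workstation": 0}
    gaps = []
    for asset in assets:
        totals[asset["class"]] += 1
        agent = agents.get(asset["host"])
        if agent is None:
            gaps.append((asset["host"], "no agent"))
        elif as_of - agent["last_seen"] > stale_after:
            gaps.append((asset["host"], "not reporting"))
        elif agent["mode"] != "prevent":
            gaps.append((asset["host"], "mode=" + agent["mode"]))
        else:
            covered[asset["class"]] += 1
    return {
        "overall_pct": round(100 * sum(covered.values()) / len(assets), 1),
        "by_class_pct": {c: round(100 * covered[c] / totals[c], 1) for c in totals if totals[c]},
        "gaps": gaps,
    }

if __name__ == "__main__":
    print(mfa_coverage(IDENTITY_EXPORT))
    print(edr_coverage(ASSET_INVENTORY, EDR_EXPORT))
```

The distinction between "enforced" and "effective" matters: an account that a policy requires to use MFA but that has never enrolled a factor is not protected today, and the gap list rather than the percentage is what a forensic reviewer will compare against the application.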

Common misrepresentation that leads to claim denial

Listing an EDR solution on the application when it is deployed in detection-only mode or has significant coverage gaps. Underwriters and forensic investigators check EDR deployment status during claims. A claim filed for a ransomware event where EDR was in audit mode on the affected servers, after declaring full EDR coverage on the application, is a material misrepresentation. Coverage can be denied.

Control 3 · Backup and Recovery

Backup coverage is the control that determines whether a ransomware claim results in a manageable recovery or a catastrophic one. Underwriters have gotten specific here because the claims data shows enormous variance in recovery costs between organizations with resilient backup architectures and those without.

Required (absence = declination)
  • Backups exist for critical systems and data
  • Backup copies are isolated from the primary environment (offline, air-gapped, or immutable cloud storage)
  • Backups have been tested for successful restoration within the last 12 months
Expected (absence = premium surcharge)
  • Backup isolation is technical, not procedural: an air gap that requires someone to remember to disconnect a drive is not an air gap for underwriting purposes
  • Recovery time objectives (RTOs) defined and tested for critical systems
  • Backups cover all critical systems, including domain controllers, the backup servers themselves, and cloud environments, not just file servers and databases
  • Backup monitoring with alerting on backup failures
Preferred (presence = improved terms)
  • Immutable backup storage (write-once; cannot be deleted or encrypted by ransomware)
  • Offsite backup copies in a separate geographic location
  • Tabletop or functional exercise that includes a backup restoration scenario within the last 12 months
  • Documented recovery runbook tested against actual backup data

The backup coverage trap

The most common backup-related claim complication: backups that were connected to the primary environment at the time of the ransomware event were encrypted along with everything else. Organizations that believed they had air-gapped backups often had backups that were “usually disconnected” or “connected only for the nightly sync.” Ransomware operators wait for the backup sync window. Immutable or consistently offline backups are the only reliable protection.

Control 4 · Privileged Access Management

Privileged access is where ransomware operators go once they have initial access. Domain administrator, backup administrator, and cloud administrator credentials are the accounts that allow attackers to move laterally, disable defenses, and encrypt everything. Underwriters have added specific privileged access questions because the claims data shows it directly predicts incident severity.

Required (absence = declination)
  • Privileged accounts are separate from standard user accounts (no “admin” accounts used for email and browsing)
  • Privileged accounts require MFA (covered in Control 1 but worth confirming specifically)
Expected (absence = premium surcharge)
  • Privileged access management (PAM) solution in place for server and infrastructure access
  • Just-in-time (JIT) access for privileged functions: privilege is granted per session, not permanently
  • Privileged session recording for sensitive administrative actions
  • Regular privileged account review: audit of who has admin access and removal of unnecessary privileges
Preferred (presence = improved terms)
  • Vaulted credentials: privileged passwords managed by a PAM solution and not known to the individual
  • Privileged access requiring an approval workflow for sensitive operations
  • Behavioral monitoring on privileged accounts with anomaly alerting

Documentation to have ready

List of privileged accounts with their purpose and owner. Evidence that privileged accounts are separate from standard accounts. If using a PAM solution, evidence of deployment scope.

Control 5 · Email Security and Authentication

Email is the primary delivery mechanism for phishing, business email compromise (BEC), and malware. BEC losses (wire fraud, invoice fraud, and executive impersonation) are now the single largest category of insured cyber losses by dollar value. Email security controls are therefore scrutinized specifically for their BEC implications, not just phishing.

Required (absence = declination)
  • DMARC configured on all owned email-sending domains
  • DMARC policy at enforcement level (p=reject or p=quarantine); a p=none policy is treated as no DMARC by most carriers
  • SPF configured on all email-sending domains
  • DKIM configured and signing all outbound email
Expected (absence = premium surcharge)
  • Email security gateway beyond basic spam filtering: advanced threat protection, sandboxing, link rewriting
  • Anti-spoofing controls configured to prevent internal domain spoofing
  • BEC-specific detection: controls for impersonation of executives and finance personnel
  • Email security covering all domains, including parked and subsidiary domains (spoofing attacks often use look-alike or subsidiary domains)
Preferred (presence = improved terms)
  • DMARC monitoring with alerting on policy failures and spoofing attempts
  • Email security gateway with quantitative effectiveness data (block rates, threat detection rates)
  • Payment verification procedure: out-of-band confirmation for wire transfers and payment instruction changes (a procedural control that directly addresses BEC)
  • User training specific to BEC scenarios (finance and executive teams specifically)
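The "enforcement level" test above is mechanical, and a carrier's scan applies it to every domain you own, parked ones included. The following is an added example, not code from the original checklist: it parses DMARC records and classifies each the way an external scan would, treating p=none, a weaker subdomain policy (sp), or a partial pct as not enforced. The records and domain names are constructed placeholders; in practice each record comes from a DNS TXT lookup of _dmarc.<domain>, which this example does not perform.

```python
"""Classify DMARC records by enforcement level, as a carrier's scan reads them.

The records below are constructed samples and the domain names are placeholders.
"""

ENFORCING = ("reject", "quarantine")

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(record):
    """Return the policy level, an enforced flag, and a list of findings.

    'enforced' requires p=reject or p=quarantine, applied to 100% of failing
    mail (pct=100, the default) and inherited by subdomains (sp, defaults to p).
    """
    if not record:
        return {"level": "missing", "enforced": False,
                "findings": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"level": "missing", "enforced": False,
                "findings": ["record is not a valid DMARC1 record"]}
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0   # malformed pct: treat the policy as applying to nothing
    findings = []
    if p not in ENFORCING:
        findings.append("p=none is monitoring only; most carriers score it as no DMARC")
    if sp not in ENFORCING:
        findings.append("subdomain policy sp=%s is weaker than p=%s" % (sp, p))
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no spoofing visibility")
    enforced = p in ENFORCING and sp in ENFORCING and pct == 100
    return {"level": p, "enforced": enforced, "findings": findings}

# Constructed records for an organization's domains, parked domain included.
SAMPLE_RECORDS = {
    "example.com":        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net":        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "mail.example.com":   "v=DMARC1; p=reject; sp=none; pct=50",
    "parked-example.org": None,   # no record published at all
}

def audit_domains(records):
    """Evaluate every owned domain; the unenforced or missing ones are what
    the underwriter's scan will flag."""
    return {domain: dmarc_enforcement(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, verdict in audit_domains(SAMPLE_RECORDS).items():
        status = "enforced" if verdict["enforced"] else "NOT enforced"
        print(domain, verdict["level"], status)
        for finding in verdict["findings"]:
            print("   -", finding)
```

Note that a missing rua= address does not by itself make a record unenforced, but it is listed as a finding because without aggregate reports you have no way to produce the "DMARC monitoring" evidence in the Preferred tier.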

The BEC coverage question

Many organizations discover that their cyber policy has a social engineering or BEC sublimit significantly below their total policy limit, sometimes as low as $100K–$500K on a $5M policy. Ask specifically about BEC sublimits during the application conversation. The most expensive BEC losses frequently exceed the sublimit, leaving the organization with a multi-million-dollar uninsured loss.

Control 6 · Vulnerability and Patch Management

Vulnerability management is evaluated both for process (do you have a program?) and for evidence (do you actually patch things?). External scan data from your attack surface is now part of the underwriting picture; carriers know before the meeting if you have unpatched critical vulnerabilities on internet-facing systems.

Required (absence = declination)
  • Vulnerability scanning program in place with documented frequency
  • Defined remediation SLA for critical vulnerabilities (most underwriters expect <30 days for critical, <90 days for high)
  • No known exploited vulnerabilities (CISA KEV) on internet-facing systems
Expected (absence = premium surcharge)
  • Vulnerability scanning covers all internet-facing assets and internal network
  • Patch management tracked with reporting on compliance vs. SLA
  • End-of-life software and hardware inventoried with documented remediation or compensating controls
  • Third-party software (vendor-managed) included in vulnerability tracking
Preferred (presence = improved terms)
  • Continuous vulnerability scanning rather than periodic
  • Risk-based vulnerability prioritization (CVSS score plus exploitation context plus asset criticality)
  • Vulnerability metrics reported to security leadership on defined cadence
  • External attack surface management (ASM) covering shadow IT and unknown assets
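"Compliance vs. SLA" and "no KEV on internet-facing systems" are both computable from a scan export. The script below is an added example, not part of the original checklist or any scanner's output format: it applies the SLA expectations stated above (<30 days critical, <90 days high) to a constructed set of findings, counts late-but-fixed findings as breaches as well as open ones, and raises the declination flag when a KEV-listed finding is still open on an internet-facing host. Finding IDs, hosts and dates are placeholders, not real vulnerabilities.

```python
"""Remediation-SLA compliance and KEV exposure from a constructed scan export.

SLA_DAYS follows the underwriter expectations stated in the checklist
(<30 days critical, <90 days high). IDs and hosts are placeholders.
"""
from datetime import date

SLA_DAYS = {"critical": 30, "high": 90}
REPORT_DATE = date(2024, 6, 1)

# Constructed scan export: one row per finding on one host.
# 'fixed' is None while the finding is still open; 'kev' marks a CISA KEV entry.
FINDINGS = [
    {"id": "F-1", "host": "vpn-gw", "severity": "critical", "first_seen": date(2024, 4, 1),
     "fixed": date(2024, 4, 20), "internet_facing": True,  "kev": True},
    {"id": "F-2", "host": "vpn-gw", "severity": "critical", "first_seen": date(2024, 4, 15),
     "fixed": None,              "internet_facing": True,  "kev": True},
    {"id": "F-3", "host": "app-01", "severity": "high",     "first_seen": date(2024, 1, 10),
     "fixed": date(2024, 5, 1),  "internet_facing": True,  "kev": False},
    {"id": "F-4", "host": "db-01",  "severity": "high",     "first_seen": date(2024, 5, 20),
     "fixed": None,              "internet_facing": False, "kev": False},
    {"id": "F-5", "host": "ws-17",  "severity": "medium",   "first_seen": date(2024, 2, 1),
     "fixed": None,              "internet_facing": False, "kev": False},
]

def days_open(finding, as_of):
    """Age of a finding: until it was fixed, or until the report date if still open."""
    end = finding["fixed"] or as_of
    return (end - finding["first_seen"]).days

def sla_report(findings, as_of=REPORT_DATE):
    """Measure SLA compliance for critical/high findings and flag the
    declination trigger: an open KEV entry on an internet-facing host."""
    in_scope = [f for f in findings if f["severity"] in SLA_DAYS]
    breaches = []
    for f in in_scope:
        age = days_open(f, as_of)
        limit = SLA_DAYS[f["severity"]]
        # "<30 days" means 30 is already late; a finding fixed late still breached
        if age >= limit:
            breaches.append({"id": f["id"], "host": f["host"], "severity": f["severity"],
                             "days_open": age, "sla": limit, "still_open": f["fixed"] is None})
    open_kev = [f["id"] for f in findings
                if f["kev"] and f["internet_facing"] and f["fixed"] is None]
    compliant = len(in_scope) - len(breaches)
    return {
        "in_scope": len(in_scope),
        "compliance_pct": round(100 * compliant / len(in_scope), 1) if in_scope else 100.0,
        "breaches": breaches,
        "open_kev_internet_facing": open_kev,
        "declination_trigger": bool(open_kev),
    }

if __name__ == "__main__":
    report = sla_report(FINDINGS)
    print("SLA compliance: %.1f%% of %d findings" % (report["compliance_pct"], report["in_scope"]))
    for b in report["breaches"]:
        print("  breach:", b)
    print("declination trigger:", report["declination_trigger"], report["open_kev_internet_facing"])
```

Running this against your own export before the renewal call produces the same two numbers the underwriter will ask for, with the breach list ready as evidence rather than reconstructed under questioning.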

What the external scan reveals

Before your renewal, run your own external attack surface scan on your public-facing infrastructure. Treat the results as what the underwriter will see. Open RDP on non-standard ports, end-of-life software with known CVEs, expired TLS certificates, and misconfigured email authentication are all visible and all noted in the underwriting file.

Control 7 · Network Segmentation

Network segmentation directly predicts ransomware blast radius. An organization with flat network architecture, where a workstation can communicate freely with servers, domain controllers, and backup systems, gives ransomware operators the lateral movement they need to encrypt everything. Underwriters have responded by making segmentation a specific question and by applying sublimits or coverage restrictions where segmentation is absent.

Required (absence = coverage limitation)
  • User workstations and servers on separate network segments
  • Domain controllers not directly accessible from user workstations
  • Backup systems on isolated network segment with restricted access
Expected (absence = premium surcharge)
  • Network access control policies documented and enforced
  • OT/ICS networks (where applicable) isolated from IT networks
  • Remote access landing zones segmented from internal production networks
  • Firewall rules reviewed periodically with documented owner for each rule
Preferred (presence = improved terms)
  • Micro-segmentation for high-value systems and critical applications
  • Zero-trust architecture principles applied to internal network access
  • Network access control (NAC) preventing unauthorized device connection
  • East-west traffic monitoring (internal network monitoring, not just perimeter)

Documentation to have ready

A network diagram showing segmentation. This doesn’t need to be exhaustively detailed; underwriters want to see that segments exist, not a full network topology. If you don’t have a current network diagram, that absence itself is a signal.

Control 8 · Incident Response Plan and Exercising

Underwriters care about IR capability for two reasons: organizations with tested IR plans contain incidents faster (smaller loss), and organizations with documented IR plans are better claimants: the forensic investigation goes more smoothly, coverage decisions are faster, and the relationship with the carrier during a claim is better.

Required (absence = declination or surcharge)
  • Documented incident response plan exists
  • IR plan includes contact information for legal counsel, forensic firm, and cyber insurance carrier (or broker)
  • IR plan has been reviewed within the last 24 months
Expected (absence = premium surcharge)
  • IR plan includes specific playbooks for ransomware, business email compromise, and data breach scenarios
  • Tabletop exercise conducted within the last 12 months with documented outcomes
  • Retainer with a forensic incident response firm in place (not just a list of firms to call)
  • Carrier breach coach or breach counsel contact embedded in IR plan
Preferred (presence = improved terms)
  • Annual IR tabletop with executive participation
  • Functional exercise (not just tabletop) testing actual technical response capability
  • IR plan integrated with business continuity plan and disaster recovery plan
  • Post-incident review process producing documented lessons learned

The retainer question

An increasing number of carriers require or strongly prefer pre-incident retainer agreements with approved forensic firms. The carrier’s panel of approved forensic firms (the vendors the carrier will pay to investigate your incident) should be on your IR plan before an incident occurs, not selected during one. Ask your broker which forensic firms are on your carrier’s approved panel.

Control 9 · Security Awareness Training

Security awareness is weighted lower than the technical controls above but is evaluated specifically for its anti-BEC and anti-phishing implications. It’s also a claims factor: organizations with documented, recurring training programs are easier to defend in coverage disputes involving social engineering.

Required (baseline expectation)
  • Security awareness training program in place with documented completion tracking
  • Training completed at least annually for all employees
Expected (absence = premium surcharge)
  • Phishing simulation program with documented results
  • Training specific to finance and executive team members covering BEC scenarios
  • New employee training on security awareness within 30 days of hire
  • Training completion rate ≥90% of employee population
Preferred (presence = improved terms)
  • Phishing simulation results tracked over time showing improvement
  • Role-specific training for high-risk populations (finance, HR, IT)
  • Just-in-time training triggered by phishing simulation failures
  • Training program reviewed and updated at least annually for current threat relevance

Control 10 · Vendor and Supply Chain Risk

Third-party risk is an increasingly prominent underwriting question following a series of high-profile supply chain attacks that generated insured losses across many policyholders simultaneously. Carriers are specifically concerned about concentration risk: scenarios where a single vendor compromise creates losses across many of their policyholders.

Required (baseline expectation)
  • Third-party vendor inventory exists with identification of vendors with access to sensitive data or critical systems
  • Material vendor agreements include security requirements and breach notification obligations
Expected (absence = premium surcharge)
  • Vendor risk assessment process in place for new vendors with access to sensitive data
  • Critical vendors assessed within the last 12 months
  • Vendor access to internal systems managed through controlled mechanisms (not shared credentials)
  • Vendor offboarding process to revoke access when relationships end
Preferred (presence = improved terms)
  • Continuous vendor security monitoring (security ratings, breach intelligence)
  • Contractual right to audit for vendors with access to sensitive data
  • Vendor concentration risk analysis: identification of single-vendor critical functions
  • Software bill of materials (SBOM) for critical software dependencies

Part 3 · What Causes Claims to Be Denied

Understanding claim denial patterns is as important as understanding the controls that affect premium. A policy that doesn’t pay when you need it to is worse than no policy; it creates a false sense of security that delays investment in resilience.

Material misrepresentation

The most significant claim denial mechanism. If your application represented controls as in place that weren’t actually deployed, or minimized your incident history, and a claim is filed, the carrier’s forensic team will discover the discrepancy. Material misrepresentation can void the policy entirely, not just limit the claim.

The most common misrepresentation scenarios:

  • Declaring MFA “deployed for all users” when enforcement had significant gaps or bypass exceptions
  • Declaring EDR “deployed on all endpoints” when the coverage rate was materially below that
  • Not disclosing a prior incident that was known to leadership but classified internally as “not material”
  • Describing backup isolation as complete when backups were connected to the primary environment

The standard: Reasonable application of the facts you knew. You don’t need perfect technical accuracy. You do need honest representation of material facts as best you understood them.

The war exclusion

Geopolitical conflict has produced a category of cyber coverage disputes around the war exclusion, the policy clause that excludes losses from acts of war. Several high-profile cases (most notably the NotPetya litigation) turned on whether nation-state attribution triggered the war exclusion.

The current state: most carriers have moved to explicit “cyber war” exclusion language that attempts to be more specific than the traditional war exclusion. Read your policy language. Ask your broker specifically about nation-state exclusions and how they define “state-sponsored” attacks for exclusion purposes.

Systemic event exclusions

Following CrowdStrike and similar events, carriers have added or clarified systemic event exclusions: clauses that limit or exclude coverage when a loss is caused by a widespread third-party software or infrastructure failure affecting many policyholders simultaneously. The intent is to protect carriers from correlated losses that would exceed their aggregate capacity.

What this means practically: losses caused by a widespread failure of a cloud provider, a major security vendor, or a widely-deployed software component may face coverage limitations or exclusions even when your own security controls were not at fault. Understand whether your policy has systemic event exclusions and what they cover.

Failure to maintain controls post-application

Coverage can be voided or limited if your controls materially deteriorated between application and incident. If you passed underwriting with strong MFA enforcement and your IT team disabled MFA enforcement for a subset of users six months later without updating the carrier, the carrier may argue that the risk they priced is no longer the risk they insured.

Some carriers are beginning to include policy conditions that require notification of material security control changes between renewals. Read your policy conditions, not just your coverage sections.

Part 4 · Documentation Requirements

The difference between a clean claim and a contested claim is frequently documentation quality. Assemble the following before you need them; during a claim is not the time to reconstruct your control evidence.

Identity & access: maintain

  • MFA enforcement configuration screenshots or policy exports (updated at each renewal)
  • Privileged account inventory with last review date
  • Access review documentation showing the last formal review cycle

Endpoint: maintain

  • EDR deployment coverage report: percentage covered, list of systems without coverage and justification
  • Anti-malware configuration and signature currency evidence

Backup: maintain

  • Backup completion logs for the last 90 days
  • Most recent restoration test results with date and scope
  • Evidence of backup isolation (immutable storage configuration, offline backup log)

Incident response: maintain

  • Current IR plan with version date and approval signatures
  • Most recent tabletop exercise documentation: scenario, participants, findings, action items
  • Forensic retainer agreement and carrier breach panel contact information

Vulnerability management: maintain

  • Most recent vulnerability scan results for internet-facing systems
  • Remediation SLA documentation
  • Open critical and high vulnerability report with remediation status

Email security: maintain

  • DMARC, DKIM, SPF configuration documentation for all sending domains
  • Email security gateway effectiveness report (block rates, threat category breakdown)

Training: maintain

  • Security awareness training completion report (by department, dated)
  • Phishing simulation results from last 12 months with trend data

Part 5 · The Renewal Conversation

What changes at renewal

First-year applications are evaluated as snapshots. Renewal underwriting evaluates change: what has improved, what has deteriorated, and whether the risk profile is trending in a direction the carrier wants to continue insuring.

Prepare for renewal by assembling a narrative of what changed in your security program since the last application. Not just “we added MFA for remote access” but “at last renewal, MFA coverage was at 87% and was not enforced for VPN. We closed that gap in Q2 and are now at 99% with no bypass exceptions. Here is the documentation.”

Carriers want to see trajectory. A good trajectory on a mediocre baseline is often better underwriting news than a flat excellent baseline, because it suggests a security program that is being actively managed rather than one that passed underwriting once and is being maintained in place.

Premium drivers you can influence before renewal

In order of impact on premium:

  1. MFA coverage rate. Moving from 85% to 98%+ enforced is the single highest-ROI improvement for premium reduction.
  2. Security ratings score. Understand your score, understand the factors driving it down, and address the highest-weight items before renewal.
  3. EDR coverage and mode. Moving EDR from audit to prevention mode, or filling coverage gaps, directly affects premium.
  4. Documented and tested backup isolation. A restoration test result from the last 90 days is the most credible evidence of backup capability.
  5. IR plan currency and tabletop documentation. A recent tabletop with documented outcomes shows program maturity.
  6. External vulnerability posture. Remediating high-profile vulnerabilities visible in external scans before the renewal conversation removes a specific underwriter concern.
  7. DMARC at enforcement policy. Moving from policy=none to policy=quarantine or reject is a concrete, verifiable improvement with direct claims relevance.

Questions to ask your broker before renewal

  1. What is our security ratings score, and what are the primary factors driving it?
  2. Has our carrier added or modified any exclusions since the last renewal? Specifically: war exclusion, systemic event exclusion, ransomware sublimit?
  3. What is the BEC sublimit on our current policy, and does it reflect our actual exposure?
  4. Does our carrier have a pre-approved forensic panel, and do we have retainer agreements with firms on that panel?
  5. Has our carrier changed their appetite for our industry vertical or revenue band since the last renewal?

Continuous, insurer-ready evidence.

Draxis extracts the KRIs underwriters actually look at (MFA coverage rates, EDR deployment, backup integrity, patch compliance) directly from your existing security controls. Rather than assembling evidence at renewal time, Draxis maintains continuous measurement so your posture is documented in real time. The cyber insurance expert module translates that signal into insurer-ready documentation and identifies premium-driver gaps before the renewal conversation.


This document is for informational purposes only and does not constitute insurance, legal, or financial advice. Consult your broker and legal counsel for coverage decisions specific to your organization.