Cyber insurance underwriting changed substantially over the past four years. After the ransomware surge of 2020 to 2022, carriers that had been writing policies with minimal scrutiny tightened their criteria hard. Premiums rose, coverage terms got more specific, and the process started demanding actual evidence of security controls instead of self-attestation.

If you're preparing for renewal, going through a first-time application, or trying to understand why your premium is what it is, here's what underwriters are actually evaluating, not just what the application asks.

If you want a control-by-control worksheet to prepare with, pair this with our cyber insurance readiness checklist.

The application is a filter, not the evaluation

The questions on a cyber insurance application ("Do you have MFA?", "Do you have an incident response plan?") are designed to screen out the worst risks, not to assess the quality of your program. Everyone checks yes. The real underwriting happens in three other places.

External scanning

Most carriers subscribe to security ratings platforms (Bitsight, SecurityScorecard, or similar) and pull an external scan of your environment before quoting. They're looking at patching cadence on internet-facing systems, open ports and services that shouldn't be exposed (RDP, SMB, unauthenticated admin panels), email authentication configuration (SPF, DKIM, DMARC), TLS certificate and protocol health, and indicators of past compromise associated with your IP ranges. This scan happens whether you know about it or not, and the same DNS and port data is available to you, so there is no reason to be surprised by it.

Supplemental questionnaires for higher limits

If you're seeking $5M or more in coverage, expect detailed technical follow-up from the underwriter or a broker security review. These go deeper than the initial application and ask about specific controls like endpoint detection and response, privileged access management, and backup integrity testing.

Post-bind audits

Some carriers include contractual rights to audit your controls after binding coverage, particularly at higher limits. A material misrepresentation on your application, intentional or not, can result in claim denial or rescission of the policy.

The controls that affect pricing and terms

Across most major carriers, these are the controls that move the needle.

Multi-factor authentication

MFA enforcement for remote access and privileged accounts is close to mandatory now for most carriers above certain revenue thresholds. The question isn't "do you have MFA" but "how broadly is it enforced." Email access, VPN, and admin accounts without MFA are underwriting red flags. Some carriers explicitly exclude ransomware claims in policies where MFA wasn't enforced on the compromised access vector.

Email security (SPF, DKIM, DMARC)

Business email compromise is one of the most frequent cyber insurance claims. Carriers look at whether your domain is configured to reject or quarantine spoofed mail. A domain without a DMARC policy at enforcement level (p=reject or p=quarantine) suggests higher BEC exposure, and that shows up in pricing. Enforcement is weaker than it looks if pct= is below 100, if the subdomain policy (sp=) is left at none, or if the SPF record ends in +all, which lets any host produce an aligned SPF pass. Keep in mind what DMARC does not do: it blocks exact-domain spoofing only, not lookalike domains or mail sent from a compromised internal mailbox, which is why carriers weigh MFA on email alongside it.
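To make the DMARC and SPF checks concrete, here is an added example (not code from the article, and not any ratings platform's actual scoring logic) that grades both records the way the pre-quote external scan does at a high level: DMARC below enforcement, pct= below 100, a weaker subdomain policy, a missing reporting address, and an SPF record whose all mechanism is permissive. The records, domain names, function names and verdict labels are this example's own constructions; a real check would resolve the TXT records over DNS instead of using literals.

```python
"""Grade SPF and DMARC records roughly the way an external scan would.

Added example, not from the original article and not a ratings platform's
scoring. SAMPLES below are constructed records; a real check would resolve
TXT records for <domain> and _dmarc.<domain> with a DNS library.
"""
import re
from typing import List, Optional, Tuple

Grade = Tuple[str, List[str]]  # (verdict, findings)


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; pct=50' into {'v': 'DMARC1', 'p': ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: Optional[str]) -> Grade:
    """Verdict: 'enforcing' (p=quarantine/reject), 'monitor-only' or 'missing'."""
    if not record:
        return "missing", ["no DMARC record at _dmarc.<domain>"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "missing", ["record lacks v=DMARC1 and is ignored by receivers"]
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only", [f"p={policy}: spoofed mail is delivered and only reported"]
    findings = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so no visibility into abuse")
    return "enforcing", findings


def _is_dns_lookup(term: str) -> bool:
    """Terms that count toward SPF's 10-lookup limit (RFC 7208 section 4.6.4)."""
    name = re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def grade_spf(record: Optional[str]) -> Grade:
    """Verdict: 'hard-fail' (-all), 'soft-fail' (~all), 'permissive' or 'missing'.

    Lookup counting is top-level only; the real limit is applied recursively
    through every include, so deep records are undercounted here.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return "missing", ["no SPF record"]
    terms = record.split()[1:]
    findings = []
    lookups = sum(1 for t in terms if _is_dns_lookup(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit, evaluates to permerror")
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return "permissive", findings + ["no 'all' mechanism: unknown senders get neutral"]
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier == "-":
        return "hard-fail", findings
    if qualifier == "~":
        return "soft-fail", findings + ["~all: many receivers still deliver softfails"]
    return "permissive", findings + [f"{qualifier}all: any sender passes or is neutral"]


def grade_domain(domain: str, spf: Optional[str], dmarc: Optional[str]) -> dict:
    """Combine both records into the yes/no an underwriter cares about.

    A permissive SPF lets any host produce an aligned SPF pass, which satisfies
    DMARC, so it undoes enforcement even when p=reject is published.
    """
    spf_verdict, spf_findings = grade_spf(spf)
    dmarc_verdict, dmarc_findings = grade_dmarc(dmarc)
    return {
        "domain": domain,
        "spf": spf_verdict,
        "dmarc": dmarc_verdict,
        "enforcing": dmarc_verdict == "enforcing" and spf_verdict != "permissive",
        "findings": spf_findings + dmarc_findings,
    }


# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLES = {
    "good.example": ("v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s"),
    "monitor.example": ("v=spf1 include:_spf.mailprovider.example ~all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "leaky.example": ("v=spf1 mx a include:_spf.mailprovider.example +all",
                      "v=DMARC1; p=quarantine; pct=10; sp=none"),
    "bare.example": ("v=spf1 -all", None),
}

if __name__ == "__main__":
    for name, (spf_rec, dmarc_rec) in SAMPLES.items():
        result = grade_domain(name, spf_rec, dmarc_rec)
        print(f"{name}: spf={result['spf']} dmarc={result['dmarc']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run this against your own published records before the scan runs: leaky.example is the case that trips people up, because p=quarantine reads as enforcement on the application while pct=10, sp=none and +all mean almost nothing is actually blocked.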

Endpoint detection and response

Traditional antivirus is not equivalent to EDR in underwriting. Carriers want EDR deployed across a high percentage of endpoints, with most setting informal thresholds around 90 to 95% coverage. Managed detection and response on top of EDR can favorably affect terms for some carriers.

Privileged access management

How you control and monitor privileged credentials is one of the most scrutinized areas at higher limits. Shared admin accounts, no privileged access workstations, and no regular review of privileged assignments are all concerns. Password vaulting for privileged accounts and just-in-time access provisioning are strong positive signals.

Backup architecture and testing

Ransomware claims dominate cyber insurance losses. Carriers evaluate whether your backups are segregated from production (offline, air-gapped, or immutable and not reachable with production credentials), how recently they've been tested with an actual restore, and what your recovery time objective is. Backups that live on the same network as production and haven't been restore-tested in the past 12 months are a significant pricing factor; a backup that has only been verified as "completed successfully" has not been tested.

Incident response plan

A documented, tested IR plan matters for two reasons. It signals program maturity, and a tested plan reduces claim severity through faster response, clearer escalation, and less chaos. Carriers know this. Tabletop exercises in the past 12 months are worth noting on your application.

What carriers pay on, and what they deny

Knowing what carriers actually see in claims helps you understand what they're pricing for.

Ransomware and business email compromise account for the majority of claims by frequency. Ransomware drives larger individual losses; BEC drives higher claim volume at lower severity. Data breach response costs (forensic investigation, notifying affected individuals, and providing credit monitoring) generate a significant share of claims in regulated industries such as healthcare, financial services, and legal.

The claims carriers commonly challenge or deny fall into three buckets.

War exclusions

Following the NotPetya coverage litigation, in which courts largely read traditional war exclusions narrowly and in the policyholder's favor, most carriers have added or tightened war and nation-state exclusions with language written specifically for cyber events. If your claim involves an attack attributable to a nation-state actor, expect the carrier to evaluate whether the exclusion applies. This is an evolving area legally, and the language varies significantly across policies.

Prior acts and known conditions

If you knew about a vulnerability or incident before your policy period began and failed to disclose it, coverage for claims arising from that condition may be excluded. The retroactive date on your policy matters.

Misrepresentation

If you certified that MFA was enforced on all privileged accounts and it wasn't, and a claim arises from compromised privileged credentials, the carrier has grounds to contest coverage. This happens. Review your application responses carefully before submission and at every renewal.

How to present your program

Most applicants submit a completed form and wait. That's the baseline. If you want favorable terms, particularly at higher limits or in a renewal following a loss, you need to do more than fill out the form.

Prepare a security program summary: a one-to-two page overview covering your control framework, key control metrics (MFA enrollment rate, EDR coverage rate, patch compliance), your incident response program, and your security governance structure. This gives the underwriter context the form doesn't provide.

If you've made material improvements since your last renewal, document them explicitly. Carriers have no way to know you deployed EDR six months ago, moved to a modern identity provider with adaptive MFA, or ran a tabletop last quarter unless you tell them. That documentation directly affects your renewal quote.

Be ready to discuss your most significant risk areas honestly. If your backup architecture has a known gap you're working to address, saying so and showing a remediation plan beats hoping the underwriter doesn't notice. Getting caught in a misrepresentation at claim time is far worse than a premium adjustment at renewal. Knowing where your program stands before you sit down is exactly where continuous key risk indicator (KRI) measurement earns its keep.

Reading your policy

The premium is only half the equation. What the policy covers and excludes matters as much as what you pay.

Read the ransomware and extortion provisions carefully. Some policies exclude reimbursement of a ransom paid without the carrier's prior consent, and no carrier can reimburse a payment to a sanctioned entity. Some require you to engage the carrier's preferred incident response vendor or panel counsel, which can change how an incident is handled and who runs the forensics.

Check the sublimits. Many policies carry lower sublimits for specific coverage areas: social engineering and BEC, regulatory defense costs, system failure as opposed to a security breach. A $5M policy with a $500K sublimit for BEC is not a $5M policy for your highest-frequency risk.

Understand the retroactive date. Coverage for incidents arising from events before that date is excluded. When you switch carriers, check that the new retroactive date preserves continuity with your prior policy.

Know where you stand before you renew.

Draxis maps your current control posture directly to the indicators cyber insurance underwriters evaluate, so you know where your program stands before you sit down to renew, not after you've seen the quote.

See how Draxis supports cyber insurance readiness →