What Does Cyber Insurance Require?

If you are asking what cyber insurance requires, it usually means one of two things. Either your renewal questions have become far more detailed, or you have discovered that cover is no longer based on a simple application and a premium. Insurers now want evidence that your business can prevent common attacks, limit damage quickly, and recover without extended disruption.

That shift matters because cyber insurance is no longer just a financial product. It has become closely tied to how your IT is run day to day. If your systems, access controls, backups and response processes are weak, insurers may raise premiums, reduce cover, add exclusions, or decline the policy altogether.

What does cyber insurance require in practice?

Most insurers are looking for a baseline level of cyber maturity rather than perfection. They know no business can remove all risk. What they want to see is that the most common and most damaging attack paths have been addressed.

In practice, that usually means controls around identity, devices, email, backups, patching and incident response. The exact requirements vary by insurer, sector, turnover and risk profile, but the direction is consistent. Businesses are expected to prove they can manage known risks, not just say they take security seriously.

The questions on proposal forms also go deeper than they used to. A form may ask whether you use multi-factor authentication, but the real issue is where it is enforced. If it only protects one or two systems and leaves remote access, admin accounts or Microsoft 365 exposed, that answer may not help much.

The controls insurers most often expect

Multi-factor authentication

For many insurers, multi-factor authentication is now non-negotiable. It is commonly expected for email, cloud platforms, remote access, VPNs, privileged accounts and any critical business systems. Some policies specifically require MFA for all users, while others focus on administrators and internet-facing services.

This is one of the clearest examples of where detail matters. Saying you have MFA in place is not enough if it is optional, inconsistently deployed or easy to bypass. Insurers increasingly want confirmation that it is enforced across the estate.

Secure backups

Backups are a major underwriting focus because they directly affect ransomware impact. Insurers want to know whether backups are regular, protected from tampering, tested for restoration and stored in a way that prevents malware from easily encrypting or deleting them.

A backup system that exists only on paper is not much use during a real incident. If recovery takes days, fails completely, or brings corrupted data back into production, the business interruption cost rises sharply. That is why insurers often ask about immutability, offline copies and testing frequency.

Patch management and vulnerability control

Unpatched systems remain one of the easiest ways into a business. Most insurers now expect a formal approach to patching operating systems, endpoints, servers, firewalls and business-critical applications. High-risk vulnerabilities should be addressed quickly, especially on externally exposed systems.

This does not mean every patch can be installed the moment it is released. Operational realities matter. Legacy platforms, production dependencies and change windows all affect timing. What insurers want to see is a managed process with prioritisation, visibility and accountability.

Endpoint protection and monitoring

Traditional antivirus on its own is often viewed as outdated. Many insurers now ask whether you use managed detection and response, endpoint detection and response, or comparable monitoring tools that can identify suspicious behaviour and support containment.

For smaller businesses, the requirement may be less formal, but the expectation is still moving towards active monitoring rather than passive protection. If a threat can sit unnoticed for weeks, the eventual claim is likely to be larger.

Access control and privileged account management

Insurers look closely at who has access to what, and how that access is controlled. That includes least-privilege access, separate admin accounts, password policies, joiner-mover-leaver processes and restrictions on shared credentials.

This area often exposes hidden risk. Businesses grow quickly, teams change roles, suppliers retain old access, and nobody fully reviews permissions. From an insurer’s point of view, weak access control increases both external attack risk and internal misuse.

Email and user protection

Email remains a leading route for phishing, credential theft and fraud. Underwriters may ask about email filtering, domain protection, awareness training and payment verification procedures. They are not just concerned about malware. They are also looking at business email compromise, where a single convincing message can trigger a major financial loss.

Training matters here, but it has limits. Staff awareness should support technical controls, not replace them. A good insurer understands that people make mistakes, especially under pressure.

What does cyber insurance require beyond technology?

Technology controls are only part of the picture. Cyber insurance increasingly depends on whether your business can respond in a structured way when something goes wrong.

Incident response planning

A documented incident response plan is becoming more important at renewal. Insurers want to know who is responsible, how incidents are escalated, which third parties are involved, and what steps are taken to contain an event.

The plan does not need to be oversized or full of jargon. It needs to be usable. During an incident, clarity beats complexity every time.

Business continuity and disaster recovery

Cyber events quickly become operational events. If core systems fail, staff cannot work, orders stop, customers are affected and revenue is interrupted. For that reason, insurers often look at your continuity and recovery planning alongside security controls.

This is especially relevant for businesses with multiple locations, customer-facing systems, or compliance obligations. A company may survive a technical breach but still suffer major losses if it cannot restore operations in a controlled way.

Policies, governance and evidence

Insurers do not just assess whether a control exists. They often assess whether it is governed. That means documented policies, security ownership, regular reviews and evidence that the stated controls are actually operating.

This is where many businesses run into trouble. The controls may be in place informally, but there is little documentation to support them. Underwriters and claims teams prefer evidence they can verify.

Why insurers have become stricter

Cyber claims have changed the market. Ransomware, data breaches and payment fraud have driven up losses, while attackers have become faster and more opportunistic. Insurers have responded by tightening underwriting standards and paying closer attention to avoidable weaknesses.

From a business perspective, that can feel frustrating. Premiums rise, forms get longer and the technical questions become more specific. But the logic is straightforward. If two firms want the same cover and one has mature controls while the other does not, they do not present the same level of risk.

There is also a practical upside. The same controls that help secure insurance usually improve resilience, reduce downtime and lower the chance of a serious incident in the first place.

Common gaps that affect cover

The biggest issues are rarely exotic. They are usually basic controls applied inconsistently. MFA is rolled out to some users but not all. Backups run, but nobody tests restoration. Patching happens, but there is no visibility of critical vulnerabilities. Admin rights are broader than they should be. Departed users still appear in systems.

Another common gap is overconfidence. Some businesses assume outsourced IT means every insurer requirement is automatically covered. Sometimes it is, sometimes it is not. Responsibility can become blurred across providers, internal teams and software vendors.

That is one reason a single accountable technology partner can make such a difference. When infrastructure, support, cybersecurity and operational ownership sit together, it becomes far easier to prove control, close gaps and approach renewal with confidence.

How to prepare before you apply or renew

Start by treating the insurance application as a risk review, not paperwork. Compare the questions against your live environment and be honest about what is fully implemented, partially implemented or absent.

Then prioritise the controls most likely to influence both risk and insurability. MFA, backup resilience, patching discipline, privileged access and incident response usually belong near the top of the list. If a control is planned but not yet operational, do not assume it counts.

It also helps to gather evidence before the questions arrive. Policy documents, screenshots, configuration records, test results and asset inventories can all support a smoother underwriting process. More importantly, they reduce the chance of misstatements that create problems later if you need to claim.

For businesses with limited internal capacity, this is often where external support becomes commercially sensible. The goal is not to add complexity. It is to make sure your security controls, compliance posture and insurance requirements line up in a way that is practical to manage.

The real answer to what cyber insurance requires

The short answer is that cyber insurance requires more than a policy premium. It requires proof that your business has taken reasonable steps to prevent common attacks, contain incidents quickly and recover operations without unnecessary delay.

Exactly how far that goes depends on your size, sector, systems and insurer. A small professional services firm will not be assessed in the same way as a multi-site retailer or a business running critical infrastructure. But the direction is the same across the market: stronger controls, clearer evidence and less tolerance for avoidable weaknesses.

If your renewal is approaching, the right question is not just whether you can get cover. It is whether your environment would stand up to the scrutiny behind that cover. When the answer is yes, insurance becomes far easier to place and far more likely to perform when you need it.