Cyber Insurance IT Requirements Checklist
Cyber insurers have dramatically raised the technical bar for coverage. Here's what they now require — and what happens if you can't check the boxes.
Why cyber insurance requirements have changed
Loss ratios forced the market to change
The cyber insurance market experienced severe losses between 2019 and 2022 as ransomware attacks surged and average claim payouts grew faster than premiums. Marsh McLennan data shows U.S. cyber insurance premiums increased more than 50% in 2022 alone as insurers responded to claims volume. The industry stabilized in 2023, but only because insurers became far more selective about what they cover and who they cover.
Major insurers including Coalition, Corvus, Chubb, Beazley, and AIG now use pre-binding security questionnaires and technical scanning to assess control maturity before issuing policies. Businesses that can't demonstrate baseline security controls either pay significantly higher premiums or receive coverage with ransomware sublimits and exclusions.
What insurers are actually checking
Most insurers now conduct external scanning of your internet-facing infrastructure as part of underwriting — looking for exposed RDP, unpatched systems, and missing email authentication records (SPF/DKIM/DMARC). They cross-reference your self-reported questionnaire against what their scanners actually find.
If a claim is filed and investigation reveals that controls you claimed were in place weren't actually implemented, insurers can deny the claim and potentially rescind the policy entirely. Accurate representation of your security controls isn't just good practice — it's a legal obligation on your application.
The cyber insurance IT checklist
These are the controls most commercial cyber insurers now require or strongly weight in underwriting decisions.
Identity & Access Controls
- Multi-factor authentication (MFA) on all email accounts — no exceptions for any user
- MFA on all VPN and remote desktop (RDP) access
- MFA on all privileged accounts and admin portals (cloud consoles, backup software, DNS)
- MFA on all financial portals and banking access
- Privileged Access Management (PAM) — admin accounts separated from daily-use accounts
- Regular review and removal of unused or terminated user accounts
Endpoint & Network Security
- Endpoint Detection and Response (EDR) deployed on all endpoints — not just legacy antivirus
- Patch management program with critical patches applied within 30 days
- Remote Desktop Protocol (RDP) not exposed to the public internet, or protected by MFA and VPN
- Network segmentation — at minimum, guest Wi-Fi isolated from business systems
Backup & Recovery
- Offsite or cloud backups of all critical data — not just local backups
- Immutable backups that cannot be modified or deleted by ransomware
- Backup credentials stored separately from domain/network credentials
- Backup restore testing performed at least quarterly
- Documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Email & Awareness
- Email filtering with anti-phishing and malicious attachment scanning
- SPF, DKIM, and DMARC records published for your email domain
- Annual security awareness training for all staff
- Phishing simulation program in place
- Written incident response plan — documented and tested, not just filed away
- Cyber insurance application answers consistent with actual controls in place
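Insurers' external scans check whether SPF and DMARC records exist and whether they actually enforce anything, so it is worth running the same check yourself before the questionnaire goes in. The script below is an added example, not code from the page or from any insurer: it evaluates a constructed snapshot of TXT records (the domains, records and function names are made up for illustration) rather than querying live DNS, so it runs offline. It goes slightly beyond the checklist by also flagging a `p=none` DMARC policy, a permissive `?all`/`+all` SPF qualifier and an SPF record that exceeds the RFC 7208 limit of ten DNS-querying mechanisms, all of which are common reasons a "published" record still fails an underwriter's review.

```python
"""Offline self-check of the SPF and DMARC records an insurer's external scan
looks for. Input is a constructed snapshot of TXT records, not a live DNS
query. Added example; domains and record strings are made up."""
import re

# Constructed sample zone: DNS name -> TXT records a query would return.
SAMPLE_ZONE = {
    "good.example":        ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example":        ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "missing.example":     ["some-verification-token=abc123"],  # no SPF, no DMARC
}

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$|/)", re.I)


def check_spf(txt_records):
    """Return a list of findings for the SPF record(s) in txt_records; [] is a pass."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as permerror)")
    terms = spf[0].split()[1:]
    qualifier = None
    for t in terms:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.I)
        if m:
            qualifier = m.group(1) or "+"
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism; unmatched senders are neutral by default")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF: '{qualifier}all' does not reject forged senders (use -all or ~all)")
    lookups = sum(1 for t in terms
                  if LOOKUP_MECH.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(txt_records):
    """Return findings for the DMARC record published at _dmarc.<domain>; [] is a pass."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def assess_domain(domain, zone):
    """Combine SPF and DMARC findings for one domain; an empty list means both pass."""
    return (check_spf(zone.get(domain, []))
            + check_dmarc(zone.get(f"_dmarc.{domain}", [])))


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "missing.example"):
        print(d, assess_domain(d, SAMPLE_ZONE) or ["OK"])
```

To run it against a real domain, replace `SAMPLE_ZONE` lookups with the TXT answers from a resolver and keep the evaluation logic unchanged; the findings list maps directly onto the "SPF, DKIM, and DMARC records published" line of the checklist (DKIM selectors vary per sending service, so they are not covered here).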
Coalition's data shows that businesses demonstrating strong control maturity — particularly MFA on all remote access, EDR deployment, and tested backups — routinely receive 15–30% lower premiums than peers in the same industry and size band. The cost of implementing these controls through a managed service provider is often less than the annual premium savings.
What to do if you can't check all the boxes
Prioritize by claim frequency
If you need to triage, start with the controls that drive the most claims. Coalition's data consistently shows account takeover (addressed by MFA) and ransomware (addressed by EDR, backups, and MFA) represent the majority of claim volume by value. MFA alone, deployed across email and remote access, eliminates the entry point for a significant share of incidents. Prioritize MFA → EDR → tested offsite backups → email security in that order.
Document what you have
Insurers respond to evidence. If controls are in place but undocumented, they effectively don't exist from an underwriting perspective. Work with your IT provider to produce a written inventory of security controls in place, tool names and versions, patch status, and backup schedules. This documentation directly supports your application accuracy and strengthens your position if a claim is ever disputed.
Sources
- Coalition, Cyber Claims Report, 2023
- Marsh McLennan, State of Cyber Insurance Market, 2022–2023
- Corvus Insurance, Q4 2023 Cyber Threat Report
- Chubb, Cyber Risk Underwriting Guidelines (public documentation)
- CISA, Cross-Sector Cybersecurity Performance Goals, 2022
- Microsoft Security Intelligence, Account Compromise Data, 2023
Find out how many boxes you can check today.
Book a free assessment — we'll walk through your current controls against this checklist and tell you exactly where you stand before your next renewal.