Cyber insurance policies increasingly require specific IT security controls as a condition of coverage. If you experience a breach and cannot demonstrate that these controls were in place, your claim may be denied. Understanding and meeting these requirements protects both your coverage and your business.
Why Cyber Insurance Requirements Have Gotten Stricter
Ransomware payouts skyrocketed between 2020 and 2024, costing insurers billions and forcing them to tighten underwriting standards dramatically. Many policies now include detailed security questionnaires during the application and renewal process, asking specific questions about MFA, endpoint protection, backup practices, and employee training.
Insurers are also actively denying claims when businesses misrepresented their security posture on the application. If you said MFA was enabled on all accounts but it was only enabled on two out of twenty, that discrepancy can void your coverage when you need it most.
The good news is that meeting these requirements is not just about keeping your insurer happy. Every control on this list genuinely reduces your risk of a breach. The insurers require them because they work.
Requirement 1: Multi-Factor Authentication (MFA)
Nearly every cyber insurance policy now requires MFA, and it is the single most common reason for claim denials. The insurer asks "Is MFA enabled on all email accounts and remote access?" on the application, the business checks "yes," and then a breach investigation reveals that MFA was only enabled on some accounts, or was configured but not actually enforced.
Where MFA must be enabled:
- Email (Microsoft 365 or Google Workspace) for all users, not just admins
- VPN and remote access connections
- Admin accounts for all systems, including firewalls, servers, and cloud platforms
- Cloud applications that store sensitive data (accounting, payroll, CRM)
Authenticator apps or hardware security keys are preferred. Some policies explicitly state that SMS-based MFA does not satisfy the requirement because it is vulnerable to SIM swapping attacks.
The most reliable way to enforce MFA across your organization is through Conditional Access policies in Entra ID, included with Microsoft 365 Business Premium. Conditional Access lets you create rules that require MFA for every sign-in, or for specific conditions like sign-ins from outside your office network or from non-compliant devices. This is enforcement at the platform level, meaning individual users cannot bypass it.
Requirement 2: Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient for most cyber insurance policies. Insurers now expect some form of EDR or next-generation endpoint protection that actively monitors for threats rather than just scanning for known malware signatures.
The specific language varies by insurer. Some policies say "EDR," others say "next-generation antivirus" or "managed detection and response." Read the exact language in your policy and make sure your solution meets the stated requirement.
Athencia deploys Microsoft Defender for Business as the endpoint protection foundation on every managed device, then layers Huntress on top to provide a 24/7 SOC with human threat hunters who actively investigate and respond to alerts. This combination satisfies the EDR requirement and the managed detection and response (MDR) requirement that many policies now include. Defender handles real-time protection; Huntress provides the human monitoring, SIEM, and incident response that insurers want to see. Other EDR options in the SMB space include SentinelOne and CrowdStrike.
If your policy requires MDR or 24/7 monitoring, make sure you can demonstrate that capability. Having EDR software installed but nobody watching the alerts is a gap that insurers will identify.
Requirement 3: Regular Data Backups
Policies typically require regular backups with offsite or cloud copies. The bar has been raised beyond simply running a backup job. Insurers now want to see:
- Regular backup frequency. Daily for most data, more frequently for critical systems like databases and financial records.
- Offsite or cloud storage. At least one copy of your backup must be stored outside your primary environment. If ransomware encrypts your local server, your backup needs to be somewhere it cannot reach.
- Immutable or air-gapped backups. Increasingly, policies require that at least one backup copy cannot be modified or deleted, even by an administrator. This prevents ransomware from encrypting your backups along with your production data.
- Documented backup testing. It is not enough to say backups are running. You need to demonstrate that you have tested restoration and that the data is recoverable. Keep logs of backup test results, including the date, what was restored, and whether it was successful.
Dropsuite provides cloud backup for Microsoft 365 email, OneDrive, and SharePoint. This gives you an independent, cloud-based copy of your Microsoft 365 data that lives outside your tenant. If your environment is compromised, Dropsuite lets you restore clean copies of email, files, and sites. Having a third-party backup solution like Dropsuite also demonstrates to your insurer that your backups are genuinely independent from your production environment.
Requirement 4: Patch Management
Unpatched systems are one of the most commonly exploited entry points for attackers, and insurers know it. Most policies require a documented patch management process, and many specify a timeframe for applying critical patches, typically within 14 to 30 days of release.
This requirement applies to everything: operating systems, applications (browsers, Adobe products, Java), network devices (routers, firewalls, VPN appliances), and firmware. End-of-life software that no longer receives security patches is a red flag for insurers and may be grounds for increased premiums or denied coverage.
If your business uses Microsoft 365 Business Premium, Microsoft Intune can enforce Windows update policies across all enrolled devices, ensuring patches install automatically on both office and remote computers. For third-party application patching, your MSP or IT provider can implement tools that automate updates for common business software.
A documented patch management process does not need to be complicated. A simple written procedure that states "critical patches are applied within 14 days; all other patches within 30 days; end-of-life software is replaced before support ends" gives you a defensible position.
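As an added example (not Athencia's tooling and not from the original post), the written procedure above turned into a check over a patch inventory. The row layout, placeholder patch ids, dates and hosts are constructed sample data; in practice the rows would come from an Intune or RMM export.

```python
"""Patch SLA compliance report (added example, not Athencia's own tooling).
Scores a patch inventory against the written procedure above: critical patches
within 14 days of vendor release, everything else within 30 days. Row layout,
placeholder patch ids and sample rows are constructed; export real ones from
Intune or your RMM."""
from datetime import date, timedelta

SLA_DAYS = {"critical": 14, "other": 30}  # deadline in days after vendor release
AS_OF = date(2024, 4, 5)  # report date used for the constructed sample

# Constructed sample inventory: (host, patch id, severity, released, installed or None)
INVENTORY = [
    ("laptop-01", "PATCH-A", "critical", date(2024, 3, 1), date(2024, 3, 10)),
    ("laptop-02", "PATCH-A", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    ("server-01", "PATCH-B", "other", date(2024, 3, 1), None),
    ("server-01", "PATCH-C", "other", date(2024, 2, 1), date(2024, 2, 20)),
]

def evaluate(inventory, today):
    """Return (host, patch, status, days past deadline) per row.
    compliant/late = installed before/after the deadline;
    pending/overdue = still missing, deadline not yet reached/already passed."""
    results = []
    for host, patch, severity, released, installed in inventory:
        limit = SLA_DAYS["critical" if severity == "critical" else "other"]
        deadline = released + timedelta(days=limit)
        if installed is None:
            overrun = (today - deadline).days
            status = "overdue" if overrun > 0 else "pending"
        else:
            overrun = (installed - deadline).days
            status = "late" if overrun > 0 else "compliant"
        results.append((host, patch, status, max(overrun, 0)))
    return results

def summary(results):
    """Counts per status plus the SLA-met percentage a questionnaire asks for."""
    counts = {s: 0 for s in ("compliant", "late", "overdue", "pending")}
    for _, _, status, _ in results:
        counts[status] += 1
    met = counts["compliant"] + counts["pending"]  # pending rows have not breached the SLA
    counts["sla_met_pct"] = round(100.0 * met / len(results), 1) if results else 100.0
    return counts

if __name__ == "__main__":
    rows = evaluate(INVENTORY, AS_OF)
    for host, patch, status, days in rows:
        print(f"{host:10} {patch:8} {status:9} {days} days past deadline")
    print(summary(rows))
```

Keep the printed report alongside the date it was run; it is the kind of patch evidence the questionnaire asks you to produce.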
Requirement 5: Employee Security Awareness Training
Most cyber insurance policies require documented security awareness training for all employees. Phishing remains the most common entry point for attacks, and insurers expect you to be actively training your team to recognize and report it.
Training should cover:
- Phishing recognition (email, SMS, and voice phishing)
- Password hygiene and the use of password managers
- Social engineering tactics including business email compromise
- Data handling and what constitutes sensitive information
Frequency matters. Annual training is the minimum most policies require, but quarterly training demonstrates a stronger commitment to security. Many policies also expect simulated phishing tests, where fake phishing emails are sent to employees to measure who clicks and who reports.
Huntress provides security awareness training (SAT) as part of its platform, combining phishing simulations with targeted training modules. Employees who click on simulated phishing links receive immediate, relevant training. This approach measures actual behavior, not just attendance at a training session, which is exactly what insurers want to see.
Keep records of who completed training and when. During a claim, you may be asked to produce training completion reports for all employees.
Requirement 6: Access Controls and Privileged Account Management
Insurers expect you to follow the principle of least privilege: users should only have access to the systems and data they need for their job, nothing more.
Specific expectations include:
- Separate admin accounts. Administrators should have a separate account for admin tasks, distinct from their daily email and productivity account. If their daily account is phished, the attacker does not gain admin access.
- Prompt offboarding. When an employee leaves, their access must be revoked promptly. Document your offboarding process and show that it includes disabling accounts, revoking MFA, and removing access to shared resources.
- Password policies that meet minimum standards. Minimum length requirements (12+ characters), no password reuse, and the use of a password manager. Athencia recommends 1Password for small businesses because of its balance of security and usability.
- Regular access reviews. Periodically review who has access to what and remove unnecessary permissions. This does not need to be a formal audit; a quarterly check by your IT provider is sufficient.
Entra ID and Conditional Access make it straightforward to enforce these controls across your Microsoft 365 environment. Conditional Access can require compliant devices, block risky sign-ins, and enforce MFA on all admin accounts automatically.
Other Common Requirements
Beyond the six core requirements above, your policy may also expect:
- Incident response plan. A documented plan for what to do during a breach. Even a simple one-page plan that covers who to call, how to contain the threat, and how to notify stakeholders satisfies most policies.
- Email security. SPF, DKIM, and DMARC configured on your domain to prevent spoofing. Microsoft Defender for Office 365, included with Business Premium, provides additional email security through Safe Attachments, Safe Links, and anti-phishing policies.
- Full-disk encryption. BitLocker on Windows laptops, FileVault on Macs. Both are included with the operating system and can be enforced through Intune.
- Network segmentation. Guest Wi-Fi separated from your business network. Critical systems isolated from general user traffic.
- Vulnerability scanning. Regular scanning of internet-facing systems for known vulnerabilities. Your MSP should be doing this as part of their management service.
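For the email security item above, an added example (not Athencia's or Microsoft's tooling, and not from the original post): a small check that grades a domain's SPF and DMARC TXT records. The records are constructed samples for a hypothetical example.com; DKIM is left out because verifying it needs the selector name.

```python
"""SPF/DMARC record check (added example, not Athencia's or Microsoft's tooling).
Grades the TXT records behind the "email security" question. The records below are
constructed sample answers for a hypothetical example.com; paste in your own DNS
provider's TXT records to check a real domain. DKIM needs the selector name, so it is
not checked here."""
import re

SAMPLE_RECORDS = {  # constructed, hypothetical domain
    "example.com": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10; more = permerror)
LOOKUP_TERMS = re.compile(r"[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")

def check_spf(record):
    """Return findings for an SPF record; an empty list means it is acceptable."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no SPF record (missing v=spf1)"]
    findings, qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:
            qualifier = m.group(1) or "+"  # bare 'all' means pass
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' lets any host send as your domain")
    elif qualifier in ("~", "?"):
        findings.append(f"'{qualifier}all' only soft-fails; use '-all' once all senders are listed")
    lookups = sum(1 for term in terms[1:] if LOOKUP_TERMS.match(term))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror, SPF ignored)")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it enforces a policy."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record (missing v=DMARC1)"]
    findings, policy = [], tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(missing)'} does not act on spoofed mail; use quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to evidence enforcement")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings
```

Run both checks on the sample and the output shows the two gaps a reviewer would flag: a soft-fail SPF and a monitoring-only DMARC policy.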
How to Prepare for Your Cyber Insurance Application or Renewal
Do not wait until the application lands on your desk. Prepare in advance so you can answer every question honestly and completely.
- Get a copy of the insurer's security questionnaire before renewal. Your broker can usually provide this in advance.
- Audit your current security posture against each requirement. Be honest. Misrepresentation can void your coverage entirely.
- Fix gaps before submitting the application. If MFA is not enabled everywhere, enable it now. If backups are not tested, test them. Fixing the gaps before you apply is always better than hoping the insurer does not ask.
- Document everything. Policies, training records, backup test results, patch reports, access reviews. Create a simple folder (physical or digital) where all compliance evidence lives.
- Work with your MSP or IT provider to compile evidence of compliance. An Athencia One managed IT plan includes the security controls that most cyber insurance policies require, and we can help you document them for your insurer. Athencia also provides CIS Controls baseline assessments that map your current security posture against the CIS Controls framework, giving you a clear picture of where you stand and what needs to improve.
Need Help?
Cyber insurance requirements can feel overwhelming, but most of them boil down to the same security fundamentals: MFA, endpoint protection, backups, patching, and training. If you need help meeting your policy requirements or preparing for a renewal, contact Athencia. We work with small businesses to close security gaps and document compliance so your coverage holds up when you need it.