September 25, 2025

We’ve supported businesses in Concord and beyond with IT security readiness for years, and one recurring question we get from clients is: What do I need to show underwriters when applying for cyber insurance? The truth is, cyber insurance is no longer a quick questionnaire and signature. Carriers now demand concrete proof of controls, readiness, and resilience. If you want affordable coverage—and fast claims approval when something goes wrong—you need to understand what underwriters look for and prepare evidence accordingly.
Why Cyber Insurance Requirements Have Tightened
Five years ago, many insurers were willing to issue cyber liability policies with minimal vetting. Today, ransomware payouts have skyrocketed, regulatory penalties have grown harsher, and attackers have become more industrialized. As a result, insurers are losing money unless they sharpen underwriting standards. They now want assurance that applicants have not only purchased security tools, but also deployed them correctly and tested them in practice.

Underwriters focus on two main questions. First: how likely is this company to be breached? Second: if it is breached, how fast and effectively can it recover? Every question on an application or supplemental questionnaire ultimately ties back to those two concerns. The way you answer, and the evidence you provide, can be the difference between affordable coverage with strong terms and a rejection or sky-high premiums.
The Core Security Controls Underwriters Examine
Although every insurer has its own questionnaire, most prioritize the same control areas. Here are the top categories underwriters want to see in place:
Multi-Factor Authentication (MFA):
This is now table stakes. Insurers expect MFA for remote access, admin accounts, cloud services, and email. Adaptive MFA that escalates requirements when risk signals are detected earns you credibility. Weak coverage—such as MFA only for VPN but not for privileged accounts—can raise red flags.
Endpoint Detection and Response (EDR/XDR):
Traditional antivirus is no longer sufficient. Underwriters want to see modern endpoint monitoring with behavioral detection, automated isolation, and incident investigation capabilities. Dashboards showing recent alerts and remediation outcomes carry weight.
Backups and Disaster Recovery:
You’ll be asked whether you maintain offline or immutable backups, how often they run, and whether you test restorations. Insurers know backups can make the difference between surviving ransomware intact and paying a multi-million-dollar ransom.
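A backup that has never been restored is not evidence. The script below is an added example (not code from the original post or from any vendor) of what a restoration test with a written log entry can look like: it builds a small constructed file set, archives it, restores the archive to a clean directory, checks every restored file against the source's SHA-256 hash, and returns a timestamped record you could keep in a backup test log. The sample file names, the archive name and the `tamper` flag (which corrupts one restored file so you can see a failing entry) are assumptions for illustration; in a real run you would point `restore_backup` at your own backup set.

```python
"""Backup restoration test that produces a log record (added example)."""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def make_backup(source_dir, archive_path):
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")


def restore_backup(archive_path, target_dir):
    """Extract the archive, refusing members that would escape target_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        members = []
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"refusing unsafe member path: {m.name}")
            members.append(m)
        tar.extractall(target_dir, members=members)


def verify_restore(source_dir, restored_dir):
    """Compare restored files to the source by hash; missing or changed files fail the test."""
    expected = hash_tree(source_dir)
    actual = hash_tree(restored_dir)
    missing = sorted(set(expected) - set(actual))
    mismatched = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return {
        "files_checked": len(expected),
        "missing": missing,
        "mismatched": mismatched,
        "passed": not missing and not mismatched,
    }


def run_restore_test(tamper=False):
    """Run the full backup -> restore -> verify cycle on constructed data.

    Returns the log record. tamper=True corrupts one restored file so the
    failing case is visible; it is an assumption for the example, not a
    feature of any backup product.
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "finance"))
        # Constructed sample data standing in for a real backup set.
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample data\n")

        archive = os.path.join(work, "backup.tar.gz")  # assumed archive name
        make_backup(src, archive)

        restored = os.path.join(work, "restored")
        os.makedirs(restored)
        restore_backup(archive, restored)
        if tamper:
            with open(os.path.join(restored, "readme.txt"), "w") as f:
                f.write("corrupted\n")

        result = verify_restore(src, restored)

    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "archive": "backup.tar.gz",
        **result,
    }


if __name__ == "__main__":
    # One JSON line per test run is enough to build the "backup test logs"
    # that underwriters ask for.
    print(json.dumps(run_restore_test()))
    print(json.dumps(run_restore_test(tamper=True)))
```

The hash comparison is the point: a restore that "completes" but yields a corrupted or incomplete file set is exactly the failure a log of exit codes would hide. The member-path check in `restore_backup` is the defensive habit of never extracting an archive you did not just create without validating where its entries will land.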
Patch and Vulnerability Management:
Evidence of regular vulnerability scanning and documented patch cycles is critical. Many breaches stem from unpatched known vulnerabilities, so underwriters zero in on whether you track remediation times for critical CVEs.
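Tracking remediation times is mostly bookkeeping over your scanner's export, and it is the kind of report that turns "we patch regularly" into evidence. The following is an added example, not code from the original post or from any scanner vendor: it reads a simplified CSV export (constructed here, with placeholder CVE ids rather than real advisories), computes days-to-remediate per finding, and summarizes each severity's closure rate, mean time to fix, and SLA breaches, listing still-open findings that have exceeded their deadline. The CSV columns and the `SLA_DAYS` thresholds are assumptions; substitute your scanner's column names and your own policy targets.

```python
"""Remediation-time report from a vulnerability scan export (added example)."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export. CVE ids are placeholders, not real advisories;
# the column layout is an assumption standing in for your scanner's export.
SAMPLE_EXPORT = """asset,cve,severity,detected,remediated
web-01,CVE-0000-0001,critical,2025-06-01,2025-06-05
web-01,CVE-0000-0002,high,2025-06-01,2025-06-20
db-01,CVE-0000-0003,critical,2025-06-10,
mail-01,CVE-0000-0004,medium,2025-05-15,2025-07-01
db-01,CVE-0000-0005,high,2025-06-12,2025-06-25
"""

# Assumed remediation deadlines in days per severity; set these to your policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def load_findings(text):
    """Parse the export; an empty 'remediated' field means the finding is still open."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["detected"] = date.fromisoformat(r["detected"])
        r["remediated"] = date.fromisoformat(r["remediated"]) if r["remediated"] else None
    return rows


def remediation_report(findings, as_of):
    """Per-severity totals, closure counts, mean days to fix, and SLA breaches.

    A closed finding breaches the SLA if it took longer than the deadline;
    an open finding breaches it once its age (as of `as_of`) passes the deadline.
    """
    buckets = defaultdict(lambda: {"total": 0, "closed": 0, "days": [],
                                   "sla_breaches": 0, "open_overdue": []})
    for f in findings:
        sev = f["severity"].lower()
        sla = SLA_DAYS.get(sev)
        b = buckets[sev]
        b["total"] += 1
        if f["remediated"] is not None:
            days = (f["remediated"] - f["detected"]).days
            b["closed"] += 1
            b["days"].append(days)
            if sla is not None and days > sla:
                b["sla_breaches"] += 1
        else:
            age = (as_of - f["detected"]).days
            if sla is not None and age > sla:
                b["sla_breaches"] += 1
                b["open_overdue"].append((f["asset"], f["cve"], age))

    summary = {}
    for sev, b in buckets.items():
        summary[sev] = {
            "total": b["total"],
            "closed": b["closed"],
            "mean_days_to_fix": sum(b["days"]) / len(b["days"]) if b["days"] else None,
            "sla_breaches": b["sla_breaches"],
            "open_overdue": b["open_overdue"],
        }
    return summary


def run_report(text=SAMPLE_EXPORT, as_of_iso="2025-07-15"):
    """Convenience entry point: export text plus a report date, as ISO strings."""
    return remediation_report(load_findings(text), date.fromisoformat(as_of_iso))


def render(summary):
    """Plain-text table suitable for dropping into an evidence package."""
    lines = [f"{'severity':<10}{'total':>6}{'closed':>8}{'mean days':>11}{'breaches':>10}"]
    for sev in ("critical", "high", "medium", "low"):
        if sev not in summary:
            continue
        s = summary[sev]
        mean = f"{s['mean_days_to_fix']:.1f}" if s["mean_days_to_fix"] is not None else "n/a"
        lines.append(f"{sev:<10}{s['total']:>6}{s['closed']:>8}{mean:>11}{s['sla_breaches']:>10}")
        for asset, cve, age in s["open_overdue"]:
            lines.append(f"    OPEN/OVERDUE {asset} {cve} ({age} days old)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(run_report()))
```

Run against the constructed export with a report date of 2025-07-15, the critical bucket shows one finding closed in 4 days and one still open at 35 days, which is the overdue item an underwriter would ask about. The report date matters: an open finding is only a breach relative to the day you measure, so record `as_of` alongside the table when you file it.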
Incident Response and Business Continuity:
Having a written incident response plan is one thing. Proving you’ve tested it—through tabletop exercises, drills, or simulated ransomware scenarios—is what convinces underwriters you’re serious.
Security Awareness Training:
Phishing remains a top entry vector. Insurers expect annual training at minimum, plus ongoing simulated phishing campaigns. Attendance logs and phishing test results can demonstrate maturity.
Third-Party Risk Management:
If your vendors handle sensitive data or have remote access into your systems, underwriters want to know what guardrails exist. Signed agreements with security clauses, vendor risk questionnaires, and periodic reviews all help.
Data Protection and Encryption:
Expect questions about whether sensitive data is encrypted at rest and in transit, how you classify data, and how long you retain it. If your business processes personal data subject to GDPR, HIPAA, or other regulations, prepare to show evidence of compliance.
Certifications and Audits:
External attestations such as SOC 2, ISO 27001, or penetration test reports provide objective validation of your controls. Underwriters take these seriously.
Evidence That Carries Weight With Underwriters
Possessing the right controls is step one. Proving them is step two. Underwriters aren’t impressed by vague assurances; they want hard evidence. Here’s what to assemble before submitting an application:
Policy Documents: Updated access control policies, device usage guidelines, data retention rules, and remote work standards. Each should be dated and signed off by leadership.
Technical Reports: Recent vulnerability scans, patch compliance reports, backup test logs, MFA enforcement screenshots, and EDR dashboards.
Training Records: Dates, topics, and participation rates for security awareness sessions. Phishing test statistics showing improvement over time.
Incident Response Playbooks: Written plans that define roles, escalation paths, and communication procedures. Bonus points if you include post-exercise reports.
Vendor Contracts: Agreements with your top suppliers showing breach notification requirements, audit rights, and security clauses.
Compliance Attestations: SOC 2 audit reports, PCI DSS certifications, HIPAA assessments, or ISO certificates if applicable.
The more tangible and recent your evidence, the more confidence an underwriter has that your controls aren’t just paper exercises.
Common Gaps That Lead to Higher Premiums
Many organizations believe they’re “covered” because they bought a tool or wrote a policy. But underwriters are trained to spot weak spots. These are the most common pitfalls:
- MFA deployed only for VPN but not for email or admin accounts
- Backup jobs configured but never tested for restorability
- Written incident response plans with no history of drills
- Vendor risk overlooked, with no contracts or assessments in place
- Training limited to new hire orientation, with no ongoing refreshers
- Policies last updated years ago with no sign of enforcement
These gaps don’t just increase premiums—they can trigger outright denials. Underwriters know that a control that looks good on paper but hasn’t been operationalized is almost as bad as not having it at all.
How to Structure Preparation Before Applying
Preparing for cyber insurance isn’t a weekend project. Think of it as a phased effort. Here’s a practical timeline:
Six to Twelve Months Ahead:
Conduct a full risk assessment. Inventory your data, vendors, and systems. Identify missing controls. Begin deploying MFA broadly, selecting an EDR platform, and upgrading backup systems if needed.
Three to Six Months Ahead:
Run internal and external vulnerability scans. Patch critical systems. Update policy documents. Conduct at least one backup restoration test. Launch security awareness training and phishing simulations. Secure updated agreements with critical vendors.
One to Three Months Ahead:
Compile evidence. Collect training logs, vulnerability scan reports, MFA screenshots, and vendor risk assessments. Run a tabletop exercise for your incident response plan and capture the report. Draft a summary of security improvements made in the past year.
Application Time:
Complete the insurance forms carefully and consistently. Underwriters often use external scans to validate your claims, so honesty matters. Submit your evidence package in an organized format—ideally a binder or digital folder with sections for policies, technical proof, training, and audits.
How Premiums and Coverage Are Decided
Understanding how underwriters translate your evidence into pricing helps you prioritize. Premiums are influenced by:
- Exposure Size: Revenue, number of employees, and data records handled
- Industry Risk: Highly regulated sectors like healthcare and finance pay more
- Control Maturity: The depth and operationalization of MFA, EDR, backups, etc.
- Incident History: Past breaches, and whether lessons were learned and controls improved
- Third-Party Dependencies: Heavy reliance on cloud or suppliers can increase exposure
- Regulatory Environment: GDPR, HIPAA, and other fines add to potential payouts

The more you demonstrate preparedness, the better your odds of lower premiums and broader coverage. Some insurers even adjust deductibles based on the maturity of your controls.
Where Cyber Insurance Is Heading
Looking ahead, underwriting will get even stricter. Expect to see:
- More emphasis on zero-trust architecture and network segmentation
- Supplemental ransomware questionnaires drilling into backups and incident response
- Greater scrutiny of remote work and BYOD practices
- Requirement for centralized logging, SIEM, and threat intelligence integration
- Closer review of supply chain risk, especially with SaaS vendors and cloud hosting
Underwriters know the threat environment is accelerating, and they’ll keep raising the bar. Businesses that treat cyber insurance prep as part of their security strategy—not an afterthought—will be better positioned.
Final Thoughts
Securing cyber insurance is no longer just a paperwork exercise. Underwriters want to see operational evidence of security controls that reduce both the likelihood and the impact of a cyber incident. By preparing detailed documentation, technical logs, and proof of regular testing, you show insurers that you take security seriously. That not only increases your chances of approval but can also lower your premiums and give you stronger coverage when you need it most.
For organizations without internal security teams, working with a trusted IT partner can make preparation much easier. Whether it’s setting up MFA across all critical systems, running vulnerability scans, or organizing incident response drills, external expertise can help you package the evidence underwriters expect. In the process, you’re not just chasing insurance approval—you’re building real resilience against the threats that matter.