Cyber Insurance Requirements: What Carriers Want and How to Qualify

Last updated March 2026

Cyber insurance was once a simple purchase. Fill out an application, pay a premium, and hope you never file a claim. Those days are gone. After absorbing massive ransomware losses from 2020 to 2023, carriers fundamentally restructured their approach. Today, cyber insurance is closer to an underwriting-driven risk assessment that evaluates your security controls as rigorously as a health insurer evaluates a patient’s medical history.

The result is that organizations with strong, documented security programs get coverage on favorable terms, while organizations with weak controls face denial, exclusions, or prohibitive premiums. Research shows that 82% of denied claims involved organizations that lacked MFA on critical systems, a control that carriers now consider non-negotiable.

This guide covers what carriers require, how the underwriting landscape is evolving, and how proactive security programs, particularly continuous offensive testing, help organizations qualify for better coverage at better prices.


The Baseline: What Every Carrier Requires

The insurance market has converged on a set of baseline controls that are effectively mandatory for coverage. Missing any of these will result in application denial or prohibitive pricing.

Multi-Factor Authentication

MFA on all remote access, email, privileged accounts, and administrative interfaces is the single most common requirement. Carriers have learned from claims data that organizations without MFA experience dramatically higher breach rates. Most carriers will not issue a policy without MFA verification.

Endpoint Detection and Response

Basic antivirus is no longer sufficient. Carriers require EDR (endpoint detection and response) solutions with active monitoring and response capabilities. EDR deployment should extend to all endpoints, including servers, workstations, and mobile devices that access corporate resources.

Vulnerability Management

A documented vulnerability management program with regular scanning and defined remediation timelines is required. Carriers want to see that you identify, prioritize, and remediate vulnerabilities systematically rather than reactively. Mean time to remediate (MTTR) metrics for critical findings demonstrate that your program produces results.

Email Security

Anti-phishing controls, email authentication (DMARC, DKIM, SPF), and employee security awareness training are standard requirements. Email remains the primary initial access vector for most threat actors, and carriers price accordingly.

Incident Response Plan

A documented and tested incident response plan is required, not just a plan that exists on paper. Carriers increasingly ask when the plan was last tested and whether the organization conducts tabletop exercises. Red team exercises and breach simulations that test response capabilities provide the strongest evidence of preparedness.

Backup and Recovery

Offline, tested backup capabilities are essential, particularly for ransomware coverage. Carriers want confirmation that backups exist, are stored separately from production systems, and have been tested for successful recovery.

Network Segmentation

Segmenting networks to limit lateral movement in the event of a compromise is increasingly required. Carriers understand that flat networks allow ransomware to spread rapidly, increasing both the probability and magnitude of claims.


Beyond the Baseline: What Differentiates Favorable Terms

Meeting baseline requirements gets you coverage. Exceeding them gets you better pricing, broader coverage, and fewer exclusions.

Continuous Security Testing

The most significant differentiator emerging in the insurance market is the distinction between annual and continuous security testing. An annual penetration test demonstrates point-in-time compliance. A continuous testing program demonstrates ongoing risk management.

Carriers are beginning to ask specifically about continuous testing:
– How frequently is testing conducted?
– Are findings validated through exploitation, or just scanner output?
– What is the mean time to remediate for critical findings?
– Is remediation verified through retesting?

The Praetorian Guard platform provides the continuous testing evidence that carriers value: validated findings, tracked remediation, and verified closure through retesting. This data directly supports favorable underwriting outcomes.

Attack Surface Management

Carriers recognize that you cannot secure what you do not know about. Organizations that maintain comprehensive attack surface visibility demonstrate awareness of their complete exposure, reducing the risk of breaches through unknown assets. External attack surface management is particularly valued because it covers the assets most accessible to external attackers.

Quantified Risk Data

Carriers increasingly value organizations that can articulate their risk in quantitative terms. Cyber risk quantification data demonstrates a mature risk management program and gives underwriters better data for pricing decisions. Organizations that present CRQ models backed by validated testing data demonstrate the highest level of risk awareness.

Third-Party Risk Management

With supply chain attacks rising, carriers evaluate third-party risk management programs as part of underwriting. A documented TPRM program that includes vendor assessments, continuous monitoring, and integration security testing demonstrates control over extended risk.

Zero Trust Architecture

Zero trust architecture principles, particularly identity verification, least privilege access, and microsegmentation, align with what carriers know reduces breach impact. Organizations implementing zero trust demonstrate architectural decisions that limit blast radius.


The Application Process

Cyber insurance applications have evolved from simple questionnaires to detailed security assessments. Understanding the process helps organizations prepare.

Pre-Application Preparation

Before engaging with carriers:

  1. Conduct an internal controls assessment. Verify that every baseline control is actually in place, not just documented. Many claim denials result from application misrepresentation where controls were claimed but not implemented.

  2. Gather documentation. Collect penetration test reports, vulnerability scan results, IR plan documentation, training records, and security metrics. Having this ready accelerates the application process.

  3. Know your data. Understand what sensitive data you hold, where it resides, and what regulatory frameworks apply. Carriers price based on data exposure, so accuracy here directly affects premiums.

Common Application Questions

Modern cyber insurance applications typically include questions about:

  • MFA deployment coverage and enforcement
  • EDR tool name and deployment percentage
  • Patch management cadence and SLA compliance
  • Penetration testing frequency and scope
  • Incident response plan testing date
  • Backup frequency, testing, and offline storage
  • Network segmentation approach
  • Privileged access management
  • Security awareness training program
  • Third-party risk management program
  • Cloud security controls
  • Data encryption (in transit and at rest)

Answer every question accurately. Misrepresentation on the application is the leading cause of claim denial.

Carrier Evaluation

Sophisticated carriers may request:
– Penetration test executive summaries
– External attack surface scan results
– Security architecture documentation
– Incident history
– Compliance certification status (SOC 2, ISO 27001, PCI DSS)

Some carriers conduct their own external scans of your infrastructure as part of the underwriting process.


Claims and Coverage: What to Know

Common Coverage Areas

Standard cyber insurance policies typically cover:

First-party costs: Incident response, forensic investigation, notification expenses, credit monitoring, business interruption, data recovery, and ransom payments (though some carriers now exclude or sublimit ransomware coverage).

Third-party costs: Legal defense, regulatory fines (where insurable), settlement costs, and privacy liability.

Common Exclusions

Understanding exclusions is as important as understanding coverage:

  • Acts of war: Some carriers invoke this exclusion for nation-state attacks, though this is increasingly contested
  • Prior known incidents: Incidents that occurred before the policy period
  • Failure to maintain controls: If you represented that MFA was deployed and it was not, claims related to MFA bypass may be denied
  • Unencrypted data: Some policies exclude breaches involving data that should have been encrypted per the policy terms
  • Social engineering fraud: Some policies require separate endorsements for wire transfer fraud and business email compromise

The Claims Process

When filing a claim:

  1. Notify immediately. Most policies require notification within 72 hours of discovering an incident. Late notification can result in coverage reduction.

  2. Use approved vendors. Many carriers require using their pre-approved IR firms and forensic investigators. Using unapproved vendors may result in non-reimbursement.

  3. Document everything. Maintain detailed records of response actions, costs, and decisions. Comprehensive documentation supports claims and reduces disputes.

  4. Coordinate with legal. Engage your legal team early to manage privilege and regulatory obligations alongside the claims process.


How Proactive Security Reduces Premiums

The relationship between security posture and insurance pricing is becoming more direct as carriers invest in more sophisticated risk modeling.

The Evidence Hierarchy

Carriers evaluate security evidence on a credibility spectrum:

| Evidence level | Example | Carrier value |
| --- | --- | --- |
| Self-attestation | “We have MFA” on the questionnaire | Baseline (required but lowest credibility) |
| Documentation | MFA deployment documentation and screenshots | Better |
| Certification | SOC 2 Type II, ISO 27001 | Good |
| Testing evidence | Annual penetration test report | Very good |
| Continuous validation | Ongoing testing with validated findings and verified remediation | Best |

Organizations that provide continuous validation evidence demonstrate the strongest risk management and receive the most favorable terms.

The Praetorian Advantage

The Praetorian Guard platform produces exactly the evidence carriers value most:

  • Continuous testing data showing ongoing vulnerability identification and validation
  • Verified remediation records confirming that findings are retested and closed
  • Attack surface visibility demonstrating comprehensive awareness of exposed assets
  • MTTR metrics showing rapid response to validated findings

This evidence portfolio positions organizations for the best available terms during renewal negotiations.


Preparing for Renewal

Cyber insurance renewal is an opportunity to demonstrate security improvements and negotiate better terms.

Before Renewal

  1. Compile security improvements made during the policy period
  2. Document testing results including validated findings and verified remediations
  3. Update your risk quantification using CRQ models to show financial risk reduction
  4. Address any incidents that occurred during the period with documented response and improvements
  5. Benchmark your premiums against market rates for your industry and risk profile

During Negotiation

Present your security program as an evolving capability, not a static state. Show trend improvements in key metrics: MTTR going down, coverage going up, validated exposures decreasing. Carriers that see an improving trend are more likely to offer favorable renewal terms.
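As an added example (not Praetorian's or this page's code), the Python below computes the two numbers the continuous-testing questions earlier in the guide and the trend advice above both turn on: MTTR for validated critical findings, counted only from verified (retested) closure, and the number of criticals still open because a fix was never retested. The findings, dates and quarter boundaries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    fid: str
    severity: str
    validated: bool           # confirmed by exploitation, not just scanner output
    opened: date              # date the finding was discovered
    verified: Optional[date]  # date a retest confirmed closure; None = still open

def verified_closure_days(f: Finding) -> Optional[int]:
    """Days from discovery to verified closure. A fix nobody retested is not closed."""
    return None if f.verified is None else (f.verified - f.opened).days

def mttr_critical(findings, start: date, end: date) -> Optional[float]:
    """Mean time to remediate validated criticals whose closure was verified in [start, end]."""
    days = [verified_closure_days(f) for f in findings
            if f.severity == "critical" and f.validated
            and f.verified is not None and start <= f.verified <= end]
    return round(mean(days), 1) if days else None

def open_validated_critical(findings, as_of: date) -> int:
    """Validated criticals discovered on or before as_of with no verified closure by then."""
    return sum(1 for f in findings
               if f.severity == "critical" and f.validated and f.opened <= as_of
               and (f.verified is None or f.verified > as_of))

def quarterly_trend(findings, quarters):
    """(label, MTTR in days, open validated criticals at quarter end) for each quarter."""
    return [(label, mttr_critical(findings, s, e), open_validated_critical(findings, e))
            for label, s, e in quarters]

# Constructed sample findings (hypothetical, not real data).
FINDINGS = [
    Finding("F-1", "critical", True,  date(2025, 1, 10), date(2025, 1, 25)),  # 15 days
    Finding("F-2", "critical", True,  date(2025, 2, 1),  date(2025, 3, 2)),   # 29 days
    Finding("F-3", "critical", False, date(2025, 2, 5),  date(2025, 2, 6)),   # scanner-only, excluded
    Finding("F-4", "critical", True,  date(2025, 4, 3),  date(2025, 4, 12)),  # 9 days
    Finding("F-5", "critical", True,  date(2025, 5, 10), None),               # fixed but never retested
]
QUARTERS = [("Q1", date(2025, 1, 1), date(2025, 3, 31)),
            ("Q2", date(2025, 4, 1), date(2025, 6, 30))]

if __name__ == "__main__":
    for label, mttr, still_open in quarterly_trend(FINDINGS, QUARTERS):
        print(f"{label}: MTTR(critical, validated) = {mttr} days; open validated criticals = {still_open}")
```

Note that F-5 keeps the open count at one for Q2 even though the team reported a fix, which is the distinction carriers are probing for when they ask whether remediation is verified through retesting.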


Frequently Asked Questions