Cyber Insurance
Carriers Are Tightening Cybersecurity Control Requirements
By: Rochelle Yoder, IT Director, and Thomas C. Yoder, J.D., Business Account Executive
As professionals working daily at the intersection of insurance and cybersecurity, we have seen firsthand how quickly the landscape is changing. Cybercriminals are becoming more sophisticated, and insurance carriers are responding with stronger, more detailed requirements for businesses seeking cyber coverage. In this article, we outline the most critical controls insurers are requiring today, explain why they matter, and share insights from our perspectives—one rooted in insurance underwriting and claims and the other grounded in practical cybersecurity implementation.
1. MULTI-FACTOR AUTHENTICATION: THE NON-NEGOTIABLE STARTING POINT
From the carrier side, multi-factor authentication (MFA) is the number one requirement. Insurers expect MFA for all remote network access, email accounts, and—just as importantly—privileged or administrative accounts. Without this, it’s nearly impossible to secure coverage.
From a cybersecurity standpoint, not all MFA is equal. SMS text messages and email-based codes are the weakest options: they can be intercepted through SIM swapping, a compromised inbox, or real-time phishing. Authenticator apps are stronger, but even a time-based code can be captured if a user types it into a fake login page that relays it to the real site. The strongest option is a phishing-resistant FIDO2 hardware security key (YubiKey is a popular brand): the key signs a challenge that is bound to the genuine site's origin, so there is no code to phish and the signature cannot be replayed from a lookalike domain.
To strengthen MFA, we recommend adding:
• Conditional Access Policies – such as blocking impossible travel (e.g., logins from Ohio and Virginia within 10 minutes),
• Geographic Restrictions – to prevent logins from high-risk regions
• Device Restrictions – allowing access only from company-owned and domain-joined computers
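The impossible-travel rule above is easy to state and worth seeing as detection logic. The following is an added example, not code from the article or from any identity provider: it assumes each sign-in event already carries a latitude and longitude (resolved by the identity provider or a GeoIP lookup), and the users, coordinates and timestamps are constructed. The threshold of 900 km/h is an assumption, chosen as roughly the speed of a commercial jet.

```python
"""Impossible-travel detection over sign-in events.

Added example, not code from the article. It assumes each sign-in event
already carries a latitude/longitude resolved by the identity provider or a
GeoIP lookup; the users, coordinates and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: faster than a commercial jet between two sign-ins is "impossible".
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    where: str  # human-readable location, used only in the alert text


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(earlier: SignIn, later: SignIn) -> float:
    """Speed the user would have needed to travel between two sign-ins."""
    distance = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.when - earlier.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp: only impossible if the locations actually differ.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive sign-ins in time order.

    Returns a list of (user, earlier, later, speed_kmh) for every pair that
    would have required travelling faster than max_kmh.
    """
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for earlier, later in zip(evs, evs[1:]):
            speed = implied_speed_kmh(earlier, later)
            if speed > max_kmh:
                alerts.append((user, earlier, later, speed))
    return alerts


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


COLUMBUS_OH = (39.9612, -82.9988)  # constructed sample coordinates
RICHMOND_VA = (37.5407, -77.4360)

# Constructed sign-in log. alice is the article's Ohio-to-Virginia-in-10-minutes
# case; bob makes the same trip in six hours; carol signs in twice from one place.
SAMPLE_EVENTS = [
    SignIn("alice", _utc(2024, 5, 6, 12, 0), *COLUMBUS_OH, "Columbus, OH"),
    SignIn("alice", _utc(2024, 5, 6, 12, 10), *RICHMOND_VA, "Richmond, VA"),
    SignIn("bob", _utc(2024, 5, 6, 9, 0), *COLUMBUS_OH, "Columbus, OH"),
    SignIn("bob", _utc(2024, 5, 6, 15, 0), *RICHMOND_VA, "Richmond, VA"),
    SignIn("carol", _utc(2024, 5, 6, 8, 30), *COLUMBUS_OH, "Columbus, OH"),
    SignIn("carol", _utc(2024, 5, 6, 8, 30), *COLUMBUS_OH, "Columbus, OH"),
]

if __name__ == "__main__":
    for user, a, b, speed in find_impossible_travel(SAMPLE_EVENTS):
        minutes = (b.when - a.when).total_seconds() / 60
        print(f"{user}: {a.where} -> {b.where} in {minutes:.0f} min implies {speed:.0f} km/h")
```

Only alice is flagged: Columbus to Richmond is about 550 km, which in ten minutes implies over 3,000 km/h, while bob's six-hour gap implies a drivable 90 km/h. In practice the same logic also has to tolerate VPN exits and mobile carrier geolocation, which is why commercial conditional-access products pair it with a risk score rather than a hard block.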
2. BACKUPS: AIR-GAPPED, CLOUD-BASED, AND TESTED
Backups are the second most important control carriers look for. Secure backups protect against ransomware, data corruption, and human error. Still, they only work if they are separated from the primary network. Air-gapped backups (kept off the main corporate network) or cloud-based backups with separate credentials are critical. Otherwise, attackers can encrypt or delete them before launching ransomware.
In our experience, carriers often prefer businesses that use multiple backup methods—for example, one local and one cloud. They also want to know that backups are password-protected, protected by MFA, reachable only with credentials that are separate from the domain administrator accounts, and tested regularly.
From a cybersecurity perspective, we advise businesses to:
• Verify Daily – that backups have occurred,
• Test Quarterly – by restoring files or servers,
• Use Immutable Backups – that cannot be altered once created.
These practices ensure backups will actually be there—and usable—in a crisis.
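"Verify daily" is the cheapest of the three practices to automate, and the failure modes that matter are a job that silently stopped running and a job that "succeeded" while writing almost nothing. The following is an added example, not code from the article or from any backup product: the log format and the log lines are constructed to resemble a generic agent's job log, and the regex is an assumption to adapt to the real product's output or API. It reports, per job, whether the last success is within 24 hours, which days had no successful run, and which successful runs were far smaller than the runs before them.

```python
"""Daily backup verification over a backup agent's job log.

Added example, not code from the article. The log format and the lines below
are constructed to resemble a generic agent's job log; the regex is an
assumption to adapt to the real product's output (or to its API).
"""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) job=(?P<job>\S+) "
    r"status=(?P<status>\w+)(?: bytes=(?P<bytes>\d+))?"
)

# Constructed sample: one failed run, one night with no run at all, and a final
# run that "succeeded" but wrote almost nothing.
SAMPLE_LOG = """\
2024-05-01T02:03:11Z job=nightly-fileserver status=success bytes=812345678
2024-05-02T02:02:54Z job=nightly-fileserver status=success bytes=812901234
2024-05-03T02:10:40Z job=nightly-fileserver status=failed error=destination-unreachable
2024-05-04T02:01:09Z job=nightly-fileserver status=success bytes=813002211
2024-05-06T02:04:30Z job=nightly-fileserver status=success bytes=120
"""

# Constructed "current time" for the sample run.
NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)


def parse_log(text: str):
    """Return a list of (timestamp, job, status, bytes_or_None) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore chatter the agent writes between job records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        size = int(m["bytes"]) if m["bytes"] else None
        entries.append((ts, m["job"], m["status"], size))
    return entries


def verify_backups(entries, now: datetime, max_age=timedelta(hours=24), shrink_ratio=0.5):
    """Per job: is the last success recent, which days had no success, and which
    successful runs were suspiciously small compared with the runs before them.

    Assumes every job is scheduled daily; a weekly job would need its own cadence.
    """
    report = {}
    for job in sorted({e[1] for e in entries}):
        successes = sorted((ts, size) for ts, j, status, size in entries
                           if j == job and status == "success")
        if not successes:
            report[job] = {"fresh": False, "last_success": None,
                           "missing_days": [], "size_anomalies": []}
            continue
        last_ts = successes[-1][0]
        days_with_success = {ts.date() for ts, _ in successes}
        # Gaps inside the observed window; the freshness flag covers the tail.
        missing, day = [], min(days_with_success)
        while day <= last_ts.date():
            if day not in days_with_success:
                missing.append(day.isoformat())
            day += timedelta(days=1)
        # A run much smaller than the average of earlier runs is a partial or empty backup.
        anomalies, seen_sizes = [], []
        for ts, size in successes:
            if size is None:
                continue
            if seen_sizes and size < shrink_ratio * (sum(seen_sizes) / len(seen_sizes)):
                anomalies.append(ts.date().isoformat())
            seen_sizes.append(size)
        report[job] = {"fresh": now - last_ts <= max_age,
                       "last_success": last_ts.isoformat(),
                       "missing_days": missing,
                       "size_anomalies": anomalies}
    return report


if __name__ == "__main__":
    for job, result in verify_backups(parse_log(SAMPLE_LOG), NOW).items():
        print(job, result)
```

Run against the sample, the nightly job is "fresh" (the last success is ten hours old), but the report lists 2024-05-03 and 2024-05-05 as days with no successful run and flags 2024-05-06 because 120 bytes is nowhere near the usual 800 MB. A check like this does not replace the quarterly restore test; it catches the silent failure between tests.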
3. ENDPOINT DETECTION AND RESPONSE
Traditional antivirus software is not enough. Carriers are increasingly requiring Endpoint Detection and Response (EDR), which does not just detect threats but also actively blocks or quarantines them.
Depending on size and industry, businesses may also need:
• Managed Detection and Response (MDR) – a 24/7 outsourced security team that monitors and responds in real time.
• Extended Detection and Response (XDR) – which covers endpoints, as well as networks, cloud environments, and email systems.
4. EMAIL FILTERING AND IMPERSONATION PROTECTION
Email remains the number one attack vector. Basic filtering reduces spam and blocks obvious malicious attachments or links, but dealing with today’s threats is far more complex.
We suggest advanced filtering that includes impersonation protection and AI-driven analysis to detect lookalike domains, fake invoices, and gift-card scams. Insurers may not always require this for smaller businesses, but as revenue grows, so does the expectation for stronger filtering.
The challenge lies in balance: Some employees will complain that filters are too strict, others not strict enough. This makes fine-tuning, education, and ongoing adjustments necessary.
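Lookalike-domain detection is the one piece of the "impersonation protection" above that is simple enough to show end to end, and it also illustrates the tuning problem: the edit-distance threshold decides how many legitimate senders get caught. The following is an added example, not code from the article or from any mail-filtering product. The protected brand list and the sample sender domains are constructed; a real deployment would take the domain from the parsed From: header after SPF/DKIM/DMARC evaluation, and would use the public suffix list to find the registrable label instead of the naive "second label from the right" assumption used here.

```python
"""Lookalike-domain detection for inbound sender domains.

Added example, not code from the article. The protected brand list and the
sample sender domains are constructed. Assumptions: the registrable label is
the second label from the right (no public suffix list), and the homoglyph
table is a small hand-picked set.
"""
import unicodedata

# Visually confusable substitutions; multi-character keys first so "rn" becomes
# "m" before single characters are touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("@", "a")]

# Constructed list of domains the organisation wants to protect from spoofing.
PROTECTED = ["paypal.com", "microsoft.com", "yourcompany.com"]


def decode_label(label: str) -> str:
    """Turn a punycode (xn--) label back into Unicode; leave ASCII labels alone."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def fold(label: str) -> str:
    """Reduce a label to a plain-ASCII skeleton for comparison.

    Characters with no ASCII decomposition (e.g. Cyrillic a) are dropped, which
    still leaves the skeleton within one edit of the brand it imitates.
    """
    s = unicodedata.normalize("NFKD", decode_label(label))
    s = s.encode("ascii", "ignore").decode().lower()
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(sender_domain: str, protected=PROTECTED):
    """Return (verdict, reason) with verdict 'legitimate', 'lookalike' or 'unrelated'."""
    sender = sender_domain.lower().rstrip(".")
    for brand in protected:
        if sender == brand or sender.endswith("." + brand):
            return "legitimate", f"exact match or subdomain of {brand}"
    labels = sender.split(".")
    skeleton = fold(registrable_label(sender))
    for brand in protected:
        brand_label = registrable_label(brand)
        if skeleton == brand_label:
            return "lookalike", f"homoglyph of {brand}"
        # Short brand labels need a tighter threshold or every four-letter word matches.
        max_edits = 1 if len(brand_label) < 6 else 2
        if levenshtein(skeleton, brand_label) <= max_edits:
            return "lookalike", f"typosquat of {brand}"
        if brand_label in skeleton.split("-"):
            return "lookalike", f"brand name with an affix, imitating {brand}"
        if brand_label in [fold(l) for l in labels[:-2]]:
            return "lookalike", f"brand name used as a subdomain, imitating {brand}"
    return "unrelated", "no protected brand within threshold"


# Constructed samples; the IDN case is built at runtime from a Cyrillic 'a'.
IDN_SAMPLE = "p\u0430ypal".encode("idna").decode("ascii") + ".com"
SAMPLES = ["paypal.com", "mail.microsoft.com", "paypa1.com", "rnicrosoft.com",
           "micros0ft.com", "microsfot.com", "paypal-billing.com",
           "paypal.com.evil.net", IDN_SAMPLE, "github.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:28} {classify(d)}")
```

The short-label rule is where the balance the article describes gets decided: with a two-edit threshold a brand called "acme" would flag "acne" and "acre", so the threshold drops to one edit for labels under six characters. Every such constant is a tuning decision that will generate either complaints about blocked mail or complaints about missed fakes.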
5. ENCRYPTION OF DATA AT REST
If your business stores large amounts of PII (personally identifiable information), PHI (protected health information, regulated under HIPAA), or payment card data (regulated under PCI DSS), insurers will require encryption at rest.
Fortunately, many tools are built in. Microsoft BitLocker, for instance, ships with the Pro and Enterprise editions of Windows and prevents data theft from a laptop that is lost or stolen while powered off; it does nothing against an attacker who is already inside a logged-in session. Escrow the recovery keys (in Active Directory, Entra ID, or your device-management tool), because a lost recovery key means the data is unrecoverable for you as well. Similarly, mobile devices have built-in encryption tied to the passcode or biometric unlock.
6. EMPLOYEE TRAINING AGAINST PHISHING AND SOCIAL ENGINEERING
More than 70% of breaches are caused by social engineering. Carriers know this, which is why they expect businesses to have employee training programs in place. Quarterly training is ideal, but culture is more important than frequency. Training must be supported by leadership—if executives do not follow the rules, employees will not either.
WE RECOMMEND:
• Simulated phishing campaigns, followed by immediate feedback
• Policies requiring out-of-band verification of all payment or banking changes, by phone to a number already on file (never to a number taken from the email that requested the change)
• Incentives for departments that pass phishing simulations
Ultimately, people are the last line of defense, and training is critical.
7. CARRIER TESTING AND PROACTIVE UNDERWRITING
A major trend we are seeing is insurers conducting their own external vulnerability scans and penetration tests during underwriting. This lets them check that the answers on applications match reality.
We strongly support this shift. Too often, smaller companies guess when completing questionnaires. External scans give both the carrier and the business a clearer picture of risks.
8. PATCH AND UPDATE MANAGEMENT
While sometimes overlooked, patching policies are something insurers are asking more about. They want to know the following: How quickly do you apply emergency patches? How often do you update systems? From our perspective, emergency patches for actively exploited vulnerabilities should be applied as soon as they are available. Regular updates should be weekly or biweekly and never less than monthly.
9. BEYOND MINIMUM REQUIREMENTS
Meeting carrier requirements is essential, but going further improves resilience and often reduces premiums.
WE RECOMMEND:
• Single Sign-On (SSO)– for centralized logins and audit logs
• Conditional Access Policies – tied to geography and device compliance
• Regular Audits – to ensure MFA stays active
• Data Retention Policies – to delete unneeded sensitive information
• Centralized Logging – to streamline breach investigation
10. THE HUMAN FACTOR AND THE LIMITS OF CONTROL
Despite all controls, there’s no such thing as 100% protection. People remain the biggest vulnerability. We liken cybersecurity to fire prevention: You can install alarms, sprinklers, and noncombustible materials, but human error can still cause a fire. The goal is not perfection but resilience—reducing risk and ensuring rapid recovery when incidents occur.
FINAL THOUGHTS: PRACTICAL ADVICE FOR BUSINESSES
1. Don’t Guess on Applications – inaccurate answers can lead to denied claims.
2. Prioritize MFA and Backups – these are the top requirements.
3. Test Regularly – include backups and phishing simulations.
4. Build a Culture of Security – leadership must lead by example.
5. Treat All Systems As Entry Points – don’t forget systems without regulated data.
6. You Don’t Always Need New Software – sometimes turning on the protections you already have is all it takes.
For small businesses especially, the path to coverage may feel daunting. But as Tom often reminds clients: “You don’t need an in-house IT department to qualify. Having the basics in place—MFA, secure backups, and regular updates—can be enough.”
From our combined perspectives in insurance and cybersecurity, one truth is clear: Insurers are not just underwriting risk anymore. They are driving businesses toward stronger, more consistent, and more verifiable cyber practices. For policyholders, meeting these requirements isn’t just about coverage—it’s about survival in today’s digital threat environment.