
Cyber-insurance readiness

You qualify, you bind, and your claim is not denied later.

Carriers no longer take your word for it. They ask which controls you run, and if a claim later shows you did not have one you attested to, they can refuse to pay. I put the required controls genuinely in place, document them, and help you answer the application honestly, so the policy holds when you need it.

What carriers actually check

The application is a controls checklist. Nearly every cyber-insurance application now asks specifically about multi-factor authentication (Marsh), and the rest of the list is consistent across carriers. These are the ones that gate whether you can bind.

Identity

Enforced multi-factor authentication

A second check beyond the password on email, on remote access, and on administrator accounts. Carriers ask about MFA more than any other control, and many will not quote at all without it. A stolen password alone goes nowhere.

Email

Email authentication and anti-phishing

Inbound filtering plus enforced SPF, DKIM, and DMARC so spoofed mail is rejected. Most intrusions and most funds-transfer losses begin with a phishing email, so the application asks how your mail is protected.

Detection

Endpoint detection and response (EDR)

Software on every computer and server that watches for malicious behavior, not just known viruses, and can isolate a machine that looks compromised. Carriers increasingly treat consumer antivirus alone as not enough.

Recovery

Encrypted, tested backup

Backups kept offline or in a form that cannot be altered or deleted, with restore tests that prove they actually work. This is what lets you recover from ransomware without paying, and untested backups fail at the worst moment.

Access

Access controls and least privilege

Each person has their own account with only the access their job needs, admin rights are limited and kept separate from daily use, and access is removed when someone leaves. It limits how far one compromised account can reach.

For a plain-English walk through each control and why the insurer asks for it, see the free cyber-insurance requirements explorer.

The gap that gets a claim denied

Underwriting has moved from a checked box to evidence. Carriers now want exports and proof of working controls, not a self-attestation, and the gap that hurts is the space between what you said on the application and what was actually running the day of the incident.

That gap is concrete. Funds-transfer fraud and business email compromise make up the largest share of cyber claims, around 56 percent, at roughly 100,000 dollars in average loss (Coalition 2024 Cyber Claims Report). If a carrier reviews the claim and finds a control you attested to was not in place, the policy you have been paying for can be denied, or even rescinded. A denied claim means you eat the whole loss yourself, after also paying every premium.

It is not hypothetical. In Travelers v. International Control Services (2022), an insurer obtained rescission of a policy after the insured was alleged to have misrepresented its multi-factor authentication. The fix is calm and cheap next to that outcome: make every attested control genuinely true, and keep the evidence that proves it.

The same controls do double duty. They are the ones that stop a fraudulent wire from clearing, so this work protects the money and the policy at the same time.

What I deliver

A gap assessment

I take the controls the carrier asks about, check each one against how your office actually runs today, and hand you written findings: what is in place, what is missing, and what to fix before you sign the application. It is a fixed, bounded first step, not a rip-and-replace.

An underwriting-evidence pack

Once the gaps are closed, I assemble the proof a carrier now expects: documentation that MFA is enforced, that email authentication is set to reject spoofed mail, that EDR is deployed, and that backups are tested. You answer the questionnaire honestly with the evidence sitting behind every answer.

An ongoing layer that keeps it true

Controls drift. A setting gets changed, a new laptop skips EDR, a backup quietly stops running. The recurring layer keeps the attested controls in place and the evidence current between renewals, so the policy you bound this year is still the policy you can claim on next year.

Ready versus not ready

| Stage | Not ready | Ready |
| --- | --- | --- |
| Qualify | A missing required control means the carrier will not quote. | The required controls are in place, so you get a quote. |
| Bind | You guess on the questionnaire and hope the answers hold. | You answer honestly because every answer is documented. |
| Claim | A look back finds a gap, the claim is denied, you eat the loss. | The evidence matches the attestation, so the claim stands. |

Common questions

Three things, in plain terms: you can answer the carrier questionnaire honestly and qualify, you can bind the policy because the controls they require are genuinely in place, and you keep written evidence so a claim is not denied later over a control you attested to. It is not about a cheaper premium. It is about being insurable and staying covered when you need to file.

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.

Get a free wire-fraud and insurability review

I check the controls a carrier would ask about against how your office runs today, show you where the gaps are, and give you written findings. No commitment, yours to keep.
