The Cyber Insurance Requirements Checklist

Notes on CMMC, compliance, security, and accessible technology.

A few years ago, getting cyber insurance meant filling out a short form and writing a check. Not anymore. After a wave of ransomware payouts, insurers tightened up — and now they require specific security controls before they'll write a policy, and they'll deny claims if you weren't actually running them.

If your security rests on a single internal IT person, this checklist is where they most often need backup. Here's what carriers are asking for.

The Non-Negotiables

Almost every carrier now requires these. Missing any one can mean denial or a much higher premium:

  • Multi-Factor Authentication (MFA) — on email, remote access (VPN/RDP), and admin accounts. This is the #1 item carriers check.
  • Endpoint Detection & Response (EDR/MDR) — not just legacy antivirus. Carriers want active detection and response, often 24/7.
  • Tested, off-site backups — following a 3-2-1 strategy (three copies, on two different media, one of them off-site), with restores actually tested and the test dated. Backups that can't be restored don't count.
  • Email security & filtering — phishing is the top initial-access vector, so carriers want gateway filtering and anti-spoofing (SPF/DKIM/DMARC). A DMARC record set to p=none only monitors; carriers generally expect an enforcing policy (quarantine or reject).
  • Security awareness training — documented, recurring training with phishing simulations.
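To make the email anti-spoofing item concrete, here is an added example (not part of the original post) that parses SPF and DMARC TXT records and flags the weak settings a questionnaire is really asking about: a permissive or missing `all` mechanism, too many DNS-lookup terms, a monitoring-only DMARC policy, partial `pct`, and no reporting address. The two domains and their records are constructed samples embedded in the script; in practice you would fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` from DNS and feed them in. DKIM is left out because its keys live under per-sender selector names that cannot be enumerated from the domain alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample TXT records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example a mx ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

Finding = Tuple[str, str]  # (severity, message)


def assess_spf(record: str) -> List[Finding]:
    """Return findings for one SPF record string (empty list means no issues found)."""
    findings: List[Finding] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "SPF: record missing or does not start with v=spf1")]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # A term is [qualifier]mechanism[:value], mechanism/cidr, or modifier=value.
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", term, re.I)
        if not m:
            findings.append(("medium", f"SPF: unparseable term {term!r}"))
            continue
        qualifier, name, _value = m.groups()
        name = name.lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier or "+"  # a bare 'all' means '+all'
    if all_qualifier is None:
        findings.append(("high", "SPF: no terminal 'all' mechanism; unlisted senders are not rejected"))
    elif all_qualifier == "+":
        findings.append(("high", "SPF: '+all' authorizes every sender (anyone can spoof the domain)"))
    elif all_qualifier in ("~", "?"):
        findings.append(("medium", f"SPF: '{all_qualifier}all' is softfail/neutral only; prefer '-all'"))
    if lookups > 10:
        findings.append(("high", f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    return findings


def assess_dmarc(record: str) -> List[Finding]:
    """Return findings for one DMARC record string (empty list means no issues found)."""
    findings: List[Finding] = []
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [("high", "DMARC: record missing or does not start with v=DMARC1")]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "DMARC: p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "DMARC: p=quarantine; move to p=reject once reports are clean"))
    elif policy != "reject":
        findings.append(("high", f"DMARC: missing or invalid policy tag p={policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("medium", f"DMARC: pct={pct} applies the policy to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(("medium", "DMARC: no rua= address, so no aggregate reports to evidence the control"))
    return findings


def assess_domain(records: Dict[str, str]) -> List[Finding]:
    """Combine SPF and DMARC findings for one domain's TXT records."""
    return assess_spf(records.get("spf", "")) + assess_dmarc(records.get("dmarc", ""))


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(f"{domain}:")
        for severity, message in assess_domain(records) or [("ok", "no issues found")]:
            print(f"  [{severity}] {message}")
```

The severities are a judgement call, but the ordering matches what matters to a claim: `+all` or `p=none` means the control is on paper only, while a softfail or a partial `pct` means it exists but is not enforced. Keep the script's output with your renewal evidence, dated, so the record of the control operating is continuous rather than a snapshot at application time.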

The Increasingly-Common Asks

  • Privileged access management — limiting and monitoring admin rights.
  • Network segmentation — so one compromised machine can't reach everything.
  • Patch & vulnerability management — a documented cadence, not "we update when we remember."
  • Incident response plan — written, and ideally tested.
  • Logging & monitoring (SIEM) — visibility into what's happening across your environment.

Why the Wording Matters

Two things get businesses in trouble: claiming a control on the application that they don't actually run (a fast path to a denied claim), and treating the application as a one-time event. These controls need to be operating and documented continuously — which is exactly the kind of thing that slips when a one-person IT team is stretched thin.

How We Help

This checklist maps almost one-to-one onto our Co-Managed IT security stack. We can stand up MFA, EDR/MDR, backups, and the documentation carriers want — working alongside your internal team, not replacing them — and keep the evidence current so renewals are painless.

Next Step

Not sure where you stand against your carrier's requirements? Request a free IT assessment and we'll show you the gaps before your renewal does.

Ready to get CMMC-ready, secure, and supported?

We implement and maintain the controls — independent assessors verify them.