Cyber insurance is no longer a form you fill out and a premium you pay. Before a carrier will quote a policy in 2026, an underwriter checks whether your business actually runs a specific set of security controls—and increasingly asks you to prove it with screenshots and reports, not just tick a box. Get the controls wrong and you face a higher premium, a coverage exclusion, or a flat declination.
The shift is driven by claims. Ransomware was present in 44% of data breaches in Verizon's 2025 Data Breach Investigations Report, up from 32% the year before, and it appeared in 88% of breaches at small and mid-sized businesses. Insurers responded by turning the application into what amounts to a technical audit.
This is the practical companion to our overview of what cyber insurance covers and why your business needs it. Here we focus on one thing: the checklist an underwriter runs before they put a number on the table.
What do cyber insurers actually check before quoting a policy?
Underwriters check whether you enforce a defined set of security controls—multi-factor authentication, endpoint detection and response, tested offline backups, and a written incident response plan chief among them—and whether you can produce evidence for each. Missing controls do not just raise your premium; they can make a carrier decline to quote at all.
The reasoning is straightforward. A cyber policy is a bet that you will not suffer a catastrophic claim. Every control the underwriter checks maps to a common way ransomware and business email compromise actually succeed. When the controls are present and documented, the carrier prices a manageable risk. When they are absent, the carrier is being asked to underwrite the outcome of a breach it can already see coming.
The security controls underwriters treat as non-negotiable
Four controls now form the floor for most carriers: enforced multi-factor authentication, endpoint detection and response, tested and isolated backups, and a written incident response plan. Meeting these does not guarantee a low premium, but failing any one of them is the fastest way to be declined or heavily surcharged.
Multi-factor authentication (MFA), enforced everywhere that matters
MFA is the single most-scrutinized control. Underwriters want it enforced on email, remote access (VPN and RDP), cloud administrative consoles, and all privileged accounts, not merely "available" to users who opt in. Enforced also means closing the side doors: legacy authentication protocols such as basic-auth IMAP, POP, and SMTP AUTH skip MFA entirely, so they need to be disabled rather than left running alongside it. Text-message codes are increasingly treated as weak; carriers prefer app-based authenticators or, better, phishing-resistant methods such as hardware security keys and passkeys, a distinction we cover in our guide to MFA bypass and phishing-resistant authentication. Expect to supply an enrollment report from your identity provider showing which accounts are covered, which are exempt, and why. Break-glass and service accounts are the usual exemptions, and each one should carry a written justification and a compensating control, because the exemption list is the first thing an underwriter reads after the coverage percentage.
Endpoint detection and response (EDR), on servers and workstations
Traditional signature-based antivirus no longer satisfies most carriers. Underwriters look for endpoint detection and response with behavioral detection and the ability to isolate a compromised device from the network, deployed across servers and workstations, not a subset. Many carriers now ask whether the tool is managed: a managed detection and response (MDR) service with 24/7 monitoring generally earns better terms than an unmonitored console. Be ready to show a coverage report confirming agents are installed and healthy on every device. One caveat: an EDR console only knows about machines that have an agent, so reconcile its device list against an independent asset inventory (your directory, a network scan, or your MDM) before calling coverage complete.
Tested, isolated, and immutable backups
Backups are what let a business refuse a ransom, so underwriters probe them hard. The questions go beyond "do you back up?" to whether copies are stored offline or in immutable storage that an attacker holding your administrator credentials cannot delete or encrypt, whether the backup system uses credentials separate from the domain, and whether you have actually tested a restore. This scrutiny is well founded: backups are a primary target in modern attacks, which is why we wrote a full guide on how to ransom-proof your backups. Documented restore tests are the evidence carriers want to see, and a useful test record captures more than a pass: what was restored, from which copy, whether the restored data verified against what was backed up, and how long it took.
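As an added example (not code from the article), the script below is the shape of restore test that produces the record described above. It restores a backup archive into an isolated scratch directory, verifies every file against a SHA-256 manifest captured at backup time, measures how long the restore took, and writes a dated JSON record. The source files and the archive are constructed in a temporary directory so it runs offline; the file names, the manifest format and the `run_demo` helper are assumptions made for the example, not any backup product's format. The `tamper=True` path shows the failure mode: a backup that no longer matches what the manifest says was captured.

```python
"""Run a backup restore test and record the result as evidence.

Added example, not from the original article. Sample data and archive
are constructed in a temporary directory; the manifest format and the
helper names are assumptions for illustration only.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return {relative path: sha256}
    captured at backup time. Store the manifest apart from the archive
    (ideally in the immutable tier), or it proves nothing."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, scratch: Path) -> dict:
    """Restore into an isolated scratch directory, check every file against
    the manifest, and return the dated record to keep as evidence."""
    started = time.monotonic()
    root = os.path.realpath(scratch)
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:  # refuse archives whose entries escape the scratch dir
            dest = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, dest]) != root:
                raise ValueError(f"unsafe path in archive: {m.name}")
        tar.extractall(scratch, members=members)
    missing = [rel for rel in manifest if not (scratch / rel).is_file()]
    mismatched = [rel for rel in manifest
                  if rel not in missing and sha256_file(scratch / rel) != manifest[rel]]
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "restore_seconds": round(time.monotonic() - started, 3),
        "result": "PASS" if not (missing or mismatched) else "FAIL",
    }


def run_demo(tamper: bool = False) -> dict:
    """End-to-end run on constructed data. With tamper=True the archive is
    rebuilt after one source file changed while the manifest is left as
    captured, so the restore verifies against stale expectations and fails."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, scratch = tmp / "live", tmp / "restore-test"
        for rel, body in {  # constructed sample data, not real records
            "data/ledger.csv": "id,amount\n1,100\n2,250\n",
            "data/customers.json": '[{"id": 1, "name": "ACME"}]\n',
            "config/app.ini": "[app]\nmode=prod\n",
        }.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(body)
        archive = tmp / "nightly.tar.gz"
        manifest = make_backup(source, archive)
        if tamper:
            (source / "data/ledger.csv").write_text("id,amount\n1,100\n")
            make_backup(source, archive)  # archive now differs from the manifest
        scratch.mkdir()
        record = restore_and_verify(archive, manifest, scratch)
        (tmp / "restore-test-record.json").write_text(json.dumps(record, indent=2))
        return record


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The record is what you attach to the application: a timestamp, the file counts, the elapsed time, and a PASS or FAIL that is backed by hashes rather than by someone's recollection that "it looked fine". Keep each run's record; a run of dated PASS results over several months is far more persuasive than a single one.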
A written incident response plan
Carriers want proof that if an incident occurs, your business knows what to do in the first hours—who is called, who decides, how systems are isolated, and how the insurer's breach team is engaged. A plan that exists only in someone's head does not count. As we argue in incident response planning before something happens, the value is in having written and rehearsed it before the crisis, not during it.
What underwriters check beyond the "big four"
Once the core controls are satisfied, underwriters look at a second tier that shapes your premium and terms. None of these alone will typically sink an application, but weakness across several of them signals an immature security program and pushes your price up. The most common items:
- Patch and vulnerability management. How quickly you apply critical security updates, especially to internet-facing systems. Unpatched remote-access appliances are a leading entry point for ransomware.
- Remote access hygiene. Whether Remote Desktop Protocol (RDP) is exposed to the internet and how VPN access is secured. Coalition's threat research has repeatedly tied ransomware intrusions to compromised VPN and remote-access credentials. Scan your own public IP ranges before you apply; an exposed RDP port or VPN portal is visible to anyone who looks.
- Privileged access management. How administrator accounts are limited, separated from daily-use accounts, and monitored.
- Email security. Filtering, anti-phishing controls, and authentication standards (SPF, DKIM, DMARC) that reduce business email compromise, still one of the costliest claim types. Note that a DMARC record published with p=none only reports on spoofing; only a quarantine or reject policy actually blocks it, and an SPF record that ends in ?all or has no terminal all mechanism authorizes no one and everyone.
- Security awareness training. Whether staff receive regular phishing and social-engineering training, and whether you test it.
- Vendor and supply-chain risk. Which third parties touch your data and whether you review their security—an area explored in our look at third-party vendor risk from an SMB perspective. For key vendors, expect questions about SOC 2 reports.
- Encryption and data handling. Whether sensitive data is encrypted at rest and in transit, and how much regulated data (health, payment, personal) you hold.
These map cleanly onto frameworks your business may already reference: the CCCS Baseline Cyber Security Controls and PIPEDA obligations in Canada, and NIST SP 800-171, the CIS Controls, and the FTC Safeguards Rule in the United States. An underwriter's questionnaire is, in effect, a plain-language version of the same expectations.
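The email security item above is the one second-tier control you can check yourself in minutes, because the records are public. The script below, an added example rather than code from the article, grades SPF and DMARC records the way a reviewer would: a terminal `-all`, an enforcing `p=reject` at 100% with no subdomain gap, and no more than ten lookup-triggering SPF terms. It runs offline on records constructed for fictional domains; in practice you would fetch the TXT records for the domain and for `_dmarc.<domain>` (for instance with the `dnspython` package) and pass the same strings in. DKIM is not graded because its keys live under per-selector names that a single lookup cannot enumerate.

```python
"""Grade a domain's published SPF and DMARC records, offline.

Added example, not code from the article. The sample records are
constructed for fictional domains; the grade labels are this example's
own vocabulary, not any carrier's.
"""
import re

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 section 4.6.4
# allows at most 10, after which receivers evaluate the record as permerror.
LOOKUP_TERMS = re.compile(
    r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "terms": [], "all": None, "lookups": 0}
    all_qualifier = None
    for t in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # bare 'all' means +all
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERMS.match(t))
    return {"valid": True, "terms": terms[1:], "all": all_qualifier, "lookups": lookups}


def grade_spf(record: str) -> str:
    spf = parse_spf(record)
    if not spf["valid"]:
        return "missing"
    if spf["lookups"] > 10:
        return "broken"          # too many lookups: receivers return permerror
    if spf["all"] in (None, "+", "?"):
        return "weak"            # no terminal all, or pass/neutral for everyone
    if spf["all"] == "~":
        return "softfail"        # ~all: spoofed mail is marked, not rejected
    return "strong"              # -all


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def grade_dmarc(record: str) -> str:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor-only"    # reports on spoofing, blocks nothing
    if policy == "quarantine" or pct < 100 or sub_policy == "none":
        return "partial"         # enforcing, but with a gap an attacker can use
    return "enforcing"           # p=reject at 100% for domain and subdomains


def assess(spf_record: str, dmarc_record: str) -> dict:
    return {"spf": grade_spf(spf_record), "dmarc": grade_dmarc(dmarc_record)}


SAMPLE_RECORDS = {  # constructed; not real domains' records
    "weak.example": ("v=spf1 include:_spf.example.net ?all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "partial.example": ("v=spf1 mx a:mail.partial.example ~all",
                        "v=DMARC1; p=reject; pct=50; sp=none"),
    "strong.example": ("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
                       "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(domain, assess(spf, dmarc))
```

The "partial" grade is the one worth explaining on an application: `p=reject` with `pct=50` or `sp=none` reads as enforcement on paper, but half of spoofed mail (or all spoofed mail from a subdomain) still gets through.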
Why underwriting got this strict
Underwriting tightened because ransomware losses forced it to. When carriers paid out on breaches that basic controls would have prevented, they rewrote applications to verify those controls up front. The application is now a screening tool designed to filter out the risks most likely to become expensive claims.
The loss data explains the posture. Coalition's 2026 Cyber Claims Report found that initial ransom demands surged 47% year over year in 2025, and that dual-extortion attacks—where criminals both encrypt systems and steal data to threaten publication—made up roughly 70% of ransomware claims. There is a hopeful counterpoint: a record 86% of affected businesses refused to pay, which Coalition attributes largely to viable backups and incident response plans. That is precisely why those two controls sit at the top of every underwriter's checklist—they are what turns a potential total loss into a recoverable event.
What documentation you'll need to hand over
Modern applications increasingly ask you to attach evidence, not just answer yes or no. Preparing these artifacts before you apply speeds up underwriting and avoids weeks of back-and-forth. Have the following ready:
- MFA enrollment export from your identity provider (for example, Microsoft Entra ID, Okta, or Duo) showing total accounts, accounts with MFA, and any exemptions.
- EDR/MDR coverage report listing protected endpoints and confirming agents are healthy across servers and workstations.
- Backup configuration and a recent restore-test record showing offline or immutable copies and a successful recovery.
- Your written incident response plan, ideally with a date of last review or tabletop exercise.
- Evidence of email security and patching cadence, such as filtering policies and a patch-management summary.
Insurers use these to confirm your protection is real and not a policy on paper. Misrepresenting a control on the application is worse than admitting a gap: an inaccurate answer can give the carrier grounds to reduce or deny a claim later, when it matters most.
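The MFA enrollment export is the first artifact in the list above and the one underwriters read most closely, so here is an added example (not code from the article) of turning a raw export into the summary they want: total accounts, accounts enrolled, documented exemptions, and the exceptions they will ask about next, namely privileged accounts without phishing-resistant MFA and accounts that only have SMS or voice. Microsoft Entra ID, Okta and Duo each export different column names, so the CSV here is constructed with hypothetical columns (`user`, `account_type`, `privileged`, `mfa_methods`, `exemption_reason`); map a real export onto those columns before running it.

```python
"""Summarize an identity-provider MFA export for an underwriter.

Added example, not code from the article. The CSV and its column names
are constructed for illustration; real exports differ by provider.
"""
import csv
import io
from collections import Counter

WEAK_METHODS = {"sms", "voice"}                        # increasingly treated as weak
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}

SAMPLE_EXPORT = """\
user,account_type,privileged,mfa_methods,exemption_reason
alice@example.com,member,yes,fido2;authenticator,
bob@example.com,member,no,authenticator,
carol@example.com,member,no,sms,
dave@example.com,member,yes,,
breakglass@example.com,member,yes,,documented break-glass account
svc-backup@example.com,service,no,,service principal; key-based auth
eve@example.com,guest,no,sms;voice,
"""


def parse_export(text: str) -> list:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
        rows.append({
            "user": row["user"].strip(),
            "type": row["account_type"].strip().lower(),
            "privileged": row["privileged"].strip().lower() == "yes",
            "methods": methods,
            "exemption": row["exemption_reason"].strip(),
        })
    return rows


def summarize(rows: list) -> tuple:
    """Return (summary counts, findings). An account counts as enrolled only
    if it has at least one registered method; an unenrolled account with no
    written exemption is a gap, not an exception."""
    s = Counter()
    findings = []
    for r in rows:
        s["total"] += 1
        if r["methods"]:
            s["enrolled"] += 1
            if r["methods"] <= WEAK_METHODS:
                s["weak_only"] += 1
                findings.append(f"{r['user']}: only weak methods {sorted(r['methods'])}")
            if r["methods"] & PHISHING_RESISTANT:
                s["phishing_resistant"] += 1
        elif r["exemption"]:
            s["exempt"] += 1
        else:
            s["unenrolled"] += 1
            findings.append(f"{r['user']}: no MFA and no documented exemption")
        # Privileged accounts get their own line either way: an exempt admin
        # account is exactly what the underwriter will ask about.
        if r["privileged"] and not r["methods"]:
            why = f" (exempt: {r['exemption']})" if r["exemption"] else ""
            findings.append(f"{r['user']}: privileged account with no MFA{why}")
        elif r["privileged"] and not (r["methods"] & PHISHING_RESISTANT):
            findings.append(f"{r['user']}: privileged account without phishing-resistant MFA")
    total = s["total"]
    s["coverage_pct"] = round(100 * s["enrolled"] / total, 1) if total else 0.0
    return dict(s), findings


def report(text: str = SAMPLE_EXPORT) -> str:
    summary, findings = summarize(parse_export(text))
    lines = [f"{k}: {v}" for k, v in summary.items()]
    lines += ["findings:"] + [f"  - {f}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Two caveats when you use something like this for real. Registered methods are not the same as enforcement: a user who has an authenticator registered but no policy requiring it at sign-in is not protected, so pair the export with the conditional-access or sign-on policy that mandates MFA. And the findings list is not a failure; it is the exceptions page of your evidence pack, and a short, justified list is what a mature program looks like.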
What Canadian and US business leaders should take from this
You do not need to run the identity console yourself to manage this. You need to know whether the controls exist and whether someone can prove it on demand. These are questions an executive can put to an IT lead or managed service provider well before renewal season:
- Is MFA enforced—not just available—on email, remote access, cloud admin, and every privileged account? And can we export proof today?
- Do we have EDR or MDR on every server and workstation, and is anyone watching the alerts around the clock?
- When did we last test restoring from backup, and are those backups isolated from the network?
- Do we have a written incident response plan, and when did we last rehearse it?
- Could we produce the evidence an underwriter will ask for within a week?
If any answer is "I'm not sure," that gap is also what an underwriter will find. Closing it before you apply is the difference between a clean quote and a surcharge—or a declination.
Practical steps to prepare before you apply
A short runway of preparation meaningfully improves both your odds of coverage and your premium. Start 60 to 90 days before you need a policy in force, and work through these steps:
- Enforce MFA everywhere it's missing. Prioritize email, VPN, RDP, and admin accounts, and move off SMS codes toward app-based or phishing-resistant methods.
- Get EDR on every endpoint and consider managed monitoring. Confirm coverage is complete, not partial, and decide whether 24/7 MDR is worth the better terms it tends to earn.
- Test a real backup restore and isolate your copies. Document the test; an untested backup is a claim risk, not a safeguard.
- Write or refresh your incident response plan. Name the decision-makers, the escalation path, and how you'll reach your carrier's breach team.
- Assemble your evidence pack. Gather the exports and reports listed above so the application takes days, not months.
If you are unsure where your organization stands against this checklist, our free quick security assessment is a fast way to surface the gaps underwriters look for—before an underwriter finds them for you. For a broader baseline, our small business cybersecurity checklist for 2026 covers the same controls from a defensive standpoint.
The durable lesson
Cyber insurance has quietly become a forcing function for good security. The controls an underwriter checks before quoting are, almost item for item, the controls that keep you from filing a claim in the first place. Treating the application as a security project rather than a paperwork exercise is what earns both a better premium and a business that is genuinely harder to breach. The checklist is the same either way—the only choice is whether you complete it before an attacker tests it for you.
This article is intended for general informational purposes only and does not constitute professional security, legal, or insurance advice. Underwriting requirements vary by carrier, industry, and jurisdiction, and the controls and statistics described here are based on public reporting and industry data as of the date of publication and may change. Organizations should consult a licensed insurance broker and qualified cybersecurity professionals before making decisions about cyber insurance coverage or security controls.