Cyber insurance used to be easy. Fill out a questionnaire, maybe have a phone call, pay your premium, done. The underwriter barely looked at your security posture because claims were rare and payouts were manageable.
Then ransomware happened. Carriers paid out billions in claims. Some exited the cyber insurance market entirely. The ones that stayed got a lot more careful about who they insure and what they require.
Now carriers want proof. Real evidence that you actually have the controls you claim to have. And if you can't provide it, you're looking at higher premiums, reduced coverage, or outright denial. Here's what carriers are asking for, what evidence they expect, and how to put together a package that gets you the coverage you need.
Why cyber insurance underwriting changed
To understand what carriers want now, it helps to understand what happened. The ransomware epidemic of 2020-2022 devastated the cyber insurance industry. Claims skyrocketed. Loss ratios—the percentage of premiums paid out in claims—exceeded 100% for many carriers, meaning they were paying more in claims than they collected in premiums.
Carriers responded in two ways. First, they raised prices dramatically. Cyber insurance premiums increased 50-100% or more for many companies between 2020 and 2023. Second, they got much more rigorous about underwriting. Instead of taking your word for it, they started requiring evidence of specific security controls before issuing policies.
The controls carriers now require aren't arbitrary. They're the controls that, statistically, make the biggest difference in preventing ransomware and other major cyber incidents. Companies with these controls in place file fewer claims and have smaller losses when incidents do occur. Carriers have the data to prove it.
This means that demonstrating good security posture isn't just about checking boxes anymore. It's about providing concrete evidence that convinces an underwriter you're a good risk. And that evidence needs to be current, specific, and verifiable.
The baseline controls every carrier requires
There's a core set of controls that virtually every carrier now requires. If you can't demonstrate these, expect problems at renewal time.
Multi-factor authentication
MFA is non-negotiable. Every carrier asks about it, and most won't issue a policy without it. But the requirement is broader than many companies realize. It's not enough to have MFA on your VPN. Carriers want MFA on email access, on remote desktop connections, on administrative accounts, on cloud service logins—basically anywhere someone could gain initial access to your environment.
The evidence carriers want to see is straightforward but specific. They want screenshots showing MFA is enabled in your identity provider configuration. They want enrollment statistics showing what percentage of users actually have MFA set up—and that number needs to be close to 100%. If you're using conditional access policies, they want to see those configurations. If you have exceptions (service accounts, legacy systems), they want to understand why and what compensating controls exist.
Endpoint detection and response
Traditional antivirus isn't sufficient anymore. Carriers want to see EDR—endpoint detection and response—which provides more sophisticated threat detection, investigation capabilities, and often automated response to threats.
Common EDR solutions carriers recognize include CrowdStrike, SentinelOne, Carbon Black, Microsoft Defender for Endpoint, and similar platforms. If you're using something less common, be prepared to explain what it does and how it compares to better-known solutions.
The evidence carriers expect includes dashboard screenshots showing your EDR coverage percentage—how many endpoints have the agent installed and reporting. They want to see that coverage is comprehensive, not just deployed to some machines. They may also ask for examples of recent detections or alerts to demonstrate the system is actually working, not just installed.
Backup and recovery
Backups are your last line of defense against ransomware. If everything else fails and your systems get encrypted, backups let you recover without paying the ransom. Carriers know this, which is why they scrutinize backup practices closely.
But having backups isn't enough. Carriers want to see that backups are configured properly, stored securely, and actually tested. Configuration evidence should show backup frequency (daily at minimum for critical systems), retention periods, and what data is included. Security evidence should demonstrate that backups are stored separately from your production environment—ideally air-gapped or in immutable storage that ransomware can't reach. Testing evidence should show recent restore tests that prove you can actually recover from backups, not just create them.
The testing piece is where many companies fall short. They've been backing up data for years but have never actually tried to restore from those backups. Carriers have learned that untested backups often fail when needed most, so they specifically ask for restoration test results.
Email security
Email remains the primary vector for initial access in most cyber attacks. Phishing emails deliver malware, harvest credentials, and trick employees into taking actions that compromise security. Carriers want evidence that you've implemented controls to reduce this risk.
At minimum, carriers expect proper email authentication: SPF, DKIM, and DMARC records configured in your DNS. These controls help prevent attackers from spoofing your domain in phishing attacks. Evidence is straightforward—DNS record lookups or screenshots from your email security dashboard showing these protocols are in place.
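To show what the DNS-record evidence actually demonstrates, here is an added example (not code from the original guide or from any carrier) that classifies constructed SPF and DMARC TXT records the way a reviewer would read them. The "baseline" it applies (SPF ending in ~all or -all, DMARC at p=quarantine or p=reject with pct=100) is this example's assumption, not a published carrier requirement, and DKIM is left out because checking it requires knowing each selector name.

```python
import re

# Constructed sample records (not real domains): apex SPF TXT and _dmarc TXT.
SAMPLES = {
    "strong.example": ("v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
    "monitoring-only.example": ("v=spf1 include:spf.protection.outlook.com ~all",
                                "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example"),
    "misconfigured.example": ("v=spf1 ip4:198.51.100.10 +all", None),  # no _dmarc record
}

def spf_posture(txt):
    """Classify an SPF record by the qualifier on its 'all' mechanism."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing"
    qualifier = None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
    return {"-": "hardfail", "~": "softfail", None: "no-all"}.get(qualifier, "permissive")

def dmarc_posture(txt):
    """Return (policy, aggregate_reporting_enabled, pct) from a DMARC record."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return "missing", False, 0
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags.get("p", "none").lower(), "rua" in tags, int(tags.get("pct", "100"))

def assess(domain, spf_txt, dmarc_txt):
    """Summarise one domain; the baseline applied here is this example's assumption."""
    spf = spf_posture(spf_txt)
    policy, reporting, pct = dmarc_posture(dmarc_txt)
    notes = []
    if spf not in ("hardfail", "softfail"):
        notes.append("SPF absent or does not restrict senders (%s)" % spf)
    if policy not in ("quarantine", "reject"):
        notes.append("DMARC not enforcing (policy: %s)" % policy)
    elif pct < 100:
        notes.append("DMARC enforcement covers only %d%% of mail" % pct)
    if not reporting:
        notes.append("no DMARC aggregate reporting (rua) configured")
    baseline = spf in ("hardfail", "softfail") and policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spf": spf, "dmarc_policy": policy,
            "meets_baseline": baseline, "notes": notes}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(assess(name, spf_txt, dmarc_txt))
```

In practice the two strings come from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`; the notes list is the kind of annotation worth attaching to the screenshot so the underwriter does not have to interpret raw records.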
Beyond authentication, carriers want to see active email security tools: anti-phishing filters, malicious link scanning, attachment sandboxing, impersonation protection. If you're using Microsoft 365, this might be Defender for Office 365. If you're using Google Workspace, it's built-in security features plus possibly third-party tools. Whatever you use, be prepared to show configuration screenshots and explain what protections are active.
Additional controls carriers check
Beyond the baseline requirements, carriers often dig into additional controls depending on your industry, company size, and coverage amount. Higher coverage limits generally mean more scrutiny.
Privileged access management
How do you manage accounts with administrative access? Carriers want to know that privileged accounts are identified, that access is limited to people who need it, that there's some form of monitoring on what those accounts do, and ideally that access is time-limited rather than permanent. This doesn't necessarily require a dedicated PAM tool, but you need to be able to explain your approach and provide evidence.
Network segmentation
Is your network flat, where any compromised system can reach any other system? Or have you segmented it so that a breach in one area can't easily spread to others? Carriers increasingly ask about segmentation, particularly between IT and OT environments, between user workstations and servers, and between production and development systems. Network diagrams and firewall rule summaries serve as evidence.
Patch management
How quickly do you apply security patches, particularly for critical vulnerabilities? Carriers want to see that you have a defined process with reasonable SLAs—critical vulnerabilities patched within days or weeks, not months. Evidence includes your patch management policy, recent patch compliance reports, and examples of how you handled specific critical vulnerabilities.
Security awareness training
Humans are often the weakest link. Carriers want to see that you're training employees to recognize phishing and other social engineering attacks. Evidence includes training program documentation, completion records showing who completed training and when, and ideally results from phishing simulations showing how employees perform.
Incident response plan
If something does go wrong, do you know what to do? Carriers want to see a documented incident response plan that covers detection, containment, eradication, and recovery. Bonus points if you can show that you've tested the plan through tabletop exercises.
Vulnerability management
Are you scanning for vulnerabilities? How often? What do you do when you find them? Carriers want to see evidence of regular vulnerability scanning and a process for addressing what you find. This overlaps with patch management but also covers configuration issues and other vulnerabilities beyond missing patches.
Third-party risk management
Your vendors can be a path into your environment. Carriers may ask how you assess vendor security before granting access, what security requirements you include in contracts, and how you monitor vendor risk over time. This is especially relevant if you use managed service providers or other vendors with privileged access to your systems.
How to put together an evidence package
Understanding what carriers want is one thing. Actually assembling the evidence is another. Here's how to do it efficiently.
Timing matters
Carriers want recent evidence—typically from the last 30 to 90 days. That screenshot from last year's audit won't work. Plan to refresh your evidence close to your renewal date, not months in advance.
Format for the reviewer
Remember that an underwriter is reviewing your evidence alongside dozens of other applications. Make it easy for them. Label everything clearly—don't submit a file called "screenshot.png" when you could call it "MFA-enrollment-stats-Dec2024.png." Include dates in your evidence or in your labels. If a screenshot needs explanation, add a brief note.
Be specific, not vague
"We use industry best practices for access management" tells the underwriter nothing. "We use Okta for identity management with MFA required for all users, enforce 90-day password rotation, and conduct quarterly access reviews" tells them exactly what they need to know. When in doubt, be specific.
Address gaps honestly
If you don't have something, don't try to hide it. Underwriters can tell when you're being evasive, and it makes them suspicious about everything else you've submitted. Instead, acknowledge the gap and explain your plan: "We don't currently have a dedicated PAM solution. We manage privileged access through Okta with MFA and session timeouts. We're evaluating CyberArk for implementation in Q2." That's a much better answer than silence or vague assurances.
Organize by control area
Structure your evidence package to match how carriers ask questions. Group MFA evidence together, EDR evidence together, backup evidence together. This makes it easy for the underwriter to find what they're looking for and confirms that you've addressed each requirement.
Common mistakes that hurt your application
We've seen companies make the same mistakes repeatedly. Avoid these and your renewal will go more smoothly.
Using outdated evidence is probably the most common issue. Carriers specifically want recent documentation because security posture changes over time. A screenshot from six months ago might not reflect your current configuration.
Being vague when specificity is needed hurts credibility. Every time you write "industry best practices" or "enterprise-grade security," you're wasting space that could contain actual information. Underwriters have seen thousands of applications. They can tell the difference between companies that know their security posture and companies that are bluffing.
Missing context makes evidence harder to interpret. A screenshot of an EDR dashboard is good. A screenshot with annotations explaining what you're showing is better. Don't make the underwriter guess what they're looking at.
Ignoring carrier questions signals that you either don't have what they're asking about or you're not organized enough to provide it. If a question doesn't apply to your business, explain why. If you don't have something, acknowledge the gap and explain your plan.
Waiting until the last minute causes problems. If your renewal is in two weeks and you haven't started gathering evidence, you're going to have a bad time. Start at least 30-60 days before renewal to give yourself time to gather everything, address any gaps you discover, and respond to follow-up questions.
Frequently asked questions
What if we don't have all the controls carriers require?
You have a few options. You can implement the missing controls before renewal—MFA can often be deployed quickly, for example. You can accept higher premiums or reduced coverage. Or you can shop around, as carriers have different requirements and risk appetites. What you shouldn't do is misrepresent your security posture, as that can void your coverage when you need it most.
Will better security actually lower my premiums?
Usually, yes. Carriers offer better rates to companies they see as lower risk. Strong evidence of good security practices can directly translate to premium savings. Some carriers offer specific discounts for certain controls like MFA or EDR.
My carrier has a specific questionnaire. Should I fill that out too?
Absolutely. The questionnaire is where underwriting decisions start. Answer it thoroughly and accurately. The evidence package supports and validates your questionnaire answers.
How often do I need to provide this evidence?
At minimum, annually at renewal time. Some carriers may request updated evidence mid-term if there's a significant change in your business or security posture. Keep your evidence organized and relatively current so you're not scrambling when requests come in.
What evidence format do carriers prefer?
Most carriers accept PDFs and common image formats. Some have portals where you upload directly. Ask your broker or carrier contact what format they prefer. When in doubt, PDF is usually safe.
Getting help with evidence packages
Putting together a comprehensive evidence package takes time—time that most IT and security teams don't have, especially close to renewal deadlines. If you're struggling to assemble everything carriers want, we can help.
Our Cyber Insurance Evidence Package includes documentation for all the standard controls carriers require, formatted for easy underwriter review. We pull the evidence from your systems, organize it properly, and deliver a package you can submit directly to your carrier. $1,990, ten business days.
For related reading, see our guide on security policies that work and vendor risk management basics.
The bottom line: Cyber insurance underwriting has fundamentally changed. Carriers now require evidence of specific security controls, not just attestations. The baseline requirements—MFA, EDR, backup, and email security—are non-negotiable. Additional controls like PAM, segmentation, and incident response planning can improve your coverage options and rates. Put together your evidence package early, be specific rather than vague, address gaps honestly, and make it easy for underwriters to verify your security posture. Do this well and you'll get better coverage at better rates. Do it poorly and you'll struggle to get coverage at all.