What Controls Do Cyber Insurance Underwriters Check? 5 to Know
You’ve quoted enough cyber insurance to know the premiums aren’t cheap, and you’ve watched submissions get bounced for reasons the application never explained. Underwriters aren’t just taking your word for it on security posture. They’re checking specific controls against carrier claims data, and gaps in the wrong places can get accounts declined or, worse, bound on warranties the client can’t defend at claim time. So, what controls do cyber insurance underwriters check? Five carry more weight than the rest. Get these right at submission and you’ll bind cleaner, renew better, and keep your commercial book out of denial territory.

Key Takeaways
- Cyber insurance underwriters prioritize Multi-Factor Authentication (MFA) coverage, declining more submissions for MFA gaps than any other control failure.
- Endpoint Detection and Response (EDR) is preferred over basic antivirus, as faster breach detection can reduce costs by over $168,000.
- Immutable, air-gapped backups with documented recovery testing are required to qualify for ransomware coverage under underwriting standards.
- Patch management must follow strict SLAs, addressing critical vulnerabilities within 24-72 hours, with fully documented and verifiable processes.
- Employee phishing training must occur at least quarterly, with documented engagement metrics and individual tracking to satisfy underwriter verification requirements.
1. MFA: The Cyber Underwriting Control With the Highest Declination Rate
Carriers decline more cyber submissions over MFA gaps than any other single control failure.
Before you submit any cyber application, you need to know exactly where your client stands on MFA coverage across email, remote access, cloud applications, and privileged accounts.
Get this wrong on the application and you’re not just looking at a declination. You’re looking at a coverage dispute at claim time.
Why Carriers Decline MFA
MFA has the highest declination rate of any single control in cyber underwriting, and the reason is almost never that a client lacks MFA entirely. It’s that their implementation has gaps carriers won’t accept.
| Declination Trigger | MFA Limitation | Carrier Concern |
|---|---|---|
| Email-only MFA | Incomplete coverage | Remote access stays exposed |
| No phishing resistance | Weak authentication | Push-bombing bypasses control |
| Admin accounts excluded | Privileged access gap | Lateral movement risk |
| Poor documentation quality | Unverifiable compliance | Application warranty issues |
| Implementation challenges on legacy systems | Coverage inconsistency | Critical assets unprotected |
Before submitting, confirm MFA covers email, remote access, and admin accounts. Carriers are tightening requirements around phishing resistance specifically. If your client can’t document what’s covered, underwriters will assume the worst, and they’ll be right to.
What Brokers Must Verify
Knowing where the gaps are is one thing. Closing them before submission is what keeps the binder clean.
Before you submit any cyber application, your verification of the client’s MFA implementation needs to cover enrollment rates across all users, not just IT staff. Confirm remote access is covered, meaning VPN and RDP endpoints are protected, not just email.
Check that administrative account security is locked down with privileged access controls that underwriters will ask about directly. Review documentation compliance requirements: carriers want configuration records, not verbal assurances.
Increasingly, applications also ask about phishing resistant techniques like hardware tokens or FIDO2 keys, not just SMS codes. If your client can’t produce evidence for any of these, resolve it before the application goes in.
2. EDR vs. Basic Antivirus: What Cyber Underwriters Actually Distinguish
If your client checks “yes” to endpoint protection on the application, that answer means almost nothing without knowing what’s actually running.
Underwriters aren’t asking whether the client has antivirus. They’re asking whether the client can detect a threat that already bypassed the perimeter and respond before it spreads.
That distinction, detection speed versus passive scanning, is where the underwriting question gets precise and where most small commercial accounts fall short.
Detection Speed Drives Cost
Detection speed is where carriers separate antivirus from EDR, and the cost gap between them is documented in IBM’s 2025 breach data: breaches with a lifecycle over 200 days cost $5.01M versus $3.87M for those contained under 200 days. That $1.14M delta is pure detection-speed cost.
Underwriter expectations reflect this directly in how they score your client’s risk assessment.
EDR benefits show up in the numbers:
- EDR delivers a documented $168,361 breach-cost reduction per IBM 2025
- Faster containment cuts lifecycle, which is the primary cost driver underwriters price against
- Basic antivirus generates no detection telemetry, meaning incidents age undetected until damage is done
Cost implications are straightforward.
Slower detection equals longer dwell time equals higher loss. Underwriters know this. Your application needs to show they do too.
What Counts As EDR
When underwriters ask whether your client has EDR, they’re not asking whether endpoints have antivirus. That’s one of the most common EDR misconceptions brokers run into.
Basic antivirus runs signature-based scans for known malware. EDR continuously monitors endpoint behavior, flags anomalies in real-time, and generates forensic data carriers can actually use at claim time.
EDR advantages include automated response and threat hunting. EDR challenges include deployment gaps. Underwriters want coverage across all organizational endpoints, not just servers.
EDR implementation documentation matters: carriers ask for deployment percentages across the endpoint fleet, not just confirmation that a tool exists. A single unmanaged endpoint (laptop, server, or mobile device) is the gap an attacker uses, and underwriters know it.
Your pre-submission verification question is straightforward: what percentage of endpoints have EDR installed, and who monitors the alerts?
3. Immutable Backups: What Cyber Insurance Underwriters Check Before Binding Ransomware Coverage
When a client says “we have backups,” that’s the beginning of the underwriting conversation, not the end of it.
Carriers writing ransomware coverage have tightened their backup questions considerably because ransomware now touches 44% of all breaches and accounts for 81% of recovery expenses (Market.us, 2023).
What underwriters are actually verifying is whether those backups can survive the same attack that encrypts everything else.
Why “We Have Backups” Fails
“We have backups” is the answer underwriters hear most often and trust least. Without documented backup best practices, that answer is unverifiable at application time and indefensible at claim time.
Underwriters are looking for specifics:
- Immutability and air-gapping: Can ransomware reach and encrypt your backup environment, or is it isolated?
- Recovery planning and restoration testing: Documented, scheduled restoration tests confirm data integrity checks actually work when you need them.
- Automated backup solutions with retention logs: Frequency, retention periods, and audit trails matter. Manual processes fail silently.
Incident response readiness depends on backups that function under attack conditions, not ideal ones. If your client can’t produce a recent restoration test date, the underwriter will notice.
What Underwriters Actually Verify
They want verifiable specifics, not assurances. When a ransomware claim hits, underwriters go straight to documentation. Backup frequency matters: daily incremental isn’t the same as hourly, and carriers distinguish between the two when calculating recovery time exposure.
Retention policies get scrutinized for gaps. If your client’s retention window is shorter than the average ransomware dwell time, that’s a problem worth surfacing before submission, not after.
Air gap strategies need proof of actual separation, not a verbal description of the architecture. Restoration testing is the sharpest question on the application. A backup nobody has tested is a backup nobody can trust.
Documentation importance can’t be overstated here. Carriers want logs, test results, and configuration records. If those don’t exist, expect complications at both underwriting and claim time.
If you want the exact questions underwriters ask on these five controls — in plain language, with the broker’s verification step for each — the free cyber-readiness assessment walks through them client-by-client.
4. Patch Management SLAs That Pass Cyber Underwriting
Unpatched systems are the #1 root cause of ransomware attacks, according to Sophos’s 2025 State of Ransomware report.
CVE exploits drove $8 billion in extreme-loss events in Cyentia’s IRIS 20/20 Xtreme dataset. Underwriters know this, which is why patch management questions on cyber applications have moved well past “do you patch?” and into cadence, documentation, and SLA specifics.
Before you submit a client’s application, you need to know exactly how fast they’re closing critical vulnerabilities and whether they can prove it.
Why Patching Pace Matters
Patching is the control where underwriters can actually measure your client’s discipline, not just take their word for it.
Patch management importance shows up directly in loss data. Sophos identifies exploited vulnerabilities as the #1 ransomware root cause, and Cyentia ties CVE exploits to $8B in extreme-loss events. Slow patching isn’t a technical failure. It’s a documented underwriting liability.
Three things underwriters are watching for:
- Vulnerability reduction strategies with defined SLAs: critical patches within 24-72 hours, high-severity within 7-14 days
- Proactive risk management documentation showing deployment timelines and testing outcomes, not verbal assurances
- Compliance documentation practices that prove cadence is consistent, not reactive
Patch deployment challenges don’t excuse gaps. Underwriters treat an undocumented patching program as no program at all.
Acceptable SLA Benchmarks
When underwriters ask about patch management, they’re not looking for a general commitment to “staying current.” They want SLA numbers, and they have benchmarks in mind: critical vulnerabilities patched within 24-72 hours, high severity within 7-14 days, routine updates on a monthly cadence. Anything slower than that on a documented exploitable vulnerability is a coverage problem waiting to surface at claim time.
Your client needs to demonstrate patch effectiveness through documentation, not just verbal assurance. Compliance audits and documentation standards matter here.
Underwriters want records showing actual deployment dates against discovery dates. That paper trail proves your client’s vulnerability assessment process runs on schedule and that risk prioritization isn’t ad hoc.
If those records don’t exist before submission, the application becomes a liability. Gaps discovered at claim time after a ransomware event will draw direct scrutiny to patch history.
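The check below is an added example, not code from the article or from any carrier: it scores a constructed patch log against the SLA benchmarks above (the outer bounds are assumed: 72 hours for critical, 14 days for high, 30 days for routine), measuring deployment date against discovery date the way the records are meant to be read. A finding with no deployment record is judged by its age, since an undocumented patch counts as an unpatched one.

```python
from datetime import datetime

# SLA windows from the article's benchmarks, taken at the outer bound (assumption):
# critical within 72 hours, high within 14 days, routine on a 30-day cadence.
SLA_HOURS = {"critical": 72, "high": 14 * 24, "routine": 30 * 24}

# Constructed sample patch records (not real data). A deployed value of None
# means no deployment record exists for that finding.
SAMPLE_LOG = [
    {"id": "FINDING-1", "severity": "critical", "discovered": "2025-03-01T09:00", "deployed": "2025-03-02T17:30"},
    {"id": "FINDING-2", "severity": "critical", "discovered": "2025-03-03T08:00", "deployed": "2025-03-08T12:00"},
    {"id": "FINDING-3", "severity": "high", "discovered": "2025-03-01T10:00", "deployed": "2025-03-10T10:00"},
    {"id": "FINDING-4", "severity": "high", "discovered": "2025-03-20T10:00", "deployed": None},
    {"id": "FINDING-5", "severity": "routine", "discovered": "2025-02-15T00:00", "deployed": "2025-03-01T00:00"},
    {"id": "FINDING-6", "severity": "critical", "discovered": "2025-03-28T09:00", "deployed": None},
]


def _hours_between(start_iso, end_iso):
    return (datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)).total_seconds() / 3600


def classify(record, as_of_iso):
    """Return 'met' or 'missed' for closed findings; 'open' or 'overdue' for findings with no deployment record."""
    sla = SLA_HOURS[record["severity"]]
    if record["deployed"] is None:
        # No record: judge by age as of the review date, not by the client's word.
        return "overdue" if _hours_between(record["discovered"], as_of_iso) > sla else "open"
    return "met" if _hours_between(record["discovered"], record["deployed"]) <= sla else "missed"


def sla_report(log, as_of_iso):
    """Per-severity tally; compliance counts overdue open findings as misses."""
    report = {}
    for rec in log:
        bucket = report.setdefault(rec["severity"], {"met": 0, "missed": 0, "overdue": 0, "open": 0})
        bucket[classify(rec, as_of_iso)] += 1
    for bucket in report.values():
        judged = bucket["met"] + bucket["missed"] + bucket["overdue"]
        bucket["compliance_pct"] = round(100 * bucket["met"] / judged, 1) if judged else None
    return report


if __name__ == "__main__":
    for severity, stats in sla_report(SAMPLE_LOG, "2025-04-01T00:00").items():
        print(severity, stats)
```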
5. Employee Phishing Training Cyber Underwriters Treat as a Premium Variable
Of the five controls underwriters scrutinize, phishing training is the one most clients think they’ve checked off when they haven’t.
Doing a security awareness session once a year doesn’t meet the bar carriers are actually measuring against.
You need to know exactly what frequency and format underwriters require before your client’s application goes in, because the difference between a documented, recurring program and a one-time lunch-and-learn shows up in both the quote and the claim.
Why Training Frequency Matters
Training frequency is where most small commercial clients get caught. “We did training last year” fails every underwriter’s risk assessment.
Carriers want to see program evaluation built into your client’s calendar, not a one-time checkbox.
What underwriters are actually scoring:
- Training methods and engagement strategies: Annual slide decks don’t count. Underwriters want simulated phishing campaigns run quarterly, at minimum.
- Retention techniques: IBM’s 2025 data shows employee training delivers a $192,266 breach-cost reduction. That number assumes the training sticks, which requires repeated reinforcement.
- Frequency as a control signal: Carriers treat regular cadence as proof of a proactive risk posture, not just compliance.
Before submission, confirm your client runs documented, simulated phishing exercises at least quarterly.
If they can’t prove it, the application can’t warrant it.
What Underwriters Actually Verify
Underwriters don’t take training programs on faith. They want documentation. Expect questions about phishing training effectiveness metrics: click rates on simulated phishing campaigns, failure trends over time, and whether your client tracks individual employee engagement strategies rather than just aggregate participation.
Training content variety matters too. A single annual video doesn’t demonstrate a live security culture. Underwriters look for recurring sessions, role-specific modules, and incident response drills that test actual employee behavior under simulated attack conditions.
Long-term retention techniques, such as quarterly simulations and reinforcement messaging, signal a program with operational discipline. If a client claims training at application but can’t produce participation records or simulation results at claim time, that warranty statement becomes a coverage dispute.
Document everything before submission.
Frequently Asked Questions
What Are the Minimum Security Controls Required for Cyber Insurance?
The five controls required for Cyber Insurance are MFA, EDR, immutable backups, documented patch management, and quarterly phishing-aware training. This is the minimum bar for most carriers. None of them are optional. Carriers don’t reject applications for “weak culture”. They reject them for unprotected admin accounts, missing EDR telemetry, untested backups, undocumented patch SLA, and annual-only training.
What Are the Underwriting Controls in Insurance?
Like a filter screening water, underwriting controls are your risk management checkpoints. They shape assessment criteria, drive pricing models, define policy terms, and determine how smoothly you’ll move through the claims process.
What Are the 4 Types of Cyber Security Controls?
You’ll encounter four cybersecurity control types: administrative (security assessments, incident response), technical (vulnerability scanning, data protection), physical (access controls), and operational (risk management processes). Each category addresses distinct threats across your organization’s security framework.
What Does a Cyber Insurance Underwriter Do?
A cyber insurance underwriter evaluates the security posture of an applying organization, prices the risk based on controls and claims history, sets sub-limits and retentions on specific loss categories, and decides whether to bind, decline, or quote with conditions. Their job is loss prevention through controls verification, not just rate setting.
Conclusion
Carriers underwrite five controls. The brokers who run cyber-insurance broker automation against all five before the application goes in bind cleaner, renew better, and keep their commercial book out of denial territory at claim time. MFA. EDR. Immutable backups. A documented patch SLA. Quarterly phishing-aware training. Those are the five. Nothing else on the application moves the underwriting decision more than these do.
Pre-screen your next client against all five controls in 20 minutes
The free cyber-readiness assessment walks your client through the MFA, EDR, backup, patching, and training questions underwriters actually ask. Built for the 1–20-agent brokerage. No login required.
Or book a 20-minute call to walk through your book of business.
Michael Toback is the founder of PracticeForge AI. Licensed California P&C agent (#4528883), retired California Bar and USPTO patent attorney, CompTIA CySA+, ACRM 401 Cyber Risk Management. More about Mike →