If You Can’t Answer These 10 Questions
Cyber insurance used to be simple. Fill out a questionnaire, pay a premium, and hope you never need it. Those days are gone. Insurance carriers have been paying out billions in ransomware claims, and they’ve responded by getting dramatically more demanding about what they require before they’ll cover you, and what they’ll deny if you haven’t done your homework.
The uncomfortable truth is that many organizations paying for cyber insurance right now would have their claims denied if they actually filed one. Not because of a technicality, but because they can’t demonstrate that they have the basic security controls their policy requires.
Here are the 10 questions every cyber insurance carrier is asking, and the answers they expect.
This is the number one requirement. If you don’t have multi-factor authentication on VPN access, email, admin accounts, and cloud platforms, most carriers will either deny coverage or charge significantly higher premiums. MFA is no longer a recommendation. It’s a prerequisite.
Traditional antivirus isn’t enough anymore. Carriers want to see EDR solutions that can detect, investigate, and respond to advanced threats in real time. If your endpoint protection is still signature-based, you have a gap that insurers will notice.
Unpatched systems are the most common entry point for attackers. Carriers want documented patch management processes with defined timelines, especially for critical vulnerabilities. “We patch when we get around to it” is a claim denial waiting to happen.
Backups that are connected to your network can be encrypted by ransomware just like your production data. Carriers want to see offline or air-gapped backups that are tested regularly. If you can’t demonstrate that your backups work, your policy may not cover ransomware recovery.
Not just “we’ll figure it out when it happens,” but a documented incident response plan that defines roles, communication protocols, containment procedures, and recovery steps. Carriers increasingly require that this plan be tested through tabletop exercises at least annually.
Phishing is the number one attack vector. Carriers want evidence that your employees receive regular security training and that you run phishing simulations. Annual training is the minimum. Quarterly is the standard they prefer.
Who has admin access to your systems? How many people? Are those accounts individually assigned or shared? Carriers want to see privileged access management, including least privilege principles, admin account auditing, and just-in-time access where possible.
Flat networks where every device can communicate with every other device are a nightmare for insurance underwriters. Network segmentation limits the blast radius of a breach. Carriers want to see that critical systems, guest networks, and user segments are properly isolated.
Beyond basic spam filtering, carriers are looking for DMARC, DKIM, and SPF authentication to prevent email spoofing, advanced threat protection that scans links and attachments, and policies that flag external emails clearly so employees can identify potential phishing attempts.
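The three email authentication records named above are plain DNS TXT records, and the weak settings carriers object to (an SPF record ending in `+all`, a DMARC policy of `p=none`, a DKIM key with an empty public key) are visible in the record text. The following checker is an added example written for this article, not code from the original page or from 360CyberX; it runs against a constructed, in-memory set of TXT records for the made-up domains `example.test` and `weak.test` instead of querying DNS, and the selector names and key values are placeholders.

```python
# Added example: parse SPF, DKIM and DMARC TXT records and flag settings
# that give receivers nothing to enforce. Records below are constructed
# for the example; lookup_txt() stands in for a real DNS query.

# Constructed sample DNS TXT records for made-up domains (not real data).
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER"],
    "weak.test": ["v=spf1 a mx +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "selector2._domainkey.weak.test": ["v=DKIM1; p="],
}

def lookup_txt(name, records=SAMPLE_RECORDS):
    """Stand-in for a DNS TXT lookup; returns the record strings for a name."""
    return records.get(name, [])

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(domain, records=SAMPLE_RECORDS):
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as a permanent error)")
    terms = spf[0].split()[1:]
    # The 'all' mechanism and its qualifier decide the fate of unlisted senders.
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorizes every host to send as this domain")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to enforce")
    # RFC 7208 limits DNS-querying mechanisms to 10 per evaluation.
    dns_terms = [t for t in terms
                 if t.lstrip("+-~?").split(":")[0].split("/")[0] in ("include", "a", "mx", "ptr", "exists")]
    if len(dns_terms) > 10:
        findings.append(f"SPF: {len(dns_terms)} DNS-querying mechanisms exceed the limit of 10")
    return findings

def check_dkim(domain, selector, records=SAMPLE_RECORDS):
    name = f"{selector}._domainkey.{domain}"
    recs = lookup_txt(name, records)
    if not recs:
        return [f"DKIM: no key published at {name}"]
    tags = parse_tags(recs[0])
    if tags.get("v", "DKIM1") != "DKIM1":
        return [f"DKIM: unexpected version tag at {name}"]
    # An empty p= tag is how a DKIM key is revoked; signatures will fail.
    if not tags.get("p"):
        return [f"DKIM: key at {name} is revoked (empty p= tag)"]
    return []

def check_dmarc(domain, records=SAMPLE_RECORDS):
    findings = []
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [f"DMARC: no record at _dmarc.{domain}"]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings

def assess_domain(domain, selectors, records=SAMPLE_RECORDS):
    """Combine all three checks; an empty list means no weak settings found."""
    findings = check_spf(domain, records) + check_dmarc(domain, records)
    for selector in selectors:
        findings += check_dkim(domain, selector, records)
    return findings

if __name__ == "__main__":
    for domain, selectors in (("example.test", ["selector1"]), ("weak.test", ["selector2"])):
        print(domain, assess_domain(domain, selectors) or ["no findings"])
```

To run it against live DNS, replace `lookup_txt` with a resolver call that returns the TXT strings for a name; the parsing and the findings logic stay the same. The checks cover the settings an underwriter's questionnaire is likely to probe, not the full SPF grammar (for example, `redirect=` modifiers and nested `include:` lookups are not followed).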
If a breach exposes unencrypted sensitive data (student records, financial information, health data), the regulatory penalties and liability costs explode. Encryption is a baseline expectation for any organization handling sensitive information, and carriers require it.
Cyber insurance matters. It provides financial protection against catastrophic losses. But it was never meant to replace good security practices. It was meant to complement them.
The organizations that get the best coverage at the lowest premiums are the ones that can demonstrate strong security postures. Carriers reward maturity because it reduces their risk. Every control you implement not only protects your organization but also saves you money on your insurance.
If you’re paying for cyber insurance, make sure you can actually collect on it when you need it. Review your policy requirements. Audit your actual controls against what you claimed on the application. Close the gaps before a carrier finds them during a claim investigation.
And if you’re not sure where you stand, get a professional assessment. The cost of finding out now is a fraction of what it costs to find out during a breach.
360CyberX helps organizations implement the security controls that cyber insurance carriers require, so your policy actually protects you when it matters.