Power Up Boston

February 16, 2026 · Power Up Boston

Cyber Insurance Checklist: What Plymouth Businesses Need

#cyber-insurance #cybersecurity #plymouth #small-business #insurance

Cyber Insurance Isn't What It Used to Be

Three years ago, getting cyber insurance was easy. Fill out a short application, pay a modest premium, and you were covered. Those days are gone.

Insurance companies have been hammered by ransomware claims, and they've responded by dramatically tightening requirements. Applications that used to be two pages are now ten. Premiums have doubled or tripled. And if you can't demonstrate that you have specific security controls in place, you'll either be denied coverage or face sky-high rates.

For Plymouth and South Shore businesses, this is a wake-up call. Whether you're applying for the first time or renewing an existing policy, here's what you need to have in place.

The Cyber Insurance Checklist

Every insurer is different, but these are the controls that virtually every cyber insurance application now asks about:

1. Multi-Factor Authentication (MFA)

This is the number one requirement — and the number one reason applications get denied. You need MFA on:

  • All email accounts (Microsoft 365, Google Workspace)
  • VPN and remote access connections
  • Privileged/admin accounts
  • Cloud applications with sensitive data

If you're not using MFA everywhere, stop reading and go enable it. Seriously. This is the single most impactful security control you can implement.

2. Endpoint Detection & Response (EDR)

Basic antivirus isn't enough anymore. Insurers want to see EDR — software that actively monitors endpoints for suspicious behavior, not just known malware signatures. Solutions like SentinelOne, CrowdStrike, or Microsoft Defender for Endpoint qualify. Norton and McAfee consumer products do not.

3. Email Security & Phishing Protection

90% of cyberattacks start with email. Insurers want to see:

  • Advanced email filtering (not just basic spam filtering)
  • Anti-phishing technology
  • DMARC, DKIM, and SPF records configured
  • Employee security awareness training (more on this below)

4. Backup & Disaster Recovery

Insurers want to know that if ransomware hits, you can recover without paying the ransom. You need:

  • Regular automated backups (at least daily)
  • Offsite or cloud backup (separate from your main network)
  • Air-gapped or immutable backups (can't be encrypted by ransomware)
  • Tested recovery procedures (when was the last time you actually tested a restore?)

5. Employee Security Training

Your team is your biggest vulnerability. Insurers want documentation showing:

  • Regular security awareness training (quarterly is best)
  • Phishing simulation testing
  • Training completion records for all employees
  • Specific training for high-risk roles (finance, HR, executives)

6. Patch Management

Unpatched software is an open door for attackers. You need:

  • A documented patching process
  • Critical patches applied within 14-30 days
  • Operating system updates on all workstations and servers
  • Third-party application updates (Adobe, Java, browsers)

7. Network Security

Insurers will ask about your network architecture:

  • Business-grade firewall (not a consumer router)
  • Network segmentation (separate guest Wi-Fi, IoT devices, sensitive systems)
  • Intrusion detection/prevention
  • Encrypted wireless networks

8. Incident Response Plan

Do you have a documented plan for what to do if you're breached? Insurers want to see:

  • A written incident response plan
  • Designated response team with roles and responsibilities
  • Contact information for your IT provider, legal counsel, and insurer
  • Communication procedures for notifying affected parties

9. Access Controls & Privilege Management

The principle of least privilege — employees should only have access to what they need:

  • Unique user accounts for everyone (no shared logins)
  • Admin access restricted to IT personnel only
  • Regular access reviews (especially when employees change roles)
  • Immediate access revocation when employees leave

10. Written Security Policies

Documentation matters. Insurers want to see that you have written policies for:

  • Acceptable use of technology
  • Password requirements
  • Remote work security
  • BYOD (bring your own device) policies
  • Data classification and handling

For Massachusetts businesses, your WISP (Written Information Security Program) covers many of these requirements. If you don't have a WISP, you're not only uninsured — you're also violating state law.

What Happens If You Don't Meet Requirements

If you apply for cyber insurance without these controls in place, three things can happen:

You get denied. The insurer won't offer coverage. This is increasingly common for businesses without MFA and EDR.

You get covered at a massive premium. Expect to pay 2-5x what a compliant business pays.

You get covered — but claims get denied. Some policies include exclusions for businesses that misrepresented their security posture on the application. If you said you had MFA but didn't, your claim could be denied when you need it most.

The Plymouth Business Reality Check

Here on the South Shore, we work with businesses from Plymouth to Braintree, and the pattern is consistent: most small businesses meet maybe 3-4 of these 10 requirements. The good news? Getting from "3 out of 10" to "fully compliant" is very achievable with the right IT partner.

Typical timeline to get insurance-ready:

  • 2-4 weeks for MFA deployment and email security
  • 1-2 weeks for EDR deployment
  • 2-4 weeks for backup improvements
  • 4-8 weeks for complete compliance (all 10 items)

Take Action Before Your Renewal

Don't wait until your cyber insurance renewal date to find out you're not compliant. Start now, and you'll have everything in place when it matters.

Power Up Boston provides cybersecurity services and managed IT that cover every item on this checklist. We've helped dozens of South Shore businesses get — and stay — insurable.

Contact us for a free cybersecurity assessment. We'll review your current security posture and tell you exactly what you need for your insurance application.
