You might think your cyber insurance policy has you covered, but your carrier is betting on something else entirely: that you already have high-level security controls in place, and that you can prove it.

In the Pacific Northwest, where Cycrest Systems supports and protects hundreds of businesses, we see our clients’ insurance questionnaires weekly. The answers to those questions determine not only what rates you’ll pay for insurance, but also whether you will qualify for insurance at all.

While Cycrest continues to recommend multiple layers of protection to address multifaceted threat vectors, we can’t mandate them. Your insurance company may deny coverage if an attack occurs and you didn’t have the required protections in place. 

Claims are denied every week because a business leader decided their IT layers were ‘good enough’. Don’t let this happen to you and your organization. 

If you want a reasonably priced policy that actually pays out when it matters, you need to know what your insurer requires—and ensure your stack really measures up.

Let’s get specific about the five controls every cyber insurance company expects you to have today.

Insurers Care About Your Security Controls

Cyber insurance companies don’t just underwrite risk—they price it into every line of coverage. That means your cyber policy isn’t a blank check for any breach or ransomware event. It’s a bet that you’re managing risk to an industry standard, at a minimum.

Every policy review we’ve seen in Spokane or Boise lately asks the same questions:

Are you patching? Do you use MFA? Is there off-site backup? Do you have a monitored MDR system in place? Do you have protections in place for cloud-based applications and servers? The list goes on.

According to the NetDiligence Cyber Claims Study, over 60% of denied cyber insurance claims in 2023 cited ‘failure to maintain minimum controls.’ If you miss one of these controls, your claim could be dead on arrival.

Here is the mechanism most owners miss: your answers on that initial application become the foundation of your contract. If you overstate your security, even by omission, you’re creating coverage gaps without realizing it.

#1: Multi-Factor Authentication—Or No Dice

Multi-factor authentication (MFA) isn’t just nice-to-have; it’s the new admission ticket for most cyber insurance policies. We’ve seen carriers like Travelers and Chubb flat-out deny coverage for claims where MFA was missing on admin accounts—or even on email.

With credential theft behind over 80% of breaches (Verizon DBIR, 2023), MFA is now the line between ‘basic hygiene’ and ‘negligence.’ If you don’t have MFA on every critical cloud app—email, financial platforms, remote desktops—you can safely assume your policy is hanging by a thread.

Many SMBs think ‘we have MFA’ when it’s just one department using it.

Your insurer actually means everywhere, not just on paper.

#2: Patch Management and Supported Software

The second pillar is patching (timely, reliable, and documented) combined with using only up-to-date, supported software. Most cyber insurance questionnaires won’t ask if you’re perfect; they want evidence that security updates are applied within 14–30 days of release for critical systems, and that all software is on current supported versions. At Cycrest, we use tools to track patch status and generate real reports.

Why does this matter? Because in every major breach headline (think: Equifax, WannaCry), unpatched software was the doorway.

It’s not the zero-day that kills most SMBs—it’s letting a six-month-old hole, or an outdated software program, linger until an attacker strolls through. If your MSP can’t show last month’s patch logs, your insurer can claim ‘failure to maintain’ and walk away.

#3: Backups—But Only If They’re Tamper-Proof

“We have backups” doesn’t cut it anymore. 

Insurers want technical proof that your backups are:

  1. Offsite or offline
  2. Protected from tampering
  3. Tested regularly

At Cycrest, our backup systems are encrypted, protected, and then replicated to help limit risk. 

Attackers now target backups first because they know cyber insurance providers demand them. If your backups aren’t immutable or otherwise protected at a higher level (i.e., locked against deletion for a set period), coverage is shaky at best.

#4: Endpoint Protection—The Antivirus Myth Dies Hard

Still relying on traditional antivirus? Insurers aren’t fooled—and neither are attackers. Modern policies now require endpoint detection and response (EDR) and managed detection and response (MDR) solutions such as OpenText and Blackpoint Cyber, two products in Cycrest’s tech stack.

These tools don’t just help block malware; they monitor behavior and flag suspicious activity in real time. The difference is night and day: old-school AV is like a padlock on a tent flap, whereas our modern-day EDR and MDR are motion alarms with video backup.

#5: Security Awareness—Humans Remain the Weakest Link

Your firewall can block thousands of attacks a day, but one click on a phishing email can still take down your whole operation. That’s why insurers now ask for annual security awareness training records—and sometimes even simulated phishing results.

In our region, we’ve seen banks and clinics require quarterly training refreshers to remain compliant with insurance and regulatory requirements.

It’s not just about holding a lunch-and-learn once a year; insurers want proof that employees actually understand the risks and that you’re closing the loop on failures.

What Can Happen When You Don’t Meet These Standards?

If you fail on any one of these five, your insurer will have legal ammunition to deny claims or cap payouts far below what you expect. The problem isn’t just nonpayment; it’s that gaps often come to light after an incident, when the stakes are highest. 

We’ve seen cases where ransomware hit a manufacturing firm with no MFA on remote desktop access—the insurer paid only for data recovery, not their lost revenue or legal costs, arguing ‘material misrepresentation.’

That’s why Cycrest recommends our full tech stack: it helps keep you in the driver’s seat, so that in the event of a possible breach we have the documentation and services in place to mitigate risk.

Audit Your Controls Before Your Next Renewal

Your cyber insurance company isn’t gambling—they’re calculating risk based on what you say and what you can prove about your security posture. If your organization has delayed or rejected recommendations for our solutions, please reconsider today. With the advancement of AI, attacks will become more sophisticated and more frequent, and will pose a greater risk.

Contact Cycrest today to get a simple insurance assessment. We’ll provide key recommendations to help you protect your company properly.