The Non-Negotiable Eight
The cyber insurance market has tightened dramatically since 2023. What used to be a simple questionnaire has become a rigorous security audit. Insurers now have a clear set of baseline controls they require before they'll even consider your application.
Miss one, and you'll likely be denied. Miss several, and you may struggle to find coverage at any price.
Here are the eight controls every major cyber insurer requires in 2026 — and exactly what you need to do to comply.
1. Multi-Factor Authentication (MFA)
Why insurers require it: MFA is the single most effective control against account compromise. Microsoft reports that MFA blocks 99.9% of automated attacks.
What insurers look for:
- MFA on all remote access (VPN, RDP, cloud applications)
- MFA on email accounts (especially Microsoft 365 and Google Workspace)
- MFA on privileged/admin accounts
- MFA on backup systems
How to implement it: Enable MFA through your existing email and cloud providers. Use authenticator apps (Microsoft Authenticator, Google Authenticator) rather than SMS where possible. For legacy systems that don't support MFA natively, consider a solution like Duo or Okta.
Common mistake: Enabling MFA for some users but not all. Insurers specifically ask if MFA is enforced for ALL users, not just admins.
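A practical way to avoid that common mistake is to audit an account export rather than trusting a checkbox. The script below is an added example (not code from the original article or from CoverReady): it takes a constructed export in which each account lists the systems it can reach and its strongest enrolled MFA method, then reports overall coverage, coverage per system (the buckets insurers ask about), every account with no MFA, and privileged accounts that rely on SMS or nothing. The field names and the sample accounts are assumptions.

```python
"""MFA coverage audit over a constructed account export.

Added example, not part of the original article. Assumes an export in
which each account lists the systems it can reach and its strongest
enrolled MFA method ("app", "sms" or None); field names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Strength ranking follows the article's guidance: authenticator apps are
# preferred over SMS, and no MFA at all is a hard finding.
STRENGTH = {"app": 2, "sms": 1, None: 0}


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool               # admin / privileged role
    mfa_method: Optional[str]      # "app", "sms" or None
    systems: Tuple[str, ...]       # e.g. ("email", "vpn", "backup")


# Constructed sample export (not real accounts).
SAMPLE_EXPORT = (
    Account("alice", True, "app", ("email", "vpn", "backup")),
    Account("bob", False, "sms", ("email",)),
    Account("carol", False, None, ("email", "vpn")),
    Account("dave", True, None, ("backup",)),
)


def has_mfa(acct: Account) -> bool:
    return STRENGTH[acct.mfa_method] > 0


def system_coverage(accounts) -> dict:
    """Fraction of accounts with MFA per system, so that a gap on the
    backup console or VPN is visible even when email coverage looks fine."""
    totals, covered = {}, {}
    for acct in accounts:
        for system in acct.systems:
            totals[system] = totals.get(system, 0) + 1
            covered[system] = covered.get(system, 0) + (1 if has_mfa(acct) else 0)
    return {s: covered[s] / totals[s] for s in sorted(totals)}


def audit(accounts) -> dict:
    """Answer the insurer's question ("enforced for ALL users?") with the
    evidence behind it: who is missing MFA and which admins are on SMS."""
    no_mfa = sorted(a.name for a in accounts if not has_mfa(a))
    weak_privileged = sorted(
        a.name for a in accounts
        if a.privileged and STRENGTH[a.mfa_method] < STRENGTH["app"]
    )
    return {
        "enforced_for_all": not no_mfa,
        "overall_coverage": round(sum(has_mfa(a) for a in accounts) / len(accounts), 3),
        "per_system": system_coverage(accounts),
        "accounts_without_mfa": no_mfa,
        "privileged_without_app_mfa": weak_privileged,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run against a real export the same function gives the renewal questionnaire an honest answer and a list of accounts to fix; the per-system view is what catches an MFA rollout that covered email but skipped the VPN or the backup console.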
2. Endpoint Detection and Response (EDR)
Why insurers require it: Traditional antivirus catches known threats. EDR detects unusual behavior patterns, which is critical for catching zero-day attacks and advanced persistent threats.
What insurers look for:
- EDR deployed on all endpoints (workstations, laptops, servers)
- Real-time monitoring and alerting
- Automated response capabilities
- Regular updates and maintenance
How to implement it: Solutions like CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint provide EDR capabilities. For small businesses, Microsoft Defender for Business offers enterprise-grade EDR at an accessible price point.
3. Tested Backups
Why insurers require it: Backups are your last line of defense against ransomware. But backups that haven't been tested are backups that might not work when you need them most.
What insurers look for:
- Regular backup schedule (daily at minimum)
- Offline or immutable copies (can't be encrypted by ransomware)
- Regular restoration testing (quarterly at minimum)
- Documented backup procedures
How to implement it: Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite or offline. Cloud backup solutions like Veeam, Datto, or even properly configured Microsoft 365 backup meet most requirements.
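Restoration testing only counts as evidence if the test actually verifies the restored data and leaves a record. The script below is an added example (not code from the original article or from any backup product): it stands in for a backup job with plain directory copies, records a SHA-256 manifest at backup time, restores into a separate location, verifies every file against the manifest, checks that the latest backup is within the daily schedule, and returns a JSON-serialisable test record. The paths, the manifest format and the sample files are assumptions.

```python
"""Backup restoration test with integrity verification and an evidence record.

Added example, not part of the original article. Plain directory copies stand
in for a real backup product; paths and the manifest format are assumptions.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """A restore test passes only when every file in the manifest is present
    in the restored tree with an identical hash."""
    missing = [rel for rel in manifest if not (restored_root / rel).is_file()]
    corrupted = [rel for rel in manifest
                 if rel not in missing and sha256_file(restored_root / rel) != manifest[rel]]
    return {"passed": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted}


def backup_is_fresh(last_backup: datetime, now: datetime,
                    max_age: timedelta = timedelta(days=1)) -> bool:
    """Daily schedule check: the newest backup must be at most a day old."""
    return now - last_backup <= max_age


def run_restore_test(source: Path, backup: Path, restore: Path, now: datetime) -> dict:
    """Back up, restore into a separate location, verify, and return the
    record you would keep as evidence for the insurer."""
    shutil.copytree(source, backup)
    manifest = build_manifest(backup)
    shutil.copytree(backup, restore)
    result = verify_restore(manifest, restore)
    return {"tested_at": now.isoformat(), "files": len(manifest), **result}


def demo() -> dict:
    """Constructed data set: one clean restore test, then a restore with one
    file corrupted and one file missing to show both failures being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        now = datetime(2026, 3, 1, tzinfo=timezone.utc)

        clean = run_restore_test(src, tmp / "backup", tmp / "restore", now)

        manifest = build_manifest(tmp / "backup")
        (tmp / "restore" / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
        (tmp / "restore" / "readme.txt").unlink()
        damaged = verify_restore(manifest, tmp / "restore")

        return {
            "clean": clean,
            "damaged": damaged,
            "fresh_20h": backup_is_fresh(now - timedelta(hours=20), now),
            "fresh_3d": backup_is_fresh(now - timedelta(days=3), now),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The returned record (timestamp, file count, pass/fail, and the names of anything missing or corrupted) is exactly the kind of backup test log the article says insurers want; appending one per quarterly test gives you the history without a scramble at renewal.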
4. Incident Response Plan
Why insurers require it: An incident response plan demonstrates that you've thought about what happens when (not if) a breach occurs. Companies with tested incident response plans save an average of $2.66 million per breach.
What insurers look for:
- Written, documented plan
- Defined roles and responsibilities
- Communication procedures (internal and external)
- Contact information for key responders (legal, forensics, PR)
- Evidence preservation procedures
- Regular testing or tabletop exercises
How to implement it: Your incident response plan doesn't need to be a 50-page document. A clear, actionable plan that your team can actually follow is far more valuable. CoverReady provides incident response templates that you can customize for your organization.
5. Security Awareness Training
Why insurers require it: Human error remains the leading cause of breaches. Phishing alone accounts for over 36% of all data breaches. Training your employees is one of the highest-ROI security investments you can make.
What insurers look for:
- Regular training (at least annual, quarterly preferred)
- Phishing simulations
- New employee onboarding training
- Completion tracking and documentation
- Topics covering phishing, password hygiene, social engineering, and data handling
How to implement it: Platforms like KnowBe4, Proofpoint, and CoverReady's built-in training modules make it easy to deploy and track security training across your organization.
6. Written Security Policies
Why insurers require it: Policies establish the rules your organization follows. Without written policies, there's no standard to enforce and no way to demonstrate due diligence.
What insurers look for:
- Acceptable Use Policy
- Password/Authentication Policy
- Data Handling and Classification Policy
- Incident Response Policy
- BYOD (Bring Your Own Device) Policy
How to implement it: Start with templates and customize them for your organization. The key is that policies are documented, communicated to employees, and actually enforced. A beautiful policy document that nobody reads provides zero protection.
7. Patch Management
Why insurers require it: Unpatched systems are the second most common attack vector after phishing. The average time from vulnerability disclosure to exploit is now just 15 days.
What insurers look for:
- Critical patches applied within 14 days (many insurers require 72 hours)
- Regular patching schedule for non-critical updates
- Coverage of operating systems, applications, and firmware
- Documentation of patching procedures
How to implement it: Enable automatic updates on all systems where possible. For systems that require manual patching, establish a weekly review cadence. Tools like Microsoft WSUS, ManageEngine, or NinjaRMM can automate patch management.
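Whatever tool applies the patches, the insurer's question is whether critical fixes landed inside the window. The script below is an added example (not code from the original article or from any of the tools named): it evaluates a constructed patch inventory against the 72-hour and 14-day critical windows the article quotes, marks critical patches that are past 72 hours but still inside 14 days as "watch", and produces the late list plus a compliance percentage. The 30-day window for non-critical updates, the record layout and the sample records are assumptions.

```python
"""Patch SLA compliance check over a constructed patch inventory.

Added example, not part of the original article. Assumes one record per
host and patch with severity, vendor release date and install date
(None while pending); the layout and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    severity: str                   # "critical" or "standard"
    released: datetime              # vendor release / disclosure date (UTC)
    installed: Optional[datetime]   # None while the patch is still pending


# 72 hours and 14 days are the critical-patch figures quoted in the article;
# the 30-day window for non-critical updates is an assumption.
SLA = {
    "critical_strict": timedelta(hours=72),
    "critical": timedelta(days=14),
    "standard": timedelta(days=30),
}

UTC = timezone.utc
AS_OF = datetime(2026, 3, 1, tzinfo=UTC)   # evaluation time for the sample

# Constructed sample inventory (not real hosts or patch identifiers).
SAMPLE_INVENTORY = (
    PatchRecord("fileserver-01", "PATCH-CRIT-001", "critical",
                datetime(2026, 2, 20, tzinfo=UTC), datetime(2026, 2, 22, tzinfo=UTC)),
    PatchRecord("laptop-07", "PATCH-CRIT-001", "critical",
                datetime(2026, 2, 20, tzinfo=UTC), None),
    PatchRecord("vpn-gw", "PATCH-CRIT-002", "critical",
                datetime(2026, 2, 1, tzinfo=UTC), datetime(2026, 2, 18, tzinfo=UTC)),
    PatchRecord("laptop-03", "APP-STD-010", "standard",
                datetime(2026, 1, 10, tzinfo=UTC), datetime(2026, 2, 2, tzinfo=UTC)),
    PatchRecord("laptop-03", "APP-STD-011", "standard",
                datetime(2026, 1, 1, tzinfo=UTC), None),
)


def time_to_patch(rec: PatchRecord, now: datetime) -> timedelta:
    """Elapsed time from release to install, or to 'now' if still pending,
    so an unpatched host keeps getting later rather than dropping off."""
    end = rec.installed if rec.installed is not None else now
    return end - rec.released


def classify(rec: PatchRecord, now: datetime) -> str:
    """'ok', 'watch' (critical, past 72h but inside 14 days) or 'late'."""
    elapsed = time_to_patch(rec, now)
    if rec.severity == "critical":
        if elapsed > SLA["critical"]:
            return "late"
        if elapsed > SLA["critical_strict"]:
            return "watch"
        return "ok"
    return "late" if elapsed > SLA["standard"] else "ok"


def sla_report(inventory, now: datetime) -> dict:
    """Per-status counts, the late records (host, patch, severity, days) and
    the share of critical patches applied within 14 days."""
    report = {"ok": 0, "watch": 0, "late": 0, "late_records": []}
    critical_total = critical_in_window = 0
    for rec in inventory:
        status = classify(rec, now)
        report[status] += 1
        if status == "late":
            report["late_records"].append(
                (rec.host, rec.patch_id, rec.severity, time_to_patch(rec, now).days))
        if rec.severity == "critical":
            critical_total += 1
            critical_in_window += status != "late"
    report["critical_within_14_days_pct"] = (
        round(100 * critical_in_window / critical_total, 1) if critical_total else 100.0)
    return report


if __name__ == "__main__":
    for key, value in sla_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
```

Feeding the weekly review with this output keeps the conversation on the two things that matter for the questionnaire: which critical patches are outside the window, and whether the percentage is trending the right way.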
8. Network Segmentation
Why insurers require it: If an attacker compromises one system, network segmentation prevents them from moving laterally across your entire environment. It limits the blast radius of any incident.
What insurers look for:
- Separation between IT and OT networks (if applicable)
- Guest Wi-Fi isolated from business networks
- Critical systems on separate network segments
- Firewall rules between segments
How to implement it: At minimum, ensure your guest Wi-Fi is on a separate VLAN from your business network. For more advanced segmentation, work with your IT provider to create network zones based on data sensitivity and system criticality.
Bringing It All Together
These eight controls form the foundation of what insurers consider "minimum acceptable security." But they're also genuinely good security practices that protect your business regardless of insurance.
The challenge for most small businesses isn't knowing what to do — it's proving they've done it. Insurers want evidence: screenshots of MFA configurations, backup test logs, training completion records, signed policy acknowledgments.
This is where a structured approach pays off. Rather than scrambling to gather evidence when your renewal comes up, maintain continuous documentation throughout the year. Your future self (and your insurance broker) will thank you.