
Cyber Insurance Requirements: The Minimum Controls Checklist for SMBs and MSPs


By Ryan Windt | Head of Growth Marketing | Updated March 2026

If you are about to apply for cyber insurance or renew an existing policy, the single biggest thing that determines your outcome is not your revenue or your industry. It is whether you can document the security controls underwriters now treat as non-negotiable.

In 2026, self-attestation is no longer enough. Carriers want screenshots, exports from your RMM or PSA, and evidence of tested controls, not just a checked box. Companies that can produce this documentation qualify faster, avoid sublimits and exclusions, and routinely save 20 to 40 percent on premiums compared to peers who cannot.

This checklist covers the 10 controls underwriters scrutinize most closely, what evidence they want to see for each, and the specific gotchas that most commonly delay or sink a quote.


Who This Is For

This guide is written for three audiences:

  • SMBs who want to know what insurers actually require in 2026 without the jargon.
  • MSPs and MSSPs looking to map their standard stack to underwriting requirements and speed up client quoting.
  • Brokers who need a plain-English checklist to prep submissions and reduce back-and-forth with carriers.


Why Requirements Tightened — and Why That Is Good News

Cyber carriers price based on real-world claims data. The controls that consistently prevent or limit loss — MFA, EDR, and properly structured backups — moved from nice-to-have to table stakes because the data proved they work.

That is good news for well-prepared businesses. Meeting these minimums does not just get you insured. It improves your actual resilience, reduces your likelihood of a claim, and gives you meaningful pricing leverage at renewal. The companies getting the best terms in 2026 are the ones who can show their work.


The 10 Minimum Controls Underwriters Require

1. Multi-Factor Authentication (MFA) Everywhere

What underwriters want: MFA enforced for email, VPN and remote access, all privileged and admin accounts, and critical SaaS platforms including Microsoft 365, Google Workspace, and finance or HR applications.

How to show it: Conditional Access or MFA policy screenshots, RADIUS or SAML configuration exports, user MFA enrollment reports.

Common gotchas: Break-glass accounts excluded from Conditional Access without compensating controls such as a vaulted long passphrase and sign-in alerting, legacy mail protocols like IMAP and POP still enabled (basic authentication cannot complete an MFA challenge, so these clients skip it entirely), service accounts with mailbox access that bypass MFA requirements.
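The three gotchas above are all visible in a Conditional Access export, so they can be checked before the broker asks. The script below is an added example and not part of the original article; it assumes the policies were pulled from Microsoft Graph (the `value` array returned by GET /identity/conditionalAccess/policies) and saved as JSON. The two policies in `SAMPLE_EXPORT` are constructed for a hypothetical tenant, including the break-glass addresses, and are not a real export.

```python
"""Audit a Conditional Access export for the MFA gaps underwriters ask about.

Added example, not part of the original article. Assumes a Graph-format
policy list; SAMPLE_EXPORT is a constructed, hypothetical tenant.
"""
import json

SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["breakglass-1@example.com", "breakglass-2@example.com"],
                "excludeGroups": [],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
])

# Client app types that use legacy (basic) authentication and cannot complete
# an MFA challenge, so the only effective control for them is a block.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def audit_conditional_access(policies):
    """Return findings: tenant-wide MFA present, legacy auth blocked,
    report-only policies, and every user/group exclusion."""
    findings = {
        "mfa_all_users": False,
        "legacy_auth_blocked": False,
        "report_only": [],
        "exclusions": [],
    }
    for pol in policies:
        cond = pol.get("conditions", {})
        users = cond.get("users", {})
        include_users = users.get("includeUsers", [])
        all_apps = "All" in cond.get("applications", {}).get("includeApplications", [])
        controls = set((pol.get("grantControls") or {}).get("builtInControls") or [])
        client_types = set(cond.get("clientAppTypes", []))
        enforced = pol.get("state") == "enabled"

        if pol.get("state") == "enabledForReportingButNotEnforced":
            findings["report_only"].append(pol["displayName"])
        # Only an enforced, all-users, all-apps policy granting "mfa" counts as
        # the baseline; report-only or narrowly scoped policies are not evidence.
        if enforced and "All" in include_users and all_apps and "mfa" in controls:
            findings["mfa_all_users"] = True
        if enforced and "All" in include_users and "block" in controls \
                and LEGACY_CLIENT_TYPES <= client_types:
            findings["legacy_auth_blocked"] = True
        # Exclusions are where break-glass and service accounts hide; each one
        # needs a compensating-control memo in the evidence pack.
        for u in users.get("excludeUsers", []):
            findings["exclusions"].append((pol["displayName"], "user", u))
        for g in users.get("excludeGroups", []):
            findings["exclusions"].append((pol["displayName"], "group", g))
    return findings


def gaps(findings):
    """Translate findings into the plain-language gaps an underwriter would flag."""
    out = []
    if not findings["mfa_all_users"]:
        out.append("no enforced tenant-wide MFA policy")
    if not findings["legacy_auth_blocked"]:
        out.append("legacy authentication not blocked (IMAP/POP/SMTP AUTH can skip MFA)")
    for name in findings["report_only"]:
        out.append(f"policy '{name}' is report-only, not enforced")
    for name, kind, who in findings["exclusions"]:
        out.append(f"policy '{name}' excludes {kind} {who}")
    return out


if __name__ == "__main__":
    for line in gaps(audit_conditional_access(json.loads(SAMPLE_EXPORT))):
        print("GAP:", line)
```

On the sample tenant the script reports the legacy-auth block as report-only and lists both break-glass exclusions; the MFA baseline itself passes. Each listed exclusion is a candidate for the compensating-control memo described later in the evidence pack section.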


2. Endpoint Detection and Response (EDR) on All Endpoints

What underwriters want: Next-generation endpoint protection with behavioral detection, response and containment capabilities, and 24/7 alerting — either in-house or through a managed detection and response (MDR) provider. Coverage must include both servers and workstations.

How to show it: RMM or EDR console coverage report showing agents installed and healthy across all devices, policy screenshots, alert metrics from the last 30 to 90 days.

Common gotchas: Servers excluded from coverage, stale or unhealthy agents, macOS or Linux gaps, legacy antivirus solutions without behavioral detection being submitted as EDR.


3. Offline and Immutable Backups with Tested Restores

What underwriters want: A 3-2-1 style backup architecture where at least one copy is offline or immutable — object lock, air-gap, or vaulted storage — with documented, periodic test restores. Having backup jobs running is not sufficient. Proof of successful restores is required.

How to show it: Backup topology diagram, immutability policy documentation, last successful job logs, quarterly test restore report.

Common gotchas: Cloud sync solutions submitted as backups, backup servers and repositories joined to the production domain and reachable with the same domain credentials (so a domain compromise also reaches the backups), no evidence of test restores on file.


4. Email Security and Phishing Awareness Training

What underwriters want: Modern email security via gateway or API-based filtering, combined with recurring security awareness training and phishing simulations. Annual one-time training is no longer sufficient.

How to show it: Email security policy screenshots, training completion rates, phishing simulation results from the last 12 months.

Common gotchas: Broadly allow-listed supplier domains creating bypass routes, dormant accounts not disabled, training conducted once per year with no simulations.


5. Patch and Vulnerability Management with Documented SLAs

What underwriters want: Documented patching SLAs — typically critical vulnerabilities within 7 to 15 days — recurring vulnerability scans, and documented proof of remediation.

How to show it: RMM patch compliance reports, vulnerability scan summaries with trend lines, change tickets or work orders showing remediation.

Common gotchas: Unsupported operating systems still in production, such as Windows Server 2012 and 2012 R2 (extended support ended October 2023), stalled reboots leaving patches downloaded but unapplied, devices excluded from vulnerability scans so their findings never appear in the trend line.
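Scan summaries show counts; underwriters want to know whether the documented SLA was actually met. The script below is an added example, not from the article, that turns a scan export into the per-finding SLA verdict and the met-rate figure a patch compliance report should state. The CSV layout (host, severity, first_seen, remediated) is an assumed generic export rather than any scanner's real schema, the rows are constructed, and `SLA_DAYS` is an assumed policy built around the 15-day critical window the article cites as typical.

```python
"""Check a vulnerability scan export against documented patch SLAs.

Added example, not part of the original article. CSV layout, rows, SLA_DAYS
and AS_OF are all assumptions constructed for the illustration.
"""
import csv
import io
from datetime import date

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}
AS_OF = date(2026, 3, 1)   # report date used for still-open findings

SAMPLE_CSV = """host,severity,first_seen,remediated
srv-dc01,critical,2026-01-05,2026-01-12
srv-file02,critical,2026-01-05,2026-02-02
ws-0417,high,2026-01-20,
srv-sql01,critical,2026-02-20,
ws-0099,medium,2025-12-01,2026-01-15
"""


def parse_findings(text):
    """Parse the export; an empty 'remediated' field means the finding is still open."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"],
            "severity": r["severity"].lower(),
            "first_seen": date.fromisoformat(r["first_seen"]),
            "remediated": date.fromisoformat(r["remediated"]) if r["remediated"] else None,
        })
    return rows


def evaluate(findings, as_of=AS_OF):
    """Classify each finding as met, breached, open_overdue or open_within_sla."""
    results = []
    for f in findings:
        sla = SLA_DAYS.get(f["severity"])
        if sla is None:          # severities without a documented SLA are not scored
            continue
        end = f["remediated"] or as_of
        days_open = (end - f["first_seen"]).days
        if f["remediated"]:
            status = "met" if days_open <= sla else "breached"
        else:
            status = "open_overdue" if days_open > sla else "open_within_sla"
        results.append({**f, "days_open": days_open, "sla": sla, "status": status})
    return results


def summary(results):
    """Counts per status plus the SLA-met rate for closed findings."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    closed = counts.get("met", 0) + counts.get("breached", 0)
    counts["sla_met_rate"] = round(counts.get("met", 0) / closed, 3) if closed else None
    return counts


if __name__ == "__main__":
    res = evaluate(parse_findings(SAMPLE_CSV))
    for r in res:
        print(f"{r['host']:<12} {r['severity']:<8} {r['days_open']:>3}d (SLA {r['sla']}) {r['status']}")
    print(summary(res))
```

Open findings are scored against the report date, so an overdue critical shows up as `open_overdue` rather than disappearing from the met rate because it has no remediation date yet. That is the number to reconcile against the change tickets in the evidence pack.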


6. Remote Access Hardening

What underwriters want: No open RDP exposed to the internet. All remote access routed through VPN or zero trust network access (ZTNA) with MFA enforced. Geo-IP or allow-listing in place. SMBv1 disabled, PowerShell restricted where appropriate.

How to show it: External attack surface scan report, firewall rule exports, VPN or ZTNA configuration documentation, Group Policy or host firewall rules that restrict RDP to internal or VPN source addresses and require Network Level Authentication.

Common gotchas: Third-party vendor tunnels creating unmonitored access paths, remote support and screen-sharing tools reachable from the internet without MFA, shadow IT remote control applications not captured in the inventory.
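The external scan report is only useful if someone reads it for the services that matter. The script below is an added example and not part of the article: it parses nmap's greppable output (`nmap -oG`) for the public ranges you scan and flags open remote access and file sharing ports. The two host lines in `SAMPLE_GNMAP` are constructed using RFC 5737 documentation addresses, not a real scan, and the `RISKY_PORTS` table is an assumed starting list to extend with whatever remote tools your clients use.

```python
"""Flag internet-exposed remote access services in an nmap greppable scan.

Added example, not part of the original article. SAMPLE_GNMAP is constructed;
RISKY_PORTS is an assumed list, not a carrier's requirement.
"""
import re

SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -Pn -p 22,23,443,445,3389,5900,5985 -oG - 203.0.113.0/28
Host: 203.0.113.5 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (5)
Host: 203.0.113.9 ()\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (5)
# Nmap done -- 16 IP addresses (2 hosts up) scanned
"""

# Port -> remediation note. Only *open* state counts; filtered means the
# perimeter is already dropping the traffic.
RISKY_PORTS = {
    3389: "RDP exposed; move behind VPN/ZTNA with MFA",
    445: "SMB exposed; block at the perimeter",
    23: "Telnet exposed; disable the service",
    5900: "VNC exposed; block or tunnel it",
    5985: "WinRM (HTTP) exposed; block at the perimeter",
    22: "SSH exposed; restrict to allow-listed sources and key auth",
}

# gnmap port fields look like port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: [(port, state, service), ...]} for each 'Host:' line."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), "")
        hosts[host] = [(int(p), state, svc) for p, state, _proto, svc in PORT_RE.findall(ports_field)]
    return hosts


def exposed_services(hosts):
    """Return (host, port, advice) for every open port in RISKY_PORTS."""
    out = []
    for host, entries in hosts.items():
        for port, state, _svc in entries:
            if state == "open" and port in RISKY_PORTS:
                out.append((host, port, RISKY_PORTS[port]))
    return out


if __name__ == "__main__":
    findings = exposed_services(parse_gnmap(SAMPLE_GNMAP))
    for host, port, advice in findings:
        print(f"{host}:{port}  {advice}")
    if not findings:
        print("No open RDP/SMB/remote management ports found")
```

A clean run (no findings) is the artifact to file as the "no open RDP" evidence; a run with findings is the remediation list. Keep the raw `-oG` file alongside the summary so the underwriter can see what was scanned and when.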


7. Privileged Access Management and Least Privilege

What underwriters want: Administrators using separate privileged accounts for admin tasks, local admin rights removed from standard users, password vaulting and rotation for shared credentials and service accounts.

How to show it: Group Policy exports, PAM tool configuration documentation, privileged group membership reports, vault audit logs.

Common gotchas: Excessive domain admin accounts, long-lived service credentials that have never been rotated, MFA bypass configurations on privileged roles.


8. Incident Response Plan with Tabletop Testing

What underwriters want: A current, written incident response plan with defined roles, decision trees for common scenarios like ransomware and BEC, pre-identified legal counsel and breach coach contacts, and evidence of tabletop testing at least once in the last 12 months.

How to show it: IR playbook document, tabletop exercise agenda and after-action report, call tree, vendor panel list with pre-negotiated forensics contacts.

Common gotchas: No defined authority to isolate or shut down systems, no pre-negotiated forensics vendor, unclear decision-making authority around ransom payments.


9. Centralized Logging, Monitoring, and 24/7 Triage

What underwriters want: Aggregated log collection from endpoints, authentication systems, firewalls, and SaaS platforms, with alerts triaged around the clock — either by an internal security operations center or an MDR provider.

How to show it: SIEM or MDR onboarding list showing covered sources, dashboard screenshot showing ingest volume and active detections, ticketing system integration evidence.

Common gotchas: Alerting only during business hours, critical log sources like Microsoft 365 or identity providers not onboarded, log retention periods too short to support forensic investigation.


10. Third-Party and Vendor Risk Controls

What underwriters want: A maintained inventory of critical vendors with documented security posture reviews and incident notification SLAs. For MSPs specifically, MSA language that clearly splits security responsibilities between the MSP and client, and a requirement for clients to carry their own cyber insurance.

How to show it: Vendor inventory with criticality ratings, annual review documentation, MSA language defining responsibilities, client certificates of insurance.

Common gotchas: Single points of failure in the vendor stack with no documented contingency, no formal offboarding process, no contractual breach notification timelines with vendors.


Building Your Evidence Pack

The fastest way to move through underwriting is to have your documentation organized before the application goes out. Create a folder called Underwriting Evidence and populate it with the following:

Policies and exports: MFA and Conditional Access policies, EDR configurations, backup immutability settings, patch management SLAs.

Coverage reports: EDR agent coverage by device and OS, last successful backup job logs, RMM patch compliance summaries.

Architecture diagrams: Backup and data flow diagram, network and remote access topology, identity architecture overview.

Testing documentation: IR tabletop exercise agenda, after-action notes, and remediation log.

Training records: Security awareness training completion rates and phishing simulation results for the last 12 months.

Compensating control memos: Short written attestations for any areas where a compensating control is in place instead of the standard requirement, with a remediation timeline.

For MSPs: generate coverage reports directly from your RMM, EDR, and backup consoles and map device counts one-to-one with your policy declarations. Discrepancies between what your application states and what your toolset shows are one of the most common sources of underwriting delay.
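The device count reconciliation described here is the same check that surfaces the EDR gotchas from control 2 (servers excluded, stale agents, macOS or Linux gaps), so one script serves both. It is an added example, not from the article or any vendor: it joins an RMM inventory export to an EDR agent export, lists devices with no agent, devices whose agent is unhealthy or has not checked in within `STALE_DAYS`, devices the EDR sees that the inventory does not, and coverage by OS family. The column names are assumed generic export fields rather than a specific product's schema, every row is constructed, and `STALE_DAYS` and `AS_OF` are assumed values for the illustration.

```python
"""Reconcile an RMM inventory against an EDR agent export.

Added example, not part of the original article. Column names, rows,
STALE_DAYS and AS_OF are constructed assumptions for the illustration.
"""
import csv
import io
from datetime import date

RMM_CSV = """hostname,os,type
SRV-DC01,Windows Server 2022,server
SRV-FILE02,Windows Server 2012 R2,server
WS-0417,Windows 11,workstation
MAC-DESIGN1,macOS 14,workstation
LNX-WEB01,Ubuntu 22.04,server
"""

EDR_CSV = """hostname,agent_status,last_seen
srv-dc01,healthy,2026-02-27
ws-0417,healthy,2026-02-28
mac-design1,healthy,2026-01-10
contractor-lt,healthy,2026-02-28
"""

STALE_DAYS = 14            # agent must have checked in within this window
AS_OF = date(2026, 3, 1)   # date the evidence pack is generated


def os_family(os_name):
    """Collapse OS strings into the per-OS buckets underwriters ask for."""
    n = os_name.lower()
    if "windows server" in n:
        return "Windows Server"
    if "windows" in n:
        return "Windows"
    if "macos" in n or "mac os" in n:
        return "macOS"
    return "Linux/other"


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(rmm_rows, edr_rows, as_of=AS_OF):
    """Return missing agents, stale/unhealthy agents, devices the EDR sees but
    the inventory does not, coverage by OS family, and overall coverage %."""
    edr = {r["hostname"].lower(): r for r in edr_rows}   # hostnames compared case-insensitively
    report = {"missing": [], "stale": [], "not_in_inventory": [], "by_family": {}}
    covered_total = 0
    for r in rmm_rows:
        fam = report["by_family"].setdefault(os_family(r["os"]), {"total": 0, "covered": 0})
        fam["total"] += 1
        agent = edr.get(r["hostname"].lower())
        if agent is None:
            report["missing"].append((r["hostname"], r["os"]))
            continue
        age = (as_of - date.fromisoformat(agent["last_seen"])).days
        if agent["agent_status"] != "healthy" or age > STALE_DAYS:
            # An installed but silent agent is not coverage
            report["stale"].append((r["hostname"], agent["agent_status"], age))
            continue
        fam["covered"] += 1
        covered_total += 1
    inventory = {r["hostname"].lower() for r in rmm_rows}
    report["not_in_inventory"] = sorted(set(edr) - inventory)
    report["coverage_pct"] = round(100 * covered_total / len(rmm_rows), 1) if rmm_rows else 0.0
    return report


if __name__ == "__main__":
    rep = reconcile(load(RMM_CSV), load(EDR_CSV))
    print(f"Coverage: {rep['coverage_pct']}% of {sum(f['total'] for f in rep['by_family'].values())} devices")
    for fam, c in rep["by_family"].items():
        print(f"  {fam:<15} {c['covered']}/{c['total']}")
    print("Missing agent:", rep["missing"])
    print("Stale/unhealthy:", rep["stale"])
    print("In EDR but not inventory:", rep["not_in_inventory"])
```

On the sample data the headline number is 40 percent, not the 80 percent an agent-install count would suggest, because one server and one Linux host have no agent and the Mac's agent has been silent for 50 days. The `not_in_inventory` list is the contractor laptop the article's red-flag section warns about: it has an agent but is not in the device count you declared.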


MSP Stack Mapping: Where to Pull Your Evidence

Common tools and where MSPs typically source underwriting documentation:

MFA and identity: Microsoft Entra ID Conditional Access reports, Okta or Duo policy exports, RADIUS configuration documentation.

EDR and MDR: Console coverage and policy reports broken out by operating system, MDR provider monthly summary reports.

Backups: Object lock or immutability settings, retention policy documentation, quarterly test restore reports.

Email security: Microsoft Defender or secure email gateway policies, DMARC enforcement reports, impersonation protection configurations.

Vulnerability management: RMM patch compliance dashboards, Nessus or Qualys scan summaries with linked remediation tickets.

Remote access: VPN or ZTNA configuration exports, external attack surface scan proving no open RDP.

Privileged access: Admin group membership exports, password vault audit logs, just-in-time elevation records.

Incident response: Written IR playbook, vendor panel documentation, tabletop after-action reports.

If you are using SeedPod Cyber’s integrations with ConnectWise or N-able, you can request or pre-verify quotes directly from inside your toolset, which significantly reduces the back-and-forth on evidence.


Common Underwriting Red Flags and How to Address Them

Legacy operating systems still in production: Isolate affected devices, document a firm upgrade timeline, and note compensating controls in place in the interim.

Backups accessible over domain credentials: Add immutability or air-gap and implement unique credentials for backup targets. Document a test restore.

No MFA on email or VPN: Prioritize rollout on these two surfaces first. Provide a documented timeline and describe interim controls to the underwriter.

Too many domain administrators: Reduce privileged group memberships and implement just-in-time elevation where possible.

RDP exposed to the internet: Close it now. Route remote access through VPN or ZTNA with MFA. Review the exposed host's authentication logs for prior brute-force activity (bursts of Windows Event ID 4625 failed logons from external addresses) and document remediation.

EDR coverage gaps on contractors, Macs, or Linux systems: Deploy agents and mobile device management to close inventory gaps. Show device count alignment with your policy declarations.


Quick Self-Assessment

Answer yes or no for each item and capture supporting evidence. This mirrors what underwriters will ask.

  • MFA enforced for email, VPN, and all privileged roles
  • EDR deployed on 100 percent of servers and workstations by OS
  • Offline or immutable backups in place with quarterly test restores documented
  • Email security deployed with quarterly phishing simulations conducted
  • Patch SLAs documented with critical vulnerabilities remediated within 15 days
  • No open RDP — all remote access behind MFA-protected VPN or ZTNA
  • Separate admin accounts in use with PAM or vaulting for shared credentials
  • IR plan current and tested via tabletop in the last 12 months
  • Centralized logging and monitoring with 24/7 triage in place
  • Vendor inventory maintained — client cyber insurance required in MSA (MSPs)

Scoring: 9 to 10 is a strong submission. 6 to 8 will likely result in a quote with conditions or sublimits on weaker controls. 5 or below should expect declinations or significant exclusions until controls are remediated.


Frequently Asked Questions

Can I get cyber insurance without MFA in place?

You can apply, but expect a declination or heavy sublimits if email, VPN, and admin account MFA are not enforced. If you are mid-rollout, document your timeline and describe interim controls. Underwriters respond better to a credible remediation plan than to a gap with no explanation.

Does traditional antivirus count as EDR?

No. Underwriters specifically look for behavioral detection, containment and rollback capabilities, and centralized response — the defining characteristics of EDR and XDR platforms, often paired with MDR. Legacy antivirus does not meet this requirement regardless of brand.

What qualifies as an offline or immutable backup?

Object-locked cloud storage, air-gapped physical media, or vaulted storage that prevents modification or deletion for a defined retention period — combined with documented, routine test restores. Cloud sync solutions like OneDrive or Dropbox do not qualify.

How do underwriters actually verify the controls I claim?

Expect follow-up requests for screenshots, policy exports, console reports, or brief calls to walk through configurations. For MSP-managed clients, pre-verified evidence documentation speeds approvals significantly and reduces carrier scrutiny.

Will having strong controls actually lower my premium?

Yes, materially. Controls reduce both the frequency and severity of claims, and underwriters price that directly. Companies with documented, provable security posture routinely see 20 to 40 percent better pricing, fewer sublimits, and broader terms than peers of identical size and revenue with weak or undocumented controls.


Next Steps

SMBs: Run the self-assessment above. If you score below 9, prioritize MFA, EDR, and immutable backups first — those three controls move the needle most with underwriters. For pricing benchmarks based on your security posture, see: How Much Does Cyber Insurance Cost? 2026 Pricing Guide.

MSPs: Incorporate this checklist into your client onboarding process. Add MSA language requiring client cyber insurance and clearly defining security responsibilities. For a full breakdown of MSP-specific coverage, aggregation risk, and what underwriters scrutinize in MSP submissions, see: Cyber Insurance for MSPs: What You Need, What You Pay, and How to Get It Right.

Tech companies: If your business builds or deploys software, your underwriting will also include contract language review and, if applicable, AI governance documentation. See: Cyber Insurance for Tech Companies: Coverage, Cost, and What Underwriters Look For.


Ready to See How Your Controls Stack Up?

SeedPod Cyber underwrites directly with carriers. We assess your actual security posture before binding coverage, which means no denied claim surprises and faster time to quote.

Get a Quote | Learn How We Work With MSPs


This guide is for general information and does not constitute legal or insurance advice. Coverage terms, eligibility, and pricing vary by carrier and risk profile. Consult a licensed insurance professional for guidance specific to your situation.
