Underwriters increasingly expect core controls in place—MFA everywhere, EDR on all endpoints, offline/immutable backups, email security & training, patch/vulnerability SLAs, secured remote access (no exposed RDP), privileged access management, incident response plans/tabletops, centralized logging/monitoring (often MDR), and third‑party risk controls. If you can document these quickly (screenshots, exports, RMM/PSA evidence), you’ll qualify faster, avoid sublimits/exclusions, and often save 20–40% when combined with a strong tech stack.
Who this is for
- SMBs who want to know what insurers actually require in 2025 (without the jargon).
- MSPs/MSSPs looking to map their standard stack to underwriting requirements and speed up quoting.
- Brokers who need a plain‑English, copy/paste‑ready checklist to prep clients.
Why requirements tightened (and why this helps you)
Cyber carriers use real‑world claims data. Controls that consistently prevent or limit loss—MFA, EDR, and good backups—moved from “nice to have” to table stakes. That’s good news: meeting these minimums improves resilience and can unlock better pricing and broader terms.
The Minimum Controls Checklist
Use this as your underwriting prep. Each item includes what, how to show it, and gotchas that can slow or sink a quote.
1) Multi‑Factor Authentication (MFA) everywhere
What: Enforce MFA for email, VPN/remote access, privileged/admin accounts, and critical SaaS (e.g., M365, Google Workspace, finance/HR apps).
Show: Conditional Access/MFA policy screenshots; RADIUS/SAML configs; user MFA enrollment reports.
Gotchas: Break‑glass accounts excluded from MFA; legacy mail protocols (IMAP/POP) still enabled; service accounts with mailbox access.
2) Endpoint Detection & Response (EDR/XDR) on all endpoints
What: Next‑gen endpoint protection with detection/response and 24/7 alerting/containment (in‑house or MDR). Servers and workstations.
Show: RMM/EDR console coverage report (agents installed & healthy); policy screenshots; last 30–90 day alert metrics.
Gotchas: Servers excluded; stale agents; macOS/Linux gaps; “AV only” without behavioral detection.
3) Offline / Immutable Backups with routine testing
What: 3‑2‑1 style backups; at least one copy is offline/immutable (object lock, air‑gap, or vault) with periodic test restores.
Show: Backup topology diagram; immutability policy; last successful job logs; quarterly test‑restore report.
Gotchas: Only cloud sync (not a backup); backup targets accessible over the same credentials/domain; no proof of test restores.
4) Email Security + Phishing & Awareness Training
What: Modern email security (gateway/API‑based) and recurring training/simulations.
Show: Email filter/security policy screenshots; training completion rates; phishing simulation results.
Gotchas: Allow‑listing supplier domains broadly; dormant accounts not disabled; one‑and‑done annual training.
5) Patch & Vulnerability Management with SLAs
What: Documented SLAs (e.g., critical within 7–15 days), recurring vulnerability scans, and proof of remediation.
Show: RMM patch compliance reports; vulnerability scan summaries with trend lines; change tickets/work orders.
Gotchas: Unsupported OS (Server 2012, old firewalls); stalled reboots; devices excluded from scans.
6) Remote Access Hardening (goodbye exposed RDP)
What: No open RDP to the internet; VPN or ZTNA with MFA; geo‑IP or allow‑listing; disable SMBv1; restrict PowerShell.
Show: External attack surface report; firewall rules; VPN/ZTNA configuration; RDP disabled GPO.
Gotchas: Third‑party vendor tunnels; remote tools listening on default ports; shadow IT remote‑control apps.
7) Privileged Access Management (PAM) & Least Privilege
What: Admins use separate admin accounts; local admin rights removed; password vaulting & rotation for shared secrets.
Show: Group policy exports; PAM tool configs; privileged group membership report; vault audit logs.
Gotchas: Too many domain admins; long‑lived service creds; MFA bypass on privileged roles.
8) Incident Response (IR) Plan + Tabletop Exercises
What: A current IR plan with roles, decision trees (e.g., ransomware, BEC), counsel/breach coach contacts, and tested via tabletop 1–2x/yr.
Show: IR playbook PDF; tabletop agenda & after‑action items; call tree; vendor panel list.
Gotchas: No authority to shut down systems; no pre‑negotiated forensics; unclear ransom decision makers.
9) Centralized Logging/Monitoring (SIEM) or MDR
What: Aggregate logs from endpoints, auth, firewalls, and SaaS; alerts triaged 24/7 (internal NOC or MDR).
Show: SIEM/MDR onboarding list; dashboard showing ingest & detections; ticketing integration.
Gotchas: “Alerting only” after hours; critical sources not onboarded (e.g., M365, IdP); retention too short for forensics.
10) Third‑Party/Vendor Risk & Contract Hygiene
What: Track critical vendors, security posture, and incident SLAs. For MSPs: MSA clearly splits responsibilities and requires client cyber insurance.
Show: Vendor inventory with criticality; annual reviews; MSA language; certificate of cyber insurance (COI).
Gotchas: Single points of failure (e.g., one backup vendor); no offboarding; no contractual breach notification timelines.
Evidence pack: how to get to “Yes” faster
Create a single folder called /Underwriting‑Evidence with:
- Policies/Exports: MFA/Conditional Access, EDR policies, backup immutability, patch SLAs.
- Coverage Reports: Agent coverage %, last success jobs, RMM compliance.
- Diagrams: Backup/data‑flow, network/remote access, identity architecture.
- Exercises: IR tabletop agenda, notes, and remediation log.
- Training: Completion & phishing results for the last 12 months.
- Attestations: Short memos on any compensating controls and timelines.
Tip for MSPs: generate these directly from your RMM/EDR/backup consoles and your PSA tickets. Map device counts 1:1 to policy declarations to avoid scrutiny.
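As an added example (not from the original guide or SeedPod's tooling), the following Python script does the 1:1 device mapping described above: it reconciles a constructed RMM inventory export against a constructed EDR console export and reports EDR coverage by OS, devices with missing or stale agents, unsupported OS versions, and whether the declared device count matches inventory. The CSV column names, the 7-day stale-agent threshold and the end-of-life marker list are assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample exports (not real client data): RMM inventory and EDR console.
RMM_CSV = """hostname,os
FS01,Windows Server 2019
DC01,Windows Server 2012 R2
WS-101,Windows 11
WS-102,Windows 11
MAC-01,macOS 14
LNX-01,Ubuntu 22.04
"""
EDR_CSV = """hostname,last_seen
FS01,2025-03-01T09:00:00Z
WS-101,2025-03-01T08:30:00Z
WS-102,2025-01-15T10:00:00Z
MAC-01,2025-02-28T12:00:00Z
"""
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible
EOL_MARKERS = ("server 2012", "server 2008")  # assumed list; extend from vendor lifecycle pages

def os_family(os_name):
    """Bucket an OS string the way EDR coverage is usually reported (by OS)."""
    n = os_name.lower()
    if "windows" in n:
        return "windows-server" if "server" in n else "windows-workstation"
    return "macos" if "macos" in n else "linux"

def reconcile(rmm_csv, edr_csv, declared_count, now=NOW, stale_days=7):
    """Compare RMM inventory to EDR agents; return coverage by OS plus the gap lists underwriters ask about."""
    rmm = list(csv.DictReader(io.StringIO(rmm_csv)))
    edr = {r["hostname"]: datetime.fromisoformat(r["last_seen"].replace("Z", "+00:00"))
           for r in csv.DictReader(io.StringIO(edr_csv))}
    cutoff = now - timedelta(days=stale_days)          # agent not seen since this date counts as stale
    by_os = defaultdict(lambda: [0, 0])                # per OS family: [devices, healthy agents]
    gaps = {"missing_agent": [], "stale_agent": [], "unsupported_os": []}
    for dev in rmm:
        fam, host = os_family(dev["os"]), dev["hostname"]
        by_os[fam][0] += 1
        if any(m in dev["os"].lower() for m in EOL_MARKERS):
            gaps["unsupported_os"].append(host)
        seen = edr.get(host)
        if seen is None:
            gaps["missing_agent"].append(host)       # in RMM but no EDR agent at all
        elif seen < cutoff:
            gaps["stale_agent"].append(host)         # agent installed but not checking in
        else:
            by_os[fam][1] += 1
    gaps["coverage_pct"] = {fam: round(100 * h / t, 1) for fam, (t, h) in by_os.items()}
    gaps["declared_matches_inventory"] = declared_count == len(rmm)
    return gaps
```

Run `reconcile(RMM_CSV, EDR_CSV, declared_count=6)` to get the coverage dictionary; in practice, replace the two constants with the CSV text exported from your RMM and EDR consoles.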
MSP playbook: mapping your stack to underwriting
Below are common tools/features underwriters look for and where MSPs can typically pull proof. (Examples—use equivalents as needed.)
- MFA & Identity: M365 (Entra ID) Conditional Access reports; Okta/DUO policy exports.
- EDR/MDR: Console coverage & policy reports (by OS); MDR monthly summary.
- Backups: Immutability settings (Object Lock, retention); quarterly test restores.
- Email Security: M365 Defender/Secure Email Gateway policies; impersonation & DMARC reports.
- Vuln Mgmt: RMM patch compliance; Nessus/Qualys summaries with remediation tickets.
- Remote Access: VPN/ZTNA configs; external surface scan proving no open RDP.
- PAM: Admin group membership exports; password vault audit reports.
- IR: Playbooks, vendor panel, tabletop after‑action items.
SeedPod note: If you’re using our integrations, you can request or pre‑verify quotes from inside your toolset and reduce back‑and‑forth on evidence. (See: Quote Cyber & Tech E&O Right Inside ConnectWise/N‑able.)
Common underwriting red flags (and quick fixes)
- Legacy OS or devices still in production → Isolate, upgrade, or move behind VDI; document compensating controls.
- Backups accessible over the domain → Add immutability/air‑gap and unique credentials; test restores.
- No MFA on email or VPN → Prioritize rollout here; provide timeline and interim controls.
- Too many admins → Reduce memberships; implement just‑in‑time elevation.
- RDP exposed → Close now; route via VPN/ZTNA; monitor for brute‑force artifacts.
- Gaps in coverage (contractors, Macs, Linux) → Deploy EDR agents and MDM; show inventory alignment.
Quick self‑assessment (copy/paste)
Answer “Yes/No” and capture proof.
- MFA enforced for email, VPN/ZTNA, and all privileged roles
- EDR on 100% of servers/workstations (by OS)
- Offline/immutable backups + quarterly test restores
- Email security + quarterly phishing simulations
- Patch SLAs: Critical within ≤15 days; scan → remediate loop
- No open RDP; remote access behind MFA; geo/allow‑listing
- Separate admin accounts; PAM/vaulting for shared creds
- IR plan current; tabletop in last 12 months
- Centralized logging/monitoring with 24/7 triage (SIEM/MDR)
- Vendor list maintained; cyber insurance required in MSA (for MSPs)
Score: 9–10 = strong; 6–8 = quote likely with conditions; ≤5 = expect sublimits, exclusions, or declination until controls are remediated.
FAQs
Can I get insured without MFA?
Expect a declination or heavy sublimits if email/VPN/admin MFA isn’t in place. If you’re mid‑rollout, document timelines and interim controls.
Does traditional AV count as EDR?
No. Underwriters look for behavioral detection, containment/rollback, and centralized response—i.e., EDR/XDR, often with MDR.
What qualifies as “offline/immutable” backup?
Object‑locked cloud storage, air‑gapped media, or vaulting that prevents modification/deletion for a set retention period—plus routine test restores.
How do underwriters verify any of this?
Expect follow‑ups: screenshots, exports, policy docs, or short calls. For MSP‑managed clients, pre‑verified evidence speeds approvals.
Will this lower my premium?
Controls reduce both frequency and severity of claims. Many insureds see materially better pricing/retentions and fewer sublimits when they can prove strong posture.
Next steps
- SMBs: Run the self‑assessment. If you score <9, prioritize MFA, EDR, and immutable backups first.
- MSPs: Bundle this checklist into onboarding. Add language in your MSA that requires client cyber insurance and defines responsibilities.
- Everyone: When ready, request a quote. If you’re an MSP, you can start right from your toolset and pre‑verify controls to accelerate terms.
Ready to check your eligibility? Contact us about our Cyber & Tech E&O programs and integrations, or request a quote today.
This guide is for general information and not legal advice. Coverage eligibility and terms vary by carrier and risk profile.