By Ryan Windt | Head of Growth Marketing | Updated May 2026
If you are about to apply for cyber insurance or renew an existing policy, the single biggest thing that determines your outcome is not your revenue or your industry. It is whether you can document the security controls underwriters now treat as non-negotiable.
In 2026, self-attestation is no longer enough. Carriers want screenshots, exports from your RMM or PSA, and evidence of tested controls, not just a checked box. This cyber insurance requirements checklist covers the 10 controls underwriters scrutinize most closely, what evidence they want to see for each, and the specific gotchas that most commonly delay or sink a quote. Companies that can produce this documentation qualify faster, avoid sublimits and exclusions, and routinely save 20 to 40 percent on premiums compared to peers who cannot.
Who This Is For
This guide is written for three audiences:
- SMBs who want to know what insurers actually require in 2026 without the jargon.
- MSPs and MSSPs looking to map their standard stack to underwriting requirements and speed up client quoting.
- Brokers who need a plain-English checklist to prep submissions and reduce back-and-forth with carriers.
Why Cyber Insurance Requirements Tightened, and Why That Is Good News
Cyber carriers price based on real-world claims data. The controls that consistently prevent or limit loss, including MFA, EDR, and properly structured backups, moved from nice-to-have to table stakes because the data proved they work.
That is good news for well-prepared businesses. Meeting these minimums does not just get you insured. It improves your actual resilience, reduces your likelihood of a claim, and gives you meaningful pricing leverage at renewal. The companies getting the best terms in 2026 are the ones who can show their work. For a full breakdown of how controls affect what you pay, see our cyber insurance cost guide.
The 10 Minimum Controls Underwriters Require
1. Multi-Factor Authentication (MFA) Everywhere
What underwriters want: MFA enforced for email, VPN and remote access, all privileged and admin accounts, and critical SaaS platforms including Microsoft 365, Google Workspace, and finance or HR applications.
How to show it: Conditional Access or MFA policy screenshots, RADIUS or SAML configuration exports, user MFA enrollment reports.
Common gotchas: Break-glass accounts excluded from MFA, legacy mail protocols like IMAP and POP still enabled, service accounts with mailbox access that bypass MFA requirements.
For a detailed breakdown of what carriers specifically look for in MFA deployment, see our MFA implementation guide for cyber insurance.
2. Endpoint Detection and Response (EDR) on All Endpoints
What underwriters want: Next-generation endpoint protection with behavioral detection, response and containment capabilities, and 24/7 alerting, either in-house or through a managed detection and response (MDR) provider. Coverage must include both servers and workstations.
How to show it: RMM or EDR console coverage report showing agents installed and healthy across all devices, policy screenshots, alert metrics from the last 30 to 90 days.
Common gotchas: Servers excluded from coverage, stale or unhealthy agents, macOS or Linux gaps, legacy antivirus solutions without behavioral detection being submitted as EDR.
For more on what qualifies as EDR and how carriers evaluate it, see our post on EDR and cyber insurance.
3. Offline and Immutable Backups with Tested Restores
What underwriters want: A 3-2-1 style backup architecture where at least one copy is offline or immutable, using object lock, air-gap, or vaulted storage, with documented, periodic test restores. Having backup jobs running is not sufficient. Proof of successful restores is required.
How to show it: Backup topology diagram, immutability policy documentation, last successful job logs, quarterly test restore report.
Common gotchas: Cloud sync solutions submitted as backups, backup targets accessible over the same domain credentials as production systems, no evidence of test restores on file.
For a full breakdown of what qualifies and how to document your backup posture, see our guide on immutable backups and cyber insurance.
4. Email Security and Phishing Awareness Training
What underwriters want: Modern email security via gateway or API-based filtering, combined with recurring security awareness training and phishing simulations. Annual one-time training is no longer sufficient.
How to show it: Email security policy screenshots, training completion rates, phishing simulation results from the last 12 months.
Common gotchas: Broadly allow-listed supplier domains creating bypass routes, dormant accounts not disabled, training conducted once per year with no simulations.
For more on what carriers evaluate in email security, see our post on email security controls and cyber insurance.
5. Patch and Vulnerability Management with Documented SLAs
What underwriters want: Documented patching SLAs, typically critical vulnerabilities within 7 to 15 days, recurring vulnerability scans, and documented proof of remediation.
How to show it: RMM patch compliance reports, vulnerability scan summaries with trend lines, change tickets or work orders showing remediation.
Common gotchas: Unsupported operating systems still in production such as Windows Server 2012, stalled reboots leaving patches unapplied, devices excluded from vulnerability scans.
6. Remote Access Hardening
What underwriters want: No open RDP exposed to the internet. All remote access routed through VPN or zero trust network access (ZTNA) with MFA enforced. Geo-IP or allow-listing in place. SMBv1 disabled, PowerShell restricted where appropriate.
How to show it: External attack surface scan report, firewall rule exports, VPN or ZTNA configuration documentation, Group Policy Object showing RDP disabled.
Common gotchas: Third-party vendor tunnels creating unmonitored access paths, remote tools listening on default ports, shadow IT remote control applications not captured in the inventory.
For more on how RMM hardening affects your coverage and premiums, see our post on MSP RMM hardening and cyber insurance.
7. Privileged Access Management and Least Privilege
What underwriters want: Administrators using separate privileged accounts for admin tasks, local admin rights removed from standard users, password vaulting and rotation for shared credentials and service accounts.
How to show it: Group Policy exports, PAM tool configuration documentation, privileged group membership reports, vault audit logs.
Common gotchas: Excessive domain admin accounts, long-lived service credentials that have never been rotated, MFA bypass configurations on privileged roles.
For more on how PAM affects your underwriting, see our post on privileged access management and cyber insurance.
8. Incident Response Plan with Tabletop Testing
What underwriters want: A current, written incident response plan with defined roles, decision trees for common scenarios like ransomware and BEC, pre-identified legal counsel and breach coach contacts, and evidence of tabletop testing at least once in the last 12 months.
How to show it: IR playbook document, tabletop exercise agenda and after-action report, call tree, vendor panel list with pre-negotiated forensics contacts.
Common gotchas: No defined authority to isolate or shut down systems, no pre-negotiated forensics vendor, unclear decision-making authority around ransom payments.
If you do not have a plan in place, our incident response plan template for SMBs and MSPs provides a starting point.
9. Centralized Logging, Monitoring, and 24/7 Triage
What underwriters want: Aggregated log collection from endpoints, authentication systems, firewalls, and SaaS platforms, with alerts triaged around the clock, either by an internal security operations center or an MDR provider.
How to show it: SIEM or MDR onboarding list showing covered sources, dashboard screenshot showing ingest volume and active detections, ticketing system integration evidence.
Common gotchas: Alerting only during business hours, critical log sources like Microsoft 365 or identity providers not onboarded, log retention periods too short to support forensic investigation.
10. Third-Party and Vendor Risk Controls
What underwriters want: A maintained inventory of critical vendors with documented security posture reviews and incident notification SLAs. For MSPs specifically, MSA language that clearly splits security responsibilities between the MSP and client, and a requirement for clients to carry their own cyber insurance.
How to show it: Vendor inventory with criticality ratings, annual review documentation, MSA language defining responsibilities, client certificates of insurance.
Common gotchas: Single points of failure in the vendor stack with no documented contingency, no formal offboarding process, no contractual breach notification timelines with vendors.
For more on how vendor risk factors into your underwriting, see our post on what underwriters look for in a cyber insurance application.
Building Your Evidence Pack
The fastest way to move through underwriting is to have your documentation organized before the application goes out. Create a folder called Underwriting Evidence and populate it with the following:
Policies and exports: MFA and Conditional Access policies, EDR configurations, backup immutability settings, patch management SLAs.
Coverage reports: EDR agent coverage by device and OS, last successful backup job logs, RMM patch compliance summaries.
Architecture diagrams: Backup and data flow diagram, network and remote access topology, identity architecture overview.
Testing documentation: IR tabletop exercise agenda, after-action notes, and remediation log.
Training records: Security awareness training completion rates and phishing simulation results for the last 12 months.
Compensating control memos: Short written attestations for any areas where a compensating control is in place instead of the standard requirement, with a remediation timeline.
For MSPs: generate coverage reports directly from your RMM, EDR, and backup consoles and map device counts one-to-one with your policy declarations. Discrepancies between what your application states and what your toolset shows are one of the most common sources of underwriting delay.
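The reconciliation step above, as an added example that is not part of this guide or any vendor's tooling: it assumes the RMM inventory and EDR console each export a CSV keyed on a hostname column (column names vary by product, so treat them as assumptions), reports coverage by OS family, and flags the gaps underwriters ask about (missing, unhealthy or stale agents, and unsupported operating systems). The sample exports are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (not real data): an RMM inventory and an EDR coverage report.
RMM_CSV = """hostname,os,role
DC01,Windows Server 2019,server
FS01,Windows Server 2012,server
WS-101,Windows 11,workstation
WS-102,Windows 11,workstation
MAC-01,macOS 14,workstation
LNX-01,Ubuntu 22.04,server
"""
EDR_CSV = """hostname,agent_status,last_seen
DC01,healthy,2026-05-01
WS-101,healthy,2026-05-01
WS-102,healthy,2026-03-20
MAC-01,unhealthy,2026-05-01
"""
UNSUPPORTED_OS = ("Windows Server 2012",)  # end-of-life platforms named in the checklist

def os_family(os_name):
    n = os_name.lower()
    return "windows" if "windows" in n else "macos" if "macos" in n else "linux"

def reconcile(rmm_csv, edr_csv, as_of, stale_days=7):
    """Return ({family: (covered, total)}, findings) for an ISO as_of date string."""
    today = date.fromisoformat(as_of)
    agents = {r["hostname"]: r for r in csv.DictReader(io.StringIO(edr_csv))}
    coverage, findings = {}, []
    for dev in csv.DictReader(io.StringIO(rmm_csv)):
        host, fam = dev["hostname"], os_family(dev["os"])
        covered, total = coverage.get(fam, (0, 0))
        agent = agents.get(host)
        if dev["os"] in UNSUPPORTED_OS:
            findings.append(f"{host}: unsupported OS {dev['os']} still in production")
        if agent is None:
            findings.append(f"{host}: no EDR agent ({dev['role']}, {fam})")
        elif agent["agent_status"] != "healthy":
            findings.append(f"{host}: EDR agent {agent['agent_status']}")
        elif today - date.fromisoformat(agent["last_seen"]) > timedelta(days=stale_days):
            findings.append(f"{host}: EDR agent stale, last seen {agent['last_seen']}")
        else:
            covered += 1  # healthy and recently seen: counts toward coverage
        coverage[fam] = (covered, total + 1)
    return coverage, findings

def coverage_pct(coverage):
    # Percent of inventoried devices with a healthy, current agent, per OS family
    return {fam: round(100 * c / t) for fam, (c, t) in coverage.items()}
```

Run reconcile(RMM_CSV, EDR_CSV, "2026-05-02") and attach both the percentages and the findings list to the evidence pack; the device totals per family should match the counts on the policy declarations.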
MSP Stack Mapping: Where to Pull Your Evidence
Common tools and where MSPs typically source underwriting documentation:
MFA and identity: Microsoft Entra ID Conditional Access reports, Okta or Duo policy exports, RADIUS configuration documentation.
EDR and MDR: Console coverage and policy reports broken out by operating system, MDR provider monthly summary reports.
Backups: Object lock or immutability settings, retention policy documentation, quarterly test restore reports.
Email security: Microsoft Defender or secure email gateway policies, DMARC enforcement reports, impersonation protection configurations.
Vulnerability management: RMM patch compliance dashboards, Nessus or Qualys scan summaries with linked remediation tickets.
Remote access: VPN or ZTNA configuration exports, external attack surface scan proving no open RDP.
Privileged access: Admin group membership exports, password vault audit logs, just-in-time elevation records.
Incident response: Written IR playbook, vendor panel documentation, tabletop after-action reports.
Common Underwriting Red Flags and How to Address Them
Legacy operating systems still in production: Isolate affected devices, document a firm upgrade timeline, and note compensating controls in place in the interim.
Backups accessible over domain credentials: Add immutability or air-gap and implement unique credentials for backup targets. Document a test restore.
No MFA on email or VPN: Prioritize rollout on these two surfaces first. Provide a documented timeline and describe interim controls to the underwriter.
Too many domain administrators: Reduce privileged group memberships and implement just-in-time elevation where possible.
RDP exposed to the internet: Close it now. Route remote access through VPN or ZTNA with MFA. Scan for brute-force artifacts and document remediation.
EDR coverage gaps on contractors, Macs, or Linux systems: Deploy agents and mobile device management to close inventory gaps. Show device count alignment with your policy declarations.
Quick Self-Assessment
Answer yes or no for each item and capture supporting evidence. This mirrors what underwriters will ask.
- MFA enforced for email, VPN, and all privileged roles
- EDR deployed on 100 percent of servers and workstations by OS
- Offline or immutable backups in place with quarterly test restores documented
- Email security deployed with quarterly phishing simulations conducted
- Patch SLAs documented with critical vulnerabilities remediated within 15 days
- No open RDP: all remote access behind MFA-protected VPN or ZTNA
- Separate admin accounts in use with PAM or vaulting for shared credentials
- IR plan current and tested via tabletop in the last 12 months
- Centralized logging and monitoring with 24/7 triage in place
- Vendor inventory maintained, with client cyber insurance required in MSA (MSPs)
Scoring: 9 to 10 is a strong submission. 6 to 8 will likely result in a quote with conditions or sublimits on weaker controls. Businesses scoring 5 or below should expect declinations or significant exclusions until controls are remediated.
Frequently Asked Questions
Can I get cyber insurance without MFA in place?
You can apply, but expect a declination or heavy sublimits if email, VPN, and admin account MFA are not enforced. If you are mid-rollout, document your timeline and describe interim controls. Underwriters respond better to a credible remediation plan than to a gap with no explanation.
Does traditional antivirus count as EDR?
No. Underwriters specifically look for behavioral detection, containment and rollback capabilities, and centralized response, the defining characteristics of EDR and XDR platforms, often paired with MDR. Legacy antivirus does not meet this requirement regardless of brand.
What qualifies as an offline or immutable backup?
Object-locked cloud storage, air-gapped physical media, or vaulted storage that prevents modification or deletion for a defined retention period, combined with documented, routine test restores. Cloud sync solutions like OneDrive or Dropbox do not qualify.
How do underwriters actually verify the controls I claim?
Expect follow-up requests for screenshots, policy exports, console reports, or brief calls to walk through configurations. For MSP-managed clients, pre-verified evidence documentation speeds approvals significantly and reduces carrier scrutiny. For more on how the verification process works, see our post on what underwriters look for in a cyber insurance application.
Will having strong controls actually lower my premium?
Yes, materially. Controls reduce both the frequency and severity of claims, and underwriters price that directly. Companies with documented, provable security posture routinely see 20 to 40 percent better pricing, fewer sublimits, and broader terms than peers of identical size and revenue with weak or undocumented controls.
What is a cyber insurance checklist used for?
A cyber insurance checklist is the set of security controls and documentation standards that carriers use to evaluate your application. Underwriters use it to assess the probability and potential severity of a claim. Buyers use it to prepare their evidence pack before applying and to identify gaps that need to be addressed before renewal. The 10 controls above represent the current minimum standard for most carriers in 2026.
Next Steps
SMBs: Run the self-assessment above. If you score below 9, prioritize MFA, EDR, and immutable backups first. Those three controls move the needle most with underwriters. For pricing benchmarks based on your security posture, see our cyber insurance cost guide.
MSPs: Incorporate this checklist into your client onboarding process. Add MSA language requiring client cyber insurance and clearly defining security responsibilities. For a full breakdown of MSP-specific coverage, aggregation risk, and what underwriters scrutinize in MSP submissions, see Cyber Insurance for MSPs: What You Need, What You Pay, and How to Get It Right.
Tech companies: If your business builds or deploys software, your underwriting will also include contract language review and, if applicable, AI governance documentation. See our post on cyber insurance for tech companies.
Ready to See How Your Controls Stack Up?
SeedPod Cyber underwrites directly with carriers. We assess your actual security posture before binding coverage, which means no denied claim surprises and faster time to quote.
Get a quote or learn how we work with MSPs.
This guide is for general information and does not constitute legal or insurance advice. Coverage terms, eligibility, and pricing vary by carrier and risk profile. Consult a licensed insurance professional for guidance specific to your situation.