EDR and Cyber Insurance: What Underwriters Require, What They Actually Verify, and How to Document It

By Ryan Windt | Head of Growth Marketing | Updated April 2026

If you have filled out a cyber insurance application in the last two years, you have seen the EDR question. It shows up in different forms depending on the carrier, but the intent is always the same: do you have endpoint detection and response deployed, where is it deployed, who is monitoring it, and can you prove it.

Most businesses answer yes and move on. Many of those answers do not hold up when the carrier asks a follow-up question, runs an external scan, or reviews a claim.

EDR is now a top-two underwriting requirement alongside MFA. Carriers are not just asking whether you have it. They are asking whether it is deployed everywhere it needs to be, whether it is actively monitored, and whether you can document it. The gap between “we have endpoint protection” and what underwriters actually require is where a lot of businesses find out they have a problem.

This post covers what EDR means in underwriting terms, how carriers evaluate it, what the documentation requirements look like in practice, and what to do if your current deployment does not meet the standard.


Why EDR Became a Core Underwriting Requirement

Ransomware is the primary loss driver in cyber insurance. Verizon’s 2025 Data Breach Investigations Report found ransomware involved in roughly 44 percent of breaches. The claims data tells the same story: ransomware and business interruption now account for the majority of paid cyber losses by dollar value.

EDR became a carrier requirement because it directly addresses how ransomware spreads. Traditional antivirus software detects known malware based on signatures. EDR monitors endpoint behavior continuously, looking for suspicious activity patterns regardless of whether the specific threat has been seen before. When it detects something, it can isolate the affected endpoint automatically, stopping lateral movement before it reaches backup systems, other workstations, or servers.

From an underwriting perspective, the math is straightforward. Organizations with EDR properly deployed and monitored have meaningfully shorter detection and containment windows than those without it. Shorter containment windows mean smaller claims. Smaller claims mean better loss ratios. Better loss ratios mean lower premiums and continued availability of coverage.

Carriers began requiring EDR not as a philosophical commitment to security but because the claims data showed it worked. That is why it is now a hard requirement at most carriers rather than a recommended practice.


What Underwriters Mean When They Ask About EDR

The question on most carrier applications looks simple: “Do you have endpoint detection and response (EDR) deployed on all endpoints?”

But underwriters are not just checking a box. When that question triggers a follow-up or when a submission goes to a more experienced underwriter, the conversation gets specific fast. Here is what they are actually evaluating.

Coverage percentage. “All endpoints” means all endpoints. Underwriters want to see EDR deployed on servers and workstations, on remote and hybrid workers’ devices, and on any endpoint with access to sensitive data or network resources. Partial deployment raises immediate questions. If 80 percent of endpoints are covered, the 20 percent that are not covered are the ones an attacker will find first.

Monitoring. EDR that is deployed but not actively monitored provides limited protection. A detection that sits in a dashboard for 72 hours before anyone reviews it is not a functional control from a claims standpoint. Carriers distinguish between organizations that have EDR installed and organizations that have EDR with active monitoring, either through an internal SOC or a managed detection and response provider. The latter gets better terms.

Response capability. Detection without response is half a control. Carriers want evidence that when EDR fires an alert, someone acts on it within a defined timeframe. For organizations using MDR services, this is documented in service level agreements. For organizations managing EDR internally, underwriters may ask about staffing, escalation procedures, and after-hours coverage.

Version and configuration. Legacy or unpatched EDR deployments are a flag. Carriers understand that EDR tools require maintenance and that the effectiveness of the tool depends on keeping it current. An EDR solution running on an outdated agent version with default configuration is not the same control as one that is actively managed.


EDR vs. Traditional Antivirus: Why the Distinction Matters for Coverage

Many businesses assume their existing endpoint protection satisfies the EDR requirement. In some cases it does. In many cases it does not, and the difference matters at claim time.

Traditional antivirus operates on a signature model. It compares files against a database of known threats and blocks matches. It is effective against known malware and relatively inexpensive to operate. It is not effective against novel ransomware variants, fileless attacks, or living-off-the-land techniques where attackers use legitimate system tools to execute malicious actions.

EDR operates on a behavioral model. It monitors what processes are running, what files they are accessing, what network connections they are making, and whether those behaviors look suspicious in context. When it identifies a threat, it can respond automatically: isolating the endpoint, terminating the process, rolling back changes.

Underwriters understand this distinction and apply it in their questionnaires. Most carrier applications now specifically ask whether you use EDR or next-generation endpoint protection rather than traditional antivirus. Some applications list specific qualifying platforms. Others ask follow-up questions that reveal whether what you have is functioning as a true EDR solution.

If your current endpoint protection is traditional antivirus only, that is a material gap in most modern cyber insurance submissions. It does not automatically result in declination but it will affect your terms, your pricing, and potentially the scope of coverage available to you.


MDR vs. Standalone EDR: How Carriers Treat the Difference

Managed detection and response is EDR plus ongoing human monitoring, typically provided by a third-party security operations center. Most carriers treat MDR-backed deployments differently from standalone EDR, and the difference shows up in pricing and eligibility.

The reason is the monitoring gap. A business that has EDR deployed but relies on its internal IT team to review alerts is subject to response delays, coverage gaps outside business hours, and the capacity constraints of a team that has other responsibilities. A business using an MDR provider has 24/7 coverage, defined response SLAs, and documented escalation procedures.

From a claims standpoint, the data supports the distinction. Organizations with MDR have shorter dwell times and smaller claim severities than those monitoring their own EDR tools without dedicated security operations support. Carriers price and structure coverage accordingly.

This does not mean standalone EDR is uninsurable. For smaller organizations, standalone EDR with good internal processes and documentation is sufficient for most carrier requirements. But if you are in a higher-risk category, either because of your industry, your revenue, or your prior claims history, MDR becomes more important for accessing competitive terms.

For MSPs specifically, the expectation is higher. Because MSPs carry aggregation risk across their client base, underwriters evaluating MSP submissions want to see MDR-level monitoring on MSP infrastructure and ideally on client environments as well. See our guide to cyber insurance for MSPs for a full breakdown of MSP-specific requirements.


What Documentation Underwriters Are Asking For

The era of answering “yes” on a cyber insurance application and moving on is over. Carriers are asking for evidence, and they are being specific about what that evidence needs to show. Here is what the documentation requirements for EDR look like in practice.

Endpoint coverage report. Most EDR platforms can generate a report showing how many endpoints are enrolled, what percentage of in-scope devices are covered, and whether any devices are out of compliance with the agent deployment. This is the primary document carriers want to see. It should show coverage at or near 100 percent of in-scope endpoints. Gaps need a documented explanation: devices in the process of being onboarded, devices that will be decommissioned, or compensating controls in place for devices that cannot run the standard agent.

Agent health report. Coverage percentage is not the same as operational health. Carriers want to see that enrolled endpoints are running current agent versions, that agents are communicating with the management console, and that there are no devices where the agent has been disabled or is not reporting. Most platforms surface this in a health dashboard that can be exported.

Alert response records. For organizations managing EDR internally, documentation of how alerts are reviewed and responded to is increasingly requested. This does not need to be elaborate: a process document describing how alerts are triaged, who is responsible for review, and what the escalation path looks like is sufficient for most applications. Evidence of past alert reviews, even in aggregate form, strengthens the submission.

MDR service agreement. For organizations using an MDR provider, the service agreement or a summary of its key terms is often requested. Underwriters want to see defined response SLAs, 24/7 coverage confirmation, and clarity on what the MDR provider does versus what the client is responsible for.

Tabletop or incident response test results. Not all carriers request this specifically for EDR, but those that do are looking for evidence that your EDR detection and response process has been tested. A tabletop exercise that includes an endpoint compromise scenario and walks through how EDR would detect and respond is sufficient for most requirements. See our guide on building an incident response plan for how to structure this.


How EDR Gaps Affect Your Policy

The consequences of EDR gaps depend on where the gap is and when it is discovered.

At application. Missing EDR or inadequate deployment discovered during the underwriting review will typically result in one of three outcomes: declination, a higher premium with a requirement to remediate before binding, or coverage with an exclusion that limits or eliminates coverage for endpoint-originated incidents. The specific outcome depends on the carrier, the rest of the application, and the size of the gap.

At renewal. If EDR was in place at the prior application but the carrier’s external scan or a follow-up questionnaire reveals degraded coverage, the renewal will flag it. This can result in a coverage condition requiring remediation within a defined timeframe, a premium increase, or non-renewal.

At claim time. This is the highest-stakes scenario. If a ransomware event occurs and the forensic investigation reveals that EDR was not deployed on the affected endpoint, or that alerts fired but were not acted on, the carrier will review whether the coverage representations on the application were accurate. If the application stated EDR was deployed on all endpoints and that turns out not to be true, the carrier has grounds to contest coverage. Courts have upheld carrier decisions to rescind policies where security controls claimed on the application were not actually in place. Apply accurately, then document.


Practical Steps to Meet the Standard

If your current EDR posture does not fully satisfy what carriers are looking for, here is how to close the gap efficiently.

Audit your current deployment. Pull an inventory of all in-scope endpoints and compare it against your EDR management console enrollment list. Identify devices that are not enrolled, devices where the agent is unhealthy, and devices running outdated agent versions. This audit is also the starting point for the documentation your underwriter will want to see.

Prioritize servers first. If you have to phase a rollout, servers are the priority. Servers are the high-value targets in a ransomware event: they hold data, they often have backup software running, and they are the systems whose compromise causes the most business interruption. A workstation getting encrypted is a problem. A server getting encrypted while the backup software is disabled is a catastrophe.

Evaluate your monitoring model. If you are relying on an internal IT team to monitor EDR alerts without dedicated security operations support, assess whether that coverage is realistic given the team’s capacity and hours. If it is not, the business case for MDR is straightforward: the premium savings from better coverage terms will often offset a meaningful portion of the MDR service cost.

Document everything before you apply. The goal is to be able to answer every carrier question with a document rather than an attestation: a coverage report, an agent health export, response process documentation, and the MDR agreement if applicable. Having these ready before you submit shortens the underwriting cycle and reduces the probability of follow-up questions that delay binding.

Coordinate with your MSP. If you use a managed service provider, they should be able to generate most of this documentation directly from their tools. They should also be able to speak to your coverage posture if the carrier wants to verify directly. An MSP that cannot produce an endpoint coverage report or explain your EDR monitoring model is a signal worth addressing before your renewal.
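As an added example (not from this post, and not any EDR vendor's tooling), the audit-and-document steps above carried out in Python: it reconciles a constructed asset inventory against a constructed EDR console export, reports enrollment coverage separately from agent health, sorts every remediation list servers first, and splits out-of-scope devices into documented and undocumented exceptions. The CSV columns, hostnames, agent version strings and the seven-day reporting threshold are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
# Constructed sample exports; hostnames, columns and versions are assumptions.
INVENTORY_CSV = """hostname,role,in_scope,exception_reason
srv-file01,server,yes,
srv-backup01,server,yes,
ws-alice,workstation,yes,
ws-bob,workstation,yes,
lab-old01,workstation,yes,
plc-line3,ics,no,vendor appliance: segmented VLAN plus perimeter monitoring
kiosk-lobby,workstation,no,
"""
EDR_CSV = """hostname,agent_version,last_seen
srv-file01,7.2.1,2026-04-10T08:00:00Z
ws-alice,7.2.1,2026-04-10T07:55:00Z
ws-bob,7.0.3,2026-04-10T07:50:00Z
lab-old01,7.2.1,2026-03-20T12:00:00Z
"""
CURRENT_AGENT = "7.2.1"
STALE_AFTER = timedelta(days=7)
AS_OF = datetime(2026, 4, 10, 9, 0, tzinfo=timezone.utc)  # fixed so the run is reproducible
ROLE_PRIORITY = {"server": 0, "workstation": 1}  # servers first, per the rollout guidance

def audit(inventory_csv, edr_csv, as_of=AS_OF):
    inventory = list(csv.DictReader(io.StringIO(inventory_csv)))
    agents = {r["hostname"]: r for r in csv.DictReader(io.StringIO(edr_csv))}
    out = {k: [] for k in ("not_enrolled", "not_reporting", "outdated_agent", "documented_exceptions", "undocumented_exceptions")}
    in_scope = enrolled = healthy = 0
    for row in inventory:
        host = row["hostname"]
        if row["in_scope"] != "yes":
            # Out-of-scope devices need a written reason and a compensating control.
            has_reason = bool(row["exception_reason"].strip())
            out["documented_exceptions" if has_reason else "undocumented_exceptions"].append(host)
            continue
        in_scope += 1
        agent = agents.get(host)
        if agent is None:
            out["not_enrolled"].append(host)
            continue
        enrolled += 1  # counts toward coverage even if the agent is unhealthy
        last_seen = datetime.fromisoformat(agent["last_seen"].replace("Z", "+00:00"))
        if as_of - last_seen > STALE_AFTER:
            out["not_reporting"].append(host)  # enrolled but silent: a health gap
        elif agent["agent_version"] != CURRENT_AGENT:
            out["outdated_agent"].append(host)
        else:
            healthy += 1
    roles = {r["hostname"]: r["role"] for r in inventory}
    for lst in out.values():
        lst.sort(key=lambda h: (ROLE_PRIORITY.get(roles[h], 9), h))
    out["coverage_pct"] = round(100 * enrolled / in_scope, 1) if in_scope else 0.0
    out["healthy_pct"] = round(100 * healthy / in_scope, 1) if in_scope else 0.0
    return out
```

On the sample data this reports 80 percent enrollment but only 40 percent healthy coverage, with the unenrolled backup server at the top of the remediation list.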


How EDR Connects to the Broader Controls Picture

EDR does not stand alone. Carriers evaluate it as part of a full controls picture, and how much it reduces your risk (and your premium) depends on how it works alongside the other controls underwriters require.

MFA limits the credential theft that gives attackers their initial foothold. EDR detects what they do after they get in. Immutable backups determine whether you can recover without paying a ransom. An incident response plan governs how fast and how effectively you contain the damage. Each control addresses a different phase of an attack, and gaps in any of them affect the value of the others.

This is why the controls checklist exists as a set rather than a menu. An organization with perfect EDR coverage but no MFA on remote access is still highly exposed to the most common ransomware entry point. An organization with MFA and EDR but no tested backups can still be forced into paying a ransom because recovery is not viable.

For a complete picture of what underwriters require across all controls, see our Cyber Insurance Requirements Checklist for SMBs and MSPs. For the specific documentation requirements around backups, see our guide on immutable backups and cyber insurance. For MFA, see our MFA implementation guide.


Frequently Asked Questions

Does traditional antivirus satisfy the EDR requirement?

For most carriers, no. Modern cyber insurance underwriting specifically asks about endpoint detection and response, not endpoint protection in general. If your current solution is signature-based antivirus without behavioral detection and response capabilities, it will not satisfy the EDR line item on most carrier questionnaires. Some carriers will accept next-generation antivirus with behavioral detection as an equivalent, but you should confirm this with your broker before applying.

What if some endpoints cannot run EDR?

Legacy systems, industrial control systems, and some specialized hardware may not support standard EDR agents. Carriers understand this and are not expecting 100 percent coverage of every device on a network. What they want to see is a documented inventory of devices that cannot run EDR, an explanation of why, and compensating controls in place: network segmentation, restricted access, enhanced monitoring at the network perimeter. Undocumented gaps are a problem. Documented exceptions with compensating controls are manageable.

Is MDR required to qualify for coverage?

Not universally. Most carriers do not have an explicit MDR requirement for standard SMB submissions. However, MDR-backed deployments typically qualify for better terms, and some carriers in higher-risk segments or for larger revenue bands are beginning to treat 24/7 monitoring as a condition of certain limit levels. If you are in a higher-risk industry, an MSP, or carrying limits above $2 million, the MDR question is worth discussing with your broker before renewal.

How often do carriers verify EDR claims after binding?

More often than most policyholders expect. External risk scanning tools are now standard in carrier underwriting workflows, and many carriers run scans at renewal to verify that the technical controls described on the application are still in place. Some run mid-term checks as well. The scan will not see inside your network, but it will surface signals about your external posture and flag inconsistencies that prompt follow-up questions.

What happens if we have EDR but it was not running at the time of the incident?

This is a material fact in any claim investigation. Forensic reviewers will determine whether EDR was operational on the affected endpoint, whether it fired alerts, and whether those alerts were acted on. If EDR was disabled, misconfigured, or not deployed on the affected system, and the application represented that EDR was in place on all endpoints, the carrier will review the accuracy of the application. Keep your deployment documentation current and make sure what you represent on your application matches your actual posture.

