By Ryan Windt | Head of Growth Marketing | Updated June 2026
Most controls underwriters check are about keeping attackers out. Logging and monitoring is different. It is the control that determines what happens once someone gets in, and increasingly it is the one that separates a contained incident from a catastrophic claim.
When forensics teams reconstruct a breach, the first question is almost always the same: what do the logs show? If the answer is “not much,” the investigation gets longer, the scope gets wider, the notification obligations get broader, and the claim gets bigger. Underwriters know this, which is why logging, monitoring, and detection capability have moved from a footnote on the application to a question that can affect both your terms and your premium.
This post covers what underwriters actually want to see, why log retention is the detail that quietly sinks claims, and how the requirement differs for an SMB running a lean stack versus an MSP defending dozens of client environments.
Why Logging Became an Underwriting Question
For years, cyber applications focused on preventive controls: MFA, EDR, patching, backups. Those still matter, but carriers learned an expensive lesson from years of ransomware and business-email-compromise claims. The businesses that recovered fastest and cheapest were not necessarily the ones with the strongest perimeter. They were the ones that could see what happened.
Detection capability is now treated as a loss-mitigation control. The faster you can detect and scope an intrusion, the smaller the claim, and underwriters price that directly.
Two numbers drive this. The first is dwell time, the gap between when an attacker gets in and when they are detected. Long dwell time means more time to move laterally, exfiltrate data, and stage ransomware. The second is investigation cost. When logs are missing or too short, forensic firms cannot prove what was and was not accessed, so the insured often has to assume the worst and notify everyone, which is where the costs explode.
What Underwriters Are Actually Asking About
Logging and monitoring shows up on modern applications in a few distinct forms. Underwriters want to know not just that you collect logs, but that you can act on them.
- Centralized log collection. Are logs aggregated somewhere, or scattered across individual devices where they are useless during an incident and easy for an attacker to wipe?
- SIEM or log management platform. Do you have a system that correlates events across sources, or are you relying on someone manually checking individual tools?
- Coverage of the right sources. Endpoint, identity, network, cloud, and email logs are the high-value sources. Underwriters care most about authentication and access logs, because those reconstruct an attacker’s path.
- Alerting and response. Collecting logs no one reads is not a control. Carriers increasingly ask whether alerts are monitored, and by whom, and how fast someone responds.
- 24/7 monitoring or MDR. For higher-risk applicants, the question is whether monitoring is continuous. A SIEM that only gets reviewed during business hours leaves nights and weekends, which is exactly when attackers prefer to work.
Log Retention: The Detail That Sinks Claims
If there is one specific to get right, it is retention. Logs that exist but only cover the last 7 or 14 days are frequently worthless during a real investigation.
Attackers commonly sit in an environment for weeks or months before acting. By the time ransomware detonates or fraud is discovered, the initial intrusion may be well outside a short retention window. When that happens, forensics cannot establish the entry point or the full scope, the insured has to treat the breach as maximal, and notification and credit-monitoring costs are calculated against the worst case rather than the actual one.
A practical baseline that satisfies most underwriters and most forensic needs:
| Log source | Practical retention target |
|---|---|
| Authentication / identity logs | 12 months |
| Endpoint and EDR telemetry | 6 to 12 months |
| Network and firewall logs | 6 months minimum |
| Cloud and SaaS audit logs | 12 months |
| Email security logs | 6 to 12 months |
The exact numbers vary by carrier and by any compliance regime you fall under, but the principle is constant: short retention is a false economy that converts a scoped incident into an unscoped one. For how this plays out at claim time, see Filing a Cyber Insurance Claim: What to Do First, What Carriers Verify, and How to Avoid Denial.
How Logging Fits With the Controls Underwriters Already Check
Logging is not a standalone control. It is the layer that makes every other control verifiable and useful during an incident.
- EDR generates the endpoint telemetry that proves what an attacker did on a machine. Without retention, that telemetry expires. See EDR and Cyber Insurance.
- Privileged access management is only as strong as your ability to log and review privileged sessions. See Privileged Access Management and Cyber Insurance.
- Network segmentation limits lateral movement, and network logs are how you prove it held. See How Underwriters Evaluate Network Segmentation.
- Insider risk detection depends almost entirely on logging and behavioral monitoring. See Insider Risk and Cyber Insurance.
- Immutable backups protect recovery, but logs tell you whether the backups were touched before you restore from them. See Immutable Backups and Cyber Insurance.
For the full picture of the controls underwriters check before quoting, see our security controls hub.
SMBs vs. MSPs: Two Different Logging Conversations
The logging requirement looks very different depending on who is being underwritten.
For SMBs, the realistic question is not whether you run an enterprise SIEM. It is whether you have centralized, retained, monitored logs at all. Many small businesses cannot staff 24/7 monitoring, which is why managed detection and response (MDR) has become the practical answer. An MDR service gives an underwriter what they want, continuous monitoring and expert response, without requiring the business to build a security operations center. For most SMBs, “we use an MDR provider” is a stronger application answer than “we have a SIEM.”
For MSPs, logging is both a control and a liability surface. An MSP is not just logging its own environment; it is responsible, contractually or by expectation, for monitoring across many client stacks at once. Underwriters evaluating an MSP want to see consistent logging standards applied across clients, centralized visibility, and the ability to detect an incident in one client before it becomes an incident in all of them. Gaps in client logging are gaps in the MSP’s own risk. See MSP Cyberattack Defense: A Practical Playbook.
How to Document Logging for Your Application
Underwriters reward applicants who can answer precisely. Before you submit, be ready to state:
- What you collect (which sources: identity, endpoint, network, cloud, email).
- Where it goes (the SIEM, log management platform, or MDR provider).
- How long you keep it (specific retention periods by source).
- Who watches it (in-house team, MDR provider, hours of coverage).
- How fast you respond (alerting thresholds and escalation process).
Vague answers (“we have logging”) get treated as weak controls. Specific answers (“12-month retention on identity logs, 24/7 MDR, sub-15-minute alerting on privileged access events”) get treated as a mature program and quoted accordingly. For the broader application picture, see Cyber Insurance Underwriting: What Carriers Evaluate and How to Prepare Your Application.
Frequently Asked Questions
Do I need a SIEM to get cyber insurance? Not necessarily. Smaller businesses often satisfy underwriters with an MDR service rather than a full SIEM. What carriers care about is the outcome, continuous, retained, monitored logging, not the specific product category.
How is logging different from EDR? EDR watches endpoints and can respond to threats on them. Logging and SIEM aggregate events across many sources, including identity, network, and cloud, to give a complete picture. They are complementary; underwriters increasingly expect both.
How long should we retain logs? Twelve months for identity and cloud audit logs is a strong baseline, with six months as a common floor for network logs. Short retention is the most common gap that hurts an investigation.
Will better logging lower my premium? It can. Strong detection and response capability is a recognized loss-mitigation control, and demonstrating it, especially 24/7 monitoring or MDR, can improve both terms and pricing.
Does logging matter for SOC 2 too? Yes. Logging and monitoring is a core SOC 2 requirement, so the same investment serves both. See SOC 2 and Cyber Insurance.
Related Resources
- What Your Cyber Insurance Policy Actually Covers for Incident Response
- Vulnerability Management and Cyber Insurance
- MFA and Cyber Insurance: What Underwriters Require
- Email Security Controls and Cyber Insurance
- Cyber Insurance Requirements: The Minimum Controls Checklist
- What Is Cyber Insurance and What Does It Cover?
Logging and monitoring is the control that decides whether a breach is an expensive inconvenience or a business-ending claim. It is also one of the most cost-effective ways to improve both your security posture and your insurability at the same time. If you want a review of how your current detection and response capability looks to an underwriter, get in touch with our team.