
How Underwriters Evaluate Network Segmentation for Cyber Insurance


By Ryan Windt | Head of Growth Marketing | Updated June 2026


Ransomware works by spreading. An attacker gains initial access through a phishing email, a compromised credential, or an unpatched vulnerability, and then moves laterally through the network looking for systems to encrypt, data to exfiltrate, and backups to destroy. The faster they can move, the more damage they do before they’re detected.

Network segmentation slows that movement. By dividing a network into distinct zones with controlled access between them, segmentation limits how far an attacker can travel from their initial foothold. A ransomware infection that would have encrypted every server in a flat network may be contained to a single segment when segmentation is properly implemented.

Underwriters understand this dynamic. Network segmentation is increasingly evaluated during the underwriting process, particularly for mid-market and enterprise accounts, manufacturing and industrial environments, and organizations that handle sensitive data across multiple systems. This post explains what underwriters look for, how they verify it, and what a defensible segmentation posture looks like.


What Network Segmentation Actually Means

Segmentation is the practice of dividing a network into separate zones, sometimes called segments or VLANs, with access controls governing what traffic can pass between them. Instead of a single flat network where any device can communicate with any other device, a segmented network enforces boundaries.

The most common segmentation approaches:

VLAN-based segmentation. Virtual local area networks create logical separation at the network switch level. VLANs are relatively easy to implement in most environments and are appropriate for separating user workstations, servers, guest networks, and IoT devices.

Firewall-enforced segmentation. Internal firewalls or next-generation firewall rules control traffic between network zones. This approach enforces segmentation at the network layer and allows for inspection of traffic crossing segment boundaries.

Micro-segmentation. A more granular approach that creates security policies at the individual workload or application level, often used in cloud and virtualized environments. Micro-segmentation limits lateral movement even within a single segment.

Air gaps. Complete physical or logical separation between networks, common in operational technology environments where industrial control systems need to be isolated from corporate IT networks.

The right approach depends on the organization’s environment, the sensitivity of the data involved, and the risk profile underwriters are evaluating.


Why Underwriters Care About Segmentation

Cyber underwriters have paid enough ransomware claims to have strong opinions about what determines claim severity. Two of the biggest factors are how quickly the attacker was detected and how far they were able to spread before detection.

An attacker who gains access to a workstation in a properly segmented environment may be limited to encrypting that workstation and the shared drives it can reach. The same attacker in a flat network can potentially reach backup servers, domain controllers, financial systems, and every other machine on the network.

The difference in claim severity between those two scenarios is substantial. Underwriters price and structure coverage based on expected loss, and expected loss is significantly lower for organizations with effective segmentation than for those operating flat networks.

Several specific scenarios underwriters are focused on:

Backup isolation. If backups are on the same network segment as production systems, ransomware can encrypt both. Underwriters want to see backups in a separate segment with no direct write access from production environments. This is related to but distinct from immutable backup requirements. Our post on immutable backups and cyber insurance covers that side of the requirement in detail.

IT and OT separation. In manufacturing, energy, utilities, and other industrial environments, operational technology networks run equipment that often can’t be patched or updated. If OT and IT networks are not separated, a ransomware infection that starts in the corporate office can reach industrial control systems. Underwriters serving these industries specifically ask about IT/OT segmentation.

Payment and financial system isolation. Systems that process payments or hold financial data should be in segments with restricted access. PCI DSS requires segmentation of the cardholder data environment, and underwriters look for this regardless of whether formal PCI compliance is required.

Domain controller and identity system protection. Domain controllers are a primary target in ransomware attacks because compromising them gives attackers control over the entire Windows environment. Isolating domain controllers in a protected segment with strict access controls is a meaningful security control.


What Underwriters Are Actually Asking

Network segmentation questions have become more common on cyber applications in recent years, particularly for accounts above a certain size or in industries with complex network environments. Common application questions include:

Whether the network is segmented at all. The baseline question. A flat network where all devices can communicate freely is a meaningful underwriting concern.

Whether backups are isolated from production. This is asked on most applications at this point. The expected answer is that backup systems are in a separate segment with controlled, one-way access.

Whether IT and OT networks are separated. This question appears specifically for manufacturing, industrial, healthcare, and utilities applicants. Underwriters want to know whether clinical or operational systems are on the same network as corporate IT.

Whether guest and corporate networks are separated. A basic segmentation control that prevents guest devices from accessing internal systems.

Whether remote access is segmented. VPN and remote desktop access should land users in a segment appropriate for their role, not directly into the core network.

For larger accounts or accounts in sensitive industries, underwriters may go further and ask about micro-segmentation, zero trust architecture, or specific controls around privileged access paths.


Segmentation in Specific Industry Contexts

The importance and complexity of network segmentation varies by industry. A few sectors where underwriters apply additional scrutiny:

Manufacturing and industrial. Operational technology environments present the most complex segmentation challenge. OT systems run on protocols and hardware not designed for modern security practices. Many industrial control systems cannot be patched. If they are connected to the corporate IT network, a ransomware infection or targeted attack can reach systems that control physical equipment. Underwriters writing coverage for manufacturers expect IT/OT network separation as a baseline, with additional controls like unidirectional gateways or data diodes for environments with particularly sensitive operational systems. Our post on cyber insurance for manufacturing covers the broader underwriting profile for that sector.

Healthcare. Clinical networks running medical devices and electronic health record systems should be separated from corporate and guest networks. Legacy medical devices that cannot be updated are a particular concern; segmentation limits their exposure without requiring replacement. Underwriters expect separation of clinical and administrative networks, and isolation of particularly sensitive systems like imaging or infusion pump networks.

Energy and utilities. NERC CIP requirements for electric utilities include explicit network segmentation requirements for bulk electric system assets. Underwriters writing coverage for energy companies expect compliance with applicable regulatory frameworks and will ask about segmentation of control system networks. Our post on cyber insurance for energy and utilities covers the regulatory and coverage landscape for that sector.

Defense contractors. CMMC 2.0 includes network segmentation requirements for contractors handling Controlled Unclassified Information. Underwriters writing coverage for defense subcontractors expect segmentation of CUI environments from general corporate networks. Our post on cyber insurance for defense subcontractors covers how CMMC compliance intersects with coverage.

MSPs. Managed service providers present a specific segmentation challenge: they have privileged access into multiple client environments. An attacker who compromises an MSP’s management tools can potentially reach every client on the same RMM platform. Underwriters expect MSPs to segment their own internal environment and to isolate client environments from each other. Our post on cyber insurance for MSPs covers the broader underwriting profile.


What a Defensible Segmentation Program Looks Like

You don’t need a zero trust architecture or enterprise-grade micro-segmentation to satisfy underwriting requirements for most accounts. What underwriters want to see is intentional, documented segmentation that addresses your actual risk profile. The core elements:

A documented network diagram. You cannot defend what you cannot describe. A current network diagram showing your segments, the assets in each, and the access controls between them is the foundation of a defensible segmentation posture. Underwriters may ask for this for larger accounts.

Backup isolation. Backup systems in a separate segment, with write access from production controlled and monitored. No direct connectivity between backup systems and internet-facing systems.

Guest network separation. Guest WiFi on a separate VLAN with no access to internal systems. This is a basic control that is easy to implement and expected by essentially all carriers.

Role-based access between segments. Access between network zones should be based on least privilege: users and systems can reach only the segments they need for their function. Default-allow between segments is a red flag.

Logging of inter-segment traffic. Traffic crossing segment boundaries should be logged and monitored. Unusual lateral movement is easier to detect when segmentation is in place because cross-segment traffic is visible and relatively rare.

OT/IT separation where applicable. If your environment includes operational technology, industrial control systems, or medical devices, those networks should be physically or logically separated from corporate IT with strict controls on any necessary communication paths.

Documented exceptions. Any cases where segmentation requirements are relaxed or where systems have broader network access than the baseline should be documented with rationale and compensating controls.
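The core elements above (backup isolation, guest separation, least-privilege rules with no default-allow, controlled IT/OT paths, documented exceptions, and logging of inter-segment traffic) can be checked mechanically against a written policy. The following is an added example, not code from the original post or from any carrier or vendor: a small Python audit of a hypothetical inter-segment policy, followed by a pass over constructed firewall flow-log lines that flags cross-segment traffic the firewall allowed but the documented policy would deny (the kind of drift that inter-segment logging is meant to expose). Segment names, CIDRs, rules and log lines are all invented for the example.

```python
"""Audit a documented inter-segment policy and review flow-log lines.

Added example, not code from the original post. Every segment, rule and
log line here is constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones (name -> CIDR) for the example environment.
SEGMENTS = {
    "corp_users": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "backup": ip_network("10.30.0.0/24"),
    "guest": ip_network("192.168.50.0/24"),
    "ot": ip_network("10.99.0.0/16"),
}
IT_SEGMENTS = {"corp_users", "servers", "guest"}
PRODUCTION = {"corp_users", "servers"}


@dataclass(frozen=True)
class Rule:
    src: str             # source segment, or "*" for any segment
    dst: str             # destination segment, or "*" for any segment
    ports: frozenset     # allowed TCP destination ports; empty means any port
    action: str          # "allow" or "deny"
    exception: str = ""  # documented rationale when the rule relaxes the baseline

    def matches(self, src, dst, port):
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and (not self.ports or port in self.ports))


def evaluate(policy, src, dst, port):
    """First-match evaluation; the last rule is treated as the default."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"  # implicit deny when no catch-all rule exists


def audit(policy):
    """Return the red flags an underwriter would ask about, as a sorted list."""
    findings = set()
    default = policy[-1]
    if default.src == "*" and default.dst == "*" and default.action == "allow":
        findings.add("default-allow between segments")
    for r in policy:
        if r.action != "allow":
            continue
        srcs = SEGMENTS if r.src == "*" else [r.src]   # expand wildcards
        dsts = SEGMENTS if r.dst == "*" else [r.dst]
        for s in srcs:
            for d in dsts:
                if s == d:
                    continue
                if s == "guest":
                    findings.add(f"guest can reach {d}")
                if s in PRODUCTION and d == "backup" and not r.exception:
                    findings.add(f"production ({s}) has undocumented write path into backup")
                if s in IT_SEGMENTS and d == "ot" and not r.exception:
                    findings.add(f"undocumented IT->OT path from {s}")
    return sorted(findings)


# Constructed "good" policy: backup pulls from production, one documented OT path,
# guest denied everywhere, explicit default deny.
POLICY = [
    Rule("corp_users", "servers", frozenset({443, 445}), "allow"),
    Rule("backup", "servers", frozenset({445}), "allow",
         exception="backup server pulls from file servers; pull-only, monitored"),
    Rule("servers", "ot", frozenset({4840}), "allow",
         exception="historian reads OPC UA from the OT DMZ (placeholder rationale)"),
    Rule("guest", "*", frozenset(), "deny"),
    Rule("*", "*", frozenset(), "deny"),
]

# Constructed flat policy of the kind the post calls a red flag.
FLAT_POLICY = [
    Rule("servers", "backup", frozenset(), "allow"),
    Rule("*", "*", frozenset(), "allow"),
]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(ALLOW|DENY)")


def segment_of(ip):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def review_flows(policy, lines):
    """Flag cross-segment flows the firewall allowed but the written policy denies."""
    alerts = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, port, observed = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue  # intra-segment traffic never crosses a boundary
        if observed == "ALLOW" and evaluate(policy, s, d, port) == "deny":
            alerts.append(f"{s}->{d}:{port} allowed by firewall but denied by policy ({src}->{dst})")
    return alerts


# Constructed flow-log lines (not real traffic).
SAMPLE_FLOWS = [
    "2026-06-01T09:12:01Z src=10.10.4.12 dst=10.20.1.5 dport=445 action=ALLOW",
    "2026-06-01T09:12:07Z src=10.20.1.5 dst=10.20.1.9 dport=1433 action=ALLOW",
    "2026-06-01T09:13:40Z src=10.20.1.5 dst=10.30.0.5 dport=445 action=ALLOW",
    "2026-06-01T09:14:02Z src=192.168.50.23 dst=10.20.1.5 dport=3389 action=DENY",
    "2026-06-01T09:15:10Z src=10.10.4.12 dst=10.99.2.1 dport=502 action=ALLOW",
]

if __name__ == "__main__":
    print("flat policy findings:", *audit(FLAT_POLICY), sep="\n  ")
    print("documented policy findings:", audit(POLICY))
    print("flow alerts:", *review_flows(POLICY, SAMPLE_FLOWS), sep="\n  ")
```

Run against the documented policy the audit returns no findings, while the flat policy produces the default-allow flag plus a finding for every guest, production-to-backup and IT-to-OT path the wildcard rule opens. The flow review reports the two allowed flows (servers into backup on 445, a workstation into OT on 502) that the documented policy would have denied; in practice that output is the evidence that the enforced ruleset no longer matches the diagram an underwriter was shown.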


How Segmentation Connects to Other Underwriting Controls

Network segmentation is most effective as part of a layered control environment. Underwriters evaluate it alongside:

Endpoint detection and response. EDR on endpoints provides visibility into lateral movement attempts even when segmentation slows them down. Segmentation and EDR are complementary: segmentation limits movement, EDR detects it. Our post on EDR and cyber insurance covers what underwriters require.

Multi-factor authentication. MFA on accounts that can cross segment boundaries is particularly important. If a privileged account that has access to multiple segments is compromised, MFA is a critical control on the blast radius. Our post on MFA and cyber insurance covers deployment and documentation requirements.

Vulnerability management. Unpatched systems in any segment are a potential entry point. Segmentation limits spread from a compromised system but doesn’t prevent initial compromise. Our post on vulnerability management and cyber insurance covers what underwriters verify.

Privileged access management. Accounts with access across multiple segments are high-value targets. PAM controls on those accounts reduce the risk of lateral movement through privileged credential abuse.

The full picture of what underwriters evaluate is covered in The Security Controls Underwriters Check Before They Quote You.


Frequently Asked Questions

Is network segmentation required to get cyber insurance?

It is not universally required for smaller accounts, but it is expected at most carriers for mid-market and enterprise accounts, and specifically asked about for manufacturing, healthcare, utilities, and defense contractors. For smaller businesses, a flat network may not be a barrier to coverage, but it will factor into pricing.

What is the difference between segmentation and a firewall?

A perimeter firewall controls traffic between your internal network and the internet. Network segmentation controls traffic within your internal network. They are complementary controls: the firewall protects the perimeter, segmentation limits lateral movement once an attacker is inside. Many organizations have strong perimeter firewalls but flat internal networks, which is exactly the gap ransomware exploits.

Do underwriters scan for network segmentation?

Not directly in most cases. The external security scans that carriers conduct as part of underwriting can identify some network architecture signals, but internal segmentation is generally attested on the application. For larger accounts, underwriters may request network diagrams or technical documentation.

How does segmentation affect ransomware claims?

Segmentation is one of the factors that most directly affects ransomware claim severity. Organizations with effective segmentation tend to have more contained incidents, shorter recovery times, and lower total losses than those with flat networks. This is reflected in both pricing and how underwriters evaluate the risk.

What does IT/OT segmentation mean in practice?

It means that systems controlling physical equipment, such as PLCs, SCADA systems, and industrial control systems, are on a separate network from corporate IT systems like email, file servers, and business applications. Communication between the two environments is controlled and logged. In highly sensitive environments, a unidirectional gateway or data diode allows data to flow in one direction only, preventing any path for a threat actor to move from IT into OT.



Network segmentation is one of the controls that most directly affects how a ransomware event plays out. Organizations that have it contain incidents. Those that don’t tend to have much larger claims. Documenting your segmentation posture before renewal gives your broker the evidence to present a stronger risk to underwriters and negotiate better terms.

Ready to review your coverage or discuss your security posture? Contact us or explore your coverage options.