
The Security Controls Underwriters Check Before They Quote You


By Ryan Windt | Head of Growth Marketing | Updated June 2026


Every cyber insurance application asks about security controls. The questions vary by carrier, but the controls they care about most have been largely consistent for the past three years: MFA, EDR, immutable backups, email security protocols, privileged access management, and incident response capabilities.

What’s changed is how rigorously underwriters verify what you report. In 2021, checking a box was enough. Today, carriers run external scans, review configuration documentation, and in some cases ask for evidence before they’ll bind coverage. The controls you have, and how well you can document them, directly affect whether you get quoted, at what premium, and with what sublimits.

This hub covers each control category in depth: what underwriters require, what actually moves the needle on your application, and how to document your posture before you apply.


Why security controls matter to underwriters

Cyber insurance underwriting is fundamentally a bet on how likely you are to have a claim. Security controls are the primary variable underwriters can observe before a breach occurs. A business with documented MFA across all remote access points, endpoint detection on every device, and tested backups presents a materially different risk profile than one without, regardless of industry or revenue.

The controls below aren’t arbitrary. They correspond directly to the attack paths that generate the most cyber claims: ransomware via unprotected remote access, business email compromise via phishing, and data exfiltration via compromised privileged accounts. Underwriters know this, which is why the questionnaires keep asking the same questions.

Strong controls do three things for your insurance program: they improve your chances of getting quoted, they lower your premium relative to peers, and they reduce the likelihood that a carrier will deny a claim by arguing your controls were misrepresented on the application.


The controls underwriters prioritize

Multi-factor authentication (MFA)

MFA is the single most-asked-about control on cyber insurance applications. It appears on every carrier’s questionnaire and is the most common reason applications are declined or rated up. Underwriters want to see MFA deployed on email, remote access (VPN, RDP), cloud applications, and admin accounts at minimum. Coverage limited to just email is increasingly insufficient at mid-market and above.

Phishing-resistant MFA (hardware keys, FIDO2) is beginning to appear on applications from more sophisticated carriers, as adversary-in-the-middle (AiTM) attacks have demonstrated that TOTP-based MFA can be bypassed. Understanding what you have deployed, and how to document it, is the starting point for any application.

MFA and Cyber Insurance: What to Deploy, How to Document It, and What Underwriters Require →

Endpoint detection and response (EDR)

EDR has replaced traditional antivirus as the expected endpoint standard in the cyber insurance market. Most carriers require EDR on all endpoints as a condition of coverage, and some run external scans to verify deployment levels before binding. The specific platform matters less than coverage completeness: an EDR deployed on 80% of endpoints is functionally weaker than one deployed on 100%, and underwriters are starting to ask for deployment percentages rather than yes/no answers.

The documentation question has also evolved. “We have CrowdStrike” is less meaningful than a screenshot showing deployment scope and alerting configuration.

EDR and Cyber Insurance: What Underwriters Require, What They Actually Verify, and How to Document It →

Immutable backups

Ransomware actors specifically target backup systems before encrypting production data. Immutable backups, which cannot be altered or deleted once written, are the primary defense against this tactic and the primary factor underwriters evaluate when assessing ransomware exposure. The questions have become more specific: underwriters want to know backup frequency, retention period, air-gap status, and, most importantly, whether backups have been tested for restoration.

A backup that has never been tested is not a backup from an underwriting perspective. Test documentation is increasingly requested as part of the application.

Immutable Backups and Cyber Insurance: What Underwriters Actually Want to See →

Email security controls (DMARC, DKIM, SPF)

Business email compromise is one of the most consistent sources of cyber claims. Email authentication protocols, specifically DMARC, DKIM, and SPF, reduce the ability of attackers to spoof your domain and impersonate your organization. Underwriters increasingly check these configurations directly, as they’re publicly verifiable via DNS lookups. A domain without a DMARC reject policy is a signal that basic email hygiene hasn’t been addressed.

Beyond the protocol configuration, underwriters want to see anti-phishing filters, link scanning, and attachment sandboxing in place. The combination of technical controls and employee awareness training is what underwriters are looking for in this category.
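Because DMARC and SPF records are public DNS TXT records, you can run the same check an underwriter's scan would before you apply. The following is an added example, not code from this page or from SeedPod Cyber; it parses constructed sample records offline (swap in a real resolver's TXT answers to check your own domain) and flags the signals discussed above: a DMARC policy weaker than p=reject, partial pct coverage, missing aggregate reporting, a soft-fail SPF, and SPF records that exceed the RFC 7208 lookup limit.

```python
import re

# Constructed sample TXT records (not real domains) standing in for DNS answers for _dmarc.<domain> and <domain>.
SAMPLE_RECORDS = {
    "strong.example": {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
                       "spf": "v=spf1 include:_spf.mailhost.example -all"},
    "weak.example": {"dmarc": "v=DMARC1; p=none; pct=50",
                     "spf": "v=spf1 include:_spf.mailhost.example ~all"},
    "missing.example": {"dmarc": None, "spf": None},
}

def parse_tags(record):
    """Turn a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (p.partition("=") for p in record.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def assess_dmarc(record):
    """Return (policy, findings); policy is none/quarantine/reject, or 'missing'."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return "missing", ["no DMARC record published"]
    tags = parse_tags(record)
    policy, findings = tags.get("p", "none").lower(), []
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy}; underwriters look for p=reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy covers only part of mail flow")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility")
    return policy, findings

def assess_spf(record):
    """Return (strength, findings); strength is hardfail/softfail/permissive, or 'missing'."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing", ["no SPF record published"]
    last = record.lower().split()[-1]
    strength = {"-all": "hardfail", "~all": "softfail"}.get(last, "permissive")
    findings = [] if strength == "hardfail" else [f"SPF ends in '{last}': spoofed mail is not rejected"]
    # RFC 7208 allows at most 10 DNS-querying mechanisms; more makes SPF evaluate to permerror.
    names = re.findall(r"\s[+\-~?]?([a-z]+)", record.lower())
    lookups = sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10")
    return strength, findings

def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine both checks into the summary an underwriter's external scan would produce."""
    policy, f1 = assess_dmarc(records[domain]["dmarc"])
    strength, f2 = assess_spf(records[domain]["spf"])
    return {"dmarc": policy, "spf": strength, "findings": f1 + f2}
```

The `findings` list for your domain is the gap list to close before the application goes in; an empty list on both records is what a clean external check looks like.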

Email Security Controls and Cyber Insurance: What DMARC, DKIM, and SPF Mean for Your Coverage →

Privileged access management (PAM)

Compromised privileged credentials are the common thread in the most damaging breaches. Attackers who gain access to an admin account can disable security tools, exfiltrate data, and deploy ransomware across an entire environment. PAM controls, including vaulting of privileged credentials, just-in-time access, and separation of duties, limit the blast radius when credentials are compromised.

PAM has been on underwriter radar for about two years and is increasingly appearing on applications from larger carriers. It’s not yet universally required the way MFA and EDR are, but it’s moving in that direction, and businesses with documented PAM programs tend to get meaningfully better terms.

Privileged Access Management and Cyber Insurance: What Underwriters Are Starting to Ask →

Incident response planning

An incident response plan documents what your organization does in the first hours and days of a breach: who gets called, what gets isolated, when legal and PR get involved, and how you engage your insurance carrier’s response resources. Underwriters ask whether you have a documented IR plan because businesses with one tend to have smaller claims, faster containment times, and fewer coverage disputes.

Having a plan also affects how your carrier’s incident response panel engages with you after a claim. Organizations that have practiced their response are easier to work with and typically have better outcomes.

How Cyber Insurance Incident Response Works: Panels, Timelines, and How Carriers Compare →


Compliance frameworks and their relationship to cyber insurance

SOC 2

SOC 2 is primarily a customer-facing trust signal, not a cyber insurance requirement. But the controls it evaluates, particularly around access management, availability, and confidentiality, overlap substantially with what underwriters want to see. A company with a current SOC 2 Type II report has documented proof that an independent auditor assessed its control environment. That documentation carries weight in the application process, even if carriers don’t require it.

The key distinction is that SOC 2 and cyber insurance measure different things. SOC 2 is about whether controls exist and were operating during an audit period. Cyber insurance underwriting is about current risk posture. They complement each other but don’t substitute.

SOC 2 and Cyber Insurance: What Overlaps, What Doesn’t, and How to Use One to Improve the Other →

PCI DSS 4.0

PCI DSS v4.0 has been fully in effect since March 2025. For businesses that process, store, or transmit cardholder data, PCI compliance is a baseline expectation, not a differentiator. But PCI DSS 4.0 introduced customized implementation options and new requirements around authentication and software security that align closely with what underwriters want to see. Documenting your PCI compliance posture, including your Attestation of Compliance, strengthens your cyber application.

PCI DSS 4.0 Compliance and Cyber Insurance: What Changed, What’s Required, and How to Document It →


MSP-specific security controls

MSPs face a distinct underwriting challenge: their security posture affects not just their own coverage but their clients’ exposure. A compromised remote monitoring and management (RMM) platform can give attackers access to dozens or hundreds of client environments simultaneously, which is why underwriters scrutinize MSP applications more carefully than comparably sized businesses in other industries.

RMM hardening, including IP allowlisting, MFA on all RMM access, session recording, and limiting technician access to only the clients they actively manage, is the primary MSP-specific control underwriters evaluate. How you answer the RMM questions often determines whether you get quoted at standard rates or face a significant premium increase.

MSP RMM Hardening and Cyber Insurance: 5 Steps That Reduce Risk and Lower Your Premiums →


Controls and renewal leverage

Security controls aren’t just relevant at initial application. At renewal, carriers re-evaluate your posture relative to your prior year. Organizations that have added controls during the policy period, and can document the improvement, are in a stronger negotiating position. Those that have had incidents or let controls lapse tend to face rate increases or coverage restrictions.

Preparing for renewal with a controls documentation package, including evidence of MFA deployment, EDR coverage, backup testing, and any completed security assessments, gives your broker leverage in the market. The renewal conversation is different when you can show what you’ve done rather than just assert it.

Cyber Insurance Renewal Checklist: How to Prepare, What Underwriters Want, and How to Get Better Terms →


What CFOs and finance teams need to know

Security controls have a direct financial implication that is often underappreciated at the CFO level. The same coverage limit costs meaningfully more for a business with weak controls than for one with strong ones. The delta between a well-prepared applicant and a poorly-prepared one can represent 20–40% of premium on identical coverage structures. For businesses spending $50,000 or more on cyber insurance annually, the ROI on improving controls before renewal is often substantial.

There’s also a coverage quality dimension. Carriers reserve their best sublimits, lowest retentions, and broadest terms for applicants they consider low-risk. Controls determine where you fall on that spectrum.

What CFOs Need to Know About Cyber Insurance: Coverage Gaps, Financial Exposure, and Renewal Leverage →


Frequently asked questions

What security controls are required for cyber insurance?

Most carriers require MFA on all remote access and email, EDR on all endpoints, and a documented backup strategy as minimum thresholds to qualify for coverage. Additional controls like PAM, email authentication protocols, and incident response plans vary by carrier and affect pricing rather than eligibility at most coverage tiers.

Can I get cyber insurance without all these controls?

Yes, but your options narrow and your premium increases as your control posture weakens. Some carriers specialize in higher-risk accounts and will quote businesses without EDR or MFA, typically at significantly higher premiums, with lower limits, and with higher retentions. Improving controls before you apply, even partially, tends to produce better outcomes than applying with a weak posture and trying to negotiate after the fact.

Do underwriters actually verify the controls I report?

Increasingly, yes. Carriers run external scans that can detect whether EDR agents are deployed, whether email authentication records exist in DNS, and whether remote access ports are exposed. What cannot be verified externally, like internal access controls and backup configurations, may be requested as documentation at renewal or after a claim. Misrepresenting controls on an application is one of the most common reasons claims are denied.

How do security controls affect my premium?

Underwriters score your application against a baseline control profile for your industry and size. Strong controls move you toward the lower end of the premium range; weak controls push you higher. The most impactful controls for pricing are typically MFA completeness, EDR deployment percentage, and backup strategy. Documented improvements between policy periods can be used as renewal leverage.

What documentation should I prepare for my cyber insurance application?

At minimum: screenshots showing MFA enrollment across systems, EDR deployment reporting showing coverage percentage, backup configuration documentation including retention schedules and test records, and a copy of your incident response plan if you have one. For larger accounts, carriers may also ask for vulnerability scan results, a network diagram, and evidence of security awareness training.



SeedPod Cyber works with businesses across every industry to find coverage that matches their actual risk profile and security posture. Whether you’re applying for the first time or heading into renewal, we can help you understand what carriers are looking for and how to position your program competitively. Talk to our team.