By Ryan Windt | Head of Growth Marketing | Updated May 2026
Cyber insurance underwriting has changed more in the last four years than in the previous decade. The checkbox questionnaire that most businesses filled out in 2019, receiving a policy within 48 hours, has been replaced by a process that involves evidence requests, control verification, and in some cases direct conversations with underwriters before a quote is issued.
That shift has caught a lot of buyers off guard. Businesses that assume the application is a formality, something to complete quickly so coverage can be bound, are increasingly finding that inaccurate answers, undocumented controls, or security gaps that are visible from the outside result in declined applications, substandard offers, or policies that later fail to respond when a claim occurs.
Understanding how underwriters actually evaluate a cyber insurance application is the most practical thing you can do before you apply. This post explains what underwriters are assessing, what they look at most closely, what separates a clean submission from a difficult one, and what mistakes create problems later.
What Underwriters Are Actually Trying to Determine
Every cyber insurance application is trying to answer two questions for the underwriter.
How likely is this business to have a claim? Underwriters are evaluating your probability of experiencing a covered incident: a breach, a ransomware attack, a business email compromise, a regulatory action. Your security controls, your industry, your revenue, and your claims history all inform that probability.
If a claim occurs, how severe will it be? Underwriters are also assessing how bad a loss could get. A business that holds 500,000 customer records in a single database has a fundamentally different severity profile than one that holds 2,000 records across segmented systems. The type of data you hold, your regulatory exposure, your contractual indemnification obligations, and the size of transactions you process all affect potential claim severity.
Premium, coverage terms, and eligibility all flow from the underwriter’s assessment of those two questions. The businesses that get the best outcomes (clean approvals, competitive pricing, broad coverage terms) are the ones that make both questions easy to answer favorably.
How Underwriting Has Changed
Before 2020, most cyber policies were issued based on self-reported answers to application questions. Underwriters largely trusted what applicants said and priced accordingly. The ransomware wave of 2020 and 2021 changed that completely.
Carriers absorbed catastrophic losses. Ransomware payments ballooned. Claims that were supposed to be contained turned out to be systemic. Carriers that had been writing cyber insurance profitably for years posted significant loss ratios. The entire market repriced and tightened simultaneously.
What emerged was a fundamentally different underwriting process. Carriers moved from trusting self-reported answers to requiring verification. They began using external scanning tools to identify vulnerabilities visible from the internet before they would quote. They started requesting evidence of controls rather than just attestations. They added application warranty clauses making coverage contingent on the accuracy of what was submitted.
The market has stabilized since 2022, and pricing has come down meaningfully for businesses with clean posture. But the verification expectation has not reversed. Underwriters today expect to be able to confirm what you tell them, and the consequences of inaccuracy are more significant than most buyers realize.
The Core Controls Underwriters Evaluate
These are the security controls that appear on virtually every cyber insurance application and that underwriters scrutinize most closely. They are not suggestions. For most carriers and most coverage levels, they are threshold requirements.
Multi-Factor Authentication
MFA is the single most important control in cyber underwriting today. Carriers want to see it deployed on every system that represents a meaningful entry point: email, VPN, remote desktop access, cloud platforms, administrative accounts, and any third-party tools that provide access to your environment or your clients’ environments.
What underwriters are specifically looking for is not whether MFA exists somewhere in your environment but whether it is enforced across all remote access and privileged accounts. A business with MFA on email but not on its VPN, or MFA available but not required, does not satisfy the underwriting requirement.
The Travelers v. International Control Services case established this clearly. A carrier rescinded a $1 million cyber policy after a ransomware attack because MFA had been enabled at the firewall but not across all systems as the application stated. The court upheld the rescission. The policy was treated as if it never existed.
For a detailed breakdown of what underwriters specifically look for in MFA deployment, see our MFA implementation guide for cyber insurance.
Endpoint Detection and Response
Traditional antivirus software is no longer sufficient from an underwriting perspective. Underwriters want to see EDR deployed on all workstations and servers. EDR provides real-time behavioral monitoring and automated response capability that legacy antivirus does not.
The questions underwriters ask about EDR are whether it is deployed on all endpoints, whether it is actively monitored, and whether your business has MDR (managed detection and response) coverage for the hours when internal staff are not watching the console. Businesses that can demonstrate 24/7 EDR monitoring, either through internal resources or a managed service, are viewed more favorably than those with EDR deployed but unmonitored.
For more on how EDR affects coverage and pricing, see our post on EDR and cyber insurance.
Backups
Ransomware has made backup posture one of the most scrutinized areas in cyber underwriting. Underwriters want to see backups that meet three criteria: they are immutable or stored offline so they cannot be encrypted by ransomware, they are tested regularly with documented restore results, and they are retained on a schedule that limits data loss exposure.
The specific questions vary by carrier but typically cover how often backups run, where they are stored, whether storage is air-gapped or immutable, when restores were last tested, and what your recovery time objective is. Businesses that can produce documented restore test results from the last 90 days are in a strong position. Businesses that have backup jobs running but have never tested a restore are not.
For more on what carriers require, see our post on immutable backups and cyber insurance.
Email Security
Email remains the primary attack vector for phishing, business email compromise, and social engineering fraud. Underwriters evaluate email security controls at the domain level and at the gateway level.
At the domain level, they want to see DMARC enforced (not just in monitoring mode), DKIM configured, and SPF published. At the gateway level, they look for filtering capable of detecting malicious attachments and links, and increasingly for API-based security tools that can catch threats that bypass traditional gateway filtering. Documented phishing simulation programs are viewed positively as evidence that employee awareness is being actively maintained.
For a full breakdown of what underwriters look for in email security, see our post on email security controls and cyber insurance.
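The domain-level check described above is something you can run against your own records before an underwriter's external scan does. The following is an added example, not code from this post or from SeedPod Cyber: it classifies a DMARC record as enforced, monitoring-only, partial or missing (p=reject or p=quarantine at pct=100 is what "enforced" means here), confirms an SPF record, and probes a few assumed DKIM selector names. The records are constructed fixtures; swap `lookup_fixture` for a real TXT resolver to check a live domain.

```python
"""Classify a domain's email-authentication posture (DMARC / SPF / DKIM)
the way an underwriter's external scan would. Added example; tag parsing
follows RFC 7489 (DMARC) and RFC 7208 (SPF). Sample records are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# DKIM selectors are not discoverable from DNS; these names are an assumption
# and should be replaced with the selectors your mail platform actually uses.
ASSUMED_DKIM_SELECTORS = ("selector1", "selector2", "google")


@dataclass
class DomainEmailPosture:
    domain: str
    dmarc_status: str          # enforced | partial | monitoring | missing | invalid
    dmarc_policy: Optional[str]
    dmarc_pct: int
    spf_present: bool
    dkim_present: bool

    @property
    def meets_underwriting_baseline(self) -> bool:
        """DMARC enforced (not just monitoring), SPF published, DKIM configured."""
        return self.dmarc_status == "enforced" and self.spf_present and self.dkim_present


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: Optional[str]) -> Tuple[str, Optional[str], int]:
    """Return (status, policy, pct). p=none is monitoring mode; an enforcing
    policy applied to less than 100% of mail is reported as 'partial'."""
    if not record:
        return "missing", None, 0
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", None, 0          # 'p' is mandatory in a DMARC record
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
    if policy == "none":
        return "monitoring", policy, pct
    if policy in ("quarantine", "reject"):
        return ("enforced" if pct >= 100 else "partial"), policy, pct
    return "invalid", policy, pct


def assess_domain(domain: str, txt_lookup: Callable[[str], List[str]]) -> DomainEmailPosture:
    """txt_lookup(name) returns the TXT strings for a DNS name (resolver or fixture)."""
    dmarc = [r for r in txt_lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    status, policy, pct = classify_dmarc(dmarc[0] if dmarc else None)
    spf = any(r.lower().startswith("v=spf1") for r in txt_lookup(domain))
    dkim = any(
        any(r.lower().startswith("v=dkim1") for r in txt_lookup(f"{sel}._domainkey.{domain}"))
        for sel in ASSUMED_DKIM_SELECTORS
    )
    return DomainEmailPosture(domain, status, policy, pct, spf, dkim)


# Constructed zone data: one domain in monitoring mode only, one fully enforced.
SAMPLE_TXT = {
    "_dmarc.monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    "monitoring.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.enforced.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@enforced.example"],
    "enforced.example": ["v=spf1 include:_spf.example.net -all"],
    "selector1._domainkey.enforced.example": ["v=DKIM1; k=rsa; p=placeholderkey"],
}


def lookup_fixture(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])


if __name__ == "__main__":
    for d in ("monitoring.example", "enforced.example"):
        p = assess_domain(d, lookup_fixture)
        print(f"{d}: dmarc={p.dmarc_status} spf={p.spf_present} dkim={p.dkim_present} "
              f"baseline={p.meets_underwriting_baseline}")
```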
Incident Response Plan
A documented, tested incident response plan is required by most carriers as a condition of coverage. The plan needs to be written, current, and tested. A plan that was created three years ago and has never been reviewed does not satisfy this requirement in most underwriters’ eyes.
What makes an IR plan credible to an underwriter is evidence that it has been exercised. Tabletop exercise documentation, a defined communication chain, carrier notification procedures, and named roles for incident response are all indicators that the plan is operational rather than aspirational. For a starting point, see our incident response plan template.
Privileged Access Management
PAM has moved from a nice-to-have to a near-requirement for businesses above certain revenue or data sensitivity thresholds. Underwriters want to see that administrative access to critical systems is controlled, logged, and subject to least-privilege principles. For financial institutions, healthcare organizations, and businesses carrying coverage above $3 million, PAM is frequently treated as a hard requirement.
For more on how PAM affects underwriting, see our post on privileged access management and cyber insurance.
Patch Management
Underwriters want to see a documented patch management process with defined SLAs for critical patches. The specific questions focus on how quickly critical patches are deployed, how systems that cannot be patched on a standard cycle are managed, and what compensating controls exist for legacy or end-of-life systems. Businesses with a high volume of unpatched systems or with end-of-life software running in production face harder questions and sometimes coverage restrictions.
What Underwriters Evaluate Beyond Controls
Security controls are the most visible part of the application, but they are not the only factors that determine your coverage terms, your premium, and in some cases your eligibility. Several non-control factors carry significant weight in the underwriting decision.
Claims History
Prior cyber claims are the strongest single predictor of future claims. A business that has filed a cyber claim will face more scrutiny, higher premiums, and in some cases exclusions related to the type of incident that produced the prior claim. Underwriters want to understand not just that a claim occurred but what remediation steps were taken and whether the underlying vulnerability or control gap was addressed.
A clean claims history is a meaningful underwriting positive and one of the most effective ways to maintain competitive pricing over time.
Revenue and Business Size
Revenue is the primary underwriting variable that drives premium. Larger businesses represent larger potential losses because they hold more data, carry more regulatory exposure, and are subject to larger breach notification obligations. Underwriters use revenue as a proxy for maximum potential claim severity, and premium scales accordingly.
Industry and Regulatory Exposure
Your industry determines your regulatory risk profile, which directly affects how underwriters think about claim severity. A healthcare organization faces HIPAA breach notification requirements and OCR investigations. A financial services firm carries GLBA and state financial privacy obligations. A business that handles payment card data has PCI DSS exposure. A dealership or any business facilitating consumer financing carries FTC Safeguards Rule obligations.
Businesses in heavily regulated industries pay more for cyber insurance not because carriers dislike them but because the downstream regulatory consequences of a breach create losses beyond the immediate response costs. For industry-specific breakdowns of how regulatory exposure affects coverage, see our vertical posts on healthcare, financial services, credit unions, and law firms.
Data Volume and Sensitivity
The type and volume of data you hold is a direct input into potential claim severity. A business holding 500,000 records containing Social Security numbers, financial account information, or protected health information has a very different breach cost profile than one holding 5,000 records of names and email addresses.
Underwriters ask about record counts, data types, and how data is stored and segmented. Businesses that can demonstrate data minimization practices, meaning they only retain what they need and purge records that no longer serve a business purpose, generally fare better than those with large, undifferentiated data stores.
Contract Terms and Indemnification Obligations
For technology companies, SaaS providers, MSPs, and any business that provides services to enterprise clients, the indemnification language in your client contracts is an underwriting factor. If your contracts accept broad indemnification obligations without liability caps for data security events, the maximum loss the carrier could face under your policy is not just a function of your own exposure. It is also a function of the worst-case claim your largest client could bring against you.
Underwriters ask about this directly on tech E&O and cyber applications. Contracts that accept uncapped liability for security events, or that require you to indemnify clients against regulatory fines in their jurisdiction, expand your potential loss profile in ways that premium based on your revenue alone does not capture.
For more on how contract terms affect coverage for technology companies and MSPs, see our posts on tech E&O insurance and cyber insurance for MSPs.
Vendor and Third-Party Dependencies
Underwriters have paid increasing attention to third-party risk since a series of high-profile vendor-side incidents demonstrated that businesses can suffer catastrophic losses from a compromise that never touched their own systems. The CDK Global attack, which took dealer management systems offline for two weeks and cost the automotive retail industry over $1 billion, is the clearest recent example.
Questions about your critical vendor dependencies, whether those vendors use MFA for remote access, and whether you have the ability to quickly disable vendor access if a vendor is compromised have become standard on many applications. Businesses with documented vendor risk management programs (an inventory of third-party access, periodic reviews of vendor security posture, and defined procedures for offboarding vendors) are viewed more favorably than those with uncontrolled or undocumented third-party access.
For more on how third-party risk affects coverage, see our posts on supply chain attack coverage and aggregation risk for MSPs.
Why Application Accuracy Is the Most Important Thing You Can Do
Cyber insurance applications include warranty language that makes the accuracy of your answers a condition of coverage. If you state that MFA is deployed across all remote access systems and it is later discovered during a claim investigation that it was not, the carrier has grounds to deny the claim, rescind the policy, or both.
This is not hypothetical. Claim denials based on application misrepresentation are one of the most common reasons cyber coverage fails to respond. For a full breakdown of how this plays out, see our post on cyber insurance application errors that lead to claim denial.
The practical implication is that you should answer application questions based on your actual security posture, not your intended posture or your aspirational posture. If a control is partially deployed, say so. If a control is in progress, say so. Misrepresentation in either direction creates problems: overstating controls exposes you to rescission; understating them may result in higher pricing than necessary, but that is correctable at renewal.
The better approach is to assess your actual posture before applying, address any material gaps you identify, and then answer the application accurately based on what is in place. Working with a broker who understands underwriting criteria and can help you interpret what each question is actually asking reduces the risk of unintentional inaccuracy.
What Separates a Clean Submission from a Difficult One
Underwriters process hundreds of applications. A submission that is well-organized, accurately completed, and supported by documentation moves through the process faster and with fewer surprises. A submission that is vague, incomplete, or inconsistent creates delays and skepticism.
The characteristics of a clean submission:
Controls are documented, not just attested. A business that can provide MFA enforcement reports from its identity provider, EDR deployment coverage from its endpoint management tool, and backup test results from the last quarter is in a fundamentally stronger position than one that checks boxes and hopes the carrier takes it on faith. Underwriters increasingly ask for this evidence upfront, and providing it voluntarily signals that you have nothing to hide.
The application is internally consistent. Inconsistencies between sections of an application are a flag. If you claim MFA is deployed on all remote access systems in one section and then list a remote access tool that does not support MFA in another section, underwriters notice. Review your application as a whole before submitting.
Prior incidents are disclosed and explained. If your business has had a prior cyber incident, even one that did not result in a formal claim, disclose it and explain what happened and what remediation steps were taken. Carriers typically discover prior incidents through external scans, news searches, and data breach notification databases. An incident that surfaces during underwriting without having been disclosed creates a credibility problem that is much harder to overcome than the incident itself.
Your IT environment is clearly described. Underwriters need to understand your environment to assess your risk accurately. Cloud vs. on-premises, the number of endpoints, the types of systems you run, and the nature of your third-party integrations all inform the underwriting decision. A vague or incomplete description of your environment creates uncertainty, and underwriters price uncertainty conservatively.
What Leads to a Decline, a Substandard Offer, or Clean Terms
Not every application results in a standard offer. Understanding what outcomes are possible and what drives each helps you go into the process with realistic expectations.
Declines typically result from: absence of MFA on critical systems, a recent major breach that has not been remediated, active ransomware indicators discovered through external scanning, revenue above thresholds that trigger a carrier’s appetite limits for a given industry, or a combination of multiple control gaps without compensating measures.
Substandard offers (coverage with exclusions, sublimits, or elevated deductibles attached to specific risk areas) typically result from: partial MFA deployment, a prior claim in the last three years, outdated or unpatched systems without a documented remediation plan, high-risk industry classification with limited controls documentation, or specific coverage areas where your posture does not meet the carrier’s standard threshold.
Clean terms at competitive pricing result from: full MFA enforcement across all remote access and privileged accounts, EDR on all endpoints with active monitoring, immutable backups with tested restores, a documented and exercised incident response plan, a clean claims history, an accurate and well-documented application, and a risk profile that matches the carrier’s appetite for your industry and revenue level.
The distance between a substandard offer and clean terms is often smaller than buyers expect. Addressing one or two specific control gaps before applying can change the outcome materially.
How to Prepare Before You Apply
The most effective thing you can do before submitting a cyber insurance application is to assess your actual security posture against what underwriters will ask about, address any material gaps, and document what is in place so you can support your application with evidence.
For a complete checklist of the controls underwriters evaluate and what documentation looks like for each, see our cyber insurance requirements checklist.
For guidance on the buying process from application through binding, see our post on how to get cyber insurance. For guidance on evaluating what you receive, see how to compare cyber insurance quotes.
SeedPod Cyber works with businesses across industries to assess coverage gaps, prepare applications, and connect with carriers whose appetite and underwriting criteria match each client’s specific risk profile. If you want to understand how your current posture would be evaluated or what a policy would look like for your business, contact SeedPod Cyber or visit our businesses page.
Frequently Asked Questions
What is the most important thing underwriters look for?
Multi-factor authentication is consistently the highest-weighted single control in cyber underwriting. Its absence on critical systems is one of the most common reasons applications are declined or restricted. Beyond MFA, underwriters are looking at the overall coherence of your security posture: whether your controls work together as a system and whether they are documented and verifiable rather than just attested.
Can I get cyber insurance without perfect security controls?
Yes. Most businesses do not have a perfect security posture, and underwriters know this. What matters is whether your controls meet the threshold for the coverage you are seeking and whether your application accurately reflects what is in place. Businesses with partial controls can often obtain coverage with specific exclusions or sublimits on the areas where posture is weaker, and those restrictions can typically be removed at renewal once gaps are addressed.
Does my industry affect what underwriters look for?
Yes, in two ways. First, certain industries face higher baseline scrutiny because of the data they hold or the regulatory environment they operate in. Healthcare, financial services, legal, and technology companies all face industry-specific questions that go beyond the standard baseline. Second, industry determines which regulatory frameworks create downstream exposure, and underwriters factor that into claim severity estimates. For industry-specific guidance, see our vertical posts across healthcare, financial services, credit unions, law firms, manufacturing, car dealerships, and many others on the SeedPod Cyber blog.
How do underwriters verify what I put on my application?
Carriers use a combination of methods. External attack surface scanning tools can identify vulnerabilities visible from the internet before a quote is issued, including open ports, exposed remote desktop services, and domains without DMARC enforcement. Some carriers request supporting documentation directly, such as MFA enforcement reports or EDR deployment coverage reports. Others conduct brief calls with applicants for higher-limit policies. The level of verification scales with the size of the policy and the risk profile of the applicant.
What happens if something on my application changes after I bind coverage?
Most cyber policies require you to notify your carrier of material changes to your security posture or business operations during the policy period. If you add a significant new business line, experience a material change in revenue, or disable a control that was in place when you applied, that change may need to be reported. Failure to report material changes can create coverage disputes at claim time. Review your policy’s notification requirements and err on the side of disclosure.
How does a prior breach affect my application?
A prior breach does not automatically disqualify you from coverage, but it does affect your application materially. Underwriters want to understand what happened, what was exposed, what the remediation looked like, and whether the underlying vulnerability was addressed. A breach that was handled professionally, reported accurately, and followed by documented remediation is a very different application than one that was minimized, unreported, or followed by no meaningful security improvement. For more on what coverage looks like for businesses that have already experienced an incident, see our post on cyber insurance after a prior breach.