By Ryan Windt | Head of Growth Marketing | Updated June 2026
Most guidance on cyber insurance underwriting treats the application like a checklist. Turn on MFA, deploy EDR, keep backups, write an incident response plan, and you pass. The checklist is real, and you can read what underwriters verify in our breakdown of the security controls underwriters check before they quote you. But practitioners know the checklist is the floor, not the decision. Two applicants can tick every box and get different answers.
To get at what actually moves a bind decision, we sat down with Kyle Sawdey, who leads underwriting at SeedPod Cyber. What follows is his perspective on the judgment that happens after the controls clear, in his own words.
The Controls Are Clean. What Still Makes You Hesitate?
Kyle’s answer is that controls are only one input. Four factors sit outside the control stack and frequently decide the outcome.
Risk exposure by class and size. Industry and scale drive baseline hazard before a single control is reviewed.
“A payment processor is considered very high risk exposure because their day-to-day business creates a higher cyber and tech exposure. Compare that to a $20M nonprofit that carries some risk exposure but historically experiences fewer cyber events.”
Loss history. A track record of prior events raises the hazard rating, but the detail matters more than the fact.
“Underwriters want to understand how recently the event occurred (the further in the past, the better), how large the claim was, the root cause, and what new controls or processes were put in place to prevent a future, similar event.”
If you are coming to market after an incident, how you present that history is often decisive. We cover the mechanics separately in getting cyber insurance after a prior breach.
Merger and acquisition hygiene. Strong controls can be undone by a single poorly diligenced acquisition.
“A company can have the best controls implemented into their business, but if they make an acquisition and integrate a company into their network without strong safeguards and due diligence, they may be acquiring a cyber attack without knowing about it.”
For acquisitive companies, this is its own underwriting conversation, which we go deeper on in cyber insurance in M&A and private equity.
Tested readiness. An IR plan that has never been exercised is a document, not a capability.
“Many ransomware payments have been paid by companies who had backups but realized it would take months to stand up their business with backups. Unfortunately, it was too late to test their controls.”
What Buyers Overweight and Underweight
Kyle drew a sharp line between the controls buyers believe carry the most weight and the ones that genuinely change his decision.
| What buyers overweight | What actually moves the decision |
|---|---|
| Certifications as proof of security | Whether controls are practiced and tested every day, not at a point in time |
| Having backups | Backups that are immutable, ideally air-gapped, and regularly tested |
| Tooling breadth | Good data hygiene: knowing what data you hold, where it lives, and who can access it |
“Certifications can be very important, but they are a point-in-time audit. If controls and processes are not practiced every day and tested regularly, they may become a moot point.”
On backups, the form they take matters more than their existence. An underwriter is not reassured by a backup that a threat actor who is already inside the network can reach and encrypt alongside production. Kyle’s standard lines up with what we detail in immutable backups and cyber insurance.
“If on any random day a company cannot determine how much confidential data they have, exactly where it is located, and who has access, they are at greater risk for a data breach.”
What Gets an Application Declined
Some gaps are not pricing problems. They are declinations. Kyle named the ones that most often end a submission.
- No written incident response plan, or no standard contract such as an MSA (master services agreement). Their absence signals that other risk management practices are likely missing too.
- Missing MFA. It has become a minimum control across most of the market.
- Open VPNs. Since 2019, a large share of ransomware intrusions have traced back to internet-exposed VPN endpoints with no additional protection, which threat actors locate through non-intrusive scans before they ever touch the network.
“If a written IR plan or standard contract is not in place, there is an assumption other key risk management practices will be missing.”
If you want the prerequisite view of what has to be true before you even reach a pricing conversation, see cyber insurance requirements: what underwriters actually check.
The Tiebreaker Between Two Identical Applicants
When two submissions look the same on paper, Kyle’s tiebreaker is staffing.
“Most organizations have IT support, a generalist team. Many lack dedicated cyber-security-focused IT. That can be an important differentiator as a business grows.”
What a Strong Application Sounds Like
Beyond the controls, Kyle reads how a business talks about its own risk. The posture matters as much as the answers.
“A client that has experienced a cyber event and increased their budget and protections to prevent a future one may have become a hardened, battle-tested company with less likelihood of a future event.”
The inverse is just as telling. A business that had an incident and did not take the lessons seriously tends to reveal that in conversation, and underwriters move away from those accounts.
The Biggest Gap: What Buyers Think Makes Them Insurable
The most common misconception, in Kyle’s view, is that collecting little data means carrying little exposure. Data breaches are only one piece of the picture; the other loss scenarios below apply regardless of how much personal data a business holds.
- An outage that stops you from delivering a service or product, driving lost revenue. We cover this in how cyber business interruption coverage works.
- A double-extortion ransomware event, where systems are locked and data is exfiltrated. The data does not have to be PII or card data; trade secrets, litigation files, and financials all qualify. See cyber extortion coverage.
- Funds-transfer fraud through fraudulent or manipulated invoices.
- Regulatory exposure, such as an Attorney General inquiry over a missed breach notification.
“The truth is, data breaches make up only a small portion of cyber exposure to a company.”
Frequently Asked Questions
Can a cyber insurance application be declined even with MFA, EDR, and backups in place?
Yes. Controls are the baseline. Exposure by industry class and size, loss history, M&A hygiene, and whether the incident response plan has actually been tested can all change the outcome after the controls clear.
What most commonly causes an outright decline?
A missing written incident response plan or standard contract, absent MFA, and open or unprotected VPNs are among the most common reasons a submission is declined rather than priced.
Are backups enough to satisfy an underwriter?
Not on their own. Underwriters look for backups that are immutable, ideally air-gapped, and tested on a regular schedule, because a backup a threat actor can reach offers little protection.
Related Resources
For the full preparation view, read how carriers evaluate your cyber insurance application and the companion piece on application errors that cost you at claim time. If a past incident is part of your story, getting covered after a prior breach walks through what to expect. And before you go to market, building a tested incident response plan closes one of the most common decline triggers.
SeedPod Cyber is a specialized provider of cyber and Tech E&O coverage. If you want to understand how your business looks to an underwriter before you submit, get in touch with our team.