Cyber Insurance Requirements: Comple...

Cyber insurance has evolved from a niche product into a critical component of enterprise risk management. With the average cost of a data breach reaching $4.88 million (IBM 2025) and ransomware attacks demanding payments in the millions, even well-defended organisations face financial exposure that can threaten their survival. Meanwhile, insurers have responded to escalating claims by tightening underwriting requirements — the days of buying cyber insurance with minimal security controls are over.

Today's cyber insurance requirements read like a security audit checklist: multi-factor authentication, endpoint detection and response, privileged access management, incident response plans, backup strategies, and employee security awareness training are all standard prerequisites. Organisations that can't demonstrate these controls face premium increases of 50–100%, exclusions on key coverages, or outright denial.

This guide explains what cyber insurance covers, what security controls insurers require, how to navigate the application process, and how your compliance programmes (GDPR, NIS2, ISO 27001, SOC 2) align with insurance requirements.

Quick Reference	Details
What is cyber insurance?	Insurance coverage for financial losses resulting from cyber incidents (breaches, ransomware, business interruption, liability)
Other names	Cyber liability insurance, cyber risk insurance, data breach insurance
Typical premium	$1,500–$5,000/year (small business); $10,000–$100,000+/year (mid-market); $100,000–$1M+/year (enterprise)
Typical coverage	$1M–$10M (SMB); $5M–$50M (mid-market); $25M–$500M+ (enterprise)
Key coverage types	First-party (your losses) and third-party (liability to others)
Must-have controls	MFA, EDR, backup, incident response plan, security awareness training, privileged access management
Application process	Detailed questionnaire + potential technical assessment
Claims trend	Ransomware is #1 claim type; business email compromise is #2

Key Takeaways

Cyber insurance covers financial losses from cyber incidents — including breach costs, ransomware payments, business interruption, legal defence, and regulatory fines

Insurers have dramatically tightened underwriting requirements since 2020 — MFA, EDR, and tested backup are now minimum thresholds for most carriers

Coverage Area	What It Pays For
Breach response costs	Forensic investigation, notification to individuals, credit monitoring, call centre
Ransomware/extortion	Ransom payments (where legal), negotiation services, recovery costs
Business interruption	Lost income during system outage; extra expenses to maintain operations
Data recovery	Costs to restore or recreate lost or damaged data
Legal defence	Attorney fees for lawsuits, regulatory proceedings
Regulatory fines and penalties	GDPR fines, state attorney general penalties (where insurable)
Media liability	Defamation, copyright infringement through digital channels
Crisis management	PR/communications costs to manage reputational damage
Third-party liability	Claims from customers, partners, or other parties harmed by your breach
PCI DSS assessments	Card brand fines and assessments following a payment card breach

Exclusion	Why
Prior known incidents	Incidents you were aware of before the policy period
Unencrypted portable devices	Many policies exclude losses from unencrypted laptops/USB drives
War and nation-state attacks	The "war exclusion" is expanding and increasingly contested
Systemic/catastrophic events	Some policies exclude infrastructure-wide events (major cloud outage, internet disruption)
Failure to maintain minimum security	If you misrepresented your controls on the application
Intentional acts	Deliberate misconduct by the insured
Betterment	Upgrading systems beyond their pre-incident state
Contractual liability	Penalties under your contracts (unless specifically covered)
Infrastructure improvements	Costs to improve security after an incident (beyond restoration)

Aspect	First-Party Coverage	Third-Party Coverage
Who it protects	Your organisation (direct losses)	Against claims from others
Triggered by	Your incident; your losses	Claims or lawsuits from affected parties
Example: data breach	Forensic investigation, notification costs, data recovery	Customer lawsuits, regulatory fines, PCI assessments
Example: ransomware	Ransom payment, business interruption, recovery	Customer claims for service disruption
Example: BEC fraud	Financial loss from fraudulent transfer	Claims from business partner whose data was used

Tier	Controls Required	Premium Impact
Minimum threshold	MFA, EDR, backup, incident response plan	Required to obtain coverage at all
Standard controls	Above + PAM, email security, vulnerability management, security training	Standard premiums
Advanced controls	Above + SIEM/SOC, zero trust, ISO 27001/SOC 2, tested BCP	Premium discounts (15–30%)

#	Control	Why Insurers Require It	Impact on Application
1	Multi-Factor Authentication (MFA)	Prevents 99% of credential-based attacks	Mandatory — no MFA on email and remote access = likely denial
2	Endpoint Detection and Response (EDR)	Detects and contains endpoint compromise automatically	Mandatory for mid-market and above
3	Backup and Recovery	Enables ransomware recovery without paying ransom	Mandatory — must be tested, offsite/air-gapped
4	Incident Response Plan	Ensures organised response; reduces breach cost	Mandatory — tested plan; many insurers want to see it
5	Privileged Access Management (PAM)	Limits damage from compromised admin accounts	Strongly expected — especially for admin/root access
6	Email Security	Blocks phishing, BEC, malware delivery	Expected — SPF/DKIM/DMARC + advanced filtering
7	Security Awareness Training	Reduces human error (phishing clicks, social engineering)	Expected — regular training with phishing simulations
8	Vulnerability Management and Patching	Closes known vulnerabilities before exploitation	Expected — critical patches within 14–30 days
9	Network Segmentation	Limits lateral movement after initial compromise	Expected for mid-market and above
10	Encryption	Protects data at rest and in transit	Expected — especially for sensitive data
11	Logging and Monitoring	Enables detection and forensic investigation	Expected — centralised logging with 12+ months retention
12	Vendor Risk Management	Reduces supply chain attack surface	Increasingly expected — vendor assessments, DPAs

Control	Basic (Minimum)	Good	Best Practice
MFA	On email and VPN	On all cloud services and critical systems	On all systems; phishing-resistant MFA (FIDO2)
Backup	Daily backup; stored offsite	Daily backup; tested quarterly; offsite + immutable	Real-time replication; tested monthly; air-gapped; immutable
EDR	Deployed on servers and workstations	EDR with 24/7 monitoring	XDR with MDR service; automated response
Patching	Critical patches within 30 days	Critical patches within 14 days; regular scanning	Critical patches within 72 hours; continuous scanning

Source	What Insurers Learn
Application questionnaire	Your self-reported security controls, incidents, revenue, data types
External security scans	Your external attack surface — open ports, vulnerable services, email authentication, certificate issues
Security ratings	Your BitSight, SecurityScorecard, or UpGuard rating
Claims history	Previous cyber incidents and insurance claims
Industry and size	Sector-specific risk factors; revenue as a proxy for target attractiveness
Certifications	ISO 27001, SOC 2 — demonstrate mature controls
Supplemental questions	Deep-dive questions on specific controls (MFA, backup, IR)

Red Flag	Insurer Concern
No MFA on email or remote access	#1 attack vector unprotected
No EDR deployed	Unable to detect or contain endpoint compromise
Backups not tested or not offsite	Ransomware recovery not viable
No incident response plan	Disorganised response will increase claim cost
Previous breach within 2 years	Elevated risk; potentially systemic issues
End-of-life software in production	Known unpatched vulnerabilities
No security awareness training	Employees vulnerable to phishing/social engineering

Factor	Impact
Revenue	Higher revenue = higher target attractiveness = higher premium
Industry	Healthcare, financial services, retail (PCI) = higher premiums
Data volume	More records = higher breach costs
Sensitive data types	Health data, financial data, PII = higher risk
Claims history	Previous claims increase premiums 25–100%+
Weak controls	Missing MFA, EDR, backup = significant premium increase
International operations	Multi-country exposure (GDPR, multiple regulators)
Coverage limits	Higher limits = higher premiums
Lower deductible	Lower retention = higher premium

Factor	Typical Discount
ISO 27001 certification	10–20%
SOC 2 Type II report	10–15%
Mature security programme (documented, tested)	15–25%
No claims history (3+ years)	10–15%
Advanced controls (SIEM/SOC, zero trust, PAM)	10–20%
Tested incident response plan (with tabletop exercises)	5–10%
Security awareness training (with phishing simulations)	5–10%
Higher deductible	10–25% (you absorb more risk)

Step	Activity	Tips
1	Engage a broker	Use a broker specialising in cyber insurance; they know the market and can negotiate
2	Prepare documentation	Gather: security policies, IR plan, training records, certifications (ISO 27001, SOC 2), asset inventory
3	Complete the application	Answer every question honestly and completely; inaccurate answers can void coverage
4	Provide supplementary information	Some insurers request additional documentation: IR plan, network diagram, vendor list
5	External scan results	Insurer will likely scan your external attack surface; remediate issues before applying
6	Underwriting review	Insurer evaluates your risk profile; may ask follow-up questions
7	Quote and negotiation	Broker obtains quotes from multiple carriers; negotiate terms, limits, exclusions
8	Bind coverage	Accept terms and bind the policy
9	Onboarding	Review policy documents carefully; understand notification requirements, panel vendors
10	Annual renewal	Update information annually; demonstrate control improvements to negotiate better terms

Exclusion	What It Means	Negotiation Tip
War/hostile acts	Attacks attributed to nation-states may be excluded	Ask for specific wording; "cyber war" definitions vary; some policies now have "cyber operation" sub-limits
Infrastructure failure	Widespread outage (major cloud provider, internet backbone)	Ask whether the exclusion applies only to non-cyber infrastructure or also to cyberattacks on infrastructure
Unencrypted data	Losses from breach of unencrypted portable devices	Ensure your encryption policy covers all portable devices and media
Failure to patch	Losses from exploitation of known vulnerabilities not patched within a defined timeframe	Understand the expected patching timeline; align with your vulnerability management policy
Prior acts	Incidents or circumstances known before the policy inception	Ensure your retroactive date provides adequate coverage for past acts
Regulatory fines	Some policies exclude regulatory fines in certain jurisdictions where they're considered non-insurable	Ask specifically about GDPR fine coverage; varies by insurer and jurisdiction
Betterment	Costs to improve beyond pre-incident state	Understand that insurance restores, not upgrades
Social engineering sub-limit	BEC/wire fraud may have a lower sub-limit than the main policy	Negotiate adequate social engineering limits if BEC is a concern

Compliance Framework	Insurance Alignment
ISO 27001	Demonstrates comprehensive ISMS; addresses virtually all insurer-required controls; 10–20% premium discount
SOC 2 Type II	Independent auditor assurance over security controls; 10–15% premium discount
NIS2	Risk management, incident response, supply chain security — all align with insurer requirements
DORA	ICT risk management, incident reporting, resilience testing — strong alignment with insurer expectations
GDPR	Data protection measures, breach notification procedures, vendor management — all reduce insurance risk
NIST CSF	Industry-standard framework that maps directly to insurer control questionnaires

Step	Activity	Timeline
1	Discover the incident	As soon as possible
2	Notify your insurer	Within 24–72 hours (check your policy for the exact requirement)
3	Engage panel vendors	Insurers have pre-approved forensics firms, legal counsel, PR firms
4	Investigation	Forensic investigation determines scope, cause, and impact
5	Containment and remediation	Guided by forensic findings; expenses covered under policy
6	Notification	Regulatory and individual notifications (costs covered)
7	Claim documentation	Compile all expenses, losses, and supporting evidence
8	Claim settlement	Insurer reviews and pays the claim per policy terms

#	Mistake	Consequence	Prevention
1	Inaccurate application answers	Claim denied; policy rescinded	Answer honestly; disclose partial implementations
2	Not reading the policy	Surprised by exclusions during a claim	Read the full policy; understand exclusions, sub-limits, waiting periods
3	Treating insurance as a security substitute	Weak controls lead to incidents and premium increases	Invest in security controls first; insurance is for residual risk
4	Late incident notification	Insurer may deny coverage	Understand notification requirements; notify within 24 hours
5	Using non-panel vendors	Costs may not be covered	Use the insurer's pre-approved panel (forensics, legal, PR)
6	Inadequate coverage limits	Claim exceeds policy limits; organisation absorbs excess	Model potential breach costs; buy adequate limits
7	Ignoring sub-limits	Social engineering or ransomware claims hit a low sub-limit	Review and negotiate sub-limits for specific claim types
8	Not reviewing at renewal	Policy doesn't reflect your current risk profile	Annual review of coverage, limits, and exclusions
9	No broker	Miss better terms; overpay; don't understand options	Use a cyber-specialist broker
10	Failing to improve controls	Premiums increase annually; coverage restricted	Demonstrate security improvements at each renewal

Cyber Insurance Requirements: Complete Guide to Coverage, Controls, and Application (2026)

Key Takeaways

Share article

Need help with compliance?

Table of Contents

What Is Cyber Insurance?

What Cyber Insurance Covers (and Doesn't)

What's Typically Covered

What's Typically NOT Covered

First-Party vs. Third-Party Coverage

Cyber Insurance Requirements: What Insurers Demand

Underwriting Tiers

The 12 Controls Insurers Require

Control Maturity Assessment

How Insurers Evaluate Your Application

Information Sources

Red Flags That Increase Premiums or Cause Denial

Cyber Insurance Costs: Premium Factors

What Drives Premium Up

What Drives Premium Down

The Application Process Step by Step

Application Accuracy Warning

Common Policy Exclusions

Exclusions to Watch

Cyber Insurance and Compliance Alignment

Leveraging Compliance for Better Insurance Terms

Filing a Cyber Insurance Claim

Claim Process

Critical Claims Tips

Common Mistakes with Cyber Insurance

Frequently Asked Questions

How much cyber insurance do I need?

Is cyber insurance required by law?

Does cyber insurance cover GDPR fines?

What's the difference between cyber insurance and professional indemnity (E&O)?

How does ransomware coverage work?

Will my premiums go down if I get ISO 27001?

How do I handle cyber insurance in vendor contracts?

What happens if my security controls change after I get the policy?

Related Resources

Conclusion

Related Articles

Business Continuity Plan Template: Complete BCP Guide with Ready-to-Use Framework (2026)

Vendor Risk Assessment: The Complete Third-Party Risk Management Guide (2026)

AI Risk Assessment: The Complete Framework for EU AI Act Compliance (2026)