Why the application got harder
Carriers paid out historic ransomware losses through 2020 and 2021 and reacted exactly the way you'd expect: they tightened underwriting. The result is the application you're filling out now. Almost every control on it maps to a finding from a real claim — an organization that got hit, didn't have the control, and the carrier paid the loss they could have avoided.
The good news is the controls are concrete. Each one is buildable in a small business. None of them requires a $50,000 software platform. The bad news is that a lot of small businesses don't have them, and the broker can only flag what's missing — closing the gaps is on you.
The eleven controls carriers ask about (and what they actually want)
1. Multi-factor authentication on email and remote access
The single most-asked-about control. Carriers want MFA on Microsoft 365 (or Google Workspace), on the VPN, on remote-desktop gateways, and on any administrative console. SMS-based MFA is the floor, and an increasingly weak answer, because one-time codes and push prompts can be phished or approved out of fatigue; phishing-resistant MFA (FIDO2 hardware keys, passkeys, Windows Hello for Business) for finance and IT admins is the rising bar. Enforce it tenant-wide through Conditional Access rather than per-user settings, so the coverage is provable from the sign-in logs. See what MFA actually buys you.
2. Endpoint detection and response (EDR) on every endpoint
Traditional antivirus is not EDR. The carrier wants a named EDR vendor (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint Plan 2, Datto EDR, etc.) on every workstation, laptop, and server — not just the file servers. The 24/7 monitoring side is usually a related question: is the EDR being watched, or just installed?
3. Backups that are tested and isolated
Three sub-questions hide in this one: are you backing up production data, is at least one copy offline or immutable (so ransomware can't encrypt the backup too), and have you actually tested a restore in the last 90 days? "We have backups" is not enough, and neither is "immutable" if the backup console is reachable with the same domain-admin credentials the attacker just stole; the account that can alter or delete backups needs its own credentials and its own MFA. See backup is the answer; restore is the test.
4. Patching cadence on operating systems and third-party apps
Carriers ask for a documented patching schedule. "We update when prompted" is not a schedule. Most expect critical OS patches deployed within 14 days of release; third-party app patching (browsers, PDF readers, Java if it's still around) on a similar cadence. After October 14, 2025, Windows 10 endpoints without ESU enrollment are a hard problem here. See Windows 10 end-of-life: your migration timeline.
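The patching log the carrier asks for is easier to produce if you can turn an RMM export into an SLA report on demand. The script below is an added example, not Micro-IT's tooling and not the output of any named RMM: it takes a constructed list of patch-deployment records (hostnames, dates and OS labels are made up), scores each against the 14-day critical window, and flags Windows 10 endpoints that are past the October 14, 2025 end of support without ESU enrollment. The field names are assumptions; map them to whatever your RMM actually exports.

```python
"""Patch-SLA and end-of-support report from an RMM-style export.

Added example, not Micro-IT code. RECORDS is constructed sample data with
assumed field names; AS_OF is the constructed report date.
"""
from datetime import date

CRITICAL_SLA_DAYS = 14          # the cadence most carriers expect for critical OS patches
WIN10_END_OF_SUPPORT = date(2025, 10, 14)
AS_OF = date(2025, 11, 5)       # constructed report date

# Constructed RMM export. installed=None means the patch is still pending on that host.
RECORDS = [
    {"host": "FIN-01",   "os": "Windows 11",          "esu": False, "patch": "2025-10 Cumulative Update",
     "released": date(2025, 10, 14), "installed": date(2025, 10, 20)},
    {"host": "RECEP-02", "os": "Windows 10",          "esu": False, "patch": "2025-10 Cumulative Update",
     "released": date(2025, 10, 14), "installed": None},
    {"host": "SRV-FILE", "os": "Windows Server 2022", "esu": False, "patch": "2025-10 Cumulative Update",
     "released": date(2025, 10, 14), "installed": date(2025, 11, 2)},
    {"host": "IMG-03",   "os": "Windows 10",          "esu": True,  "patch": "2025-10 Cumulative Update",
     "released": date(2025, 10, 14), "installed": date(2025, 10, 25)},
]


def patch_posture(records, as_of, sla_days=CRITICAL_SLA_DAYS):
    """Count hosts inside the SLA and list every host/patch pair that is not."""
    within, findings = 0, []
    for r in records:
        host, patch = r["host"], r["patch"]
        if r["installed"] is None:
            # Pending patches age against the release date, not the install date.
            age = (as_of - r["released"]).days
            if age > sla_days:
                findings.append(f"{host}: {patch} still pending after {age} days (SLA {sla_days})")
            else:
                within += 1
        else:
            days = (r["installed"] - r["released"]).days
            if days > sla_days:
                findings.append(f"{host}: {patch} took {days} days (SLA {sla_days})")
            else:
                within += 1
        # An unsupported OS is a patching gap even if every released patch is applied.
        if r["os"] == "Windows 10" and not r["esu"] and as_of >= WIN10_END_OF_SUPPORT:
            findings.append(f"{host}: Windows 10 without ESU after {WIN10_END_OF_SUPPORT}; "
                            "no further security updates are coming")
    return {"total": len(records), "within_sla": within, "findings": findings}


def sample_posture():
    """The report over the constructed export, as of the constructed date."""
    return patch_posture(RECORDS, AS_OF)


if __name__ == "__main__":
    report = sample_posture()
    print(f"{report['within_sla']}/{report['total']} host/patch pairs inside the {CRITICAL_SLA_DAYS}-day SLA")
    for finding in report["findings"]:
        print(" !", finding)
```

Run it monthly against the real export and file the output; that dated report is the receipt a post-incident reviewer asks for, and a blank "we patch promptly" is not.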
5. Email security beyond the M365 defaults
The native Microsoft 365 filter catches a lot, but business email compromise (BEC) routinely sneaks past it. Carriers want named anti-phishing protection (Inky, Proofpoint, Mimecast, Microsoft Defender for Office 365 Plan 2) and impersonation protection on executive mailboxes. BEC is consistently one of the highest-loss crime categories by dollar volume in the FBI's annual IC3 reports; carriers treat it accordingly.
6. Security awareness training and phishing simulation
Carriers ask for documented annual training and at least quarterly phishing-simulation exercises with tracked results. "We tell people to be careful" is not training. Most managed plans include a training platform (KnowBe4, Hook Security, Curricula, etc.) with click-rate metrics that survive an audit.
7. A written incident-response plan
Not a long one — a workable one. Who calls the carrier within the breach-notification window. Who isolates affected systems. Who notifies clients if data is in scope. Who talks to the press if it gets there. The plan needs to exist on paper before an incident, not as an exercise during one.
8. Privileged access management
Carriers want admin accounts to be separate from daily-driver accounts, MFA-required, and reviewed quarterly. The CEO who has Global Administrator on Microsoft 365 because "it's easier" is the exact pattern the question is screening for. Keep the Global Administrator list short (Microsoft's own guidance is fewer than five) and make sure none of those accounts has a mailbox or a licensed daily workload attached to it.
9. Network segmentation
For practices that handle regulated data, the carrier wants imaging, EHR, POS, and guest Wi-Fi networks separated, not flat. Verticals where this matters most: healthcare (HIPAA), retail (PCI), municipal (CJIS).
10. Email-banking-fraud controls (BEC / wire fraud)
Dual control on bank changes. Callback verification to a known number (not the one in the email). SPF, DKIM and DMARC on the company's email domain, with DMARC at an enforcing policy (p=quarantine or p=reject); a p=none record only reports spoofing, it doesn't stop it. AP staff trained on the patterns. See wire fraud: the mistake every business almost makes.
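Brokers and carriers rarely check the email-authentication records themselves, but a post-incident reviewer will, so it pays to grade them the way a receiving mail server does. The script below is an added example, not Micro-IT's tooling: it evaluates a domain's SPF, DKIM and DMARC TXT records and returns the findings, with a deliberately weak record set (soft-fail SPF, p=none DMARC, no DKIM key) beside a hardened one. The records are passed in as a dict so it runs offline; the domains, selectors and key text are constructed. Against a live domain you would fetch the same names with a DNS library such as dnspython and feed the answers in.

```python
"""Grade SPF / DKIM / DMARC posture from TXT records.

Added example, not Micro-IT code. WEAK and HARDENED are constructed record
sets for made-up domains; the DKIM key text is a placeholder.
"""

# Constructed: a domain that "has SPF and DMARC" but stops nothing.
WEAK = {
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

# Constructed: the same domain brought to an enforcing posture.
HARDENED = {
    "hardened.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100"],
    "selector1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"],
}


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_domain(domain, txt, dkim_selectors=("selector1", "selector2")):
    """Return a list of findings; an empty list means the domain is at the enforcing bar."""
    findings = []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record; anyone can send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as a permanent error")
    else:
        terms = spf[0].split()
        if "+all" in terms or "?all" in terms:
            findings.append("SPF: +all/?all authorizes every sender; the record is decorative")
        elif "-all" not in terms:
            findings.append("SPF: record does not end in -all; soft fail lets spoofed mail through")
        if sum(t.startswith("include:") for t in terms) > 10:
            findings.append("SPF: more than 10 include: terms risks the DNS-lookup limit")

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record at _dmarc; receivers apply no policy at all")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
        pct = int(tags.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unenforced")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address; you get no aggregate reports to prove it works")

    # A DKIM record must carry a p= public key; v=DKIM1 is optional per the RFC.
    keyed = [s for s in dkim_selectors
             if any("p=" in r for r in txt.get(f"{s}._domainkey.{domain}", []))]
    if not keyed:
        findings.append("DKIM: no public key published at the checked selectors")
    return findings


if __name__ == "__main__":
    for name, records in (("weak.example", WEAK), ("hardened.example", HARDENED)):
        result = grade_domain(name, records)
        print(name, "->", "OK" if not result else "")
        for finding in result:
            print("  !", finding)
```

The default selectors are the two Microsoft 365 uses; for a third-party sending platform add its selector to the list, or the check will report a DKIM gap that is really a lookup gap.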
11. Third-party / supply-chain risk
For larger policies, the application asks about which vendors have access to your systems and what controls they have. This is usually a soft section unless you handle truly sensitive data — but answer it consistently with your actual vendor stack.
What "yes" actually requires — in receipts, not assurances
A carrier reviewing a post-incident claim asks for evidence: the EDR deployment report from the month of the incident, the patching log showing the relevant CVE was closed, the MFA enforcement report from the affected tenant, the restore-test log. If the application said "yes" and the evidence file is empty, the claim either gets denied or settled at a fraction. Build the evidence file as you build the control — not retroactively.
How a managed-IT stack maps to the application
For Micro-IT clients, the controls above map cleanly to the stack we run on every environment. Paste this as a quick reference for your broker:
| Carrier control | How Micro-IT clients meet it |
|---|---|
| MFA on email and remote access | Microsoft Entra ID with Conditional Access; phishing-resistant for finance and IT admin roles. |
| EDR on every endpoint | Datto EDR with 24/7 SOC monitoring on every workstation, laptop, and server. |
| Tested, isolated backups | Datto immutable backup, restore-tested monthly (not just scheduled). |
| Patching cadence | Datto RMM with documented schedule for OS and third-party patches. |
| Advanced email security | Inky on every Microsoft 365 mailbox; impersonation protection on executive accounts. |
| Security awareness + phishing simulation | Quarterly training program with tracked click-rate metrics. |
| Incident response plan | Written runbook for every client environment, updated annually. |
| Privileged access management | Separate admin accounts, MFA-enforced, reviewed quarterly. |
| Network segmentation | Ubiquiti UniFi with vertical-specific VLANs (HIPAA / PCI / guest). |
| BEC / wire-fraud controls | Dual-control AP playbook, DMARC/DKIM/SPF on every client domain. |
| Third-party / supply-chain risk | Named-vendor stack (eleven vendors, seven layers) for every client. |
What to hand your broker on renewal day
- The control map above, marked yes/no per the application's questions.
- Vendor names for each control (the carrier wants specifics).
- The current OS posture: how many Windows 10 endpoints remain, and the migration plan if any.
- The most recent restore-test date.
- The MFA coverage report from your Microsoft 365 tenant (Sign-in logs export, last 30 days).
- The written incident-response plan.
That packet usually moves the conversation from "we'll need to review" to "we can quote."
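The MFA coverage report in the packet above, and the enforcement evidence control 1 asks for, can both be produced from the interactive sign-in log export rather than from a screenshot of a policy. The script below is an added example, not Micro-IT's tooling: it reads an Entra ID sign-in CSV, keeps successful sign-ins from the last 30 days, and reports per user how many were satisfied with MFA, which methods were used, and two findings a carrier cares about: any successful single-factor sign-in (MFA is not enforced for that user) and privileged users whose MFA was satisfied only with SMS or other non-phishing-resistant methods. The column names follow the Entra export as the author understands it and are assumptions to check against your own file; the sample rows, the privileged set and the report date are constructed.

```python
"""MFA coverage from an Entra ID sign-in log export.

Added example, not Micro-IT code. Column names are assumptions about the
Entra interactive sign-in CSV export; SAMPLE_CSV, PRIVILEGED and AS_OF are
constructed sample data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: method labels as they appear in the export's
# "Multifactor authentication auth method" column.
PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business", "Passkey"}

# Constructed sample export (six sign-ins, three users). Not real data.
SAMPLE_CSV = """Date (UTC),Username,Status,Authentication requirement,Multifactor authentication auth method
2025-10-01T08:02:11Z,cfo@example.com,Success,Multifactor authentication,Text message
2025-10-02T09:15:40Z,cfo@example.com,Success,Multifactor authentication,Text message
2025-10-02T10:03:07Z,itadmin@example.com,Success,Multifactor authentication,FIDO2 security key
2025-10-03T14:44:59Z,frontdesk@example.com,Success,Single-factor authentication,
2025-10-03T15:01:12Z,frontdesk@example.com,Failure,Single-factor authentication,
2025-08-20T07:00:00Z,frontdesk@example.com,Success,Single-factor authentication,
"""

# Constructed: the accounts held to the phishing-resistant bar (finance and IT admin).
PRIVILEGED = {"cfo@example.com", "itadmin@example.com"}
AS_OF = datetime(2025, 10, 4, tzinfo=timezone.utc)


def mfa_coverage(csv_text, as_of, privileged, window_days=30):
    """Per-user MFA picture over the window: counts, methods seen, findings."""
    cutoff = as_of - timedelta(days=window_days)
    stats = defaultdict(lambda: {"success": 0, "mfa": 0, "single_factor": 0, "methods": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["Date (UTC)"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Failed attempts prove nothing about enforcement; out-of-window rows are noise.
        if when < cutoff or row["Status"] != "Success":
            continue
        s = stats[row["Username"].lower()]
        s["success"] += 1
        if row["Authentication requirement"] == "Multifactor authentication":
            s["mfa"] += 1
            if row["Multifactor authentication auth method"]:
                s["methods"].add(row["Multifactor authentication auth method"])
        else:
            s["single_factor"] += 1

    report = {}
    for user, s in stats.items():
        findings = []
        if s["single_factor"]:
            # A successful single-factor sign-in is the receipt the carrier does not want to see.
            findings.append(f"{s['single_factor']} single-factor sign-in(s): MFA not enforced")
        if user in privileged and s["methods"] and not (s["methods"] & PHISHING_RESISTANT):
            findings.append("privileged user satisfied MFA only with non-phishing-resistant methods")
        report[user] = {**s, "methods": sorted(s["methods"]), "findings": findings}
    return report


def sample_report():
    """The report over the constructed export, as of the constructed date."""
    return mfa_coverage(SAMPLE_CSV, AS_OF, PRIVILEGED)


if __name__ == "__main__":
    for user, s in sorted(sample_report().items()):
        pct = 100 * s["mfa"] // s["success"] if s["success"] else 0
        print(f"{user}: {s['mfa']}/{s['success']} MFA ({pct}%), methods={s['methods']}")
        for finding in s["findings"]:
            print("  !", finding)
```

A blank method column on an MFA-satisfied row usually means the requirement was met by a claim already in the session rather than a fresh prompt, so the script does not grade those rows; pair the sign-in view with the tenant's authentication-methods registration report to see what each privileged user actually has enrolled.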
