The 7 controls underwriters expect (and how to evidence them)

1. Multi-Factor Authentication (MFA) everywhere that matters
   Scope: Email, VPN/remote access, privileged/admin accounts, and financial/HR apps.
   Proof to keep: Tenant-wide MFA report, conditional-access/policy screenshots, % coverage, exceptions with compensating controls.
   Why it matters: It stops most credential attacks; carriers/market guidance treat it as baseline. Prefer phishing-resistant MFA for admins.

2. EDR + 24×7 monitoring (MDR/SOC)
   Scope: All servers/workstations; alerting and response after hours.
   Proof: Deployment coverage %, last 30-day detection log, MDR contract/SLA.
   Why: Brokers report EDR/MDR among the top controls reducing breach-related claims; insurers are nudging MDR “like they did with MFA.”

3. Immutable, off-network backups (test restores monthly)
   Scope: 3-2-1 (ideally 3-2-1-1-0): one copy immutable/air-gapped; routine restore tests.
   Proof: Immutability settings (e.g., S3 Object Lock), backup job logs, restore test records.
   Why: CISA and industry guidance emphasize offline/immutable backups to blunt ransomware.

4. Privileged Access Management (PAM) & RDP lockdown
   Scope: Separate admin identities, just-in-time elevation, no raw Internet-exposed RDP.
   Proof: Admin account inventory, PAM policy, external scan showing no open RDP.
   Why: Common initial access vector; repeatedly cited by brokers/carriers as a key underwriting control.

5. Email security + user phishing training
   Scope: Modern mail hygiene (DMARC/SPF/DKIM), secure email gateway, and quarterly phishing simulations.
   Proof: DMARC policy record, gateway policy screenshots, training completion rates.
   Why: Social engineering remains the top loss driver; training and filtering rank high in carrier reports.

6. Vulnerability & patch management with SLAs
   Scope: Monthly scan cadence, risk-based patch SLAs (e.g., critical < 14 days), auto-patch where safe.
   Proof: Last two scan reports, remediation tickets, SLA dashboard.
   Why: Explicitly listed among carrier key controls and broker “insurability” checklists.

7. Logging + centralized monitoring (SIEM) & an exercised IR plan
   Scope: Central logs for identity, endpoint, email, firewall; annual tabletop exercises.
   Proof: SIEM coverage map, last tabletop agenda and lessons learned.
   Why: Incident response planning and monitoring measurably reduce the probability and cost of claims.

How denial actually happens (and how to avoid it)

• Misrepresentation: If your application says “MFA enforced for all email/remote access/admin” and later forensics show gaps, the carrier may rescind or deny. Keep contemporaneous evidence and answer questionnaires precisely (avoid “always/everywhere” wording unless it’s true).

• Failure-to-maintain clauses: Some policies exclude losses if you don’t maintain specified controls (“minimum required practices”). Read endorsements carefully; negotiate language you can actually meet.

• Regulatory baselines: If your sector requires MFA (e.g., NYDFS), falling short can complicate both compliance and claims.

Field notes: 30-day “bind-ready” plan

Week 1:

• Enforce MFA on email, VPN, and all privileged roles; disable legacy/basic auth; document exceptions + compensating controls.

Week 2:

• Verify EDR coverage to >95%; connect to MDR/SOC; close external RDP; set PAM guardrails.

Week 3:

• Configure one immutable backup copy; run and document a restore test; adopt 3-2-1 (ideally 3-2-1-1-0).

Week 4:

• Run a vulnerability scan + patch sprint; verify DMARC, phishing training schedule, SIEM coverage; hold a 90-minute tabletop.

Deliverable to underwriters: one PDF with policy screenshots, coverage percentages, scan/backup/restore artifacts, and your IR playbook summary.

FAQ (for your CFO and broker)

• Is SMS-code MFA “good enough”?
  Better than nothing, but phishing-resistant MFA (FIDO2/WebAuthn/passkeys) is recommended—especially for admins and high-risk apps.

• We have EDR—do we still need MDR?
  Carriers increasingly treat 24×7 response as the next frontier (EDR without eyes-on can miss off-hours dwell time).

• Do regulators really require MFA?
  Some do. For example, NYDFS mandates broad MFA from Nov 1, 2025 for covered entities.

What to do next (and how Roo can help)

1. Run a pre-underwriting controls check (60 minutes): confirm MFA scope, EDR/MDR coverage, backup immutability, email hygiene, patch SLAs, SIEM/IR readiness.

2. Harden + prove: for each control, capture screenshots/logs you can hand to the broker in one packet.

3. Rehearse: 30-minute tabletop on “phished CFO + business email compromise,” focusing on timing, notification, and evidence preservation.