Cyberliability Insurance Part 2

September 30, 2025 | 3 min read
Cyberliability Insurance Requirements

The 7 controls underwriters expect (and how to evidence them)

  1. Multi-Factor Authentication (MFA) everywhere that matters
    Scope: Email, VPN/remote access, privileged/admin accounts, and financial/HR apps.
    Proof to keep: Tenant-wide MFA report, conditional-access/policy screenshots, % coverage, exceptions with compensating controls.
    Why it matters: It stops most credential attacks; carriers/market guidance treat it as baseline. Prefer phishing-resistant MFA for admins.

  2. EDR + 24×7 monitoring (MDR/SOC)
    Scope: All servers/workstations; alerting and response after hours.
    Proof: Deployment coverage %, last 30-day detection log, MDR contract/SLA.
    Why: Brokers report EDR/MDR among the top controls reducing breach-related claims; insurers are nudging MDR “like they did with MFA.”

  3. Immutable, off-network backups (test restores monthly)
    Scope: 3-2-1 (ideally 3-2-1-1-0): one copy immutable/air-gapped; routine restore tests.
    Proof: Immutability settings (e.g., S3 Object Lock), backup job logs, restore test records.
    Why: CISA and industry guidance emphasize offline/immutable backups to blunt ransomware.

  4. Privileged Access Management (PAM) & RDP lockdown
    Scope: Separate admin identities, just-in-time elevation, no raw Internet-exposed RDP.
    Proof: Admin account inventory, PAM policy, external scan showing no open RDP.
    Why: Common initial access vector; repeatedly cited by brokers/carriers as a key underwriting control.

  5. Email security + user phishing training
    Scope: Modern mail hygiene (DMARC/SPF/DKIM), secure email gateway, and quarterly phishing simulations.
    Proof: DMARC policy record, gateway policy screenshots, training completion rates.
    Why: Social engineering remains the top loss driver; training and filtering rank high in carrier reports.
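One way to turn the "DMARC policy record" proof item into a repeatable check: an added example (not from the original post or any vendor tool) that parses a DMARC TXT record and flags the gaps an underwriter would question. The domain names and records are constructed; fetching the live TXT record is left to whatever DNS tooling you already use.

```python
"""Assess a DMARC TXT record before attaching it as underwriting evidence.
Added example for this post; records below are constructed, not real DNS data."""

# Constructed sample records keyed by a made-up domain (not real domains).
SAMPLE_RECORDS = {
    "example-strong.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test; adkim=s; aspf=s",
    "example-weak.test": "v=DMARC1; p=none; pct=100",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:reports@example-partial.test",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return the findings a reviewer would raise before calling the record 'enforced'."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("not a valid DMARC record (missing v=DMARC1)")
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} is monitor-only; enforcement expected")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "sp" in tags and tags["sp"] not in ("quarantine", "reject"):
        findings.append(f"subdomain policy sp={tags['sp']} is weaker than the parent policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to evidence ongoing monitoring")
    return {"policy": policy, "pct": pct, "ready": not findings, "findings": findings}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "OK" if result["ready"] else "REVIEW"
        detail = "; ".join(result["findings"]) or f"p={result['policy']}"
        print(f"{domain}: {status} ({detail})")
```

Keep the raw record string, the check output and the date together in the evidence packet, since the questionnaire answer "DMARC enforced" is only as good as the record on the day it is queried.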

  6. Vulnerability & patch management with SLAs
    Scope: Monthly scan cadence, risk-based patch SLAs (e.g., critical < 14 days), auto-patch where safe.
    Proof: Last two scan reports, remediation tickets, SLA dashboard.
    Why: Explicitly listed among carrier key controls and broker “insurability” checklists.

  7. Logging + centralized monitoring (SIEM) & an exercised IR plan
    Scope: Central logs for identity, endpoint, email, firewall; annual tabletop exercises.
    Proof: SIEM coverage map, last tabletop agenda and lessons learned.
    Why: Incident response planning and monitoring measurably reduce the probability and cost of claims.


How denial actually happens (and how to avoid it)

  • Misrepresentation: If your application says “MFA enforced for all email/remote access/admin” and later forensics show gaps, the carrier may rescind or deny. Keep contemporaneous evidence and answer questionnaires precisely (avoid “always/everywhere” wording unless it’s true).

  • Failure-to-maintain clauses: Some policies exclude losses if you don’t maintain specified controls (“minimum required practices”). Read endorsements carefully; negotiate language you can actually meet.

  • Regulatory baselines: If your sector requires MFA (e.g., NYDFS), falling short can complicate both compliance and claims.


Field notes: 30-day “bind-ready” plan

Week 1:

  • Enforce MFA on email, VPN, and all privileged roles; disable legacy/basic auth; document exceptions + compensating controls.

Week 2:

  • Verify EDR coverage to >95%; connect to MDR/SOC; close external RDP; set PAM guardrails.

Week 3:

  • Configure one immutable backup copy; run and document a restore test; adopt 3-2-1 (ideally 3-2-1-1-0).

Week 4:

  • Run a vulnerability scan + patch sprint; verify DMARC, phishing training schedule, SIEM coverage; hold a 90-minute tabletop.

Deliverable to underwriters: one PDF with policy screenshots, coverage percentages, scan/backup/restore artifacts, and your IR playbook summary.


FAQ (for your CFO and broker)

  • Is SMS-code MFA “good enough”?
    Better than nothing, but phishing-resistant MFA (FIDO2/WebAuthn/passkeys) is recommended—especially for admins and high-risk apps.

  • We have EDR—do we still need MDR?
    Carriers increasingly treat 24×7 response as the next frontier (EDR without eyes-on can miss off-hours dwell time).

  • Do regulators really require MFA?
    Some do. For example, NYDFS mandates broad MFA from Nov 1, 2025 for covered entities.


What to do next (and how Roo can help)

  1. Run a pre-underwriting controls check (60 minutes): confirm MFA scope, EDR/MDR coverage, backup immutability, email hygiene, patch SLAs, SIEM/IR readiness.

  2. Harden + prove: for each control, capture screenshots/logs you can hand to the broker in one packet.

  3. Rehearse: 30-minute tabletop on “phished CFO + business email compromise,” focusing on timing, notification, and evidence preservation.

Nathan Taylor

Nathan writes for the Australian magazine, Croc Nation. He recently graduated from Perth University with a degree in Journalism.
