Why Your Cyber Insurance Application Keeps Getting Rejected

Why Insurers Have Gotten So Strict

Before we get into the fixes, it helps to understand why this has happened.

Between 2019 and 2022, cyber insurance claims exploded. Ransomware attacks weren’t just hitting enterprise companies; they were crippling SMBs. And insurers paid out billions.

The result? Insurers rewrote their underwriting rules. They started asking detailed technical questions. They began requiring specific security controls as conditions of coverage.

Today, if you don’t meet their baseline security requirements, you’ll either get rejected, be quoted an astronomical premium, or be given coverage with so many exclusions it’s barely worth having.

Let’s look at what they’re actually checking.


1. No Multi-Factor Authentication (MFA)

The Problem: This is the number one reason for rejection. If you’re not using MFA on email, remote access, and admin accounts, most insurers won’t even consider you.

Why it matters to insurers: Microsoft and Google have both reported that MFA blocks the overwhelming majority of automated account-takeover attempts (Microsoft's much-quoted figure is 99.9%). Without it, one phished or reused password is the whole mailbox, the files behind it and often the VPN as well. That is more risk than an underwriter is willing to price.

The Fix:

  • Enable MFA on Microsoft 365 / Google Workspace for all users (not just admins), and block legacy authentication (basic-auth IMAP, POP and SMTP), because those protocols skip MFA entirely
  • Require MFA for VPN and remote desktop access, and never expose RDP directly to the internet, with or without MFA
  • Use authenticator apps (Microsoft Authenticator with number matching, Google Authenticator, or similar) rather than SMS; for admin accounts prefer phishing-resistant methods (FIDO2 security keys or passkeys), since adversary-in-the-middle phishing kits can relay one-time codes and push approvals
  • Document your MFA policy for the application, including which accounts are excluded and why

Timeline: You can implement MFA in a week. There’s no excuse not to have this.


2. No Email Security Beyond Basic Spam Filtering

The Problem: Email is still the number one attack vector. Basic spam filtering isn’t enough anymore — insurers want to see advanced threat protection.

Why it matters to insurers: Phishing and business email compromise (BEC) cause huge losses. A single fraudulent invoice payment can cost tens of thousands.

The Fix:

  • Implement Microsoft Defender for Office 365 or equivalent advanced email security; this is the control that actually inspects inbound mail
  • Publish SPF, DKIM and DMARC records for every domain you send from. SPF lists your authorised senders, DKIM signs outgoing mail, and DMARC tells receiving servers what to do when a message fails both checks. These stop others from spoofing your domain; they do not filter what lands in your inbox. Start at p=none to collect reports, then move to p=quarantine and p=reject, because a record left at p=none blocks nothing
  • Enable Safe Attachments and Safe Links
  • Consider an additional email filtering service for layered protection
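
As an added example (not the article's own material or any vendor's tool), the following Python script audits SPF, DKIM and DMARC records for the weak settings just described: a softfail or "+all" SPF, a DMARC policy stuck at p=none or applied to only part of the mail, a missing reporting address, and a DKIM selector whose key was never published. Records are passed in as strings so it runs offline; the example.com records are constructed, and the only real value in them is Microsoft's published SPF include for Microsoft 365.

```python
"""Offline audit of SPF / DKIM / DMARC records for the weak settings that
let a domain be spoofed.  Added example, not the article's code.  Records
are passed in as strings; in practice you would fetch the TXT records
(e.g. with dnspython: dns.resolver.resolve("_dmarc.example.com", "TXT"))
and pass the values straight in.  Sample records below are constructed.
"""


def _parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DKIM/DMARC record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> list:
    """Return a list of findings for an SPF record (empty list = looks sane)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is '+'
        body = term.lstrip("+-~?").lower()
        name = body.split("/")[0]                            # drop any /prefix-length
        if body == "all":
            all_qualifier = qualifier
        # These mechanisms each cost a DNS lookup; RFC 7208 allows at most 10.
        if name in ("a", "mx", "ptr") or name.startswith(
            ("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")
        ):
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders are not rejected")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every host on the internet to send as you")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral; spoofed mail neither passes nor fails")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' is a softfail; insurers usually expect '-all'")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def audit_dkim(record: str) -> list:
    """A DKIM selector record with an empty p= tag means the key is revoked or absent."""
    tags = _parse_tags(record)
    if "v" in tags and tags["v"].upper() != "DKIM1":        # v= is optional in DKIM
        return ["DKIM: unexpected version tag"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag; the key was revoked or never published"]
    return []


def audit_dmarc(record: str) -> list:
    """Flag a DMARC record that monitors but does not enforce."""
    findings = []
    tags = _parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or malformed record (no v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; receivers take no action on spoofed mail")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains spoofable despite the parent policy")
    return findings


# Constructed sample records for a fictional example.com tenant on Microsoft 365.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; p=",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDexample",  # placeholder key
}


def audit_domain(records: dict) -> list:
    """Run all three checks for one domain and return the combined findings."""
    return audit_spf(records["spf"]) + audit_dkim(records["dkim"]) + audit_dmarc(records["dmarc"])


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(recs) or ["no findings"])
```

The weak set produces four findings (softfail SPF, unpublished DKIM key, p=none, no reporting address); the hardened set produces none. To run it against a real tenant, resolve the TXT records for `example.com`, `_dmarc.example.com` and the DKIM selector (Microsoft 365 publishes `selector1._domainkey` and `selector2._domainkey` as CNAMEs to the tenant's keys) and feed the values to the three functions.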

Timeline: A few days to implement and configure properly.


3. No Offline or Immutable Backups

The Problem: If ransomware hits and your backups are connected to your network, they get encrypted too. Insurers know this – and they’re asking specifically about backup isolation.

Why it matters to insurers: Companies with isolated, tested backups can rebuild without paying for a decryptor. Companies without them face long outages, ransom payments and large claims. (Backups do not solve stolen data, which is why the other controls on this list still matter.)

The Fix:

  • Implement the 3-2-1 backup rule: 3 copies, 2 different media types, 1 offsite, and make sure at least one copy is offline or immutable, because an offsite copy that a domain admin account can delete is still reachable by an attacker holding that account
  • Use immutable backups (object-lock or WORM storage, where even an administrator cannot alter or delete a copy before its retention period expires)
  • Test restores regularly – at least quarterly – by restoring to a scratch location, verifying the restored files are complete and intact, and keeping a dated record of each test
  • Keep backup credentials separate from main admin credentials, protected by their own MFA, so a compromised domain admin cannot log in to the backup console
  • Document your backup and recovery procedures, including how long a full restore actually takes
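
A backup job reporting "success" is not a restore test. The script below is an added example (not the article's or any backup vendor's code) of what a restore test should actually prove: it hashes every file when the backup is taken, stores the manifest with the backup, and after a test restore compares the restored bytes against that manifest, so a backup that ransomware or bit rot has touched is caught before the day you need it. The file tree it backs up is constructed in a temporary directory, and the 90-day window in `restore_test_status` is the one from the checklist later in this article.

```python
"""Restore test with evidence: hash at backup time, prove the restore matches.
Added example, not the article's code.  The manifest should be stored with
the immutable copy so an attacker who can rewrite backups cannot also
rewrite the record of what they should contain.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import date


def build_manifest(root: str) -> dict:
    """Map each file's relative, '/'-separated path to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_restore(restored_root: str, manifest: dict) -> dict:
    """Compare a restored tree to the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {
        "ok": not (missing or extra or corrupt),
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
    }


def restore_test_status(last_test_iso, today_iso: str, max_days: int = 90) -> str:
    """The checklist item: a restore test within the last 90 days (dates as ISO strings)."""
    if last_test_iso is None:
        return "never tested"
    overdue = (date.fromisoformat(today_iso) - date.fromisoformat(last_test_iso)).days - max_days
    return "ok" if overdue <= 0 else f"overdue by {overdue} days"


def run_demo() -> tuple:
    """Back up a constructed tree, restore it, verify; then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "fileserver")
        os.makedirs(os.path.join(source, "finance"))
        with open(os.path.join(source, "finance", "invoices.csv"), "w") as fh:
            fh.write("inv,amount\n1001,4200.00\n1002,980.50\n")   # constructed data
        with open(os.path.join(source, "readme.txt"), "w") as fh:
            fh.write("quarterly close notes\n")                   # constructed data

        # Backup: copy the tree and write the manifest alongside it.
        manifest = build_manifest(source)
        backup = os.path.join(tmp, "backup")
        shutil.copytree(source, backup)
        with open(os.path.join(tmp, "backup-manifest.json"), "w") as fh:
            json.dump(manifest, fh)

        # Restore test: restore to a scratch location, never over production.
        restored = os.path.join(tmp, "restore-test")
        shutil.copytree(backup, restored)
        clean = verify_restore(restored, manifest)

        # Failure mode: a backup that ransomware (or bit rot) has touched.
        with open(os.path.join(restored, "finance", "invoices.csv"), "ab") as fh:
            fh.write(b"\x00")
        os.remove(os.path.join(restored, "readme.txt"))
        tampered = verify_restore(restored, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
    print("last test 2025-10-01, today 2026-02-17:",
          restore_test_status("2025-10-01", "2026-02-17"))
```

The second verification reports `finance/invoices.csv` as corrupt and `readme.txt` as missing, which is exactly the evidence a "the job ran green" report never gives you. Keep the manifest and the dated verification output as the restore-test record the application asks for.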

Timeline: 1-2 weeks to set up properly with testing.


4. No Endpoint Detection and Response (EDR)

The Problem: Traditional antivirus isn’t enough anymore. Insurers increasingly require EDR – software that actively monitors for suspicious behaviour, not just known malware signatures.

Why it matters to insurers: EDR can detect and stop ransomware before it spreads. Signature-based AV misses new or repackaged malware, and it misses intrusions that use no malware at all, such as stolen credentials and the built-in admin tools already on the machine.

The Fix:

  • Deploy EDR on all endpoints, servers included (Microsoft Defender for Endpoint, SentinelOne, CrowdStrike)
  • Ensure 24/7 monitoring (either in-house or via managed service); an alert nobody reads at 2am is the same as no alert
  • Configure automated response rules for common attack patterns, such as isolating a host from the network when ransomware behaviour is detected
  • Keep all devices enrolled – no exceptions for “trusted” machines – and alert on agents that stop reporting, because disabling the agent is an early step in many intrusions

Timeline: 1-2 weeks for deployment and configuration.


5. Unpatched or End-of-Life Systems

The Problem: Running Windows 7? Server 2012? Office 2010? Windows 10, which left support in October 2025? That’s an automatic red flag. Unsupported systems receive no security updates, so every new vulnerability found in them stays exploitable for good.

Why it matters to insurers: Most ransomware intrusions start with an internet-facing service carrying a known, already-patched vulnerability, with phished credentials, or both. If you’re not patching, you’re choosing to stay vulnerable to attacks the vendor has already fixed.

The Fix:

  • Audit all systems and create an inventory: hostname, operating system and version, owner, last patch date, internet exposure
  • Replace or upgrade end-of-life operating systems (and end-of-life Office versions, which insurers also ask about)
  • Implement automatic patching; insurers commonly require critical patches within 30 days (some within 14), and anything internet-facing or listed in CISA’s Known Exploited Vulnerabilities catalogue should be patched faster
  • If you can’t replace legacy systems, document compensating controls (network isolation, no internet route, extra monitoring, application allow-listing)

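
The inventory, end-of-life and patch-window checks above are easy to automate once the inventory exists. The script below is an added example (not the article's or any vendor's tool) that runs those checks over a constructed inventory as of the date of this article. The end-of-support dates in its table are the vendors' published ones as known to the author; verify each against the vendor's lifecycle page before relying on it, and note that the table only lists products already past end of life, so an operating system missing from it is "not known to be EOL", not "proven supported".

```python
"""Flag end-of-life operating systems and missed patch windows in an asset
inventory.  Added example, not the article's code.  EOL dates are vendor
end-of-support dates as known to the author; confirm them before use.
If a machine is enrolled in a paid Extended Security Updates programme,
record that as a compensating control rather than editing the table.
"""
from datetime import date

EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Office 2010": date(2020, 10, 13),
    "Office 2013": date(2023, 4, 11),
    "Office 2016": date(2025, 10, 14),
}

# Constructed inventory: (hostname, product, last patched ISO date, documented compensating controls)
SAMPLE_INVENTORY = [
    ("DC01", "Windows Server 2022", "2026-02-03", ""),
    ("FS01", "Windows Server 2012 R2", "2023-09-12", ""),
    ("HR-LAPTOP-07", "Windows 10", "2026-01-05", ""),
    ("CNC-PC", "Windows 7", "2020-01-10", "VLAN 40, no internet route, EDR agent, application allow-list"),
    ("WEB01", "Ubuntu 22.04", "2025-12-20", ""),
]


def audit_inventory(rows, today_iso: str, patch_sla_days: int = 30) -> list:
    """Return (hostname, severity, message) tuples; an empty list means nothing to fix."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, product, last_patched_iso, controls in rows:
        eol = EOL_DATES.get(product)
        if eol and eol <= today:
            if controls.strip():
                findings.append((host, "warn",
                                 f"{product} end-of-life since {eol}; compensating controls: {controls}"))
            else:
                findings.append((host, "critical",
                                 f"{product} end-of-life since {eol} with no compensating controls"))
            continue  # the vendor ships no patches, so the patch SLA is moot for this host
        age = (today - date.fromisoformat(last_patched_iso)).days
        if age > patch_sla_days:
            findings.append((host, "high",
                             f"last patched {age} days ago, over the {patch_sla_days}-day window"))
    return findings


def summarise(findings: list) -> dict:
    """Count findings by severity, the numbers an application form actually asks for."""
    counts = {"critical": 0, "high": 0, "warn": 0}
    for _host, severity, _msg in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY, "2026-02-17")
    for host, severity, message in results:
        print(f"{severity:8} {host:14} {message}")
    print(summarise(results))
```

Against the sample inventory on 2026-02-17 this flags the 2012 R2 file server and the Windows 10 laptop as critical, the isolated Windows 7 machine controlling the CNC as a documented exception, and the Ubuntu web server as 59 days unpatched; the domain controller patched 14 days ago is clean. Feed it a real export from your RMM or Intune and the "critical" rows are the ones an underwriter will ask about first.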

6. No Security Awareness Training

The Problem: Your staff are your first line of defence – and your biggest vulnerability. Insurers want to see you’re training them to spot threats.

Why it matters to insurers: Most breaches involve a human element somewhere: a clicked link, a reused password, an approved MFA prompt the user didn’t start, a paid fake invoice. Trained staff fall for these less often and, just as important, report them sooner.

The Fix:

  • Implement regular security awareness training (at least annually, ideally quarterly)
  • Run phishing simulations to test and reinforce training, and track the report rate as well as the click rate; a workforce that reports quickly shortens every incident
  • Include training on password hygiene, spotting phishing, refusing MFA prompts they didn’t trigger, and reporting suspicious activity
  • Keep records of training completion for the application


7. No Incident Response Plan

The Problem: When something goes wrong, do you know who to call? What to do first? Insurers want to see you have a plan, not just hope.

Why it matters to insurers: Companies with incident response plans contain breaches faster and at lower cost. Panic makes everything worse.

The Fix:

  • Create a written incident response plan covering common scenarios (ransomware, compromised mailbox, fraudulent payment request, lost or stolen device)
  • Define roles and responsibilities (who decides what, who contacts whom, who can authorise taking systems offline)
  • Include contact details for your IT support, insurer and legal advisor; many policies require you to notify the insurer before engaging outside help, so put that number at the top
  • Keep a printed or offline copy, because the plan on the file server is unreadable once the file server is encrypted
  • Test the plan at least annually with a tabletop exercise


Quick Checklist: Are You Insurance-Ready?

Before your next application, make sure you can answer “yes” to all of these:

  • ✅ MFA enabled on all email, VPN, and admin accounts
  • ✅ Advanced email security in place, with SPF, DKIM and DMARC published and DMARC at quarantine or reject
  • ✅ Offline or immutable backups tested within the last 90 days
  • ✅ EDR deployed on all endpoints with 24/7 monitoring
  • ✅ No end-of-life operating systems in production
  • ✅ Security awareness training completed within the last 12 months
  • ✅ Written incident response plan in place

The Bottom Line

Cyber insurance isn’t optional anymore, especially if you handle client data, financial information, or have contractual obligations.

The good news is that the security controls insurers want aren’t just checkboxes for an application. They’re the same controls that actually protect your business. Getting insurance-ready means getting secure.

Most of these fixes can be implemented in 4-8 weeks with the right support. And once they’re in place, you’ll not only get better insurance terms, you’ll be far less likely to need to make a claim in the first place.


Need Help Getting Insurance-Ready?

We help businesses implement the security controls they need to pass cyber insurance applications — without the jargon or overselling.

Book a 15-minute call. We’ll review your current setup against typical insurer requirements and tell you exactly what needs fixing.

No audit fee. No pressure. Just a clear list of what you need.

Date: February 17, 2026

Author: Rafael Macedo
