Cyber Insurance Checklist — What Insurers Actually Check (2026)

Email is the #1 attack vector. Credential stuffing, phishing, and password spraying all target email accounts. Without MFA on email, an attacker who gets your password has full access — and most underwriters treat this as a hard requirement.

Critical — some underwriters decline coverage without it

RDP with only a password is one of the most exploited entry points for ransomware operators. Insisting on MFA for all remote access has become standard practice for insurers following a wave of ransomware claims.

Critical — specifically asked on most cyber application forms

Admin accounts with standing privileges that are used for day-to-day tasks dramatically increase breach impact. Attackers move laterally using stolen admin credentials. Insurers look for separation between standard and admin accounts.

High — affects premium and scope of coverage

Unique, strong passwords across all systems reduce credential reuse attacks. Documented policies show the insurer your controls are intentional and auditable — not ad hoc.

Medium — demonstrates maturity

EDR tools (SentinelOne, CrowdStrike, Microsoft Defender for Endpoint) detect attacker behaviour patterns, not just known malware signatures. They catch ransomware in the early stages and can contain attacks before they spread. Traditional AV doesn't.

High — increasingly required for higher coverage limits

Most successful attacks exploit known vulnerabilities that have patches available. Insurers want to know your patching cadence — particularly how quickly you apply critical patches. A 30-day window is often considered reasonable; longer creates exposure.

High — slow patching is a major risk factor for underwriters

Flat networks allow ransomware to spread from one infected device to everything else. Segmentation limits the blast radius of a breach. Insurers see good segmentation as evidence of mature security architecture.

Medium-High — critical for businesses with OT/IoT or large networks

Documented, maintained firewall configurations show that network access is controlled intentionally. Insurers look for evidence that internet-facing services are minimised and access is controlled.

Medium — table stakes, but documented controls matter

These three DNS-based email authentication controls prevent attackers from spoofing your domain in phishing emails targeting your customers and partners. DMARC in particular (with a reject or quarantine policy) is increasingly expected by underwriters.

High — easy to check externally, frequently asked on applications

BEC attacks impersonate executives or suppliers to redirect payments. Controls include dual-approval for transfers above a threshold, out-of-band verification for payment changes, and email filtering that flags external sender impersonation.

High — BEC claims are among the most frequent and expensive

Technical controls only go so far. Regular phishing simulation training demonstrably reduces click rates. Insurers see it as evidence that your human layer is actively managed — not just your technology.

Medium-High — increasingly asked on applications

Advanced email filtering (Microsoft Defender for Office 365, Proofpoint, Mimecast) blocks malicious attachments and links before they reach users. Combined with user training, this reduces the success rate of phishing campaigns significantly.

Medium — expected as baseline

Daily backups are considered the minimum for most business data. Backups that run weekly or less frequently create large recovery point gaps — meaning you could lose up to a week of data if attacked at the wrong time.

Critical — directly affects your recovery options and claim outcome

Backups stored only on-site are often encrypted along with live data in a ransomware attack. Insurers want to see at least one copy stored offsite or in cloud storage — separate from your primary environment.

Critical — on-site-only backups are treated as a significant gap

Modern ransomware specifically seeks out and encrypts backup systems before triggering the visible attack. Immutable storage (where backups can't be modified or deleted for a set period) and air-gapped backups are the most resilient defence.

High — increasingly expected, especially for higher coverage limits

An untested backup is an assumption. Many businesses discover their backups are corrupted, incomplete, or take far longer to restore than expected — only when they actually need them. Insurers want evidence that restoration has been tested, not just assumed.

High — lack of testing is a major flag at claim time

A written IR plan that covers roles, communication procedures, containment steps, and recovery processes shows the insurer that your response will be structured — not panicked. It also helps establish the sequence of events during a claim investigation.

High — asked on most application forms, critical for claims

Underwriters look at your prior insurance history — previous claims, previous coverage, and any lapses. First-time buyers may be asked more questions. Businesses with prior claims may face higher premiums but can demonstrate what improved since.

Medium — informs underwriting assessment

Under Australia's Notifiable Data Breaches scheme, eligible businesses must notify the OAIC and affected individuals within 30 days of identifying an eligible breach. Insurers want to know you understand these obligations and have a process to meet them.

Medium-High — regulatory non-compliance creates additional liability

Third-party breaches are a growing source of incidents. Underwriters increasingly ask about your awareness of key vendor risks — especially cloud providers, IT managed service providers, and payment processors with access to your systems.

Medium — growing area of underwriter scrutiny