Cyber Risk Insurability: What Insurers Really Demand Today
Cyber insurance is getting stricter. What evidence and documentation insurers require from companies in 2025 – and how to prepare.
The Cyber Insurance Market Has Changed
After years of losses driven by large ransomware claims, cyber insurers have tightened their underwriting requirements considerably. A self-declaration and a ticked box for "MFA activated" are no longer enough. Anyone wishing to take out or renew cyber insurance today must provide substantially more robust evidence of their actual security level, typically in the form of documentation, configuration evidence, or attestations from a third party.
The most important requirements we see in customer conversations and market analyses fall into three categories.
Category 1: Technical Basic Measures (as Minimum Requirements)
- Multi-Factor Authentication (MFA): Not just for email, but for all privileged access, all remote access (VPN, remote desktop, cloud consoles), and critical systems.
- Privileged Access Management (PAM): Controlled, auditable access to privileged accounts, with logging of all privileged sessions and activities.
- Endpoint Detection & Response (EDR): Modern endpoint protection with behavioral analysis, not just signature-based antivirus.
- Backup Strategy: Regular, tested backups following the 3-2-1 rule (three copies of the data, on two different media, one of them off-site), ideally with an offline, air-gapped, or immutable component that a ransomware operator with domain admin rights cannot delete. "Tested" means documented restore tests, not just successful backup jobs.
- Patch Management: Structured process for timely remediation of critical vulnerabilities, with defined remediation deadlines by severity.
Category 2: Governance and Processes (increasingly in focus)
- Incident Response Plan: Documented, regularly tested plan for handling security incidents.
- Security Awareness Training: Regular employee training, ideally with phishing simulations.
- Vendor Risk Management: Documented process for reviewing suppliers and their security level.
Category 3: External Threat Monitoring (new and increasingly required)
More and more insurers explicitly ask about external monitoring measures:
- Is the company being monitored for darknet activity?
- Is there systematic monitoring of credential leaks?
- Are phishing sites and lookalike domains that impersonate the brand monitored and actively taken down?
Behind these questions is a lesson the industry has drawn: many serious incidents are preceded by external signals (leaked credentials, newly registered lookalike domains, darknet listings) that were visible early, if anyone had been watching.
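The credential-leak monitoring the insurers ask about is, at its core, two checks: scanning newly published dumps for accounts on the company's own mail domains, and checking passwords against breach corpora without ever sending the password itself. The following Python is an added example written for this article, not code from the original page or any vendor. It assumes placeholder domains (`example.com`, `example.de`), a constructed sample dump in the common `email:secret` format, and the publicly documented HIBP Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<first five SHA-1 hex chars>`, which answers with `SUFFIX:COUNT` lines); the network call itself is left out so the code runs offline, and a constructed response body is used instead.

```python
"""Minimal credential-leak triage: domain-scoped dump matching and
k-anonymity password checks. Added example; all data below is constructed."""
import hashlib
import re
from dataclasses import dataclass

# Assumption: the insured organisation's mail domains (placeholders).
MONITORED_DOMAINS = frozenset({"example.com", "example.de"})

# Constructed sample "combo list" lines; made-up records, not real leaked data.
CONSTRUCTED_DUMP = [
    "alice@example.com:Summer2024!",
    "bob@other.org:hunter2",
    "Carol@EXAMPLE.DE:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "mallory@example.com.attacker.net:password1",   # lookalike domain, must NOT match
    "not a credential line",
]

# email:secret, where the secret is everything after the first colon.
_LINE_RE = re.compile(r"^(?P<email>[^:\s]+@[^:\s]+):(?P<secret>.*)$")


@dataclass(frozen=True)
class LeakHit:
    email: str
    secret_is_plaintext: bool


def _mail_domain(email: str) -> str:
    # Exact match on the part after the last '@', lowercased, so that
    # "example.com.attacker.net" is not treated as example.com.
    return email.rsplit("@", 1)[1].lower()


def find_domain_hits(lines, domains=MONITORED_DOMAINS):
    """Return the dump entries whose mail domain is one of ours."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        email, secret = m.group("email"), m.group("secret")
        if _mail_domain(email) not in domains:
            continue
        # Heuristic: crypt-style hashes ($2b$, $argon2id$, ...) start with '$';
        # anything else is treated as an exposed plaintext password.
        hits.append(LeakHit(email=email.lower(), secret_is_plaintext=not secret.startswith("$")))
    return hits


def hibp_hash_parts(password: str):
    """Split the SHA-1 of a password into the 5-hex-char prefix that is sent
    to the range API and the 35-char suffix that stays local (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Given the response body for the password's prefix (lines 'SUFFIX:COUNT'),
    return how often the password appeared in breaches, or 0 if absent."""
    _, suffix = hibp_hash_parts(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


if __name__ == "__main__":
    for hit in find_domain_hits(CONSTRUCTED_DUMP):
        print(hit)
    prefix, suffix = hibp_hash_parts("Summer2024!")
    print(f"range query would send only prefix {prefix}; suffix {suffix} stays local")
```

In production the range lookup is a single HTTPS GET per prefix; because only five hex characters leave the network, the check can be run against every account in the directory without disclosing any password or its full hash. Any `LeakHit` with `secret_is_plaintext=True` is the evidence an insurer expects to see acted upon: forced reset, session revocation, and a ticket that documents both.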
What Insufficient Documentation Means in a Claim
Those who cannot present sufficient evidence of the security measures they declared at underwriting risk a reduced payout or an outright denial of the claim. This is not a theoretical possibility; it is already happening in cyber insurance cases. Investment in demonstrable, documented security measures is therefore not only an operational but also a financial necessity.
Note: This article provides a general market overview. For the specific requirements of your insurance, please refer to your insurance contract or speak directly with your insurance broker.
Do you have concrete questions about your security situation?
We speak directly with you – no sales pressure, no standard presentation. Only relevant insights for your situation.
Request Briefing