
What your cyber insurer expects before paying a claim

The cyber insurance market changed between 2020 and 2022 more than it had in the previous two decades combined. Carriers that once offered broad coverage with minimal controls questions now require detailed questionnaires, technical attestations, and in some cases external audits. And if you file a claim without the controls you said you had, the insurer will look for reasons not to pay.

Cyvra Team
Cyvra Consultancy
3 May 2026
Key takeaways
  • The hardening cycle of 2021 made technical controls mandatory, not optional, for most cyber policies
  • MFA on remote access is the single most common reason carriers decline to quote
  • Post-breach forensics will check whether your controls match what you stated on the application
  • Lloyd's of London now excludes state-sponsored attacks from standalone cyber policies
  • First-party and third-party sublimits in your policy schedule often differ from the headline limit

Why cyber insurance underwriting changed

The ransomware epidemic of 2020 and 2021 cost insurers more than they had modelled. Colonial Pipeline, JBS Foods, and dozens of hospital systems filed multi-million dollar claims within months of each other. The combined loss ratio across the market reached unsustainable levels: carriers were paying out more in claims than they collected in premium, with overhead on top.

Premiums rose sharply. Marsh McLennan reported average increases of 130% for some segments in Q4 2021. Carriers also introduced sublimits specifically for ransomware, so a policy with a headline limit for any cyber event might cap ransomware recovery at half that amount, with a higher deductible.

  • $1.54M: average ransomware payment in 2024 (Sophos State of Ransomware report)
  • $2.73M: average total cost of a ransomware attack, including recovery (Sophos 2024)
  • 130%: peak average premium increase in Q4 2021 (Marsh Global Insurance Market Index)

The market has since stabilised. Average premium increases dropped to around 3% in 2023 as carriers adjusted their books and controls requirements tightened. But the controls that emerged from that hardening cycle are now permanent fixtures. They are not going away when the market softens further.

The five controls underwriters check first

Modern underwriting applications run to 40 or more questions. Five controls carry more weight than all the others combined. If you cannot demonstrate these five, expect either a declined quote or coverage with significant carve-outs.

1. Multi-factor authentication (MFA)
Specifically on email, VPN, remote desktop access, privileged accounts, and cloud admin portals. MFA on email alone is not sufficient. Many carriers will decline to quote if MFA is absent from remote access, regardless of other controls.

2. Endpoint detection and response (EDR)
Not traditional antivirus. EDR tools detect behavioural anomalies and can isolate compromised endpoints before lateral movement occurs. Underwriters want EDR deployed across all endpoints, not just servers.

3. Immutable, offline backups
Backups that attackers cannot reach and encrypt. Tested regularly, with a written restoration test report. Without verified backups, ransomware recovery costs rise sharply and the pressure to pay the ransom increases.

4. Privileged access management (PAM)
Controls on who holds admin credentials, with time-limited access sessions and credential vaulting. Domain admin accounts are the primary ransomware lateral movement route after an initial foothold is established.

5. Patch management with documented SLAs
Critical and high-severity vulnerabilities patched within defined timeframes. Many policies require patches within 30 days of release; some specify 14 for critical CVEs. Known unpatched vulnerabilities can void a claim if they were the attack vector.

Beyond the five, carriers increasingly ask about DMARC, DKIM, and SPF email authentication (which reduce phishing and business email compromise exposure), network segmentation, and whether you have a documented incident response plan that has been tested in the past 12 months.

What the application process looks like

The accuracy of your answers matters more than the quality of your controls. Post-breach forensics will check what was actually in place, not what you said was in place. If there is a gap between the two, the insurer has grounds to challenge the claim on misrepresentation.

Typical application questions cover:

  • Whether MFA is deployed on email, VPN, remote access, cloud services, and privileged accounts separately, not as a single yes/no answer
  • The percentage of endpoints covered by EDR
  • Your patch management SLA for critical vulnerabilities
  • Whether you have a documented incident response plan and when it was last tested
  • Whether backups are tested for restoration and how frequently
  • Whether you have PAM controls, and whether privileged accounts are vaulted
  • Annual revenue, number of employees, data types processed (PII, payment card, health), and sector

Do not complete the questionnaire from memory. Build a controls inventory before you start: map each required control to the system or user group it covers, the person responsible, and the last review date. Bring documentation to the application process. If you discover gaps during this exercise, address them before applying rather than after.

Practical tip

Request a copy of last year's application from your broker. Comparing year-on-year answers against your current posture is one of the fastest ways to identify where your documentation does not match your controls.

How insurers evaluate claims

When you file a claim, your insurer appoints a forensic firm. That firm's primary function is to determine root cause, scope, and whether your controls matched your application. They will review Active Directory logs and firewall records, assess whether MFA was enforced at every authentication point you described, examine backup logs, and check whether the initial attack vector was a known unpatched vulnerability.

The forensic report goes to the insurer before the claim is settled. If it contradicts your application, the insurer will use that to challenge the claim. This is not theoretical: denial rates on cyber claims have been climbing.

The second factor that determines claim outcomes is notification timing. Most policies require you to notify your insurer promptly after becoming aware of an incident, typically within 72 hours. Late notification is itself grounds for claim reduction, independent of whether your controls were in place.

Important

Contact your insurer and legal counsel before engaging a public relations firm or making external statements after a breach. Many policies cover crisis communication costs, but only if the insurer approves the communications firm. Engaging one independently can void that element of coverage.

Exclusions you need to understand

Read your policy schedule, not just the marketing summary. The exclusions that matter most are not prominently featured.

State-sponsored and war exclusions
In 2023, Lloyd's of London required all syndicates to exclude losses attributable to state-sponsored cyber operations from standalone cyber policies. Given that a significant proportion of ransomware infrastructure is linked to state-backed groups, this exclusion has practical reach beyond state-on-state conflict. Check how your policy defines attribution and what burden of proof applies.

Ransomware sublimits
Many policies cap ransomware-related losses at a sublimit below the total policy limit. A policy with a €5 million headline limit might cap ransomware payments at €1 million. Read the schedule carefully.

Prior known events
If you experienced a breach before your policy inception date and did not disclose it, coverage for related claims will be excluded. Ongoing incidents or known vulnerabilities that predate the policy are typically excluded too.

Failure to maintain controls
If you attested to having a control at application and then removed or disabled it before an incident, your insurer has grounds to reduce or deny the claim. Controls must remain in place throughout the policy period.

Preparing for renewal

The best time to prepare for renewal is six months before it happens. Most brokers will give you a pre-renewal questionnaire two to three months out. By that point, any gaps you find will take longer to close than you have.

1. Complete a controls inventory
Document what you have, where it is deployed, who is responsible, and when it was last reviewed. Do this for every control the application asks about, not just the five above.

2. Test your backups
Run a full restoration test and produce a written report with date, scope, and outcome. A backup log showing scheduled runs is not the same as a tested recovery.

3. Audit your MFA coverage
Log into each remote access system, cloud console, and privileged account interface and verify that MFA is enforced, not merely available. Note any gaps.

4. Update your incident response plan
Include named contacts for your insurer, legal counsel, and approved PR firm. Add the 72-hour notification step. Document the last review date.

5. Conduct a tabletop exercise
Simulate a ransomware incident with your core team. Document the exercise date, participants, and findings. Carriers increasingly ask whether this has been done in the past 12 months.

6. Run a vulnerability scan before applying
Export a current scan showing your patch status against known CVEs. This gives you documentation to back your patch management SLA claims, and it reveals any critical exposures you should close before submitting the application.
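As an added example (not from the Cyvra article or any insurer's tooling), the Python below runs the renewal checks above, together with the controls-inventory and patch-SLA points from the earlier sections, over a constructed sample inventory: MFA enforced rather than merely available, written test evidence no older than 12 months, and the 14-day critical / 30-day high patch SLAs the article cites. The record layout, field names and sample values are assumptions taken from the article's wording, and the CVE ids are placeholders.

```python
from datetime import date

# Thresholds as the article states them: critical CVEs patched within 14 days,
# high within 30, and test evidence (restore, tabletop) no older than 12 months.
SLA_DAYS = {"critical": 14, "high": 30}
EVIDENCE_MAX_AGE_DAYS = 365

def inventory_gaps(mfa, evidence, vulns, today):
    """Return the discrepancies a post-breach forensic review would raise.
    mfa:      system, enforced (for every user, not merely available), owner
    evidence: control, last_tested, report (written report path, or None)
    vulns:    cve, severity, published, patched (None while still open)"""
    gaps = []
    for m in mfa:
        if not m["enforced"]:
            gaps.append(f'MFA not enforced on {m["system"]} (owner: {m["owner"]})')
    for e in evidence:
        if e["report"] is None:
            gaps.append(f'{e["control"]}: no written report on file')
        age = (today - e["last_tested"]).days
        if age > EVIDENCE_MAX_AGE_DAYS:
            gaps.append(f'{e["control"]}: last evidence is {age} days old')
    for v in vulns:
        sla = SLA_DAYS.get(v["severity"])
        if sla is None:
            continue  # medium/low sit outside the SLA the article describes
        days = ((v["patched"] or today) - v["published"]).days
        if days > sla:
            state = "still open" if v["patched"] is None else "patched late"
            gaps.append(f'{v["cve"]} ({v["severity"]}): {state}, {days} days vs {sla}-day SLA')
    return gaps

# Constructed sample inventory (assumed layout); the CVE ids are placeholders, not real identifiers.
TODAY = date(2026, 5, 3)
SAMPLE_MFA = [
    {"system": "Email", "enforced": True, "owner": "IT ops"},
    {"system": "VPN", "enforced": False, "owner": "Network team"},  # available, not enforced
]
SAMPLE_EVIDENCE = [
    {"control": "backup restoration test", "last_tested": date(2025, 11, 2), "report": "reports/restore-2025-11.pdf"},
    {"control": "tabletop exercise", "last_tested": date(2024, 9, 1), "report": None},
]
SAMPLE_VULNS = [
    {"cve": "CVE-PLACEHOLDER-1", "severity": "critical", "published": date(2026, 4, 1), "patched": date(2026, 4, 10)},
    {"cve": "CVE-PLACEHOLDER-2", "severity": "high", "published": date(2026, 3, 1), "patched": None},
]

def sample_gaps():
    return inventory_gaps(SAMPLE_MFA, SAMPLE_EVIDENCE, SAMPLE_VULNS, TODAY)
```

On the sample data the check reports four gaps (unenforced VPN MFA, a tabletop exercise with no report that is also older than 12 months, and a high-severity CVE open past its 30-day SLA) while the in-date backup test and the critical CVE patched in 9 days pass.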

An organisation that arrives at renewal with a completed controls inventory, a tested backup report, and a documented tabletop exercise is in a fundamentally different position from one that relies on memory. The documentation is also what survives a post-breach forensic review.

Frequently asked questions

What controls do cyber insurers require as a minimum?

Most carriers now require, at minimum: MFA on all remote access and email, endpoint detection and response (EDR) across all endpoints, tested immutable backups, a documented incident response plan, and a patch management process with SLAs. Many also require privileged access management (PAM) controls and DMARC email authentication. Some carriers will decline to quote at all without MFA on remote access, regardless of other controls in place.

Can a cyber insurer deny my claim after a breach?

Yes. Insurers can deny or reduce claims on several grounds: misrepresentation on the application (stating you had controls that post-breach forensics show you did not have); failure to maintain controls between application and the incident; failure to notify within the required window; or because the loss falls within a policy exclusion such as the war or state-sponsored attack exclusion. The most common cause of claim complications is a gap between what was stated on the application and what the forensic investigation found.

What is the Lloyd's of London state-sponsored attack exclusion?

In 2023, Lloyd's of London required all syndicates to exclude losses attributable to state-sponsored cyber operations from standalone cyber policies. The exclusion applies when the insured cannot demonstrate the attack was not state-sponsored. Given that a significant proportion of ransomware infrastructure is linked to state-backed groups, this exclusion has practical reach. Some carriers apply it only above a certain loss threshold; others apply it more broadly. Check your policy wording carefully.

How do I document my security controls for a cyber insurance application?

Build a controls inventory that maps each required control to the system or user group it covers, the person responsible, and the last review or test date. For MFA, log into each system and verify enforcement rather than just availability. For backups, run a test restoration and produce a written report. For patch management, export a current vulnerability scan to show your patch status against known CVEs. For your incident response plan, note when it was last reviewed and whether a tabletop exercise has been conducted in the past 12 months.

What is the difference between first-party and third-party cyber coverage?

First-party coverage pays for losses your organisation suffers directly: incident response costs, forensic investigation, ransom payments (where covered), business interruption, data restoration, and notification costs. Third-party coverage pays claims made against you by others as a result of your breach, including customers, partners, and regulators. Most policies include both. Check your policy schedule for sublimits on each category, since a policy with a high headline limit may cap ransomware payments or third-party liability at significantly lower amounts.

Talk to Cyvra

Is your security posture ready for cyber insurance renewal?

We help organisations in the Netherlands and UK close the controls gaps that affect insurability and premium costs, with documentation that survives a post-breach forensic review.