Multi-factor authentication (MFA) 

MFA is a top requirement for most carriers, yet adoption is still low. According to the Cyber Readiness Institute SMB MFA Survey, 65% of global small and medium-sized businesses don’t use MFA, and 58% of those aren’t even aware of its security benefits. Carriers won't accept simple attestations about MFA use. Expect detailed inquiries about deployment rates, enforcement policies, and even proof that privileged accounts are covered. 

Endpoint detection and response (EDR)

Underwriters expect EDR solutions to be in place and actively monitored. They’ll inquire about detection rates, response times, and even proof that your team reviews alerts.

Security awareness training & 24/7 monitoring

Security awareness training completion rates, phishing simulation results, and ongoing education logs are now standard proof points. Similarly, insurers expect documented alert logs, response times, and SOC reports showing that threats are actively detected and mitigated around the clock. 

Email security 

Email remains a prime attack vector, with phishing-related incidents costing an average of $4.88 million USD. Underwriters expect documented evidence that email security controls, including anti-phishing measures, quarantine policies, and user reporting mechanisms, are effectively protecting your organization.

Backups  

Backups must exist, but so must documented testing schedules, offline storage, and restoration procedures. 

That renewal questionnaire is a direct line to your premiums. Each question on the form maps to particular security controls that they’re trying to validate. 

For example, if they ask, “Do you have 24/7 security monitoring?” then they’ll want SOC reports, evidence of response to alerts, and response time metrics. If they ask about ransomware insurance requirements for things like backup testing, they’ll want to see retention policies, restoration SLAs, and test results with dates

Getting ready for renewal

If you’re building out cyber insurance evidence for compliance, the week before your policy expires, it’s already too late. Successful organizations maintain evidence packs throughout the year, not just in the week before the renewal date.

Your evidence pack should include:

• Security assessment reports (quarterly is ideal)

• Incident response runbooks with review dates

• Tabletop exercise notes proving your incident response plan isn't theoretical

• Log retention policies with actual retention proof

• Security awareness training completion rates

• Vendor risk assessment documentation

Cyber insurance trends indicate that organizations that maintain an active program to continuously stay in compliance with their policy language renew faster and get better rates because the underwriter doesn’t have to hunt to find missing documentation.

Misrepresentation. It’s the single leading cause of claim denials. Often, it starts with good intentions but fails in documentation. “We have MFA” sounds simple, but do you enforce it on all accounts, service accounts, or third-party access? The difference between “configured MFA” and “enforced MFA across 100% of privileged accounts” could mean the difference between a covered claim and a denied one.

SOC 2 reports and third-party attestations add credibility. If you rely on an MSP or third-party provider, use their compliance documentation to back up your claims. Point to what’s deployed, not what’s planned.

What’s the minimum viable stack? Let's start here:

1. Universal MFA on all privileged accounts and remote access

2. EDR with 24/7 monitoring and response

3. Email security with anti-phishing controls

4. Tested, offline backups with documented restoration procedures

5. Patch management with defined SLAs for critical vulnerabilities

6. Security awareness training with measurable completion rates

7. Incident response plan with tabletop exercises

Quick wins to make life easier: automated patch management (reduces manual scrambling), managed SIEM for log retention and evidence generation, and identity threat detection for monitoring identity and account compromise. Stack these together, and you’ve got continuous evidence generation instead of scrambling for documents at renewal.

But before you stack MFA, EDR, and SIEM, carriers expect you to have the fundamentals locked down. Key foundational controls include:

• Data classification and asset inventory (so underwriters know what you’re protecting)

• Strong password policies and account hygiene (weak credentials are still the primary entry points)

• Firewalls, antivirus, and network segmentation (the baseline of perimeter defense)

The Huntress Platform provides  Managed EDR, Managed ITDR, Managed SIEM, and Managed Security Awareness Training with a 24/7 AI-assisted SOC detecting and responding to threats. D, It gives you endpoint,  identity, and employee coverage, and log retention that bolsters your organization’s cybersecurity resilience and supports cyber insurance underwriting.

The time to prepare for your cyber insurance renewal was twelve months ago, but in case you missed it, the next best time is right now. Get a demo of the Huntress Platform today.