Cyber Insurance Requirements for Small Business


Cyber insurance requirements for small businesses now include multi-factor authentication, endpoint detection and response, verified backups, and a documented incident response plan. Insurers have tightened their standards significantly since 2022. Businesses that cannot demonstrate these controls face policy denials, higher premiums, or reduced coverage limits.

What Is Cyber Insurance

Cyber insurance is a financial protection policy that covers costs a business incurs after a cyberattack. Covered expenses typically include data recovery, legal fees, regulatory fines, breach notification costs, ransomware response, and business interruption losses.

Two types of coverage exist. First-party coverage pays for direct losses to your business, including data restoration, system downtime, and ransomware negotiation costs. Third-party coverage protects against liability claims made by customers or partners whose data was compromised in an incident involving your systems.

Most policies sold to small businesses include both types. Cyber insurance helps your business respond to threats like data breaches, ransomware attacks, compromised business emails, network intrusions, and computer viruses.


Why Cyber Insurance Requirements Have Gotten Stricter

Insurers paid out heavily on claims during the 2020 to 2022 ransomware surge. That forced a fundamental shift in how policies are underwritten. Carriers moved from self-reported checklists to verified proof of security controls.

  • 75% of system-intrusion breaches linked to ransomware (Verizon DBIR 2025)
  • $4.4M global average breach cost (IBM Cost of a Data Breach 2025)
  • 99% reduction in hack risk with MFA enabled (CISA study)
  • 30 days minimum before renewal to start the application process

Small businesses are now equally scrutinized. As cyber threats become more costly and complex, insurers are raising their standards for all policyholders. Applications missing core controls are routinely denied or returned for remediation before coverage is offered.

The 5 Core Cyber Insurance Requirements

Every major carrier uses a questionnaire before approving coverage. Five controls appear on virtually every application. Missing any one of them leads to denial, a premium surcharge, or a coverage exclusion.

1. Multi-Factor Authentication (MFA)
   Required on email, VPN, remote desktop, admin consoles, and privileged accounts. Conditional MFA is increasingly preferred for remote workforces. (Non-negotiable)

2. Endpoint Detection and Response (EDR)
   Legacy antivirus does not satisfy requirements. EDR tools like SentinelOne, Microsoft Defender for Endpoint, and CrowdStrike Falcon provide the behavioral analysis insurers require. (Non-negotiable)

3. Verified Backups — Immutable and Offsite
   Backups must be immutable, stored offsite or in a separate cloud environment, and tested for restoration within the past 12 months. The 3-2-1 rule satisfies most carrier standards. (Documented proof required)

4. Email Security and Security Awareness Training
   Carriers require DMARC, DKIM, and SPF configuration and documented employee training programs. Mock phishing campaigns are viewed favorably during underwriting. (Reduces premiums)

5. Incident Response Plan
   A documented plan covering the first 72 hours after breach detection. It includes named contacts, legal counsel, breach notification steps, and system isolation procedures. (Written document required)

Requirement 1 — Multi-Factor Authentication

MFA is the most universally required control. Every major carrier now mandates it on email accounts, VPN access, remote desktop tools, administrator consoles, and privileged accounts. Applications missing MFA are routinely denied or flagged for exclusions.

MFA reduces the likelihood of businesses being hacked by 99%, according to a U.S. Cybersecurity and Infrastructure Security Agency study. Conditional MFA adds an extra layer by triggering additional verification when a login comes from an unfamiliar location or device. Carriers increasingly prefer conditional MFA for businesses with remote workforces.

Requirement 2 — Endpoint Detection and Response

Basic antivirus software no longer satisfies underwriting requirements. Carriers require endpoint detection and response tools that monitor device behavior in real time, detect suspicious activity, and contain threats before they spread.

EDR tools like SentinelOne, Microsoft Defender for Endpoint, and CrowdStrike Falcon provide the behavioral analysis and automated response capabilities insurers look for. Businesses running legacy antivirus-only solutions will be asked to upgrade before coverage is approved.

Learn how cybersecurity services from Infinity Technology Consulting cover EDR deployment and management for Atlanta businesses.

Requirement 3 — Verified Backups

Carriers require backups that ransomware cannot reach or encrypt. That means backups stored in an immutable format, kept offsite or in a cloud environment separate from your primary network, and tested regularly for restoration.

The 3-2-1 backup rule satisfies most carrier requirements: 3 copies of data, stored on 2 different media types, with 1 copy stored offsite. Insurers now require documented proof that restore tests have been completed within the past 12 months.

Backup and disaster recovery services built to this standard protect Atlanta businesses both from ransomware attacks and from failing an insurance application.
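An added evidence check, not code from the page or from Infinity Technology Consulting: it takes a constructed backup inventory and reports every gap against the 3-2-1 rule, the immutable-offsite expectation and the 12-month restore-test window described above. The inventory fields and the 365-day threshold are this example's assumptions.

```python
from datetime import date

# Constructed backup inventory for a fictional business; not real data.
INVENTORY = [
    {"name": "primary-nas", "media": "disk", "offsite": False, "immutable": False,
     "last_restore_test": date(2025, 2, 10)},
    {"name": "cloud-vault", "media": "object-storage", "offsite": True, "immutable": True,
     "last_restore_test": date(2025, 2, 10)},
    {"name": "rotated-lto", "media": "tape", "offsite": True, "immutable": True,
     "last_restore_test": date(2023, 11, 1)},  # stale restore test
]

def backup_findings(copies, as_of, max_test_age_days=365):
    """Gaps against 3-2-1, immutable offsite storage and the restore-test window.
    An empty list means the inventory supports the documentation a carrier asks for."""
    findings = []
    # 3 copies of the data
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    # on 2 different media types
    media = {c["media"] for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one media type ({', '.join(media) or 'none'})")
    # 1 copy offsite, and that copy immutable so ransomware cannot encrypt or delete it
    offsite = [c for c in copies if c["offsite"]]
    if not offsite:
        findings.append("no offsite copy; ransomware on the LAN can reach every copy")
    if not any(c["immutable"] for c in offsite):
        findings.append("no offsite copy is immutable, so it can still be encrypted or deleted")
    # every copy must have a restore test inside the window, not just a backup job log
    for c in copies:
        age = (as_of - c["last_restore_test"]).days
        if age > max_test_age_days:
            findings.append(f"{c['name']}: last restore test {age} days ago, over {max_test_age_days}")
    return findings
```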

Requirement 4 — Email Security and Training

Business email compromise (BEC) is the most financially damaging attack vector for small businesses. Carriers require email security tools including spam filtering, domain-based message authentication (DMARC, DKIM, SPF), and phishing detection, alongside documented employee training programs.

Training reduces premium costs. Businesses with documented training programs consistently report lower policy quotes because insurers price based on demonstrated risk reduction.
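An added readiness check, not code from the page or from Infinity Technology Consulting: it parses the SPF, DKIM and DMARC TXT records a domain publishes (constructed samples below; in practice fetched with `dig TXT`) and lists the gaps to fix before answering the email-security question. The enforcing thresholds it applies (DMARC p=quarantine or reject, SPF ending in -all, the RFC 7208 lookup limit) are this example's assumptions, not any specific carrier's rule.

```python
import re
# Constructed sample records (not any real domain's): SPF for example.com, DKIM for
# selector sel1._domainkey.example.com, DMARC for _dmarc.example.com.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|exists:|redirect=)", re.I)

def parse_tags(record):  # 'tag=value; tag=value' syntax shared by DKIM and DMARC
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf):
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last == "~all":
        findings.append("SPF: ends in ~all (softfail); -all is what rejects unauthorised senders")
    elif last != "-all":
        findings.append("SPF: no -all/~all terminator, so spoofed mail is never failed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings

def dmarc_findings(dmarc):
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; quarantine or reject enforces")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to keep as evidence")
    return findings

def dkim_findings(dkim):
    tags = parse_tags(dkim)  # v= is optional in DKIM and defaults to DKIM1
    ok = tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))
    return [] if ok else ["DKIM: selector record missing, malformed, or p= empty (key revoked)"]
```

Run all three functions over a domain's records; an empty result from each is the posture worth screenshotting for the questionnaire.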

Requirement 5 — Incident Response Plan

An incident response plan documents exactly what your business does in the first 72 hours after detecting a breach. It names the people responsible for each action, identifies your legal counsel and breach notification obligations, and defines how systems are isolated and restored.

Carriers ask for this plan by name on questionnaires. Businesses without one face coverage gaps because insurers classify them as higher risk. A managed IT services provider can build and document this plan as part of a broader cybersecurity engagement.

Additional Controls for Higher-Risk Businesses

Businesses in regulated industries or those handling sensitive data face extended requirements beyond the 5 core controls.

Advanced controls carriers require for regulated industries

Privileged Access Management (PAM) for business-critical systems, Security Information and Event Management (SIEM) tools, and a 24/7 Security Operations Center (SOC) are now standard asks for regulated verticals.

  • Healthcare — HIPAA
  • Legal — Client Data
  • Finance — SOC 2

Controls expected: PAM, SIEM, 24/7 SOC

Atlanta businesses in these verticals benefit from working with an IT consulting partner who understands both the technical requirements and the documentation insurers expect.


How Cyber Insurance Questionnaires Work

Every carrier uses a questionnaire to evaluate your security posture before approving coverage. The questions are increasingly technical and require documentation rather than yes-or-no answers. Most applications now ask for screenshots or policy exports instead of verbal attestations.

Common questions on carrier questionnaires

  1. Is MFA enabled on all email accounts and remote access systems?
  2. What EDR solution is deployed on all endpoints?
  3. How frequently are backups tested for restoration?
  4. When did your last security awareness training program occur?
  5. Do you have a documented incident response plan?
  6. Who is your legal counsel for breach notifications?

The process can take several weeks to a few months depending on the business’s readiness and the insurer’s requirements. It is recommended that the application be started at least 30 days before renewal.


What Cyber Insurance Covers

Understanding coverage scope helps businesses evaluate policy limits against their actual risk profile.

| Cost Type | First-Party | Third-Party |
|---|---|---|
| Data breach investigation and forensics | Covered | Covered |
| Legal fees and regulatory fine defense | Covered | Covered |
| Customer breach notification costs | Covered | Covered |
| Ransomware extortion payments and negotiations | Covered | Not covered |
| Business interruption losses during downtime | Covered | Not covered |
| Public relations costs after a breach | Covered | Covered |
| Pre-existing vulnerabilities | Excluded | Excluded |

How to Prepare Before Applying

Businesses that complete a security readiness assessment before applying qualify faster, pay lower premiums, and avoid surprises during underwriting. The preparation process covers four areas.

  • Verify MFA is enabled across every system that touches the network, including cloud platforms, remote access tools, and email.
  • Confirm your EDR solution is deployed on every endpoint, not just servers.
  • Document your backup schedule, storage locations, and restore test results from the past 12 months.
  • Create or update your incident response plan with named contacts and a written procedure.

A managed IT services provider handles all four areas and produces the documentation carriers require. Businesses with an active MSP relationship consistently report smoother underwriting processes because control evidence is already documented and current.


Frequently Asked Questions

What are the most common cyber insurance requirements?
The most common requirements are multi-factor authentication, endpoint detection and response software, verified offsite backups, email security controls, employee security training, and a written incident response plan. Carriers require documented proof of each control, not self-attestation.

Do small businesses need cyber insurance?
Yes. Small businesses are frequently targeted because they present lower security barriers than enterprise organizations. A single ransomware attack can cost between $150,000 and $1.2 million in recovery costs for a business with 50 employees. Cyber insurance limits those losses.

How much does cyber insurance cost for a small business?
On average, small business customers pay about $320 annually for data breach coverage. Premiums vary based on revenue, industry, data types handled, and the security controls in place. Businesses with strong security postures pay lower premiums.

Can a small business be denied cyber insurance?
Yes. Businesses missing MFA, running legacy antivirus without EDR, or lacking a documented backup strategy are routinely denied or offered limited coverage. Implementing the 5 core controls before applying resolves most denial scenarios.

What is an incident response plan?
An incident response plan is a documented procedure that defines what your business does after detecting a cyberattack. It includes roles and responsibilities, steps for isolating affected systems, legal counsel contact information, breach notification procedures, and restoration priorities. Carriers require this document during underwriting. Learn more about what a disaster recovery plan covers and how it connects to incident response.

Does cyber insurance cover ransomware?
Yes. Ransomware coverage specifically requires immutable backups stored separately from primary systems, EDR on all endpoints, and MFA on all remote access points. Without these three controls, carriers either exclude ransomware from coverage or add a separate ransomware sublimit. Read more about what ransomware is and how to prevent it.

Ready to Qualify for Cyber Insurance?

Infinity Technology Consulting implements and documents the security controls Atlanta businesses need to qualify, maintain coverage at renewal, and reduce premiums.