A practical checklist of IT controls cyber insurers commonly review, including MFA, backups, endpoint protection, logging, email security, and incident response.
Cyber insurance applications are getting more technical
Cyber insurers increasingly ask specific IT control questions before issuing or renewing coverage. They may ask about MFA, endpoint protection, backups, administrator access, email security, encryption, patching, and incident response.
The application is not just paperwork. If answers are inaccurate, coverage can be called into question when a claim is filed.
- MFA for email, VPN, and admin access
- Endpoint protection on workstations and servers
- Tested backups with protected retention
- Written incident response process
MFA is usually the first control
Multi-factor authentication is one of the most common requirements. Insurers want to know whether it protects email, remote access, privileged accounts, and sometimes all users.
Partial MFA can still leave gaps. The review should identify who is excluded and why.
- Require MFA for Microsoft 365
- Protect administrator accounts first
- Review remote access and VPN logins
- Document exceptions and remove them when possible
Backups need proof
It is not enough to say backups exist. Insurers may ask whether backups are encrypted, monitored, separated from the network, and tested. A backup that has never been restored is an assumption, not a recovery plan.
Backup documentation should show what is protected, how often it runs, and when restores were tested.
- Test restores on a schedule
- Protect backup admin credentials
- Keep immutable or isolated copies where possible
- Document recovery time expectations
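One way to turn a scheduled restore test into the evidence described above, as an added example that is not part of this article or NHM's own tooling: it hashes files at backup time, checks a restored copy against that manifest, and appends a dated pass/fail record with the measured restore time against the documented recovery time objective. The sample tree, the 42-minute restore and the 60-minute target are constructed values, not from the article.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source: Path) -> dict:
    """Record relative path -> SHA-256 for every file at backup time."""
    return {str(p.relative_to(source)): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest; list what is missing or altered."""
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            mismatched.append(rel)
    return {"checked": len(manifest), "missing": missing, "mismatched": mismatched,
            "passed": not missing and not mismatched}

def record_restore_test(manifest: dict, restored: Path, log_path: Path,
                        restore_minutes: float, rto_minutes: float) -> dict:
    """Append one dated restore-test record (JSON lines) to the evidence log."""
    entry = {"tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "restore_minutes": restore_minutes, "rto_minutes": rto_minutes,
             "within_rto": restore_minutes <= rto_minutes,
             **verify_restore(manifest, restored)}
    with log_path.open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def demo() -> dict:
    """Constructed sample: back up three files, restore them, then corrupt one and lose one."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "src", root / "restored"
    (src / "docs").mkdir(parents=True)
    (src / "ledger.csv").write_text("acct,amount\n1,100\n")
    (src / "docs" / "policy.txt").write_text("retain 7 years\n")
    (src / "notes.txt").write_text("ok\n")
    manifest = build_manifest(src)          # taken at backup time
    shutil.copytree(src, dst)               # stands in for the real restore job
    (dst / "ledger.csv").write_text("acct,amount\n1,999\n")  # silent corruption
    (dst / "notes.txt").unlink()                               # file never restored
    return record_restore_test(manifest, dst, root / "restore-tests.jsonl", 42.0, 60.0)
```

The JSON-lines log is the artifact to keep for the questionnaire: it shows what was protected, when it was last restored, and whether the restore met the documented time expectation.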
Endpoint and email controls matter
Endpoint protection, patching, email filtering, and phishing training are common questions because they reduce the likelihood of ransomware and business email compromise.
The controls should be paired with monitoring and response. Alerts that nobody reviews are not much protection.
- EDR or modern endpoint protection
- Patch management for systems and apps
- Email filtering and sender authentication
- User reporting path for suspicious messages
Prepare before renewal
Do not wait until the insurance questionnaire arrives. Review controls ahead of renewal, identify gaps, and fix the highest-risk items first.
NHM can help Ohio businesses translate insurance requirements into practical IT work so the answers are accurate and defensible.
- Review last year’s application
- Collect evidence before renewal
- Prioritize gaps by risk and insurer requirement
- Keep written notes of changes and exceptions
