Free tool
What it is. Multi-factor authentication adds a second check beyond a password, usually a one-time code or an app approval. Carriers commonly want it enforced on email, on remote access such as VPN or remote desktop, and on administrator accounts at a minimum.
Why the insurer wants it. Stolen passwords and remote-access compromise are among the most common ways a claim starts. MFA blocks most password-based intrusions, so many carriers will not quote without it and some make it a condition of the policy.
What it is. EDR (endpoint detection and response) is security software on every computer and server that watches for malicious behavior, not just known virus signatures, and can isolate a machine that looks compromised.
Why the insurer wants it. Carriers want evidence that an intrusion can be detected and contained quickly, before it spreads into network-wide ransomware. Basic consumer antivirus is increasingly treated as not enough on its own.
What it is. Regular backups of your systems and data, kept offline or in an immutable form that cannot be altered or deleted, plus restore tests that prove the backups actually work.
Why the insurer wants it. Backups are what let you recover from ransomware without paying. Carriers want them isolated from the main network so attackers cannot encrypt them too, and tested, because untested backups often fail at the worst moment.
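A restore test is the part of this control most applicants skip. The following Python script is an added example, not part of this page or the gap report: it builds a constructed sample data set in a temporary directory, backs it up to a tar archive with a SHA-256 manifest taken at backup time, restores the archive into a fresh directory, and checks every restored file against the manifest. The file names, contents and paths are made up for the example; real backup software differs, but the test is the same idea: restore somewhere, then verify content, not just that files exist.

```python
"""Restore test for the backup control: prove an archive restores byte-for-byte.

Added example, not part of the original page. The sample files below are
constructed for the demonstration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data to back up (relative path -> content).
SAMPLE_FILES = {
    "ledger/2024-q1.csv": b"date,amount\n2024-01-03,120.00\n",
    "hr/policy.txt": b"Acceptable use policy v3\n",
    "notes/readme.md": b"# Notes\n",
}


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(root, archive_path):
    """Archive every file under root and return the manifest taken at backup time."""
    root = Path(root)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(root).as_posix())
    return build_manifest(root)


def extract(archive_path, restore_dir):
    """Unpack the archive into restore_dir (created as needed)."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        try:
            # The data filter refuses members that would escape restore_dir.
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:  # Python without the filter argument (pre-3.12, no backport)
            tar.extractall(str(restore_dir))


def verify(manifest, restore_dir):
    """Compare restored files with the manifest. Empty list means the test passed."""
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_restore_test(tamper=False):
    """End to end: create sample data, back it up, restore it, verify it.

    tamper=True alters one restored file before verification, to show that a
    bad restore is reported rather than silently passing.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        for rel, data in SAMPLE_FILES.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        archive = Path(tmp, "backup.tar.gz")
        manifest = backup(src, archive)
        restore_dir = Path(tmp, "restore")
        extract(archive, restore_dir)
        if tamper:
            (restore_dir / "hr" / "policy.txt").write_bytes(b"corrupted\n")
        return verify(manifest, restore_dir)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("tampered restore problems:", run_restore_test(tamper=True))
```

The manifest should be stored separately from the archive (for example in the offline copy's metadata or a separate hash file), so that whatever damages the backup cannot also rewrite the record of what it should contain.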
What it is. A documented plan for how you detect, contain, and recover from a security incident, including who to call and the order of the first steps.
Why the insurer wants it. Carriers and their breach-response teams want a client who can act in the first hours rather than improvise. A plan tends to shorten both the incident and the claim.
What it is. Spam and phishing filtering on inbound email, sender authentication (SPF, DKIM, and DMARC), and protection against spoofed or malicious messages.
Why the insurer wants it. Most intrusions and most wire-fraud losses begin with a phishing email. Filtering and sender authentication cut down the attacks that ever reach your staff.
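Sender authentication is easy to claim on an application and easy to check. The following Python script is an added example, not part of this page or the gap report: it parses SPF and DMARC TXT records and reports the weaknesses a reviewer would flag (no record, a permissive SPF "all" mechanism, a DMARC policy of none, no aggregate-report address). The domain names and records below are constructed; a real check would fetch the TXT records at the domain and at its _dmarc subdomain with a DNS library and pass the strings to the same functions. DKIM is not checked here because its selectors are not discoverable without knowing the sending service.

```python
"""Assess SPF and DMARC records for the sender-authentication control.

Added example, not part of the original page. SAMPLE_RECORDS stands in for
DNS TXT lookups; the domains and records are constructed for the demonstration.
"""

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mail-provider.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
    "weak.test": ["v=spf1 a mx ?all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "missing.test": [],
    "_dmarc.missing.test": [],
}


def sample_lookup(name):
    """Stand-in for a DNS TXT query; returns the list of TXT strings for name."""
    return SAMPLE_RECORDS.get(name, [])


def parse_spf(records):
    """Return the SPF record's terms, or None if there is not exactly one v=spf1 record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # more than one SPF record is a permanent error for receivers
        return None
    return spf[0].split()[1:]


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if there is not exactly one v=DMARC1 record."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, lookup=sample_lookup):
    """Return a list of findings for the domain; an empty list means both records look sound."""
    findings = []

    spf = parse_spf(lookup(domain))
    if spf is None:
        findings.append("SPF: no valid v=spf1 record")
    else:
        terminal = spf[-1].lower() if spf else ""
        # -all (fail) or ~all (softfail) is expected; +all / ?all lets anyone send as the domain.
        if terminal not in ("-all", "~all"):
            findings.append(f"SPF: permissive or missing 'all' mechanism ({terminal or 'none'})")

    dmarc = parse_dmarc(lookup(f"_dmarc.{domain}"))
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy is '{policy or 'unset'}', not quarantine/reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for name in ("example.test", "weak.test", "missing.test"):
        print(name, assess_domain(name) or ["ok"])
```

A domain that passes this check still needs DKIM signing at the mail provider; DMARC with p=reject only helps once SPF or DKIM passes for legitimate mail, which is why most deployments start at p=none with reports and tighten the policy once the reports show all real senders are authenticated.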
What it is. Regular training so staff can recognize phishing, social engineering, and unsafe data handling, often paired with simulated phishing tests.
Why the insurer wants it. People are the most targeted layer. Carriers treat trained staff as a real reduction in the most common cause of claims, and many ask about training frequency on the application.
What it is. Each person has their own account with only the access their job needs, administrator rights are limited and kept separate from daily-use accounts, and access is removed promptly when someone leaves.
Why the insurer wants it. Limiting privilege limits how far a single compromised account can reach. Standing admin rights on every machine turn one compromise into a full breach.
What it is. Keeping operating systems, software, and firmware updated on a schedule, and prioritizing fixes for known-exploited vulnerabilities, especially on anything exposed to the internet.
Why the insurer wants it. Unpatched internet-facing systems are a frequent entry point. Carriers want evidence that critical updates get applied promptly rather than left for months.
What it is. Encryption of data at rest (laptops, servers, backups) and in transit (email, file transfer, remote access), so intercepted or stolen data is unreadable.
Why the insurer wants it. Encryption lowers the severity of a lost device or intercepted data, and under many breach-notification rules, stolen data that was encrypted may not even trigger a notice.
Requirements vary by carrier and by policy, so this is general guidance on what is commonly asked, not a guarantee of coverage or a substitute for your actual policy and application. Important: misrepresenting your controls on an insurance application can void your coverage, so answer the application truthfully.
Most of these are the same controls the FTC Safeguards Rule asks for.
The free 14-Point Safeguards Gap Report shows which of these you already have and which are missing, in a written findings list. It is a gap report and a plan, not a certification.
Get my free gap report