Cyber insurance wants proof, not promises

Major carriers list a short set of underwriting must-haves—MFA, endpoint detection and response (EDR), immutable backups, identity and access management, and documented incident response—as the core controls they expect before issuing cyber policies. (coalitioninc.com) Underwriters are requesting technical artifacts during review: MFA enforcement logs, EDR agent telemetry, backup-restore test reports, phishing-simulation results and dated tabletop after-action notes rather than checkbox answers. (portnox.com) Industry reporting shows claim denials have climbed; multiple analyses put denial rates in the 25–40% range or note “nearly one in four” claims rejected in 2024 for failing to meet policy conditions. (teisoftllc.com) A high‑profile loss underscored the risk: the City of Hamilton’s post‑ransomware recovery bill reached about CAD $18.3 million after its insurer denied the claim citing incomplete MFA deployment at the time of the breach. (globalnews.ca) Vendors and niche tools now position themselves to produce insurer‑ready evidence packs—Komplynt advertises automated binder exports that verify MFA, EDR and backup artifacts, while SaaS‑discovery tools like Waldo surface unmanaged apps and SSO/MFA gaps for audits. (komplynt.com) Practical underwriting artifacts recommended by brokers and MSP advisory guides include date‑stamped MFA export reports, EDR health/coverage exports, patch‑SLA dashboards, immutable backup restore logs and tabletop exercise reports for the prior 12 months. (insurancecurator.com) Carriers are shifting toward continuous validation—periodic telemetry, third‑party scans and broker pre‑validation of a consolidated “underwriter cyber binder” are becoming routine steps to secure coverage and avoid renewal friction. (datawiza.com)