If your cyber insurance policy is renewing in 2026, you're about to fill out a controls questionnaire that looks nothing like the one you completed three years ago. Underwriters tightened dramatically after the 2024 surge in ransomware payouts and the AI-accelerated phishing wave of 2025 — and Florida small businesses are seeing the results in the form of 60-question technical-control assessments, sharper renewal rate increases, and outright denials for businesses that can't demonstrate basic security hygiene. This post walks through the ten controls underwriters now require, what evidence they expect to see, and how to prep before your renewal hits.
- 10: controls underwriters now require
- 30-60%: typical premium increase 2024-2026
- MFA: single biggest disqualifier when missing
- $48K: average BEC loss per Florida SMB incident
Why Insurers Tightened (And Why It's Not Easing)
Through 2020-2022, cyber insurance was cheap and easy to qualify for. Most small business policies came with a 10-question application and an annual premium under $1,500. That market collapsed. Ransomware payouts ballooned to billions, business-email-compromise (BEC) wire fraud became the most-reported financial crime in the FBI's IC3 data, and AI-generated phishing pushed click-rates on social-engineering attacks to historic highs.
Insurers responded the only way they could: by treating cyber coverage like fire insurance. You wouldn't expect a carrier to write a fire policy on a building with no extinguishers, and they no longer write cyber policies on businesses without the equivalent — documented MFA, tested backups, EDR, awareness training, and an incident response plan. The technical-control questionnaire is the underwriter's equivalent of an inspection.
// Warning
Misrepresenting your controls on the application is the worst possible move. If you check "yes" to MFA on email and a claim later reveals you didn't actually have it, carriers can deny the claim outright or invoke a co-insurance / subrogation clause that leaves you on the hook for a significant share of the loss. Answer honestly — if a control isn't in place, get it in place before you sign the renewal.

The controls assessment is the underwriter's equivalent of a fire inspection.
The 10 Controls Underwriters Require
These are the controls we see consistently across Travelers, Chubb, AmTrust, Hartford, Beazley, and the AIG / Coalition cyber-specialty carriers. Wording varies; substance doesn't. If you can answer "yes, with evidence" to all ten, you'll pass underwriting and likely qualify for the carrier's better rate tier.
01. Multi-Factor Authentication (MFA) — everywhere it matters
Required on: email (Microsoft 365 / Google Workspace), all admin accounts, all remote access (VPN, RDP, Citrix), all privileged cloud consoles, and any system that holds regulated data. "Some users have MFA" is the most common honest-mistake fail — underwriters want 100% coverage, not 90%. Evidence: a screenshot of your conditional-access policy or a vendor report showing enrollment by user.
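The "90% is not 100%" point above is easiest to demonstrate on an actual enrollment export. The following is an added example (not code from the original post or from Simply IT): it takes a constructed per-user enrollment export, excludes disabled accounts from the denominator, and reports the coverage figure together with the uncovered admin and remote-access accounts an underwriter would zero in on. The role names and row layout are assumptions for the example, not any vendor's report schema.

```python
"""
MFA coverage audit over a constructed enrollment export.

Underwriters want 100% MFA coverage on active accounts, with admin and
remote-access accounts the first places they look. This computes the
coverage percentage and lists the gaps. Sample rows are constructed for
the example; a real run would read the vendor's per-user enrollment export.
"""
from dataclasses import dataclass, field

# Role names are assumptions for this example, not a particular vendor's schema.
PRIVILEGED_ROLES = {"global_admin", "exchange_admin", "security_admin"}
REMOTE_ACCESS_ROLES = {"vpn", "rdp"}


@dataclass
class Account:
    name: str
    enabled: bool
    mfa_enrolled: bool
    roles: set = field(default_factory=set)


# Constructed sample export (not real users).
SAMPLE_EXPORT = [
    Account("alice", True, True, {"user"}),
    Account("bob", True, True, {"global_admin"}),
    Account("carol", True, False, {"user", "vpn"}),
    Account("dave", True, False, {"exchange_admin"}),
    Account("eve", True, True, {"user"}),
    # Disabled accounts are excluded from the denominator; they cannot sign in.
    Account("old-contractor", False, False, {"user"}),
]


def mfa_coverage(accounts):
    """Return coverage stats and the gap lists an underwriter would ask about."""
    active = [a for a in accounts if a.enabled]
    enrolled = [a for a in active if a.mfa_enrolled]
    uncovered = [a for a in active if not a.mfa_enrolled]
    pct = round(100.0 * len(enrolled) / len(active), 1) if active else 0.0
    return {
        "active": len(active),
        "enrolled": len(enrolled),
        "pct": pct,
        "uncovered": sorted(a.name for a in uncovered),
        "uncovered_privileged": sorted(
            a.name for a in uncovered if a.roles & PRIVILEGED_ROLES
        ),
        "uncovered_remote": sorted(
            a.name for a in uncovered if a.roles & REMOTE_ACCESS_ROLES
        ),
        # "Some users have MFA" is a fail: the control passes only at 100%.
        "passes": len(uncovered) == 0,
    }


if __name__ == "__main__":
    result = mfa_coverage(SAMPLE_EXPORT)
    print(f"MFA coverage: {result['pct']}% ({result['enrolled']}/{result['active']})")
    print("Uncovered privileged accounts:", result["uncovered_privileged"])
    print("Uncovered remote-access accounts:", result["uncovered_remote"])
    print("Passes control:", result["passes"])
```

On the constructed data the coverage is 60%, with one uncovered admin (`dave`) and one uncovered VPN user (`carol`); those two names are the remediation list, and the `passes` flag stays false until the list is empty.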
02. Endpoint Detection and Response (EDR) — not just antivirus
Traditional antivirus is no longer sufficient. Underwriters require EDR or extended detection and response (XDR) on every endpoint — Bitdefender GravityZone, SentinelOne, CrowdStrike, Microsoft Defender for Business, or equivalent. Evidence: deployment report showing coverage across all endpoints with last-check-in dates.
03. Backup — with at least one immutable or air-gapped copy
Three-copy backup rule: production + a second on-network copy + a third copy that ransomware physically cannot reach (immutable cloud, S3 Object Lock, tape, or air-gapped local appliance). Tested monthly with a documented restore. Evidence: latest restoration test report with date, restored file count, and validator signoff.
04. Email Security — anti-phishing, anti-spoofing, attachment scanning
Mailbox-level threat protection (Microsoft Defender for Office 365, Proofpoint, Mimecast, Intermedia) plus DMARC / SPF / DKIM records configured to reject spoofed senders. BEC accounts for more SMB cyber losses than ransomware in 2025 IC3 data — this is where insurers tighten the most.
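"Configured to reject spoofed senders" has a precise meaning in DNS: an SPF record ending in `-all`, a DKIM public key published for the selector your mail platform signs with, and a DMARC record with `p=reject` applied to 100% of mail. The check below is an added example (not code from the original post or from Simply IT) that evaluates those three records and reports whether the domain meets that bar. The TXT answers are constructed samples under `.example` names so it runs offline; the DKIM selector name `selector1` is an assumption, and a real run would replace the `SAMPLE_TXT` lookup with a DNS resolver query.

```python
"""
Evaluate SPF, DKIM and DMARC records against the "reject spoofed senders"
bar. TXT answers below are constructed samples (not real DNS data) so the
check runs offline; swap in a resolver query for production use.
"""

SAMPLE_TXT = {
    "strict.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.strict.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s"
    ],
    "selector1._domainkey.strict.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYBASE64"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "selector1._domainkey.weak.example": [],
    "missing.example": [],
}


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(domain, resolver=SAMPLE_TXT):
    records = [r for r in resolver.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return {"present": False, "enforcing": False, "finding": "no SPF record"}
    if len(records) > 1:
        # RFC 7208: more than one SPF record is a permanent error at the receiver.
        return {"present": True, "enforcing": False, "finding": "multiple SPF records"}
    qualifier = None
    for term in records[0].split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"
            break  # mechanisms after 'all' are never evaluated
    if qualifier == "-":
        return {"present": True, "enforcing": True, "finding": "hard fail (-all)"}
    if qualifier == "~":
        return {"present": True, "enforcing": False,
                "finding": "soft fail (~all): spoofed mail is marked, not rejected"}
    return {"present": True, "enforcing": False, "finding": "no restrictive 'all' mechanism"}


def evaluate_dkim(domain, selector, resolver=SAMPLE_TXT):
    records = resolver.get(f"{selector}._domainkey.{domain}", [])
    for record in records:
        tags = parse_tags(record)
        if tags.get("p"):  # an empty p= means the key was revoked
            return {"present": True, "finding": f"key published for selector {selector}"}
    return {"present": False, "finding": f"no DKIM key for selector {selector}"}


def evaluate_dmarc(domain, resolver=SAMPLE_TXT):
    records = [r for r in resolver.get("_dmarc." + domain, [])
               if r.upper().startswith("V=DMARC1")]
    if not records:
        return {"present": False, "policy": None, "enforcing": False, "finding": "no DMARC record"}
    tags = parse_tags(records[0])
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    enforcing = policy == "reject" and pct == 100
    if enforcing:
        finding = "p=reject applied to 100% of mail"
    elif policy == "reject":
        finding = f"p=reject but only {pct}% of mail is subject to it"
    elif policy == "quarantine":
        finding = "p=quarantine: spoofed mail is junked, not rejected"
    else:
        finding = "p=none: monitoring only, spoofed mail is delivered"
    return {"present": True, "policy": policy, "pct": pct,
            "reporting": "rua" in tags, "enforcing": enforcing, "finding": finding}


def assess_domain(domain, selector="selector1", resolver=SAMPLE_TXT):
    """Combine the three checks into the yes/no an application asks for."""
    spf = evaluate_spf(domain, resolver)
    dkim = evaluate_dkim(domain, selector, resolver)
    dmarc = evaluate_dmarc(domain, resolver)
    return {
        "domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc,
        "meets_control": spf["enforcing"] and dkim["present"] and dmarc["enforcing"],
    }


if __name__ == "__main__":
    for name in ("strict.example", "weak.example", "missing.example"):
        r = assess_domain(name)
        print(name, "meets control:", r["meets_control"])
        for check in ("spf", "dkim", "dmarc"):
            print(f"  {check}: {r[check]['finding']}")
```

The `weak.example` domain is the common near-miss: SPF exists but soft-fails, DMARC exists but is `p=none`. Both records look present on a checkbox form and neither stops a spoofed invoice from landing in a customer's inbox.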
05. Patch Management — documented cadence
Operating-system + third-party patches applied on a documented schedule. Critical / zero-day patches within 14 days; high-severity within 30. Evidence: patch-management platform report (NinjaOne, Datto RMM, ConnectWise, Intune) showing compliance percentages over the last 90 days.
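The compliance percentage an RMM report produces depends on how the 14-day and 30-day windows are applied, so it helps to see the arithmetic. The following is an added example (not code from the original post, from Simply IT, or from any of the named RMM platforms): it takes a constructed per-endpoint patch export, applies the post's SLA (critical within 14 days, high within 30), restricts to patches released in the last 90 days, and reports compliance per severity plus the endpoints that are past their deadline. Patches not yet due are reported but kept out of the percentage, and the column names are assumptions for the example.

```python
"""
Patch SLA compliance over a constructed RMM-style export.

SLA from the post: critical/zero-day within 14 days, high within 30.
Rows are constructed sample data, not output from a real RMM.
"""
from collections import defaultdict
from datetime import date, timedelta

SLA_DAYS = {"critical": 14, "high": 30}

# One row per (endpoint, patch). installed=None means not yet applied.
SAMPLE_ROWS = [
    {"endpoint": "WS-001", "patch": "KB-A", "severity": "critical",
     "released": date(2026, 1, 5), "installed": date(2026, 1, 12)},
    {"endpoint": "WS-002", "patch": "KB-A", "severity": "critical",
     "released": date(2026, 1, 5), "installed": None},            # past deadline
    {"endpoint": "WS-003", "patch": "KB-A", "severity": "critical",
     "released": date(2026, 1, 5), "installed": date(2026, 1, 30)},  # 25 days: late
    {"endpoint": "WS-001", "patch": "KB-B", "severity": "high",
     "released": date(2026, 2, 1), "installed": date(2026, 2, 20)},
    {"endpoint": "WS-002", "patch": "KB-B", "severity": "high",
     "released": date(2026, 2, 1), "installed": date(2026, 3, 10)},  # 37 days: late
    {"endpoint": "WS-003", "patch": "KB-B", "severity": "high",
     "released": date(2026, 2, 1), "installed": date(2026, 2, 5)},
    {"endpoint": "WS-004", "patch": "KB-C", "severity": "critical",
     "released": date(2026, 3, 10), "installed": None},           # not yet due
    {"endpoint": "WS-001", "patch": "KB-OLD", "severity": "critical",
     "released": date(2025, 11, 1), "installed": None},           # outside 90-day window
    {"endpoint": "WS-001", "patch": "KB-D", "severity": "moderate",
     "released": date(2026, 2, 15), "installed": None},           # no SLA tracked here
]


def classify(row, as_of):
    """Status of one endpoint/patch pair relative to its SLA deadline."""
    sla = SLA_DAYS.get(row["severity"])
    if sla is None:
        return "untracked"
    deadline = row["released"] + timedelta(days=sla)
    if row["installed"] is not None:
        return "compliant" if row["installed"] <= deadline else "late"
    return "pending" if as_of <= deadline else "missing"


def patch_compliance(rows, as_of, window_days=90):
    """Per-severity and overall compliance for patches released in the window."""
    cutoff = as_of - timedelta(days=window_days)
    counts = defaultdict(lambda: {"compliant": 0, "late": 0, "missing": 0, "pending": 0})
    overdue = set()
    for row in rows:
        if row["released"] < cutoff:
            continue
        status = classify(row, as_of)
        if status == "untracked":
            continue
        counts[row["severity"]][status] += 1
        if status == "missing":
            overdue.add(row["endpoint"])

    report = {}
    total_ok = total_due = 0
    for severity, c in counts.items():
        # Only patches whose deadline has passed count toward the percentage.
        due = c["compliant"] + c["late"] + c["missing"]
        pct = round(100.0 * c["compliant"] / due, 1) if due else 100.0
        report[severity] = dict(c, due=due, pct=pct)
        total_ok += c["compliant"]
        total_due += due
    report["overall"] = {
        "due": total_due, "compliant": total_ok,
        "pct": round(100.0 * total_ok / total_due, 1) if total_due else 100.0,
    }
    report["overdue_endpoints"] = sorted(overdue)
    return report


if __name__ == "__main__":
    rep = patch_compliance(SAMPLE_ROWS, as_of=date(2026, 3, 15))
    for sev in SLA_DAYS:
        print(sev, rep[sev])
    print("overall", rep["overall"])
    print("endpoints past deadline with patch still missing:", rep["overdue_endpoints"])
```

With the sample data as of 2026-03-15 the critical tier is 33.3% (one on time, one late, one still missing on WS-002) and the high tier is 66.7%; a carrier reading that report would ask about WS-002 first. A patch that was installed late still counts against the percentage, which is the point of a dated cadence rather than a "fully patched today" screenshot.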
06. Security Awareness Training — annual, documented, simulated
Required for every employee who handles email or accesses business systems. Annual baseline training, quarterly simulated phishing campaigns, and documentation of completion per employee. Evidence: KnowBe4 / Proofpoint / Hoxhunt training records or equivalent.
07. Written Incident Response Plan
A documented procedure for what happens when something goes wrong — who declares an incident, who notifies the insurer, who contacts law enforcement, who handles communications. Insurers require that this exist on paper. Evidence: the actual document, dated within the last 12 months.
08. Privileged Access Management (PAM) — for IT and admin accounts
Separate accounts for everyday work vs administrative work. No one logs into their email and their domain controller from the same account. For larger SMBs, a PAM platform (CyberArk, Delinea, Microsoft PIM); for smaller, documented account separation + MFA enforcement. Evidence: account inventory showing role separation.
09. Network Segmentation — especially with regulated data
Critical systems (servers holding ePHI, payment systems, EHR) isolated from general workstation traffic via VLAN or firewall rules. Required for HIPAA, PCI, and FTC Safeguards-aligned underwriting. Evidence: network diagram showing the segmentation boundary.
10. Vendor Risk / Third-Party Agreements
Documented inventory of vendors that touch your data, BAAs in place for those handling PHI, SOC 2 review or attestation for cloud vendors. Insurers ask because supply-chain compromise (a vendor breached, your data leaked) is one of the fastest-growing claim types.
The Most Common Application Mistakes (And What They Cost)
| Application Mistake | Underwriting Consequence |
|---|---|
| "Yes, we have MFA" — but only on a few accounts | Denial of coverage on email-related claims; rate hike or non-renewal |
| Saying you test backups when you actually don't | Subrogation clause invoked if ransomware claim — carrier pursues you for recovery |
| Listing an old / stale incident response plan as "current" | Coverage limit reduction; some carriers void notification-cost coverage |
| Skipping the BAA / vendor-risk section because "it's a small vendor" | Third-party / supply-chain claim path becomes uninsured |
| Not separating admin accounts from daily-use accounts | Limit reduction; certain ransomware-recovery sub-limits drop to $0 |
| Letting the policy lapse and re-binding with the same controls gaps | Retroactive date resets — anything that happened before re-bind is uninsured |
"Cyber insurance carriers are now in the business of inspecting your IT environment. The policy isn't the document you sign — it's the controls behind it."
Steve Condit, Simply IT
How to Prep Before Your Renewal
Most renewals land 60-90 days before the policy date. Use that window. The order below is roughly fastest-impact first:
01. Inventory your current controls — honestly
Walk the 10 controls above. For each one, write down: (a) is it in place, (b) where's the evidence, (c) when was it last reviewed. Don't check boxes you can't prove.
02. Close the MFA gap
Single biggest disqualifier. Enable MFA on every email account, every admin account, every remote-access path. Microsoft 365 admins: turn on Security Defaults or build a Conditional Access policy. Google Workspace: enforce 2-step verification org-wide. This is non-negotiable and takes hours, not weeks.
03. Get an EDR deployment report
If you're still running consumer-grade antivirus, upgrade to a business EDR (Microsoft Defender for Business is included with M365 Business Premium). Pull a coverage report after rollout that shows every endpoint protected and checking in.
04. Run a backup restoration test
Not a fake test — an actual restore of a critical file to a workstation. Document the date, the source backup, the restored file, and who validated it. This single piece of evidence answers three different underwriter questions.
05. Document the incident response plan
Even a one-page plan beats nothing. Roles (who declares an incident, who contacts the insurer, who handles comms), notification list (insurer's claim hotline, law enforcement, key vendors), and a basic playbook. Date it within the last 12 months.
06. Schedule security awareness training
If you don't have a platform (KnowBe4, Hoxhunt, Proofpoint), most cyber-insurance carriers will accept a documented one-time vendor session as the baseline. Schedule quarterly phishing simulations going forward.
07. Audit your vendor BAAs and SOC 2 attestations
Make a list of every vendor that touches your business data. For each, note whether you have a current BAA (regulated industries) or SOC 2 review on file. Get the missing ones before renewal.
BEFORE-RENEWAL CHECKLIST
✓ MFA enabled on email + admin + remote access for 100% of users
✓ EDR or XDR deployed on every endpoint with current check-in reports
✓ Backup with immutable / air-gapped copy + monthly restore test on file
✓ Email security: DMARC, SPF, DKIM + advanced threat protection
✓ Patch management report covering the last 90 days
✓ Security awareness training completed in the last 12 months
✓ Written incident response plan dated within the last 12 months
✓ Admin accounts separated from daily-use accounts
✓ Network segmentation documented (especially regulated environments)
✓ Vendor inventory with BAAs / SOC 2 attestations on file
What This Costs vs What a Claim Costs
The standard objection: "all of these controls cost money." They do. They cost roughly $112-$150 per user per month wrapped into managed IT (depending on the compliance tier), or a one-time security stack deployment if you're going DIY. That's the input.
The output: the average reported business email compromise loss to a Florida small business in IC3 data is roughly $48,000. The average ransomware recovery cost is more than $250,000 once you include downtime, forensic investigation, notification expenses, and lost productivity. Cyber insurance covers some of that — but only if your application was honest and your controls match what you said they were. A denied claim leaves you covering the full number out of pocket.
// Key Takeaway
The technical controls cyber insurers now require aren't a separate purchase — they're what good managed IT and cybersecurity programs have always included. If you already have those programs in place, your renewal is paperwork. If you don't, your renewal is the prompt to get them in place. Either way, the path is the same.
Simply IT runs cyber-insurance-readiness assessments for North Central Florida businesses heading into a renewal. We walk the 10 controls, document the gaps, and produce the evidence package the underwriter is going to ask for — usually within 30 days. If you're renewing in the next quarter, schedule a free assessment and bring your last application; we'll map the gaps before you fill it out again.