⚠ Why This Matters Right Now
Cyber insurance carriers denied 38% more claims in 2024 than 2023 — most commonly for missing MFA, absent EDR, and untested backups. These are controllable gaps. The checklist below shows you exactly where you stand.
Section 1 — Identity & Access Control
[CRITICAL] Multi-Factor Authentication (MFA) on all email accounts. Every user's email account requires MFA. Carriers treat email MFA as table stakes; missing it can void your policy at claim time.
[CRITICAL] MFA on all remote access (VPN, RDP, remote desktop). Remote access without MFA is the #1 ransomware entry point. Most carriers now require this as a coverage condition.
[CRITICAL] MFA on all cloud services (Microsoft 365, Google Workspace, etc.). Cloud account takeover via password spraying is among the most common business email compromise (BEC) vectors.
[HIGH] Privileged Access Management — admin accounts separated from daily use. Admin accounts should not be used for email or browsing. Carriers increasingly ask about this during underwriting.
[HIGH] Offboarding process — access revoked within 24 hours of employee departure. Unrevoked access held by former employees is a documented breach vector that carriers investigate in claims.
Section 2 — Endpoint & Network Security
[CRITICAL] Endpoint Detection & Response (EDR) on all company devices. Basic antivirus is no longer acceptable to most carriers. EDR with behavioral detection is now a standard underwriting requirement.
[HIGH] All endpoints running current, supported operating systems. End-of-life operating systems (Windows 7, Server 2008, etc.) create an automatic coverage gap at many carriers.
[HIGH] Automated patch management — critical patches applied within 14 days. Unpatched systems are the most common technical gap carriers find in denied claims.
[REQUIRED] DNS filtering / web security blocking malicious domains. DNS filtering blocks command-and-control communication from ransomware even after the initial infection.
[REQUIRED] Email security with anti-phishing and attachment scanning. Email is the #1 ransomware delivery vector. Carriers specifically ask whether advanced email security is in place.
Section 3 — Backup & Business Continuity
[CRITICAL] Backups tested and verified within the last 90 days. Untested backups are considered functionally absent by carriers. Document your most recent restore test.
[CRITICAL] Backups stored offline or air-gapped (isolated from the production network). Ransomware specifically targets and destroys network-connected backups. Offline/immutable backups are now a standard carrier requirement.
[HIGH] Documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Do you know how long recovery takes and how much data you could lose? Carriers ask this to assess your real-world recovery capability.
[HIGH] Business continuity plan — employees can continue working during an outage. A documented BCP demonstrates organizational resilience and is increasingly required for higher coverage limits.
Section 4 — Policies, Training & Governance
[REQUIRED] Written Information Security Policy (WISP) — current and signed. A WISP is explicitly required by the GLBA Safeguards Rule and referenced by most carriers in application questionnaires.
[REQUIRED] Annual security awareness training for all employees. Training documentation is reviewed in claim investigations. Annual training with completion records is the minimum standard.
[HIGH] Phishing simulation testing — employees tested at least quarterly. Carriers increasingly ask whether employees are tested, not just trained. Simulated phishing demonstrates a proactive program.
[REQUIRED] Written Incident Response Plan (IRP) — current and tested. An IRP directly affects claim payout speed and size. Without one, breach costs typically run 3–4x higher.
[HIGH] Vendor / third-party risk management process documented. Third-party breaches are now among the most common claim triggers. Carriers want to see documented vendor oversight.
Section 5 — Monitoring & Detection
[HIGH] 24/7 security monitoring — someone is watching your environment around the clock. Carriers favor insureds with continuous monitoring. The average dwell time for ransomware before detection is 21 days; a 24/7 SOC shortens this dramatically.
[REQUIRED] Formal annual security assessment by a qualified third party. Self-assessments are not sufficient. An independent assessment demonstrates due diligence and is increasingly required for coverage above $1M.
[REQUIRED] Documented process for detecting and reporting a breach within required timeframes. HIPAA (60 days), GLBA (30 days), and state breach notification laws require documented detection and reporting processes.
What To Do With Your Results
Items you couldn't check represent real gaps that could result in a denied claim, premium increase, or reduced coverage limits at renewal. Securafy can address most of them in 30–90 days. Start with a free 30-minute strategy call — no obligation, just a clear plan.