
Cyber Insurance in 2025: The 7 Controls Carriers Expect (and How to Get Bind-Ready in 30 Days)

Bind-ready in 30 days: the 7 carrier-required controls—MFA, EDR/MDR, immutable backups, patch SLAs, phishing training, least privilege, and vendor access—plus the proof underwriters want.

 

TL;DR: 

 

Want a lower premium or any quote at all on Cyber-Insurance? Most carriers now require proof of seven basics: MFA everywhere, EDR/MDR, immutably stored backups, patch SLAs, phishing simulations, admin-privilege limits, and vendor access controls. This post shows what “good” looks like, the evidence underwriters ask for, and a 30-day action plan to get bind-ready.

 


Why carriers got strict

 

Losses from ransomware and email-driven fraud pushed insurers to tighten underwriting. Today’s applications look less like insurance forms and more like a lightweight security audit. If your answers are “no,” quotes get expensive or evaporate. The good news: the same controls that satisfy carriers also reduce real-world risk.

 


The 7 controls (and what “good” looks like)

 

1) MFA Everywhere

 

What it is: Multi-factor authentication for users and admins.

Good looks like:

  • Enforced for email, VPN/remote access, privileged roles, and all external SaaS.
  • Phishing-resistant methods (FIDO2/passkeys or platform authenticators) preferred for admins.
  • Legacy protocols (IMAP/POP/SMTP basic auth) blocked.

 

Proof you’ll be asked for: Screenshots/policies from Microsoft Entra/Okta, VPN, firewalls; a list of admin accounts with MFA status.

 


2) EDR/MDR on All Endpoints

 

What it is: Endpoint Detection & Response with 24/7 monitoring (MDR optional but favored).

Good looks like:

  • EDR deployed to 100% of servers and workstations (Windows/macOS).
  • Centralized visibility, alerting, and containment (isolation) capability.
  • A defined after-hours escalation path.

 

Proof: EDR console screenshot showing deployment %, last-seen activity, and isolation/containment logs.

 


3) Immutably Stored, Tested Backups

 

What it is: Backups that ransomware can’t change or delete.

Good looks like:

  • 3-2-1-1-0: 3 copies, 2 media, 1 off-site, 1 immutable/air-gapped, 0 errors in the restore test.
  • Quarterly restore tests with documented RTO/RPO results.
  • Backup admin accounts separated from domain/SSO where possible.

 

Proof: Vendor settings showing immutability/air gap, last successful restore test, and backup job status.

 


4) Patch SLAs (and Proof You Hit Them)

 

What it is: Service-level targets for applying security updates.

Good looks like:

  • Critical OS/app patches within 7–14 days; emergency out-of-band patches documented.
  • An exception process for OT/line-of-business systems that can’t patch fast, with compensating mitigations listed.
  • Monthly patch compliance report with % by severity.

 

Proof: Patch compliance reports, change tickets, and exception/mitigation list.
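As an added example (not code from the original post), here is a small Python script that produces the monthly compliance-by-severity report described above from a constructed patch inventory. The 14-day critical window comes from the post; the other SLA tiers, the record layout, and the rule that documented exceptions are reported separately rather than counted against the percentage are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed from vendor release to install. The 14-day critical window
# follows the post; the other tiers are assumed values for illustration.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

@dataclass
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: date
    installed: Optional[date] = None  # None: still missing on this host
    exception: bool = False           # documented OT/LOB exception, mitigations listed

def is_within_sla(rec: PatchRecord, as_of: date) -> bool:
    """True if installed by the deadline, or if the deadline has not yet passed."""
    deadline = rec.released + timedelta(days=SLA_DAYS[rec.severity])
    if rec.installed is not None:
        return rec.installed <= deadline
    return as_of <= deadline

def compliance_report(records: list[PatchRecord], as_of: date) -> dict[str, dict]:
    """Per-severity counts and compliance %; excepted systems are listed separately."""
    report: dict[str, dict] = {}
    for rec in records:
        row = report.setdefault(rec.severity, {"total": 0, "excepted": 0, "compliant": 0, "overdue": []})
        row["total"] += 1
        if rec.exception:
            row["excepted"] += 1          # tracked on the exception/mitigation list
        elif is_within_sla(rec, as_of):
            row["compliant"] += 1
        else:
            row["overdue"].append(f"{rec.host}:{rec.patch_id}")
    for row in report.values():
        measured = row["total"] - row["excepted"]
        row["pct"] = round(100 * row["compliant"] / measured, 1) if measured else 100.0
    return report

# Constructed sample inventory for a March 2025 report (not real hosts or patch ids).
SAMPLE = [
    PatchRecord("srv01", "KB-CRIT-01", "critical", date(2025, 3, 1), date(2025, 3, 10)),
    PatchRecord("srv02", "KB-CRIT-01", "critical", date(2025, 3, 1), date(2025, 3, 20)),
    PatchRecord("ws01", "KB-CRIT-01", "critical", date(2025, 3, 1)),
    PatchRecord("plc01", "KB-CRIT-01", "critical", date(2025, 3, 1), exception=True),
    PatchRecord("ws02", "KB-HIGH-02", "high", date(2025, 3, 15)),
]
```

Running `compliance_report(SAMPLE, date(2025, 3, 31))` yields one critical host in SLA out of three measured (33.3%), two overdue entries for the evidence bundle, and the PLC listed as an exception rather than a failure.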

 


5) Phishing Simulations & Security Awareness

 

What it is: Continuous training so people spot and report attacks.

Good looks like:

  • Quarterly phishing sims (varied templates) + 100% enrollment in training.
  • A one-click “Report Phish” button integrated into mail.
  • KPIs: report rate ↑, click rate ↓, repeat-clickers coached.

 

Proof: Program reports (enrollment, completion, click rates) and policy.

 


6) Admin-Privilege Limits (Least Privilege)

 

What it is: Keep admin rights rare, tracked, and temporary.

Good looks like:

  • No standing local admin for regular users; PAM/JIT for elevated tasks.
  • Admin accounts MFA-enforced, separate from email.
  • Quarterly review of privileged groups and removal of stale access.

 

Proof: Screenshots of admin groups, PAM/JIT configuration, recent access review records.

 


7) Vendor Access Controls (Third-Party Risk)

 

What it is: Guard the doors partners use.

Good looks like:

  • MFA and least privilege for MSPs and vendors; no shared accounts.
  • Vendor remote access through audited tools or jump hosts; access disabled when projects end.
  • A simple vendor-risk checklist: data they touch, contracts, SLAs, security attestations.

 

Proof: Access lists for vendors, termination logs, and the policy/checklist you use.

 


The “Bind-Ready” checklist (skim-friendly)

 

  •  MFA on email, VPN/remote access, and all admin roles
  •  EDR on 100% of endpoints with isolation capability
  •  Backups: 3-2-1-1-0 with a successful quarterly restore test
  •  Patch SLAs defined and met (reports to prove it)
  •  Quarterly phishing sims and training; report-phish button in mail
  •  No standing local admin; PAM/JIT for elevation; quarterly access reviews
  •  Vendors on MFA and least privilege; onboarding/offboarding documented

 


What underwriters actually want to see

 

Bring these to the first call and you’ll stand out:

  • Screenshots/reports: MFA status, EDR deployment %, backup immutability and last restore test, patch compliance, training metrics.
  • Policies/SOPs: Incident response, backup/restore testing, patching SLAs, access reviews, vendor access.
  • Network diagram: High-level is fine, just show remote access paths and where backups live.

 


A 30-day plan to get there

 

Week 1 - Assess & Prioritize

  • Rapid gap check against the 7 controls.
  • Lock down remote access (VPN, RDP, vendor tools) and enforce MFA everywhere.

Week 2 - EDR & Admin Hygiene

  • Deploy EDR to all endpoints; verify isolation works.
  • Remove standing local admin; enable PAM/JIT for IT staff.

Week 3 - Backups & Patching

  • Turn on immutability/air-gap; run and document a restore test.
  • Set patch SLAs; generate your first monthly compliance report.

Week 4 - People & Partners

  • Launch phishing training and report-phish button.
  • Review vendor accounts; disable stale access; document your vendor checklist.

 

Deliverables at day 30: completed checklist, evidence bundle (screenshots/reports), and a short “bind-ready” letter for your broker.

 


Common pitfalls that block quotes (and how to fix them fast)

 

  • “MFA is on… except for email/IMAP.” Block legacy auth; require modern auth everywhere.
  • “We have backups, but no restore tests.” Run a timed restore drill this week; save the report.
  • “Users need local admin.” 99% don’t. Replace with self-service installs + JIT elevation.
  • “Our MSP has a shared admin.” Split accounts, enable MFA, and log all vendor access.
  • “Macs are exempt.” They aren’t; deploy EDR and enforce updates on macOS too.

 


FAQs

 

Is EDR really required if we have next-gen AV?

Carriers increasingly expect EDR/MDR because it provides continuous monitoring and rapid isolation. “AV-only” is a common reason for higher premiums or rejections.

 

What if our OT or line-of-business software can’t patch quickly?

Use compensating controls: network segmentation, strict allow-lists, application control, jump hosts, and documented emergency procedures.

 

Do we need immutable backups if we use a reputable cloud backup?

Yes. Turn on immutability/retention lock (object lock/WORM) and prove it with settings plus a restore test report.

 

How often should we run phishing simulations?

Quarterly is typical; monthly for higher-risk roles. Track results over time and coach repeat clickers.


 

Next step: Get your Bind-Ready Assessment (free, 20 minutes)

 

We’ll map your environment against the seven controls, highlight quick wins, and send you a carrier-friendly evidence bundle checklist. If you’re close, we’ll tighten the last gaps and coordinate with your broker.