Free Checklist

CYBER INSURANCE READINESS CHECKLIST

Prepare for your cyber insurance application or renewal with the controls underwriters scrutinize most. Use this checklist to identify gaps before your broker asks — and document the evidence you'll need to support your submission.

How to use this checklist

  • Mark each item as Implemented, In Progress, or Not Started.
  • Assign an owner and target date to every gap before your renewal window.
  • Retain the evidence items — underwriters and brokers increasingly request documentation.
  • The underwriter note on each section explains how carriers weight that control.

  1. Multi-Factor Authentication (MFA)

    Underwriter lens: Nearly universal requirement — missing MFA is the most common cause of application denial.

    Readiness checks

    • Enforce MFA on all email accounts (Microsoft 365, Google Workspace, etc.).
    • Require MFA for all VPN and remote access connections.
    • Apply MFA to all privileged and administrative accounts.
    • Document any exceptions with compensating controls and expiration dates.

    Evidence to retain

    • Identity provider MFA enforcement screenshot or policy export.
    • Exception register with approvals.
    • Privileged access control documentation.

  2. Endpoint Detection and Response (EDR)

    Underwriter lens: Required by most carriers, especially for organizations with 50+ employees or sensitive data.

    Readiness checks

    • Deploy EDR to all endpoints — workstations, servers, and laptops.
    • Track coverage; remediate gaps within a defined SLA.
    • Configure alerting for suspicious behavior with documented response procedures.
    • Test detection capability periodically and document results.

    Evidence to retain

    • EDR deployment report showing coverage percentage.
    • Vendor contract or license agreement.
    • Sample alert response log.

  3. Privileged Access Management

    Underwriter lens: Increasingly required, particularly for organizations with complex environments or service accounts.

    Readiness checks

    • Inventory all privileged accounts — admin, service, and shared.
    • Use a PAM tool or enforce strict controls for privileged credential storage.
    • Prohibit shared admin credentials without audit logging.
    • Review privileged access at least quarterly.

    Evidence to retain

    • Privileged account inventory.
    • PAM tool configuration or access control policy.
    • Quarterly review records.

  4. Email Security Controls

    Underwriter lens: Core expectation for phishing and business email compromise (BEC) risk reduction.

    Readiness checks

    • Enable SPF, DKIM, and DMARC for all sending domains.
    • Deploy advanced email filtering or an anti-phishing gateway.
    • Configure quarantine policies and alerts for suspicious messages.
    • Enable time-of-click URL scanning to block links that weaponize after delivery.

    Evidence to retain

    • DMARC/DKIM/SPF record publication (verify with MXToolbox or similar).
    • Email filtering platform configuration.
    • Anti-phishing policy documentation.
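
As an added example, not part of the original checklist, the following Python script checks the SPF and DMARC TXT records a domain publishes against the points above: the version tag is present, SPF does not end in "+all", SPF stays within the 10-DNS-lookup limit of RFC 7208, and DMARC uses an enforcing policy. The domains and records are constructed sample data; in practice you would fetch the TXT records with dig or a DNS library and pass the strings in, and the result maps each domain to the Implemented / In Progress / Not Started status used in this checklist.

```python
import re

# Constructed sample (spf, dmarc) records for made-up .test domains, not real DNS lookups.
SAMPLE_RECORDS = {
    "example-good.test": ("v=spf1 include:_spf.example-mail.test -all",
                          "v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test"),
    "example-weak.test": ("v=spf1 include:a.test include:b.test +all",
                          "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"),
    "example-missing.test": (None, None),
}
# SPF terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_RE = re.compile(r"^[+\-~?]?(?:(?:include|a|mx|ptr|exists)(?::|/|$)|redirect=)")

def check_spf(record):
    # Findings for one SPF record; an empty list means the control is in place.
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    if terms[0] != "v=spf1":
        return ["TXT record does not start with v=spf1"]
    findings = []
    if any(t in ("+all", "all") for t in terms):
        findings.append("'+all' authorizes any sender; use -all or ~all")
    lookups = sum(1 for t in terms if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    return findings

def check_dmarc(record):
    # Findings for one DMARC record; an empty list means the control is in place.
    if not record:
        return ["no DMARC record published at _dmarc.<domain>"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["record does not begin with v=DMARC1"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p', 'missing')} is not an enforcing policy")
    return findings

def readiness(records):
    # Map each domain to a checklist status (Implemented / In Progress / Not Started).
    report = {}
    for domain, (spf, dmarc) in records.items():
        issues = [f"SPF: {f}" for f in check_spf(spf)]
        issues += [f"DMARC: {f}" for f in check_dmarc(dmarc)]
        status = ("Not Started" if spf is None and dmarc is None
                  else "Implemented" if not issues else "In Progress")
        report[domain] = {"status": status, "issues": issues}
    return report
```
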

  5. Backup and Recovery Capability

    Underwriter lens: Audited closely for ransomware claim response — backup isolation is the critical factor.

    Readiness checks

    • Maintain backups isolated from production systems (offline, immutable, or air-gapped).
    • Test backup restoration at least annually with documented results.
    • Define and document Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
    • Store at least one backup copy off-site or in a logically separate cloud environment.

    Evidence to retain

    • Backup solution configuration and coverage report.
    • Restoration test results with date.
    • RTO/RPO documentation.
    • Off-site or cross-account backup confirmation.

  6. Vulnerability and Patch Management

    Underwriter lens: Insurers want evidence that critical CVEs are addressed on a predictable timeline.

    Readiness checks

    • Run authenticated vulnerability scans on a regular, documented schedule.
    • Remediate critical findings within 30 days; high findings within 60 days.
    • Track open findings with assigned owners and target dates.
    • Apply OS and application patches on a defined cadence.

    Evidence to retain

    • Vulnerability scan reports with dates.
    • Patch management policy and SLA documentation.
    • Remediation tracking log.

  7. Incident Response Plan

    Underwriter lens: Required by most carriers; quality and completeness are evaluated, not just existence.

    Readiness checks

    • Maintain a written Incident Response Plan (IRP) with defined roles and escalation paths.
    • Include breach notification obligations and carrier notification requirements.
    • Conduct at least one tabletop exercise per year and document results.
    • Review and update the IRP after significant changes or any actual incidents.

    Evidence to retain

    • Current written IRP with version date.
    • Tabletop exercise agenda and findings summary.
    • Carrier notification contact list.

  8. Security Awareness Training

    Underwriter lens: Expected baseline; phishing simulation frequency influences underwriter scoring.

    Readiness checks

    • Provide formal security awareness training to all employees at least annually.
    • Run phishing simulations at least quarterly.
    • Track completion rates and report outcomes to leadership.
    • Follow up with targeted training for employees who repeatedly fail simulations.

    Evidence to retain

    • Training platform completion report.
    • Phishing simulation frequency and results summary.
    • Curriculum and annual schedule.

  9. Network Segmentation

    Underwriter lens: Scrutinized for organizations handling regulated data, payment card data, or operational technology.

    Readiness checks

    • Separate sensitive environments (PII, financial, cardholder data) from general network traffic.
    • Restrict lateral movement between segments using firewall rules or microsegmentation.
    • Isolate backup infrastructure from the primary network.
    • Review segmentation policy after significant architecture changes.

    Evidence to retain

    • Network topology diagram showing segmentation.
    • Firewall rule review documentation.
    • Backup network isolation evidence.

  10. Vendor and Third-Party Risk

    Underwriter lens: Supply chain incidents have increased underwriter focus — vendor inventory is frequently requested.

    Readiness checks

    • Maintain an inventory of vendors with access to your systems or data.
    • Require contractual security obligations and breach notification clauses.
    • Assess critical vendors annually using a security questionnaire or review.
    • Revoke vendor access promptly when relationships end.

    Evidence to retain

    • Vendor inventory with access classification.
    • Sample vendor contract security addendum.
    • Annual vendor reassessment records.

Need help closing gaps before renewal?

Prometheus helps organizations prepare for cyber insurance renewals and applications — from gap assessment to control implementation and evidence documentation.
