Cyber insurers underwrite risk based on a small set of high-impact security controls because these controls correlate directly with claim frequency and loss severity. For SMBs with 25–250 employees - the same segment Sourcepass typically supports in managed and co-managed models - the control list is tight, practical, and measurable.
The most common insurer requirements align to three foundational actions:
Require multifactor authentication (MFA) everywhere, especially for email, remote access, and administrative roles. Legacy authentication should be phased out in favor of policy-enforced access rules, including Conditional Access for sensitive applications and high-risk sign-ins.
Deploy endpoint detection and response (EDR) across endpoints and servers with evidence that shows coverage, agent health, and update status. Mature programs also measure detection and isolation performance, such as mean time to detect and isolate for recent incidents.
Back up critical systems and data using immutable or offline copies and test restore success regularly. Recovery runbooks should be documented and accessible to avoid unplanned or inconsistent response methods during a crisis.
Although insurer questionnaires differ by carrier, control requirements increasingly converge. Coalition’s summary of essential cyber insurance requirements highlights MFA, identity access management, employee training, and backups as core levers for lowering underwriting risk. See the overview here: 5 Essential Cyber Insurance Requirements.
For a neutral, cross-industry benchmark, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes Cross-Sector Cybersecurity Performance Goals (CPGs) that map directly to implementable business controls. These goals provide a consistent reference for both security and governance planning: CISA Cross-Sector CPG Overview.
CISA also provides a checklist that helps SMBs document control progress in a format that aligns well to renewal evidence packages: CISA CPG Checklist.
Beyond the foundational three, insurers increasingly look for evidence of email security hygiene and privileged identity discipline. SMBs should:
Tune anti-phish and link inspection policies
Disable automatic external mailbox forwarding by default
Monitor for suspicious mailbox rules and identity behavior
Separate standard and admin accounts using just-enough privilege principles
Require phishing-resistant MFA methods for privileged identities
Segment networks to contain ransomware impact
Perform vendor risk checks for remote access and file transfer tools
These actions shrink the likelihood of compromise and reduce the impact radius if an event occurs.
Evidence is now central to underwriting discussions. SMBs should maintain centralized logging with retention policies that cover identity, email, endpoint, and backup job results. CISA includes logging and backups in its short list of top-tier business best practices: Level Your Defenses: 4 Cybersecurity Best Practices.
Dashboards should show:
MFA coverage rates
EDR deployment and agent health
Patch levels
Backup job success and restore test history
Identity risk detections
Mail rule anomalies
Save monthly exports or screenshots to prove historical adherence at renewal.
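As an added illustration (not code from the Sourcepass article), the following Python computes several of the dashboard metrics listed above from a constructed inventory: MFA coverage, privileged accounts still lacking phishing-resistant MFA, EDR agent health buckets, and mailbox rules that forward externally or delete mail. Every account name, hostname, date and MFA method label is an assumption.

```python
from datetime import date

# Constructed sample inventory for a hypothetical SMB tenant; not real data.
USERS = [
    {"upn": "alice@example.com", "admin": True, "mfa": "fido2"},
    {"upn": "bob@example.com", "admin": True, "mfa": "sms"},
    {"upn": "carol@example.com", "admin": False, "mfa": "authenticator_app"},
    {"upn": "dave@example.com", "admin": False, "mfa": None},
]
ENDPOINTS = [
    {"host": "WS-01", "edr_last_checkin": date(2024, 5, 30)},
    {"host": "WS-02", "edr_last_checkin": date(2024, 5, 2)},
    {"host": "SRV-01", "edr_last_checkin": None},  # agent never reported in
]
MAILBOX_RULES = [
    {"upn": "bob@example.com", "forward_to": "bob.personal@mail.example.net", "delete": True},
    {"upn": "carol@example.com", "forward_to": "carol@example.com", "delete": False},
]
TENANT_DOMAIN = "example.com"
PHISHING_RESISTANT = {"fido2", "windows_hello", "certificate"}  # assumed method labels
AS_OF = date(2024, 6, 1)  # constructed report date for the monthly export


def mfa_coverage(users):
    """Share of users with any MFA method registered, as a fraction 0.0-1.0."""
    return sum(1 for u in users if u["mfa"]) / len(users)


def admins_without_phishing_resistant_mfa(users):
    """Privileged accounts still on weaker MFA (SMS, push) or on no MFA at all."""
    return [u["upn"] for u in users if u["admin"] and u["mfa"] not in PHISHING_RESISTANT]


def edr_health(endpoints, as_of, stale_days=7):
    """Bucket agents as healthy, stale (no check-in within stale_days) or missing."""
    counts = {"healthy": 0, "stale": 0, "missing": 0}
    for e in endpoints:
        last = e["edr_last_checkin"]
        if last is None:
            counts["missing"] += 1
        elif (as_of - last).days > stale_days:
            counts["stale"] += 1
        else:
            counts["healthy"] += 1
    return counts


def suspicious_mailbox_rules(rules, tenant_domain):
    """Rules that forward outside the tenant or delete mail, worth an analyst's review."""
    return [r["upn"] for r in rules
            if r["delete"] or not r["forward_to"].lower().endswith("@" + tenant_domain)]
```

Run monthly, the four return values are the kind of point-in-time numbers worth saving alongside the screenshots for the renewal package.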
Quarterly tabletop exercises that simulate business email compromise (BEC) and ransomware are now table stakes. For restore evidence, track:
Time to list restore points
Time to mount a backup
Time to restore full service
Include proof of phishing simulations and targeted micro-trainings with trend lines for report rates, click rates, and median time-to-report. Maintain a register of exceptions (e.g., a legacy app that temporarily requires basic authentication) with compensating controls and expiration dates.
When possible, organize a renewal evidence package that includes:
Policy documents
Identity and backup architecture diagrams
Sample audit logs
EDR coverage reports
Recent tabletop summaries
Phishing simulation outcomes
Exception register
If your insurer provides a portal for artifact uploads, use it. When a breach trend appears in the market, re-validate exposure and document accelerated fixes to show responsive governance.
Cyber insurance readiness must balance risk reduction and financial outcomes. Establish a quarterly steering cadence that includes IT/security, finance, and legal stakeholders. Review:
Loss drivers (BEC, ransomware, vendor breaches)
Control maturity
Exceptions
Evidence packages
Insurance premium trends
Translate technical outcomes into financial terms, such as reduced downtime hours from faster restore tests or fraud avoided by early mail rule detection.
Fund in order of underwriting impact:
Identity upgrades with policy-enforced Conditional Access
Phishing-resistant MFA for administrators
Full EDR coverage with health proof
Immutable backups with restore test evidence
Use neutral frameworks like CISA’s CPGs to justify spend: CISA Cross-Sector CPGs.
Track improvements in a one-page executive dashboard showing:
Control coverage
Restore drill times
Phishing resilience metrics
Exception register trending down
Premium or underwriting credit estimates
Add revealed gaps to a tracked backlog with due dates, owners, and budget allocations. Retire exceptions aggressively and re-test risky areas post-remediation. SMBs that pair documented controls with measurable outcomes secure coverage at better terms and reduce real business risk.
The highest-impact controls for SMB underwriting are MFA for email and remote access, phishing-resistant MFA for administrators, EDR coverage with agent health proof, and immutable backups with restore test evidence. These controls directly reduce claim frequency and loss severity.
SMBs should be prepared to provide centralized security logs with retention, MFA and EDR coverage dashboards, backup job success history, documented restore tests, tabletop incident summaries, an exception register with compensating controls, and architecture diagrams. Renewal packages should be organized and auditable.
Yes. Phishing simulations paired with adaptive micro-training can demonstrate improved employee resilience, which reduces identity compromise risk and BEC claim likelihood. Include evidence of simulations, training completion, report rate trends, click rate reductions, and median time-to-report improvements.
Prioritize identity policy upgrades, full EDR coverage, and immutable backups. Track mean time to detect, isolate, and restore. Reduce exceptions on a documented backlog with owners and due dates. Share underwriting credits and reduced downtime hours on a single executive dashboard for traceable ROI discussions.
A neutral benchmark for SMB control maturity is CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and its official checklist. These frameworks map directly to practical SMB security actions and provide a shared language for finance, IT, and underwriting stakeholders.
Quarterly reviews are recommended. These reviews should assess control maturity, test evidence, exceptions, incident simulations, backlog progress, and premium credit opportunities. Tie governance cadence to budgeting cycles for predictable premiums and targeted risk reduction.