Cyber Insurance Requirements: A Small Business Checklist
Insurers now require specific security controls before they will quote or renew. Here is what they ask about and how to be ready.
Updated June 2026 · 6 min read
Cyber insurance used to be a short form and a signature. After several years of ransomware claims, insurers tightened their underwriting. Today the application is effectively a security questionnaire, and the answers change whether you get covered, what you pay, and whether a future claim is honored.
If your business has 10 to 75 employees and runs on Microsoft 365 or Google Workspace, the controls below are the ones carriers ask about most often. Use this as a checklist before your next renewal.
The controls almost every application asks about
- Multi-factor authentication (MFA): on email, remote access, and administrator accounts at a minimum. This is the single most common requirement.
- Endpoint detection and response (EDR): modern protection on laptops and servers, not just consumer antivirus.
- Tested backups: backups that are recent, stored separately, and actually restored on a schedule. Insurers increasingly ask whether you have tested a restore.
- Email security: SPF, DKIM, and DMARC for your domain, plus phishing protection. See our DMARC and email security work for detail.
- Access control: least-privilege access, prompt removal of departing employees, and limited use of administrator accounts. Our offboarding security page covers the leaver side.
- Patching: a routine for keeping operating systems and key applications up to date.
- Security awareness: basic training so staff can recognize phishing and payment fraud.
- Incident response plan: a written, basic plan for who does what if something goes wrong.
What insurers mean by evidence
Answering yes is not enough if you cannot show it. Evidence usually means a screenshot of a setting, a short written policy, or a report from a tool. The goal is to answer the questionnaire accurately and to have something on file if the carrier asks. Organizing that evidence ahead of time is most of the work, and it is exactly what a Tecnico Ready security review produces.
Common reasons coverage is declined or priced higher
- MFA is missing on email or administrator accounts, or it is inconsistent across the company.
- Backups exist but have never been tested with a real restore.
- Consumer antivirus is in place instead of endpoint detection and response.
- Former employees still have active accounts or mailbox access.
- The questionnaire is answered optimistically rather than accurately, which can create problems at claim time.
How Tecnico Desk helps
Tecnico Desk is a security-first IT and cloud security partner. We help you put the required controls in place, then organize the evidence so you can answer a cyber insurance questionnaire accurately. We do not provide legal or insurance advice, and we cannot guarantee approval or pricing, because the carrier makes that call. What we can do is close the gaps that cause most denials. Start with cyber insurance readiness or a Tecnico Ready review.
Key takeaways
- The application is now a security questionnaire. Treat it like one.
- MFA, tested backups, and EDR are the controls that matter most.
- Answer accurately and keep evidence. Optimistic answers can void a claim.
- You do not need SOC 2 for most small business cyber insurance.
Cyber insurance questions
Do I need a SOC 2 report for cyber insurance?
No. Most small business cyber insurance applications do not require SOC 2. They ask whether specific controls are in place, such as multi-factor authentication, backups, and endpoint protection. SOC 2 is a separate, larger audit that most small businesses do not need for insurance.
Does cyber insurance require multi-factor authentication?
In most cases, yes. MFA on email, remote access, and administrator accounts is one of the most common requirements, and missing it is a frequent reason an application is declined or priced higher.
What is the most common reason an application is declined?
Missing or inconsistent MFA, no tested backups, and no endpoint detection and response are the most common gaps. Inaccurate answers on the questionnaire can also cause problems at claim time.
Can Tecnico Desk guarantee my application is approved?
No. No provider can guarantee approval or pricing, because the insurer makes that decision. Tecnico Desk helps you put the required controls in place and organize the evidence so you can answer the questionnaire accurately.