What do I need to do to qualify for Cybersecurity insurance?


Cyber insurance is getting stricter. Here’s the checklist most firms miss.

Cyber insurance used to feel optional.
Now, for many firms, it’s becoming table stakes.

Insurers aren’t just asking whether you have protection anymore. They’re asking how you’re protecting yourself, and they want specific controls, implemented in specific ways. Antivirus isn’t enough. Good intentions aren’t enough. You’re expected to show that real safeguards are already in place before the policy is written.

If you’ve ever opened a cyber insurance application and thought, “I understand every word in this sentence, but not in this order,” (ha!) you’re not alone.

Most applications boil down to the same six requirements. The tricky part is that each one sounds technical, even when the concept is pretty simple.

So we made a one-page checklist you can use to see what’s required, what Nimbl IT services already cover, and what might still need attention.

The six requirements insurers ask about (and what they actually mean)

1) Endpoint Detection & Response (EDR/MDR)

What it’s asking: “Do you have serious protection on every computer?”

This is the modern version of “antivirus,” but it’s smarter than the old-school pop-up antivirus most of us grew up with.

  • Endpoint = each laptop, desktop and server (every device people work on or data lives on)
  • Detection & Response = it doesn’t just spot threats, it’s built to stop them
  • Managed (MDR) = there’s oversight/monitoring behind it, not just software installed and forgotten


Plain English: If someone clicks a bad link or ransomware tries to run, EDR is one of the controls that can catch it fast and shut it down before it spreads.

How Nimbl fits: This is included on all our managed devices. 

2) Multi-Factor Authentication (MFA)

What it’s asking: “If a password gets stolen, do you still have a second lock on the door?”

MFA means a login needs at least two different kinds of proof:

  • Something you know (password)
  • Something you have (an authenticator app code, a push approval, or a hardware security key)
  • Something you are (fingerprint or face unlock)

Not all second factors are equal. Codes sent by text message can be intercepted or redirected to a swapped SIM, so an app, push prompt or hardware key is the stronger choice, and it’s what carriers increasingly expect on email, remote access and administrator accounts.


Why insurers care: passwords get leaked constantly. MFA is what keeps a leaked password from turning into a full email takeover, payroll fraud, or vendor payment reroute.

Plain English: Passwords are like house keys. MFA is the deadbolt.

How Nimbl Tech fits: We can guide and advise, but MFA ultimately has to be enabled inside your systems (email, payroll, banking, etc.) as a firm policy. This one can’t be “outsourced” in the same way device monitoring can.

3) Vulnerability Management & Patch Management

What it’s asking: “Are you keeping devices updated so known holes get closed?”

A large share of incidents start with software that wasn’t updated even though a fix had been available for weeks or months: operating systems, browsers, Microsoft Office, QuickBooks-related tools, remote-access software, and so on.

  • Patch management = installing vendor updates on a schedule, with a faster lane for urgent fixes
  • Vulnerability management = scanning for known weak spots (missing patches, unsupported software, risky configurations), ranking them by severity and tracking them to closure; patching is one of the fixes it drives


Plain English: Updates aren’t just new features. Most updates are quietly fixing security problems that are already public knowledge.

How Nimbl Tech fits: Weekly patching is part of device management. (If a firm needs deeper scanning across the network, that can be added.)

4) Secure Data Backups (Off-site / Air-gapped)

What it’s asking: “If ransomware encrypts your files, can you restore all those files from a clean copy?”

Backups aren’t just about accidental deletion anymore. Insurers want to see that backups are:

  • Recent (not “we backed up last quarter… probably”)
  • Recoverable (you’ve actually tested a restore, not just looked at a green checkmark)
  • Isolated from the main network (so ransomware, or an attacker using stolen admin credentials, can’t encrypt or delete the backups too)

Off-site means a copy is stored somewhere separate from your office and servers (often cloud storage).
Air-gapped means that copy can’t be reached from your production network at all: it’s offline, or held in storage that can’t be overwritten or deleted even with your own admin credentials. So even if your main environment is compromised, the backup stays safe.

Plain English: A backup that gets encrypted by the same ransomware isn’t really a backup. It’s just a second copy of the problem.

How Nimbl Tech fits: We can set this up and manage it, but it’s not included in every standard engagement by default because backup needs vary a lot by firm (storage, systems, compliance, recovery expectations).

5) Security Awareness Training (including phishing simulations)

What it’s asking: “Are you training your team for the stuff that actually happens?”

Most successful attacks don’t start with Hollywood hacking. They start with an email that looks normal enough to click.

Training typically includes:

  • Short, ongoing education (not one annual video everyone ignores)
  • Phishing simulations (safe test emails that teach pattern recognition)
  • Coaching around what to do if something feels off

Plain English: This is teaching your team how to pause before clicking the thing that looks urgent, weird, or “too normal.”

How Nimbl Tech fits: Included. We run monthly phishing simulations and quarterly micro-trainings.

6) Written Security Policy & Incident Response Plan (WISP + IR Plan)

What it’s asking: “If something happens, do you have a plan or are you improvising?”

Insurers want to know you’ve documented two things:

  • Security policy / WISP (Written Information Security Plan): The “how we operate” document. Who has access, how passwords are handled, what devices are allowed, how data is protected, etc.

  • Incident response plan: The “what we do when it goes wrong” document. Who gets called first, what systems get shut down, how you communicate internally and externally, what gets documented for insurance/legal, and how you restore operations.

Plain English: This is the difference between “everyone panics and starts changing passwords” and “we follow the playbook.”

How Nimbl Tech fits: We can create these as project-based engagements. They’re not included by default for most firms, but they’re very common insurance requirements.

Use this as a checklist, not a reason to get anxious

We’re not interested in turning cybersecurity into doom and gloom. This is just reality: insurers want proof that basic controls are in place.

We created a one-page checklist you can use in two ways:

  • As a self-assessment before applying for cyber insurance
  • As a reference to share with your insurance broker or carrier

If you review it and realize you’re missing one or two pieces, that’s fixable. The goal is clarity and fewer surprises when you’re trying to get coverage.
