Cyber Insurance Requirements: What Firms Need in Place First

    July 30, 2024 · 7 min read

    Cyber insurance used to be simple. Fill out a short questionnaire, pay a modest premium, and get coverage. That era is over.

    Insurance carriers have been hammered by ransomware claims, business email compromise losses, and data breach payouts. In response, they have dramatically tightened their requirements. Premiums have increased. Coverage has narrowed. And the application process now looks more like a security audit than an insurance form.

    For professional services firms, cyber insurance is not optional. It is a business necessity that clients, regulators, and partners increasingly expect. But getting coverage, and keeping it valid, requires meeting specific security benchmarks.

    Why Cyber Insurance Matters for Professional Firms

    The numbers tell the story. The average cost of a data breach for small to mid-sized businesses exceeded $150,000 in 2025. For firms handling sensitive client data (tax returns, legal documents, financial records), the total cost including notification, forensics, legal defense, and business interruption can easily exceed $500,000.

    Without insurance, a breach can be an existential threat. With insurance, it is a serious but survivable event.

    Beyond financial protection, many clients now require their professional service providers to carry cyber insurance. This is especially true of large corporate clients, government entities, and clients in regulated industries. Not having coverage can disqualify you from lucrative engagements.

    What Insurers Require Now

    Every insurer is different, but the following requirements have become nearly universal. If you do not have these in place, expect either a denial, a significantly higher premium, or exclusions that gut your coverage.

    Multi-Factor Authentication

    MFA is the single most common requirement, and its absence is the most common reason for claim denials. Insurers typically require MFA on:

    • All email accounts (not just some)
    • All remote access points (VPN, Remote Desktop, cloud applications)
    • All accounts with administrative privileges
    • All accounts accessing financial systems

    Not all MFA is treated equally. Some insurers now specify that SMS-based MFA is insufficient and require authenticator apps or hardware tokens. See our article on why MFA alone is not enough, but understand that it is the minimum starting point.

    Endpoint Detection and Response

    Basic antivirus no longer satisfies most insurers. They want to see EDR solutions that:

    • Monitor endpoint behavior in real time
    • Can automatically isolate compromised devices
    • Provide forensic data for investigation
    • Are centrally managed (not just installed on individual machines)

    Email Security

    Given that email is the primary attack vector, insurers look for:

    • Advanced threat protection (not just spam filtering)
    • Phishing detection and prevention
    • Email encryption capabilities
    • DMARC enforcement

    Backup and Recovery

    Insurers want to know you can recover without paying a ransom. They look for:

    • Regular automated backups (at least daily for critical data)
    • Backups stored separately from the primary network
    • Immutable or air-gapped backups that ransomware cannot encrypt
    • Documented and tested recovery procedures

    Patch Management

    Unpatched systems are a leading cause of breaches. Insurers look for:

    • A documented patch management process
    • Critical patches applied within 30 days (some require 14 days)
    • Automatic updates enabled where possible
    • Regular vulnerability scanning

    Security Awareness Training

    Most insurers require evidence of regular security awareness training:

    • At least annual training for all employees
    • Phishing simulation testing
    • Documentation of training completion
    • New hire security orientation

    Incident Response Plan

    Having a written breach response plan is increasingly required for coverage:

    • Documented incident response procedures
    • Defined roles and responsibilities
    • Communication templates
    • Contact information for response resources
    • Evidence of annual testing (tabletop exercises)

    Privileged Access Management

    Insurers are paying more attention to how administrative access is managed:

    • Separate admin accounts from daily-use accounts
    • Logged and auditable admin actions
    • Minimal number of admin accounts
    • Admin access protected by strong MFA

    The Application Process

    Modern cyber insurance applications are detailed. Expect questions about:

    • Your annual revenue and number of employees
    • Types of data you handle (PII, financial, legal, health)
    • Number of records you maintain
    • Whether you have experienced prior incidents
    • Specific security controls in place
    • Third-party vendors with access to your data
    • Remote work policies and security measures

    **Be truthful.** Misrepresenting your security posture on an insurance application can void your coverage entirely. If a breach occurs and the insurer discovers that you claimed to have MFA everywhere but did not, they can deny your claim.

    **Get help if needed.** If the application asks technical questions you cannot answer, involve your IT provider. Some insurance brokers specialize in cyber insurance for professional services firms and can guide you through the process.

    Coverage Types to Understand

    **First-party coverage** protects your firm directly:

    • Incident response and forensic investigation costs
    • Data recovery and system restoration
    • Business interruption and lost income
    • Ransomware payment (if you choose to pay)
    • Notification costs and credit monitoring for affected clients
    • Crisis communications and public relations

    **Third-party coverage** protects against liability to others:

    • Client lawsuits resulting from a breach
    • Regulatory fines and penalties
    • Legal defense costs
    • Payment Card Industry (PCI) fines if payment data is involved

    **Social engineering coverage** is often a separate endorsement:

    • Wire fraud resulting from business email compromise
    • Invoice manipulation schemes
    • Impersonation attacks

    Pay attention to coverage limits, deductibles, and exclusions. A $1 million policy with a $100,000 deductible and exclusions for unpatched systems might not provide the protection you expect.

    Common Reasons Claims Get Denied

    Understanding why claims are denied helps you avoid those pitfalls:

    **Failure to maintain security controls.** If you had MFA when you applied but disabled it later, and then a breach occurred, the claim may be denied.

    **Late notification.** Most policies require notification within 24-72 hours of discovering a breach. Missing this window can jeopardize coverage.

    **Pre-existing conditions.** If a breach started before your policy took effect, it is not covered. This is why continuous monitoring matters.

    **War and terrorism exclusions.** Some policies exclude state-sponsored attacks. Given the geopolitical landscape, this exclusion is increasingly relevant.

    **Failure to follow the plan.** If your incident response deviated significantly from the procedures you represented to the insurer, they may question the claim.

    Steps to Get Ready

    If you are preparing to apply for cyber insurance or renew your policy:

    1. **Conduct a security assessment.** Use our cybersecurity checklist to identify gaps.
    2. **Implement MFA everywhere.** This is non-negotiable.
    3. **Deploy EDR.** Replace basic antivirus with a modern EDR solution.
    4. **Verify your backups.** Test restores. Implement immutable backups.
    5. **Document your controls.** Insurers want evidence, not just claims.
    6. **Train your team.** Conduct and document security awareness training.
    7. **Write your incident response plan.** Build a breach response plan and test it.
    8. **Review your compliance.** Address common compliance gaps before they become issues.

    Working With an Insurance Broker

    A broker who specializes in cyber insurance for professional services can:

    • Help you understand what coverage you need
    • Shop your application across multiple carriers
    • Identify gaps in your security that could affect your application
    • Negotiate terms and pricing on your behalf
    • Assist with the claims process if you need to file

    The investment in a knowledgeable broker often pays for itself through better coverage, lower premiums, and smoother claims processing.

    For a comprehensive approach to protecting your firm, visit our cybersecurity guide for professional services. The security controls that qualify you for insurance are the same ones that reduce your risk of ever needing to file a claim.