Underwriters stopped taking your word for it. What they verify now, what "proof" means, and the calendar that makes renewal boring — in the good way.
Two years ago, a cyber insurance application was a questionnaire. Do you have multi-factor authentication? You checked yes, someone in IT nodded, and the policy renewed.
That era is over. Renewals landing on mid-market desks this spring come with a different posture: the underwriter wants evidence. Exports from your identity platform showing MFA coverage. Reports from your endpoint tooling. Backup test results with dates on them. The renewal, in short, has become an audit — and the mid-market is exactly where underwriting has tightened hardest.1
Here's the nuance the scary headlines miss: the market as a whole is actually competitive — capacity is up, and buyers who can evidence their controls are seeing flat or even declining rates.2 The tightening is selective. Companies that can't produce the evidence face carve-outs for the missing controls, tighter sub-limits, or non-renewal — which lands them in surplus markets at multiples of standard pricing. Security-industry reporting puts the premium penalty for control laggards as high as 40–100%;3 the precise figure matters less than the pattern, which is that the same market cutting rates for well-run programs is walking away from the rest. Here's what carriers actually check now, and how to make next renewal uneventful.
Multi-factor authentication — everywhere, with receipts. Not just email. VPN and any remote access, cloud admin consoles, privileged accounts, service accounts where technically possible. Proof means a coverage report from your identity provider — and a documented list of exceptions with compensating controls, because the forgotten firewall admin portal is precisely what underwriters have learned to ask about.
Endpoint detection and response on every endpoint. "We have antivirus" no longer clears the bar. Proof is a deployment report showing coverage percentage — and an answer for the machines that aren't covered.
Tested, separated backups. Backups an attacker can encrypt along with production don't count. Carriers want copies that are offline or otherwise isolated, and evidence of an actual restore test — with a date, a duration, and a result.
A documented, exercised incident response plan. A PDF nobody has opened is decoration. A tabletop exercise with attendance and findings, in the last 12 months, is evidence.
Privileged access management. Who holds admin rights, why, and what watches those accounts. Compromised admin accounts drive some of the largest insured losses precisely because of their unrestricted reach — which is why underwriters have learned to read this control closely.3
Buried in most current policies is language about maintained systems — and this is where insurance quietly connects to your software calendar. If an incident is traced to a system past its end of support running without a documented exception, the carrier has grounds to contest the claim. Not the premium. The claim — the entire reason the policy exists.
Which means every end-of-life date in your stack is now, functionally, an insurance date. An inventory of what's approaching retirement isn't just an IT hygiene exercise; it's claims protection. (This is precisely what EOL Radar tracks, and if the vocabulary needs untangling first, start with the plain-English guide.)
The difference between a bruising renewal and a boring one is almost entirely preparation lead time:
120 days out: run the gap assessment against the five controls above. Anything missing still has time to be fixed and produce evidence — a control implemented the week before renewal, with no operating history, persuades no one.
60 days out: assemble the evidence package — coverage reports, test results, the IR plan and tabletop findings, the exception list. One folder, current dates, no scrambling.
30 days out: brief whoever faces the broker. Inconsistent answers between the application and a follow-up call are how easy renewals become hard ones.
It's easy to read all this as one more compliance burden — an insurance product that now requires a security program to buy. But look at it from the other side: the carrier has effectively handed you a prioritized, market-tested list of the controls that most reduce real-world loss, and attached a financial incentive to each one.
That's a free maturity assessment with a deadline. Companies that treat it that way — rather than as paperwork — come out of renewal season with better security and better pricing, which is the rare outcome everyone's CFO approves of.
Building the program behind the evidence is what our cybersecurity and governance work exists for — board-ready, sized for a mid-market budget, and run by people who've answered to underwriters before.
Our cybersecurity & governance work builds the program behind the evidence — sized for a mid-market budget, run by people who've answered to underwriters before.
No SDR layer. We sell expertise, not products.