Cyber insurance: what your insurer will demand from your IT

· 3 min read · SOVALYX Technologies

SHARE

Buying or renewing cyber insurance increasingly looks like a security audit: a detailed questionnaire, supporting evidence, and a premium indexed on your answers. The requirements converge from one insurer to the next — MFA, isolated backups, a tested DR plan, EDR, access management — and the good news is that they describe exactly what a well-run IT department should already be doing.

Why the questionnaire got tougher

Cyber insurers learned that good-faith declarations were not enough: ransomware put their business model under pressure, and the market responded by tightening risk selection. Today's questionnaire no longer asks "do you have antivirus?" but "what proportion of your remote access is protected by multi-factor authentication, and can you prove it?".

The stakes go beyond the premium. An inaccurate answer — ticked "yes" in good faith but wrong on the ground — can justify a reduced payout, or an outright denial, at the exact moment you need the cover. The real risk is not filling in the questionnaire: it is filling it in without checking.

The five requirements you will find everywhere

MFA everywhere it matters

Email, VPN and remote access, admin accounts, cloud consoles: multi-factor authentication has become the first question, and often a condition of eligibility. MFA "deployed at 80%" reassures no one: the remaining accounts are precisely the ones an attacker will go after.

Isolated, tested backups

A backup reachable from the production network will be encrypted along with everything else during an attack. Insurers expect an offline or immutable copy, credentials separate from production, and documented restore tests. A backup that has never been restored is a hypothesis, not a protection.

A written, dated, rehearsed DR plan

The disaster recovery plan they ask for is not a theoretical document: it names roles, sets recovery objectives, and above all rests on evidence of a recent drill. A DR plan that has never been tested is worth roughly zero — to an insurer and in real life.

Detection beyond antivirus

EDR on workstations and servers detects behaviours, not just signatures. But detection without response is worthless: questionnaires increasingly ask who watches the alerts, at what hours, and how fast a compromised machine can be isolated. Managed monitoring under contract answers that question.

Access and privilege management

Least privilege, periodic account reviews, immediate deactivation of leavers, an inventory of service accounts, controlled third-party access: it is the least spectacular chapter and one of the most scrutinised, because most intrusions ride on a legitimate account.

The evidence file to prepare

Rather than enduring the questionnaire, build a standing file, kept current all year round:

This file serves the policy renewal, but not only that: large enterprise customers now ask the same questions in their tenders, and any compliance audit will ask them again. The work is done once.

Requirements that protect you, policy or not

Let's be clear: insurance compensates, it restores neither your data nor your reputation. The required measures — MFA, isolated backups, a rehearsed DR plan, detection, access management — are precisely the ones that lower the odds a ransomware attack succeeds, and its impact if it does. Putting them in place for the insurer means protecting yourself first.

It is the kind of groundwork a partner like SOVALYX carries out ahead of the questionnaire, with dated evidence as the deliverable: an initial conversation is enough to measure the gap between the answers you would like to tick and your technical reality.

Summary table: requirement, expectation, evidence

RequirementWhat the insurer expectsEvidence to provide
MFAGeneralised across remote access, email and admin accountsConfiguration export, coverage rate
BackupsIsolated or immutable copy, tested restoresDated restore test report
DR planWritten plan with recovery objectives, recent drillDrill report, versioned plan
DetectionEDR deployed, alerts watched, organised responseDeployment rate, monitoring contract
AccessLeast privilege, periodic review, controlled leaversAccount register, leaver procedure

How SOVALYX can help

SOVALYX gets your IT ready for the questionnaire before the insurer sends it: immutable, isolated backups, an automated DR plan with documented drills, 24/7 monitoring under SLA and access reviews. You answer with dated evidence instead of declarations — and the same measures reduce the odds the policy ever has to pay out.

Talk compliance with an engineer

🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.

Reviewed and optimised by AI.