What Are the Requirements for Cyber Insurance Underwriting?

Years ago, insurance carriers were not as adept at cyber insurance underwriting as they are today. But with each passing year, they learn more about the realities of the cybersecurity landscape. And to mitigate their own losses, they reevaluate underwriting requirements in light of everything they learn.

Stricter Requirements in 2025

Carriers finally understand the risks and costs of cybercrime. As a result, their underwriting requirements have become stricter. What are they for 2025? Carrier requirements are not uniform, but we see some commonalities. Below is a list of requirements typical of most carriers.

1. Fundamental Technical Controls

At a bare minimum, insurance carriers are requiring policy holders to maintain fundamental technical controls. Examples of such controls include:

  • Multi-factor authentication (MFA)
  • Endpoint detection and response (EDR)
  • Managed detection and response (MDR)
  • AI-powered threat detection

A network and its data are only as secure as the technology deployed to keep them secure. Without the right technology in place, cyber insurance underwriting becomes riskier. It is no wonder insurance carriers are forcing policy holders to up their technology games.

2. Third-party Risk Management

Cyber threats impact both policy holders and their third-party partners. Unfortunately, third parties represent an extra level of risk because organizations do not have much control over how such parties maintain their own security. That being the case, cyber insurance underwriting almost always includes a requirement for third-party risk management (TPRM).

TPRM combines vendor security assessments with continual dark web monitoring. DarkOwl, a company that specializes in darknet intelligence, views continual monitoring as non-negotiable. Organizations need to diligently pay attention to potential threats coming at them through third parties.

3. Proactive Risk Mitigation

Insurance carriers expect policy holders to practice proactive risk mitigation. It is not enough to wait until an incident occurs to respond. Instead, organizations are expected to embrace:

  • Security awareness training among employees
  • Incident response plans that are documented and tested
  • Vulnerability management practices

Being proactive in cybersecurity is similar to being a defensive driver. Proactive behavior reduces risks and makes cyber insurance underwriting more palatable to carriers.

4. Compliance and Documentation

Policy holders hoping to continue with coverage must document compliance with both regulations and industry standards. For example, many carriers require that their policy holders adhere to the NIST Cybersecurity Framework or ISO 27001 standards. Claims can be denied when organizations cannot provide documentation demonstrating their compliance.

Improving Cyber Insurance Underwriting

Carriers are always looking to improve cyber insurance underwriting for themselves and their clients. With that in mind, we are seeing a number of emerging requirements just beginning to show themselves in the marketplace. AI risk prioritization is a good example. Supply chain resilience is another emerging trend we’re seeing.

The big question for policy holders is this: what happens if they don’t meet insurance carrier requirements? In many cases, carriers will refuse to renew policies. In other cases, policies will be renewed but with significant premium increases.

Policy exclusions are another option for carriers. They can offer coverage but exclude claims based on weaknesses a policy holder knew about but failed to address.

Expect More Requirements in the Future

Cyber insurance is a new form of insurance that carriers are still trying to work out. The more they learn about cyber threats and their impacts, the more sophisticated their policies become. Here is the bottom line: organizations can expect even more requirements in the future.

Cyber insurance underwriting will inevitably become more complicated as time goes on. That translates into more requirements for insured parties. Hopefully, it all results in fewer losses among carriers and their policy holders.