Compliance · 7 min read

Cyber Insurance Is Getting Harder to Get — Here's What Insurers Are Requiring in 2025

After years of sky-high claim payouts, cyber insurers have dramatically raised the bar. Businesses that don't meet the new requirements are being denied coverage — or having claims rejected when they need it most.

Kapagate Digital

Security Research Team

Not long ago, getting cyber insurance was relatively straightforward. Answer a few basic questions, pay a premium, and you were covered. That era is over.

After years of enormous claim payouts — driven by ransomware attacks, data breaches, and business email compromise — insurers have fundamentally changed their approach. They now conduct detailed technical assessments, require specific security controls to be in place, and include exclusions and sub-limits that can leave businesses severely underprotected.

Worse: some businesses are only discovering these requirements exist when they try to file a claim — and find it denied.

Why the Market Has Changed

Between 2019 and 2022, cyber insurance claims skyrocketed. Ransomware alone became so profitable that criminal gangs turned it into a service industry. Insurers paid out hundreds of millions in claims and, in response, did what any rational business does: they changed the terms.

Premiums increased by as much as 50–100% in some years. Coverage limits were reduced. New exclusions were added. And most significantly, minimum security requirements were introduced — controls that businesses must have in place to be eligible for coverage at all.

What Insurers Now Require

While specific requirements vary by insurer and policy, the following controls are now standard expectations across the market:

Multi-Factor Authentication (MFA)

Required on all email accounts, remote access, and admin systems. This is now a hard requirement — not a recommendation.

Endpoint Detection & Response (EDR)

Many insurers now specifically require EDR rather than standard antivirus on all business devices.

Offsite Data Backups

Backups must be stored separately from your main systems and tested regularly. Backups on the same network as your data don't count.

Email Security Controls

DMARC, DKIM, and SPF records must be configured. Advanced email filtering is increasingly expected.
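A baseline check of the SPF and DMARC records named above, added here as an example (not code from the original post or from Kapagate Digital). It evaluates TXT records supplied as a dict so it runs offline on constructed records; the domain names and records are made up, and DKIM is left out because its selector name cannot be discovered from the domain alone.

```python
# Offline baseline check of SPF/DMARC TXT records. In a real assessment the
# dict would be filled from DNS lookups for the domain under review.

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_email_auth(domain, txt_records):
    """Return a list of findings for a domain; an empty list means the baseline is met."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 TXT record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (RFC 7208 treats this as a permanent error)")
    else:
        final = spf[0].split()[-1].lower()
        if final in ("+all", "all"):
            findings.append("SPF: record ends in +all, which authorises any sender")
        elif final not in ("-all", "~all"):
            findings.append("SPF: record has no terminal -all/~all, so unlisted senders are not rejected")
    dmarc = [r for r in txt_records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc TXT record published")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; insurers usually expect quarantine or reject")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings

# Constructed records for two hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:spf.mailhost.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "strong.example": ["v=spf1 include:spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
}

if __name__ == "__main__":
    for name in ("weak.example", "strong.example"):
        print(name, check_email_auth(name, SAMPLE_TXT) or ["baseline met"])
```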

Patch Management

Systems, software, and devices must be kept up to date. Unpatched known vulnerabilities are a common reason for claim denial.

Employee Security Training

Documented, regular security awareness training is now expected by most insurers. Ad-hoc or one-time training doesn't satisfy this requirement.

Incident Response Plan

A documented plan for responding to a security incident is increasingly required — even for small businesses.

Common Reasons Claims Are Being Denied

Even when a business has coverage, claims are increasingly being contested or denied. The most common reasons:

MFA was not enabled on the compromised account

Systems were running unpatched software with known vulnerabilities

Backups were stored on the same network as the affected systems (and were also encrypted)

The business couldn't demonstrate that basic security controls were in place at the time of the incident

The incident involved a system or account that wasn't disclosed during the application process

What You Should Do Now

Review your current policy carefully. Understand exactly what it covers, what the sub-limits are, and what exclusions apply. Many businesses discover significant gaps only when they need to make a claim.

Check whether you meet the requirements your insurer has set — both for maintaining your current policy and for renewal. Some insurers now conduct annual re-assessments.

Implement the missing controls before renewal or application. Insurers increasingly verify claims about security controls through technical assessments — not just self-attestation.

Document everything. Having records of your security practices, training sessions, and incident response procedures is essential if you ever need to demonstrate compliance after an incident.

The Bottom Line

Cyber insurance is not a substitute for good security — but it is a valuable safety net when incidents occur despite your best efforts. The key is making sure that safety net is actually there when you need it. That means having the right controls in place, understanding your policy terms, and keeping your coverage up to date as the requirements evolve.

Meet Your Insurer's Requirements

Our managed security services cover all the controls insurers now require — MFA, EDR, backups, training, and more. Get a free assessment to see where you stand.
