Cyber Insurance Readiness Checklist
Prepare for your next policy application or renewal — LevoySec
Why this matters: Cyber insurance carriers have dramatically tightened their requirements. Applications that would have been approved in 2021 are now routinely denied. Having these controls in place before you apply can mean the difference between coverage and rejection — and can significantly reduce your premium.
Identity & Access Management
- Multi-factor authentication (MFA) on all remote access
- MFA on email accounts (all users, not just admins)
- MFA on privileged/admin accounts
- Unique credentials for each user (no shared accounts)
- Privileged access management (PAM) for admin accounts
- Regular access reviews (quarterly recommended)
Endpoint Security
- Endpoint detection and response (EDR) on all endpoints
- Automated patch management (OS and third-party)
- Full disk encryption on all laptops and portable devices
- Mobile device management (MDM) for company devices
- Application whitelisting or control on critical systems
Network Security
- Next-generation firewall with active threat prevention
- Network segmentation (separate guest, IoT, and production)
- Secure remote access (VPN or ZTNA)
- DNS filtering to block known malicious domains
- Wireless network security (WPA3, segmented SSIDs)
Email Security
- Advanced email filtering (anti-phishing, anti-spoofing)
- DMARC, DKIM, and SPF records configured
- Security awareness training with phishing simulations
- Policies for handling sensitive information via email
Backup & Recovery
- Regular automated backups (at least daily)
- Offsite or cloud backup copies (air-gapped from production)
- Backup encryption
- Regular backup restoration testing (quarterly)
- Documented recovery time objectives (RTO) and recovery point objectives (RPO)
Incident Response & Governance
- Written incident response plan
- Incident response team identified (internal or outsourced)
- Tabletop exercises conducted (at least annually)
- Written information security policies
- Annual risk assessment
- Vendor/third-party risk management program
Documentation to Have Ready
- Most recent risk assessment report
- Security policy documents
- Incident response plan
- Business continuity / disaster recovery plan
- Employee training records
- Penetration test or vulnerability scan results
- Prior claims history (if applicable)