If you have renewed your business insurance in the last two years, you have probably noticed something new: your insurer is asking a lot of questions about cybersecurity. How do you handle passwords? Do you use multi-factor authentication? When was your last security assessment? These are not optional questions anymore. Get them wrong, and your claim gets denied.

Why Insurance Companies Started Caring About Your IT

The cyber insurance industry lost money for years. Insurers were paying out more in claims than they were collecting in premiums. Ransomware attacks alone cost insurers billions. So they did what any business would do: they got smarter about who they covered and what they required.

Today, most cyber insurance policies require a formal security assessment before they will issue or renew your policy. And if you suffer a breach, the first thing the claims adjuster checks is whether you actually did what you said you did on that questionnaire. If you checked "yes" on multi-factor authentication but you were not actually using it? Claim denied.

This is not hypothetical. We have seen it happen to two businesses in the last year alone. One was a medical practice that checked all the right boxes on their insurance application but had never actually implemented the controls. When they got hit with ransomware, the insurer denied their $340,000 claim. The practice had to pay out of pocket.

What We Actually Check During a Security Assessment

A real security assessment is not someone walking around your office and nodding approvingly. It is a structured review of your technology, your processes, and your people. Here is what we look at:

Access Controls: Who Can Get Into What

We start with the basics. Who has access to your systems, and do they need it? We routinely find employees who left the company months ago still with active accounts. We find interns with the same level of access as the CEO. We find shared passwords written on sticky notes attached to monitors.

This is not about shaming anyone. It is about closing doors that should not be open. Every unnecessary account is a potential way in for an attacker.

Network Security: What Is Your Perimeter

We examine how your network is set up. Is your guest Wi-Fi separated from your business network? (You would be amazed how often it is not.) Are your firewalls configured correctly? Are there devices on your network that nobody recognizes?

We scan for open ports, which are like unlocked doors on the outside of your building. Many small businesses have services exposed to the internet that have no reason to be there, left over from some configuration change years ago that nobody remembered to undo.

Email Security: Your Biggest Attack Surface

Over 90% of cyberattacks start with an email. We test whether your email system is properly configured to filter out malicious messages, whether your domain is protected against spoofing (someone sending email that looks like it comes from your company), and whether employees can recognize a phishing attempt.

That last part is important. Technology can only block so much. We typically send a simulated phishing email to your team as part of the assessment. The results are always eye-opening. Industry averages show that 20 to 30% of employees will click a well-crafted phishing link. We have seen it as high as 45% in companies with no prior training.

Data Protection: Where Your Sensitive Information Lives

We map where your business-critical data lives. Client files, financial records, employee information, intellectual property. Then we check how that data is protected. Is it encrypted? Who can access it? Is it backed up? Can you recover it if something goes wrong?

We often find sensitive data in places nobody expected. Client Social Security numbers in a shared spreadsheet. Financial records in a folder that the entire company can access. Backups stored on the same server as the original data, meaning a single ransomware attack takes out both.

Software and Updates: The Patching Gap

Software companies release security updates for a reason. Every update fixes known vulnerabilities. Every delay in applying that update is a window of opportunity for an attacker. We check every system and application for missing updates and create a priority list for remediation.

The typical small business we assess is running software that is 60 to 90 days behind on critical security patches. That is not unusual, but it is dangerous.

What We Typically Find: The Common Problems

After performing assessments for dozens of small and mid-sized businesses, we see the same issues over and over:

  1. No multi-factor authentication (MFA) on critical systems like email and cloud platforms. This single control prevents the vast majority of account-takeover attacks.
  2. Former employees with active accounts. The average company has 3 to 5 old accounts that should have been deactivated.
  3. No documented incident response plan. If you get breached at 2 AM on a Saturday, who do you call? What is the first step? Most businesses have no answer.
  4. Backups that have never been tested. Backing up is only half the job. If you have never tested a restore, you do not know if it works.
  5. Flat network architecture. Everything on one network means that if one machine gets compromised, the attacker can reach everything.

The 3 Things Insurers Check First

When a cyber insurance underwriter evaluates your application, or when a claims adjuster investigates after a breach, there are three controls they look at before anything else. These are the non-negotiables. Failing any one of them can be enough to void your entire policy or deny a claim outright.

1. Multi-Factor Authentication on ALL Accounts

Not just some accounts. Not just admin accounts. All accounts that have access to email, cloud services, financial systems, and remote access tools. Insurers have learned that stolen passwords are the number one entry point for ransomware and data breaches. MFA stops the vast majority of these attacks cold. If you told your insurer you have MFA enabled but it is only turned on for a few executives, that gap is enough for a claim denial. Insurers are now specifically asking for proof that MFA is enforced across the entire organization, including service accounts and third-party vendor access.

2. Regular Patch Cadence

Insurers want to know how quickly you apply security updates when software vendors release them. A critical vulnerability that sits unpatched for 90 days is not just a technical risk. It is evidence of negligence in the eyes of an insurance adjuster. The expectation is that critical security patches are applied within 14 to 30 days of release, and that you have a documented process for tracking and deploying updates. If a breach exploits a known vulnerability that had a patch available for months, expect the insurer to argue that the loss was preventable and therefore not covered.

3. Tested Backup and Recovery Plan

Having backups is not enough. Insurers now specifically ask whether you have tested restoring from those backups. The distinction matters enormously. We have seen businesses that dutifully ran backups every night for years, only to discover during an actual ransomware attack that the backups were corrupted, incomplete, or stored on the same network that got encrypted. A tested recovery plan means you have actually performed a full restore drill, documented the results, and confirmed that your business-critical data and systems can be recovered within an acceptable timeframe. If you cannot demonstrate this during a claim, the insurer has grounds to argue you did not maintain adequate controls.
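As an added illustration (not the firm's own tooling), this Python checker scores a constructed inventory against the three controls above plus the stale-account problem from the earlier list and ranks the findings so the critical ones come first. The 30-day patch SLA and 90-day negligence line come from the thresholds in the text; the one-year restore-drill age and all account, system and backup names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2024, 6, 1)       # assessment date (constructed)
PATCH_SLA_DAYS = 30            # upper end of the 14-to-30-day window insurers expect
RESTORE_TEST_MAX_AGE = 365     # assumption: a restore drill older than a year does not count

@dataclass
class Account:
    name: str
    kind: str                          # "user", "service" or "vendor"
    active: bool
    mfa_enforced: bool
    terminated: Optional[date] = None  # HR separation date, if any

@dataclass
class Backup:
    name: str
    last_restore_test: Optional[date]  # last successful full-restore drill, if ever
    same_network_as_source: bool

def assess(accounts, systems, backups, as_of=AS_OF):
    """Return (severity, finding) pairs, critical items first; systems maps name -> last critical patch date."""
    findings = []
    for a in accounts:                                 # disabled accounts are not an exposure
        if a.active and a.terminated and a.terminated < as_of:
            findings.append(("critical", f"{a.name}: separated {a.terminated}, account still active"))
        if a.active and not a.mfa_enforced:            # service and vendor accounts count too
            findings.append(("critical", f"{a.name} ({a.kind}): MFA not enforced"))
    for name, patched in systems.items():
        age = (as_of - patched).days
        if age > PATCH_SLA_DAYS:                       # past 90 days reads as negligence to an adjuster
            findings.append(("critical" if age > 90 else "high", f"{name}: {age} days since last critical patch"))
    for b in backups:
        if b.last_restore_test is None or (as_of - b.last_restore_test).days > RESTORE_TEST_MAX_AGE:
            findings.append(("high", f"{b.name}: no successful restore test in {RESTORE_TEST_MAX_AGE} days"))
        if b.same_network_as_source:
            findings.append(("high", f"{b.name}: backup reachable from the network it protects"))
    return sorted(findings, key=lambda f: {"critical": 0, "high": 1}[f[0]])

def sample_findings():
    """Constructed inventory modelled on the accounting-firm case; not real client data."""
    accounts = [Account("owner", "user", True, True),
                Account("jdoe", "user", True, False, terminated=date(2024, 1, 15)),
                Account("svc-backup", "service", True, False)]
    systems = {"file-server": date(2024, 2, 20), "firewall": date(2024, 4, 15),
               "workstation-07": date(2024, 5, 10)}
    backups = [Backup("nightly-usb", None, True), Backup("cloud-offsite", date(2024, 5, 28), False)]
    return assess(accounts, systems, backups)
```

Feeding a real export of accounts, patch dates and restore logs into `assess` produces the kind of prioritized finding list an insurer's questionnaire asks you to back up with evidence.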

A Real Example: The Accounting Firm That Almost Lost Their Policy

An accounting firm with 22 employees came to us last spring in a panic. Their cyber insurance was up for renewal, and the insurer sent a 47-question security questionnaire. They did not know how to answer half the questions, and they were pretty sure the honest answers to the other half would get their policy canceled.

We did a full assessment. The findings were not great, but they were not unusual either. No MFA on their email. Three former employees still had remote access. Their backup was going to an external drive that sat on the same desk as the server, and it had not been tested in over a year. Their firewall was using factory-default settings.

Here is the important part: we fixed all of it in under three weeks. MFA was turned on in an afternoon. Old accounts were disabled the same day. We set up proper cloud backups with automated testing and reconfigured the firewall. We created a written incident response plan.

The firm renewed their policy with no premium increase, and their insurer actually noted that their security posture was now above average for their industry. More importantly, they are genuinely more secure. The insurance requirement was the push they needed, but the real benefit is that their client data and their business are actually protected now.

What a Security Assessment Gets You

When the assessment is done, you get three things:

  1. A clear picture of where you stand. No vague warnings. Specific findings with specific risk levels. "Here is what is wrong, here is how bad it could be, here is how to fix it."
  2. An insurance-ready report. Documentation you can hand directly to your insurer that shows what you have in place, what you are working on, and your timeline for improvements.
  3. A prioritized action plan. Not everything needs to be fixed at once. We rank issues by risk so you can tackle the most dangerous ones first and work through the rest on a realistic timeline.

The Bottom Line

A security assessment is no longer optional for most businesses. Your insurer requires it, your clients expect it, and the threat landscape demands it. But beyond checking a box, a good assessment gives you something valuable: the truth about where your business is vulnerable and a clear path to fixing it.

You do not need to be perfect. You need to be honest, deliberate, and making progress. That is what insurers want to see, and it is what actually protects your business.