Cyber insurance requirements come down to a baseline of security controls underwriters verify before they bind coverage: multi-factor authentication, endpoint detection, tested offline backups, email filtering, and patch management. Miss one and you face a higher premium, a coverage sublimit, or a flat decline. The catch most applicants miss is that partial counts as missing. MFA on email but not your VPN or admin accounts reads as a gap, because underwriters score the surfaces you actually cover.
This checklist walks through each required control, what to put on the application, and the gaps that get direct-to-consumer (DTC) brands declined.
Key Takeaways
- Cyber insurance requirements start with a baseline of controls underwriters verify before they bind: MFA, EDR, tested offline backups, email filtering, and patch management.
- Ransomware hit 44% of breaches and 88% of small-business breaches in 2025 (Verizon DBIR), so carriers now treat EDR and offline backups as binding requirements.
- The US average data breach cost hit $10.22M in 2025 (IBM), so a single $1M cyber limit often underprotects a data-holding ecommerce brand.
- Partial MFA, on email but not VPN or admin accounts, is the most common reason a ready-looking cyber application stalls before binding, in Coverwatch's experience.
What security controls do I need to qualify for cyber insurance?
To qualify for cyber insurance, underwriters require a baseline of security controls: multi-factor authentication (MFA) on email and admin accounts, endpoint detection and response (EDR), tested offline backups, email filtering, and patch management. These are the controls a carrier checks on the application before agreeing to bind a policy.
The full baseline most carriers score runs longer than the headline three. Expect questions about MFA, EDR, and tested offline backups. Carriers also ask about email filtering, patch and vulnerability management, least-privilege access, encryption, security-awareness training, a written incident response (IR) plan, and network segmentation.
MFA means a second proof of identity beyond a password, like a code from an authenticator app. EDR is always-on software that watches your laptops and servers for malicious behavior and can isolate a machine the moment it sees something wrong. An IR plan is a written playbook for who does what when an incident hits.
These cyber insurance requirements are the binding gate, not a generic security wish list. Carriers map their applications to the NIST Cybersecurity Framework 2.0 and CIS Controls v8.1, so the questions you answer are pulled straight from those frameworks. This matters most for a scaling DTC brand, the same operator who needs online store insurance for Shopify sellers.
One supplements brand doing about $12M told their broker they had MFA and assumed they were ready, but it ran on email and not on the VPN or admin consoles. That gap surfaced the moment they filled out the application, the same surprise that hits brands wanting the full picture of ecommerce business risks.
Why do insurers now require MFA, EDR, and backups?
Insurers require MFA, EDR, and backups because those controls map directly to how breaches actually happen and how expensive they get. Stolen credentials and ransomware drive most claims, so carriers price the specific controls that blunt them.
In the Verizon 2025 DBIR, credential abuse was the most common way attackers got in at 22% of breaches, with vulnerability exploitation at 20% (up 34% year over year) and phishing at 16%. Ransomware showed up in 44% of breaches and in 88% of breaches at small and mid-sized businesses, though 64% of victims didn't pay. The same report found 60% of breaches involved a person doing something attackers exploited, and 30% involved a third party.
Each required control answers one of those numbers. MFA blunts stolen credentials, since a password alone no longer opens the door. EDR plus offline backups limit ransomware, catching the intrusion early and giving you a clean copy to restore from. Email filtering and staff training cut the phishing and human-element exposure, and patching closes the vulnerabilities attackers exploit.
(This is also why cyber coverage and theft of money are different policies: cyber addresses the breach itself, while commercial crime insurance covers stolen funds from wire, ACH, or vendor-email fraud.) Carriers underwrite these controls because claim frequency has climbed, so coverage now depends on what you can actually prove.
The cyber insurance readiness checklist
The cyber insurance readiness checklist is the set of controls to evidence before you apply, and the proof each one requires. For every control an underwriter wants two things: the scope you cover and the artifact that backs it up, like an MFA policy export, an EDR coverage report, or a dated restore-test log.
The shift that catches DTC brands off guard is the move from attesting to evidencing. Applications used to ask yes-or-no boxes. They increasingly ask for the config exports and reports behind the answer, because a false attestation turns into a coverage dispute the day you file a claim. The table below maps each of the cyber insurance controls an underwriter scores to what they ask, the evidence that satisfies it, and what happens if it is missing.
| Control | What underwriters ask | Evidence to provide | If missing |
|---|---|---|---|
| Multi-factor authentication (MFA) | Email, VPN, cloud admin, privileged accounts | Identity-provider policy export | Common decline |
| Endpoint detection and response (EDR) | Coverage %, servers included, 24/7 monitored | Console coverage report | Decline or surcharge |
| Tested offline or immutable backups | Frequency, offline copy, last restore test | Backup config plus restore-test date | Ransomware sublimit or decline |
| Email filtering / DMARC | Secure email gateway, DMARC enforced | Gateway name plus DMARC status | Surcharge |
| Patch and vulnerability management | Patch cadence, any end-of-life software | Patch SLA plus EOL inventory | EOL is often a knockout |
| Least-privilege / privileged access | Admin inventory, MFA on admin | Admin account list | Surcharge or condition |
| Encryption at rest and in transit | Disk and database encryption, TLS | Encryption config plus TLS status | Surcharge |
| Security-awareness training | Cadence, phishing simulations | Completion records | Surcharge |
| Written incident response plan | Plan exists, last tabletop test | Plan document plus last tabletop date | Condition or surcharge |
| Network segmentation | Production separated from general network | Network diagram | Surcharge or condition |
This checklist tracks the hygiene floor in frameworks like the NIST Cybersecurity Framework 2.0 and CIS Controls v8.1; CIS Implementation Group 1 (IG1) is the tier most carriers treat as the baseline for a small or scaling brand.
When one supplements brand pulled its EDR console, it found agents running on every laptop. Two production servers had none. That's the exact gap the application's "percentage of endpoints" question is designed to surface, and it's why two of the heaviest-scored controls deserve a closer look.
MFA: scope is everything
Underwriters don't score whether you have MFA so much as where it runs. The four surfaces they care about are email, VPN or remote access, cloud admin consoles, and privileged accounts, and a gap on any one reads as an open door.
Authenticator apps beat SMS codes, which attackers can intercept by hijacking a phone number, and CISA goes further by pushing phishing-resistant MFA that a fake login page can't replay. The proof an underwriter credits is an export from your identity provider showing the policy applied to each surface.
Backups underwriters will actually credit
A backup only counts here if ransomware can't reach it. That means an offline or immutable copy, segmented from production, plus a documented restore test proving the copy actually comes back. The common miss is a network-attached storage device that domain admin accounts can reach. The same credentials ransomware steals will encrypt that backup along with everything else, so it doesn't satisfy the question.
Your evidence is the backup config plus your last successful restore date, because an untested backup is just a theory, and underwriters price theories as risk.
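As an added example (not Coverwatch's tooling or anything this article ships), the Python script below scores a constructed evidence packet against the checklist table, the MFA-scope rule, and the restore-test rule above, attaching the table's own outcome labels to each gap. The four MFA surfaces, the 90-day restore-test freshness window, and all sample data are assumptions.

```python
# Added example, not Coverwatch's tooling; MFA surfaces and the 90-day restore window are assumptions.
from datetime import date

MFA_SURFACES = ("email", "vpn", "cloud_admin", "privileged")
RESTORE_TEST_MAX_AGE_DAYS = 90  # assumed freshness window; carriers vary
AS_OF = date(2025, 6, 1)  # constructed "today" so results are reproducible

def mfa_gaps(mfa_by_surface):  # surfaces the identity-provider export does not show MFA enforced on
    return [s for s in MFA_SURFACES if not mfa_by_surface.get(s, False)]

def edr_coverage(assets):  # (coverage %, asset names without an agent) from a console-style inventory
    missing = [a["name"] for a in assets if not a["agent"]]
    pct = round(100 * (len(assets) - len(missing)) / len(assets)) if assets else 0
    return pct, missing

def dmarc_policy(txt_record):  # the p= tag of a DMARC TXT record; 'none' is monitor-only, not enforced
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()

def readiness_findings(evidence, today):
    """Attach the checklist table's outcome label to each gap found in the packet."""
    out, gaps = [], mfa_gaps(evidence["mfa"])
    if gaps:
        out.append(("MFA", "common decline", "not enforced on " + ", ".join(gaps)))
    pct, missing = edr_coverage(evidence["assets"])
    if missing:
        out.append(("EDR", "decline or surcharge", f"{pct}% covered; no agent on " + ", ".join(missing)))
    b = evidence["backups"]
    age = (today - b["last_restore_test"]).days
    if not b["offline_or_immutable"] or age > RESTORE_TEST_MAX_AGE_DAYS:
        out.append(("Backups", "ransomware sublimit or decline", f"offline={b['offline_or_immutable']}, restore test {age} days old"))
    if dmarc_policy(evidence["dmarc"]) not in ("quarantine", "reject"):
        out.append(("Email filtering / DMARC", "surcharge", "DMARC policy is not enforcing"))
    if evidence["eol_software"]:
        out.append(("Patch management", "knockout", "end-of-life: " + ", ".join(evidence["eol_software"])))
    return out

# Constructed packet mirroring the article's anecdotes: email-only MFA, agents on laptops but not servers, reachable NAS backup, monitor-only DMARC.
SAMPLE_EVIDENCE = {
    "mfa": {"email": True, "vpn": False, "cloud_admin": False, "privileged": False},
    "assets": [{"name": "laptop-01", "agent": True}, {"name": "laptop-02", "agent": True},
               {"name": "prod-web-01", "agent": False}, {"name": "prod-db-01", "agent": False}],
    "backups": {"offline_or_immutable": False, "last_restore_test": date(2025, 1, 10)},
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "eol_software": ["order-management server OS (placeholder, unsupported)"],
}

if __name__ == "__main__":
    for control, outcome, detail in readiness_findings(SAMPLE_EVIDENCE, AS_OF):
        print(f"{control}: {outcome} ({detail})")
```

Each finding names the control, the outcome the table assigns to that gap, and the detail an underwriter would see, which is the same view the mock questionnaire in the readiness steps is meant to surface.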
What does cyber insurance cost, and how do controls change your premium?
Cyber liability insurance cost for a small or mid-sized ecommerce brand typically runs in the low four figures a year for a $1M limit. The figure swings widely with revenue, the volume of customer data you hold, and your controls. Stronger controls move you toward better pricing and higher available limits.
Typical industry ranges put a $1M-limit standalone policy at roughly $1,000 to $7,500 per year, with lower-risk small firms often clustering around $1,500 to $2,000. Treat those as medium-confidence market estimates rather than a single regulator figure.
Five factors set your number. They are revenue, the volume of sensitive customer records you hold, your industry, prior incident history, and the security controls already in place. A DTC brand sitting on years of payment and personal data lands in a higher-rated bucket than a B2B service firm at the same revenue, simply because it has more to lose.
Controls work on the price through the underwriter's loss math. Better controls lower your expected breach frequency and severity, which shows up as a lower rate, a higher limit you can actually buy, and a higher ransomware sublimit. No single percentage captures the discount, because the effect runs through that loss math rather than a published rate credit.
Sizing the limit is where most brands get it wrong, anchoring to revenue when the real question is what a breach would actually cost. The US average data breach cost reached $10.22M in 2025, per IBM. Against that figure, a single $1M limit often underprotects a data-holding ecommerce brand.
A beauty brand around $30M held years of customer payment and order data and was set on a $1M limit. The breach-cost math reframed it. They moved up once they saw the average US breach runs into eight figures.
What gets you declined at underwriting?
Cyber applications get declined at underwriting for a short list of reasons. The big ones are no MFA, or MFA missing on VPN, admin, or email, and no EDR or EDR not deployed to servers. Unsupported end-of-life software, no tested offline backups, and a prior unremediated incident round out the list. Each one is fixable, and each maps to a control on the checklist.
| Decline reason | Fix | Typical time |
|---|---|---|
| No MFA, or MFA missing on VPN, admin, or email | Enforce phishing-resistant MFA across every login surface | 2 to 4 weeks |
| No EDR, or EDR not on servers | Deploy EDR agents to every endpoint, servers included | 2 to 6 weeks |
| End-of-life or unsupported software (often an automatic knockout, since the vulnerability cannot be patched) | Upgrade the software or fully segment the system off the network | 4 to 12 weeks |
| No tested offline backups (pushes ransomware to a low sublimit or a decline) | Stand up an offline or immutable backup and document a restore test | 3 to 6 weeks |
| Prior unremediated incident | Close the root cause and document the remediation | Varies |
| Internet-exposed unpatched edge devices or VPNs | Patch or retire the gateway and put it behind MFA | 1 to 4 weeks |
Internet-exposed edge devices and VPNs sit high on that list now. The Verizon 2025 DBIR found edge-device and VPN exploitation grew to 22% of exploitation actions, with a median 32 days to patch. Carriers scrutinize any unpatched gateway as a result.
An apparel brand we worked with was declined outright because its order-management system ran on an end-of-life server OS. The carrier treated the unpatchable software as an open door and wouldn't quote until the brand retired or fully segmented it.
Plan roughly 60 to 90 days before you apply, because enforcing MFA everywhere, deploying EDR to every endpoint, and standing up a tested offline backup all take time. Your application answers have to be true and backed by evidence.
To get ready for a cyber insurance application, self-assess against a free baseline like CIS Controls Implementation Group 1, close the knockout gaps first (MFA everywhere, EDR on every endpoint, an offline tested backup, no end-of-life software), then assemble the evidence the application will demand before a carrier ever sees a gap. IG1 is the baseline-hygiene set scoped to small and mid-sized firms, and both NIST Cybersecurity Framework 2.0 and CISA's performance goals map to it.
1. Self-assess your stack against the IG1 baseline so you know where you stand before a carrier scores you.
2. Map each finding to the binding controls underwriters check: MFA scope, EDR coverage, an offline tested backup, end-of-life software, and a written incident response plan.
3. Close the knockout gaps first, since one unpatchable system or email-only MFA can sink an otherwise-ready application.
4. Assemble the evidence packet, including your MFA policy export, EDR coverage report, and a dated restore-test log.
5. Run a mock questionnaire against a real application so any gap surfaces on your side rather than the underwriter's.
That sequence is the work Coverwatch runs as a pre-application gap analysis. We match a brand's actual control scope to a carrier's appetite across many cyber markets before submission, so the brand applies to a carrier likely to say yes instead of guessing and absorbing a decline.
If you want help mapping your stack and choosing the right ecommerce insurance coverage, that's where it starts. Begin the gap analysis 60 to 90 days before you need to bind. That runway is enough to enforce MFA, deploy EDR, and stand up a tested backup before you have to qualify for cyber insurance.
Frequently asked questions
Yes. Missing multi-factor authentication (MFA), especially on email, VPN, or admin accounts, is the most common single reason a cyber application gets knocked out before binding. Carriers treat MFA as a baseline control rather than an upgrade, so a gap on any of those surfaces can stop a quote. Confirm your MFA scope covers every login surface before you apply.
Underwriters ask where MFA is enforced by surface, which endpoint detection (EDR) product you run and what percentage of endpoints it covers, your backup frequency and whether a copy is immutable and recently restore-tested, your patch cadence, and whether any end-of-life software is still in use. Most applications also ask about email security, your incident response plan, and any prior incidents. If you request a larger limit, expect a separate supplemental ransomware application with deeper questions.
Size the limit against your likely breach cost, not your revenue. With the US average breach reaching $10.22M in 2025 (IBM, https://www.ibm.com/reports/data-breach), a single $1M limit often underprotects a brand holding large volumes of customer payment and order data. Map your limit to how many sensitive records you store and how a breach would actually unfold for your store.
Directionally yes. Better controls reduce how often and how severely a carrier expects you to suffer a loss, and underwriters translate that into a lower rate, access to higher limits, and a higher ransomware sublimit. There's no fixed percentage attached to any one control, because the effect runs through the underwriter's loss math itself rather than a published discount.
Plan for 60 to 90 days. Enforcing MFA on every login surface, deploying EDR to all endpoints, and standing up an offline backup with a documented restore test are the slowest items to put in place. Retiring end-of-life software can run longer, since it often means migrating a system you depend on.