How to Lower Your Cyber Insurance Premium Through IT Improvements

If your cyber insurance premium has gone up significantly at the last one or two renewals, you're not alone and you're not imagining it. The cyber insurance market experienced rate increases of 50% or more between 2020 and 2023 across nearly all business segments, driven by an explosion in ransomware claims, rising incident severity, and the market's scramble to properly price cyber risk after years of undercharging for it.

The increases are real. But here is what many business owners don't know: the premium you pay is not simply a market rate applied uniformly to businesses of your size and industry. It is a risk-adjusted price, and the technical controls you have — or don't have — in your IT environment directly determine where you fall in the underwriter's pricing model.

Businesses with strong security controls documented and deployed correctly pay materially less than businesses without them, even at the same revenue and headcount. The difference isn't marginal. On specific controls, premium impact is measured in 20- to 30-percentage-point reductions. In aggregate, the spread between a well-secured business and a poorly-secured one of the same size can represent tens of thousands of dollars in annual premium.

This guide explains exactly which controls underwriters care about most, how they assess them, how to document them effectively, and how IT Center's managed security posture directly addresses the requirements that drive your cyber insurance cost. We'll also address the economics of the investment itself — because the math almost always resolves in favor of doing this right.

The core insight: Cyber insurance underwriters are not guessing about your security posture. They're building a risk model, and your technical controls are inputs into that model. The better your controls, the lower your modeled risk, and the lower your premium. IT security and insurance cost are the same variable measured in two different units.

What Underwriters Actually Assess

Modern cyber insurance underwriting has become significantly more rigorous since 2021. Carriers who once accepted checkbox applications are now conducting technical assessments, asking detailed follow-up questions, and in some cases running external scans of your internet-facing infrastructure before binding coverage.

When an underwriter evaluates your application, they are building a mental model of your incident probability and your incident severity. Every control question they ask maps to one of those two dimensions. Here is what they are actually evaluating across the major control categories:

Multi-Factor Authentication (MFA)

MFA is the single most scrutinized control in cyber underwriting, full stop. Virtually every current cyber application asks about it explicitly, and many carriers will decline to quote or will apply a significant surcharge if MFA is not deployed on email, remote access, and privileged accounts. This is not an overreaction — Microsoft's own data shows that MFA prevents over 99.9% of automated account compromise attacks, which represent a massive proportion of the initial access events that lead to ransomware and data breach claims.

Underwriters want to know not just that MFA is enabled, but where it's enforced. The key coverage areas they assess: email (Microsoft 365 or Google Workspace), VPN and remote access, administrative and privileged accounts, cloud platforms, and your key business applications. An MFA deployment that covers email but leaves VPN and admin accounts unprotected gets less credit than a comprehensive deployment.

Endpoint Detection and Response (EDR)

Traditional antivirus is no longer considered adequate security by the vast majority of cyber underwriters. They want EDR — a behavioral detection platform that watches endpoint activity in real time and can respond to threats that signature-based antivirus would miss entirely. Questions about EDR appear on virtually every current cyber application, and the answer directly affects both your premium and in some cases whether coverage will bind at all.

The underwriter assessment goes further than yes/no. They want to know whether EDR is actively monitored (meaning someone reviews alerts) and whether monitoring occurs 24/7. An EDR tool deployed but not monitored provides less underwriting credit than one actively managed by a security operations team.

Backup Frequency and Testing

Backups are directly tied to incident severity. A business with tested, recent, isolated backups has a ransomware recovery pathway that doesn't require paying the ransom and doesn't involve weeks of downtime. That makes them a dramatically better risk than a business whose backups are infrequent, untested, or connected to the primary network in a way that allows ransomware to encrypt them as well.

Underwriters ask about backup frequency, retention period, whether backups are stored offline or in immutable storage, and critically, whether backups are tested. A business that can demonstrate quarterly restore testing with documented results gets meaningfully better terms than one that has backups in place but has never verified they actually work.

Patch Management

Known, unpatched vulnerabilities are the entry points for a significant percentage of successful attacks. Underwriters want assurance that your business has a formal process for identifying and applying patches within defined timeframes — not "we patch when we think of it." They're particularly concerned about critical security patches for operating systems, network infrastructure, and remote access tools, where unpatched vulnerabilities have been weaponized in high-profile campaigns that affected thousands of businesses simultaneously.

Privileged Access Management and Access Controls

How are administrator-level accounts managed in your environment? Are admin credentials shared? Is the principle of least privilege enforced — meaning users have access only to the systems and data they actually need for their work? What happens to access when employees leave? Underwriters are building a picture of your lateral movement risk: if an attacker compromises one account, how easily can they move through your environment to reach your most valuable systems and data?

Email Security Controls

Email is the primary attack delivery mechanism for phishing, business email compromise, and malicious attachments. Underwriters assess whether you have SPF, DKIM, and DMARC configured — the email authentication standards that prevent domain spoofing — and whether you have advanced email security beyond the default filtering included with Microsoft 365 or Google Workspace. Anti-phishing technology, impersonation protection, and sandboxing of attachments and links are all positive signals in the underwriting process.

Incident Response Plan

A documented incident response plan is a strong underwriting signal. It tells the carrier that you have thought through what happens when an incident occurs — who to call, what authority exists to take systems offline, how to communicate with stakeholders, and what your recovery priorities are. Businesses without any documented plan are treated as higher severity risks because their response to an incident will be slower and more chaotic, which means larger losses.

50%+: Premium increases experienced by many businesses at renewal from 2021 to 2023. The market has partially stabilized, but poorly-secured businesses continue to face outsized increases — or can't get coverage at all.

The Controls With the Biggest Premium Impact

Not all security controls carry equal weight in the underwriting model. Based on how carriers have structured their questionnaires and the credits they document in their rate filings, here are the controls with disproportionate impact on your premium:

MFA on Email and Remote Access

The highest single-factor premium driver in the current market. Carriers have explicitly stated that absence of MFA on email is grounds for declination or surcharge. Full MFA deployment across email, VPN, and admin accounts is documented to reduce premiums by 20–30% in carrier rate models. This is the highest-leverage security investment available to any business, and it costs almost nothing beyond the discipline to enforce it.

20–30% Impact

EDR with Active Monitoring

EDR deployment — particularly when paired with 24/7 monitoring — signals to underwriters that your organization has the capability to detect and contain threats before they escalate into full-scale incidents. Many carriers now treat EDR as a binary qualifying criterion. Businesses without it pay higher base rates; in some market segments they're declined outright.

15–25% Impact

Immutable or Offline Backups with Tested Recovery

Backups that ransomware cannot encrypt are the difference between a contained incident and a catastrophic one. Immutable cloud backups or air-gapped offline storage, combined with documented successful restore tests, directly reduce the maximum probable loss in an underwriter's model — which translates into lower severity load in your premium calculation.

10–20% Impact

Formal Patch Management Program

A documented patch management process with defined SLAs (critical patches within 14 days, standard patches within 30 days), together with a tracking mechanism that demonstrates compliance, signals the risk maturity underwriters reward. This control is particularly relevant for businesses in sectors that have been targeted through specific known vulnerabilities — healthcare, legal, professional services, and manufacturing are all on that list.

8–15% Impact
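The SLA clock described above is easy to state and easy to lose track of across a fleet. The script below is an added example, not code from IT Center or the original article: given a pending-patch inventory and the article's windows (critical within 14 days, standard within 30), it computes the percentage of endpoints inside SLA and lists every overdue patch with the number of days it has slipped, which is the shape of report an application asks for. The fleet, hostnames, dates and patch ids are constructed sample values, not output from any real RMM platform.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# SLA windows from the article: critical patches within 14 days, standard within 30.
PATCH_SLA_DAYS = {"critical": 14, "standard": 30}


@dataclass(frozen=True)
class PendingPatch:
    patch_id: str      # constructed placeholder ids below, not real KB/CVE numbers
    severity: str      # "critical" or "standard"
    released: date     # vendor release date; the SLA clock starts here


@dataclass
class Endpoint:
    hostname: str
    pending: List[PendingPatch]


def sla_deadline(patch: PendingPatch) -> date:
    """Date by which the patch must be installed; unknown severities get the standard window."""
    window = PATCH_SLA_DAYS.get(patch.severity, PATCH_SLA_DAYS["standard"])
    return patch.released + timedelta(days=window)


def overdue_patches(endpoint: Endpoint, as_of: date) -> List[Tuple[str, str, int]]:
    """(patch_id, severity, days past deadline) for every pending patch outside its SLA."""
    return [(p.patch_id, p.severity, (as_of - sla_deadline(p)).days)
            for p in endpoint.pending if as_of > sla_deadline(p)]


def compliance_report(endpoints: List[Endpoint], as_of: date) -> Dict:
    """Summarise SLA compliance the way a renewal needs it: a percentage plus the exceptions."""
    overdue = {e.hostname: overdue_patches(e, as_of) for e in endpoints}
    compliant = sum(1 for hits in overdue.values() if not hits)
    total = len(endpoints)
    return {
        "as_of": as_of.isoformat(),
        "endpoints": total,
        "compliant": compliant,
        "compliance_pct": round(100.0 * compliant / total, 1) if total else 100.0,
        "critical_overdue": sum(1 for hits in overdue.values() for h in hits if h[1] == "critical"),
        "overdue_by_host": {host: hits for host, hits in overdue.items() if hits},
    }


def format_report(report: Dict) -> str:
    """One-page text rendering suitable for attaching to the application."""
    lines = [f"Patch SLA compliance as of {report['as_of']}: "
             f"{report['compliant']}/{report['endpoints']} endpoints "
             f"({report['compliance_pct']}%) within SLA"]
    for host, hits in sorted(report["overdue_by_host"].items()):
        for patch_id, severity, days in hits:
            lines.append(f"  {host}: {patch_id} ({severity}) overdue by {days} days")
    return "\n".join(lines)


# Constructed sample inventory for a hypothetical fleet (not data from any real RMM).
AS_OF = date(2024, 3, 1)
SAMPLE_FLEET = [
    Endpoint("ws-01", [PendingPatch("CONSTRUCTED-001", "critical", date(2024, 2, 20))]),  # 10 days old: in SLA
    Endpoint("ws-02", [PendingPatch("CONSTRUCTED-002", "critical", date(2024, 2, 10))]),  # deadline 02-24: overdue
    Endpoint("srv-01", [PendingPatch("CONSTRUCTED-003", "standard", date(2024, 1, 20))]), # deadline 02-19: overdue
    Endpoint("ws-03", []),                                                                  # nothing pending
    Endpoint("ws-04", [PendingPatch("CONSTRUCTED-004", "standard", date(2024, 2, 5))]),   # deadline 03-06: in SLA
]

if __name__ == "__main__":
    print(format_report(compliance_report(SAMPLE_FLEET, AS_OF)))
```

On the constructed fleet the report shows 3 of 5 endpoints (60.0%) within SLA, with ws-02 six days past its critical deadline and srv-01 eleven days past its standard one. The SLA clock is deliberately keyed to the vendor release date rather than the date the patch was first seen by the tooling, because that is the number an underwriter (and an attacker) cares about.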

Email Authentication (SPF/DKIM/DMARC)

These three DNS-based email authentication standards prevent your domain from being spoofed in phishing attacks targeting your clients and vendors. DMARC in enforcement mode (p=reject) is particularly valued by underwriters because it closes a specific attack vector used in business email compromise schemes — one of the top dollar-loss categories in cyber claims.

5–12% Impact
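"Configured" and "enforcing" are not the same thing for SPF and DMARC, which is why the paragraphs above single out p=reject. As an added example (not code from IT Center or the original article), the checker below parses the SPF and DMARC TXT records for a domain and reports the enforcement properties that matter: whether SPF ends in a hard fail (-all), whether DMARC is in enforcement mode at full coverage (p=reject, pct=100), and common weaknesses such as p=none, a softer subdomain policy, a missing reporting address, or more than the ten DNS lookups RFC 7208 allows. The two record sets are constructed sample values for hypothetical domains; in practice they come from DNS TXT lookups of the domain and its _dmarc subdomain.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records for hypothetical domains (not real DNS data).
# Keys mirror the DNS names you would query: the domain for SPF, _dmarc.<domain> for DMARC.
STRONG_RECORDS: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"],
}
WEAK_RECORDS: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:spf.protection.outlook.com a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DMARC_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class EmailAuthReport:
    spf_present: bool = False
    spf_all_mechanism: Optional[str] = None  # "-all", "~all", "?all", "+all" or None
    dmarc_present: bool = False
    dmarc_policy: Optional[str] = None       # "none", "quarantine" or "reject"
    dmarc_pct: int = 100
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when SPF hard-fails unauthorised senders and DMARC rejects at 100%."""
        return (self.spf_all_mechanism == "-all"
                and self.dmarc_policy == "reject"
                and self.dmarc_pct == 100)


def parse_spf(record: str, report: EmailAuthReport) -> None:
    """Fill in the SPF fields of the report from one v=spf1 TXT record."""
    report.spf_present = True
    lookups = 0
    for token in record.split()[1:]:
        bare = token.lstrip("+-~?").lower()
        if bare == "all":
            qualifier = token[0] if token[0] in "+-~?" else "+"
            report.spf_all_mechanism = qualifier + "all"
            continue
        # Term name is the part before ":" or "/" (mechanisms) or "=" (modifiers).
        name = bare.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if report.spf_all_mechanism is None:
        report.findings.append("SPF has no 'all' mechanism; unlisted senders get a neutral result")
    elif report.spf_all_mechanism in ("+all", "?all"):
        report.findings.append(f"SPF ends in {report.spf_all_mechanism}: effectively no sender restriction")
    elif report.spf_all_mechanism == "~all":
        report.findings.append("SPF ends in ~all (softfail): spoofed mail is marked, not rejected")
    if lookups > 10:
        report.findings.append(f"SPF needs {lookups} DNS lookups, over the RFC 7208 limit of 10 (permerror)")


def parse_dmarc(record: str, report: EmailAuthReport) -> None:
    """Fill in the DMARC fields of the report from one v=DMARC1 TXT record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in DMARC_STRENGTH:
        report.findings.append("DMARC record has no valid p= tag; receivers ignore it")
        return
    report.dmarc_present = True
    report.dmarc_policy = policy
    report.dmarc_pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "none":
        report.findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        report.findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    if report.dmarc_pct < 100:
        report.findings.append(f"DMARC pct={report.dmarc_pct}: policy applies to only part of the mail")
    subdomain_policy = tags.get("sp", policy).lower()
    if DMARC_STRENGTH.get(subdomain_policy, 0) < DMARC_STRENGTH[policy]:
        report.findings.append(f"DMARC sp={subdomain_policy} is weaker than p={policy}; subdomains can be spoofed")
    if "rua" not in tags:
        report.findings.append("DMARC has no rua= address: no aggregate reports, no visibility into spoofing")


def evaluate_domain(domain: str, records: Dict[str, List[str]]) -> EmailAuthReport:
    """Evaluate one domain from a dict of TXT records keyed by DNS name."""
    report = EmailAuthReport()
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        report.findings.append("no SPF record: any host may send as this domain")
    elif len(spf) > 1:
        report.findings.append("multiple SPF records: permerror under RFC 7208, SPF effectively off")
    else:
        parse_spf(spf[0], report)
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        report.findings.append("no DMARC record: SPF/DKIM results are never enforced")
    else:
        parse_dmarc(dmarc[0], report)
    return report


if __name__ == "__main__":
    for name, recs in (("example.com", STRONG_RECORDS), ("weak.example", WEAK_RECORDS)):
        rep = evaluate_domain(name, recs)
        print(name, "enforcing" if rep.enforcing else "NOT enforcing")
        for finding in rep.findings:
            print("  -", finding)
```

The strong sample comes back enforcing with no findings; the weak one is "configured" in the sense an application checkbox would accept, yet it softfails SPF, monitors rather than rejects under DMARC, and has no reporting address, so it would not close the spoofing vector the paragraph above describes. DKIM is deliberately left out: its record is per selector and its correctness is proven by signed mail, not by a DNS lookup alone.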

Documented Incident Response Plan

A written IR plan — even a concise one — demonstrates organizational preparedness. It reduces the expected severity of any incident because businesses with a plan respond faster, make better decisions under pressure, and contain incidents more effectively. Carriers recognize this in their models and reward it in pricing.

5–10% Impact

Security Awareness Training with Phishing Simulations

Employee training with documented phishing simulation results demonstrates active effort to reduce your most common attack vector. Carriers want to see training frequency (quarterly is better than annual), participation rates, and improvement trends in phishing simulation click rates. Businesses that show declining click rates over time are demonstrating measurable security culture improvement.

5–10% Impact

How to Document Your Controls for the Application

One of the most avoidable reasons businesses pay more than they should for cyber insurance is poor documentation. The controls might be in place — but if they can't be demonstrated clearly on the application, the underwriter has to assume the worst.

Here is how to document your key controls effectively:

MFA documentation. Provide a screenshot or configuration export showing the conditional access policy or MFA enforcement setting in Microsoft 365 Admin Center or Google Workspace Admin. Show that MFA is required (not just enabled optionally) and that it covers the scope stated on the application. If there are break-glass accounts or service accounts excluded from MFA, document what compensating controls exist for them.

EDR documentation. Provide the EDR platform name, version, and coverage report showing the percentage of endpoints with the agent installed and active. Include the monitoring arrangement — who receives and responds to alerts, and what the expected response time is. If your MSP provides monitoring, include a brief statement or documentation of the monitoring SLA.

Backup documentation. Provide the backup policy configuration showing frequency, retention, and storage location (with confirmation of whether it's offline/immutable). Include the most recent backup restore test record — the date, what was restored, and whether it was successful. A one-page restore test log is more persuasive than any verbal assurance.

Patch management documentation. Provide your patch management policy (even a brief written one stating the patching SLAs) and a recent patch compliance report from your RMM platform showing the percentage of endpoints at current patch levels. If you use an MSP, request this report — it's a standard deliverable and your MSP should be able to provide it in under 24 hours.

Incident response plan. Provide the plan document itself. It does not need to be long. A 2–3 page document covering roles, escalation contacts, system isolation authority, carrier contact procedures, and communication templates demonstrates the organizational maturity underwriters are looking for.
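The MFA documentation item above asks for more than a screenshot: it asks you to prove the policy is enforced (not report-only), that its scope matches the application, and that any excluded break-glass accounts are known and explained. The script below is an added example, not code from IT Center or the original article, that extracts exactly those facts from a Conditional Access policy export. The export is constructed for a hypothetical tenant, and its field names follow the Microsoft Graph conditionalAccessPolicy shape as assumed here (displayName, state, conditions.users, conditions.applications, grantControls); check them against your own tenant's export before relying on the result. The account and role ids are placeholders.

```python
from typing import Dict, List

# Constructed Conditional Access export for a hypothetical tenant (not real tenant data).
# Field names follow the Microsoft Graph conditionalAccessPolicy shape as assumed here.
SAMPLE_EXPORT: List[Dict] = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["00000000-0000-0000-0000-0000000000a1",   # constructed break-glass ids
                                       "00000000-0000-0000-0000-0000000000a2"],
                      "includeRoles": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA or compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabledForReportingButNotEnforced",   # report-only: proves nothing to an underwriter
        "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                                 "includeRoles": ["<placeholder-admin-role-id>"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

ENFORCED_STATE = "enabled"  # "enabledForReportingButNotEnforced" and "disabled" enforce nothing


def requires_mfa(policy: Dict) -> bool:
    """True when every way of satisfying the grant involves MFA.
    With operator OR and an extra control such as compliantDevice, a managed device
    signs in without MFA, so the policy does not prove MFA enforcement."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if grant.get("authenticationStrength"):      # newer policies express MFA as an authentication strength
        return True
    if "mfa" not in controls:
        return False
    return grant.get("operator", "OR") == "AND" or controls == ["mfa"]


def covers_all_users_and_apps(policy: Dict) -> bool:
    """Scope check: the policy must target all users and all cloud apps to back a tenant-wide claim."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return "All" in users.get("includeUsers", []) and "All" in apps.get("includeApplications", [])


def mfa_evidence(policies: List[Dict]) -> Dict:
    """Summarise what the export proves and what still needs a written explanation."""
    enforcing = [p for p in policies if p.get("state") == ENFORCED_STATE and requires_mfa(p)]
    tenant_wide = [p for p in enforcing if covers_all_users_and_apps(p)]
    exempt = sorted({u for p in tenant_wide for u in p["conditions"]["users"].get("excludeUsers", [])})
    return {
        "mfa_enforced_all_users_all_apps": bool(tenant_wide),
        "enforcing_policies": [p["displayName"] for p in tenant_wide],
        "exempt_accounts_needing_compensating_controls": exempt,
        "not_enforced_policies": [p["displayName"] for p in policies if p.get("state") != ENFORCED_STATE],
        "weak_grant_policies": [p["displayName"] for p in policies
                                if p.get("state") == ENFORCED_STATE and not requires_mfa(p)],
    }


if __name__ == "__main__":
    for key, value in mfa_evidence(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

On the constructed export only the first policy supports the claim "MFA enforced for all users on all apps"; the two excluded accounts are the ones that need a compensating-controls note on the application, the report-only admin policy is flagged as not enforced, and the "MFA or compliant device" policy is flagged because a compliant device satisfies it without MFA.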

"Underwriters are building a risk model from your application answers. The better you document your actual controls, the more accurately that model reflects your real security posture — and the lower the risk premium you pay. Vague answers get priced conservatively. Documented answers get priced on the facts."

IT Center's Managed Security Posture and Underwriter Requirements

When a business joins IT Center's managed IT and cybersecurity program at $300 per computer user per month, they receive a security posture that is specifically designed to satisfy the requirements that drive cyber insurance underwriting — not as an afterthought, but as a structural component of what we deliver.

Here is how the IT Center managed program maps to the underwriter checklist:

Underwriter Requirement           | IT Center Delivers
MFA on email and remote access    | Configured and enforced on day one of onboarding
EDR on all endpoints              | Enterprise EDR deployed to every workstation and server, actively monitored
24/7 EDR monitoring               | Alert monitoring and response, on-call coverage after hours
Formal patch management           | Automated patching with defined SLAs, compliance reports available on request
Tested backup and recovery        | Offsite/cloud backup with documented quarterly restore verification
Email security controls           | SPF/DKIM/DMARC configuration, advanced email security layer
Incident response plan            | Maintained and updated for each client, includes carrier contact info
Security awareness training       | Quarterly phishing simulations with completion tracking
Documentation for application     | Full control evidence package available for insurance renewals

None of these are optional add-ons or premium tiers within our program. They are the standard delivery for every managed client because a security posture that has gaps is not a managed security posture — it's managed IT with some security sprinkled on top.

The practical consequence: when an IT Center managed client renews their cyber insurance, they can answer every underwriter control question accurately and affirmatively, with documentation to support every answer. That's a materially different negotiating position than a business that has to answer "partially" or "we believe so" to key questions.

The Math: $300 per Computer User per Month vs. Premium Savings

Let's put numbers on this for a concrete example.

Consider a 25-person professional services firm in the Inland Empire. They currently have a $1 million cyber policy with a $10,000 annual premium. Their security posture is typical for businesses without a managed IT provider: MFA on email but not on VPN, consumer-grade antivirus (not EDR), backups that haven't been tested in over a year, no formal patch management process, and no written IR plan.

At renewal, with the current market's scrutiny of security controls, that policy may well be rated higher — not lower — if the carrier's underwriting team identifies the gaps. A 20–30% rate increase on a business with a weak posture is not unusual.

Now, the same firm engages IT Center's managed program at $300 per computer user per month. For 25 employees, that's $7,500 per month — $90,000 annually. Within 90 days of onboarding, their posture transforms: MFA fully enforced, EDR deployed and monitored, patching automated, backups tested and documented, IR plan written. They renew their cyber policy with comprehensive documentation of every control.

Based on the underwriting impact of those controls — particularly MFA (20–30% reduction) and EDR with monitoring (15–25%) — a reasonable premium reduction at renewal would put that $10,000 premium at $6,500–$7,500. That's an annual premium saving of $2,500–$3,500 for a single policy.

The argument here is not that managed IT pays for itself through insurance savings alone — the math obviously doesn't work that way at that scale. The argument is that the security posture IT Center builds has real, measurable financial value beyond the operational benefits of having technology that works reliably. The insurance premium reduction is one concrete, dollars-on-the-table expression of that value. Reduced incident probability, faster response when something does occur, and avoided downtime costs are others.

Working With a Broker Who Understands IT Security

The broker relationship matters enormously in cyber insurance, and most businesses are not working with the right broker for this coverage.

A generalist property and casualty broker who adds cyber as an afterthought to your business owner policy is not equipped to navigate the current cyber underwriting market. They don't speak the technical language fluently, they often don't know which carriers are most competitive for businesses with your specific control profile, and they may not know how to present your security documentation in ways that generate the best underwriting outcome.

A specialist cyber broker — one whose practice is centered on technology and cyber risk — brings fundamentally different value. They know which carriers are currently offering favorable terms for businesses with strong managed security programs. They know how to structure the application narrative to highlight your controls. They know which endorsements to push for (social engineering sublimit increases, extended reporting periods, vendor/supply chain coverage) and which coverage gaps are worth additional premium. And they can serve as a liaison to your underwriter throughout the policy relationship — not just at renewal.

When you're evaluating brokers, ask these specific questions: How many cyber-specific clients do you manage? Which carriers have you placed cyber coverage with in the last 12 months? Can you describe the last time you helped a client improve their underwriting outcome by documenting their security controls? If the answers are vague or uncomfortable, keep looking.

For businesses working with IT Center, we actively support the broker relationship. When a client's renewal comes up, we can brief the broker on the specific controls in place, provide the documentation package, and answer technical questions that arise during underwriting. The goal is that the broker presents the most accurate, complete, and favorable picture of your security posture — because accuracy and favorability are the same thing when your controls are actually strong.

Starting from Where You Are

If your current security posture doesn't match the underwriter ideal described in this guide, the right move is not to simply check boxes on your application that don't reflect reality. Misrepresentation on a cyber insurance application is grounds for claim denial at precisely the moment you need the coverage most.

The right move is to close the gaps — genuinely — before your next renewal. The controls that matter most are the ones that are hardest to fake: MFA is either enforced or it isn't. EDR is either deployed and monitored or it isn't. Backups either have a documented successful restore test or they don't.

For most businesses, closing these gaps with internal resources is difficult. It requires sustained attention, technical expertise, and ongoing management — all of which compete for priority with actually running the business. That's why managed IT exists. The value proposition isn't just that someone else handles the technology. It's that someone else maintains the security posture continuously, so you don't have to choose between operating your business and securing it.

IT Center has been building and maintaining exactly this kind of security posture for Southern California businesses since 2012. If you're approaching a cyber insurance renewal, or if your last renewal came with a premium increase that surprised you, the time to have a conversation about your security controls is now — not 30 days before the policy expires.

Let's Build the Security Posture Your Insurer Wants to See

IT Center provides a free assessment for Southern California businesses. We'll map your current security controls against underwriter requirements, identify the gaps that are costing you premium, and show you exactly what it would take to close them — at a predictable flat rate.

Call us directly: (888) 221-0098