The New Cyber Insurance Minimum Thresholds

The cyber insurance landscape is shifting like sand dunes in a desert storm. With ever-evolving threats and an increasing number of data breaches, insurance companies are tightening their policies and raising the bar for what it takes to qualify for coverage. Businesses that fail to adapt to the changing winds may find themselves left out in the cyber wilderness. While you’re out in the cold, you will be without the public relations support, breach notification, credit monitoring, privacy counsel, forensic investigation, system recovery, ransomware negotiation, and a plethora of other expensive recovery services that your cyber insurance would normally pay for today.

Imagine a fortress built to withstand the medieval era's battle tactics; now imagine that same fortress facing modern warfare. This is the predicament many businesses find themselves in when it comes to cybersecurity. The old defenses are no longer enough to protect against the sophisticated tactics of cyber criminals. And in response, insurance companies are strengthening their defenses to match the changing times. As a result, the qualifications for a cyber insurance policy are becoming more rigorous, and companies that fail to adapt may find themselves exposed to a greater degree of risk from the digital world, and without the safety net of a cyber insurance policy.

What Controls are Insurance Companies Becoming Tougher On?

Getting cyber insurance, specifically ransomware insurance, is like trying to get into a VIP club with a fake ID. You may have fancy clothes and the right attitude, but without the right credentials, you're not getting in. Cyber insurance companies are becoming the bouncers of the cyber security world, and they're checking IDs at the door. To get past the bouncer, you'll need to show that you have the standard controls you already checked yes to, and also:

A modern backup strategy

  • The backup is managed with unique credentials
  • Backup servers are not joined to the domain
  • Backup servers are segmented from the rest of the network
  • Backups are stored in an immutable format
  • Access to backup servers requires Multi-Factor Authentication (MFA)

Implement an email security solution

  • The solution must block executable attachments
  • The solution must block macro enabled Microsoft Office documents
  • The solution must identify and block spam and phishing emails
  • The solution must be configured to monitor for suspicious links

Implement an Endpoint Detection and Response (EDR) solution

  • The EDR should be deployed on all endpoints including servers
  • The solution must automatically detect, block, and initiate investigations across the network

Implement segmented network access controls

  • Identity-based network access controls
  • MFA for network access
  • Segmentation of sensitive resources
  • Continuously monitoring and assessing network access

Using MFA to access sensitive data

  • Requiring at least two forms of authentication
  • Requiring non-phishable (non-SMS based) second factor authentication
  • Using a combination of something you know, something you have, and something you are
  • Enabling MFA for all remote access and privileged access

Logging and monitoring access to sensitive data stores

  • Keeping track of who accesses sensitive data and when
  • Detecting and alerting any unusual activity
  • Auditing and reporting on access to sensitive data

Separate privileged accounts from user accounts

  • Implementing the principle of least privilege
  • Creating separate, privileged accounts for system administrators
  • Rotating and revoking privileged credentials regularly

Remove local administrative rights for users who do not require them

  • Removing the ability for users to install software or make changes to their system
  • Limiting access to sensitive resources
  • Implementing application control or whitelisting software to ensure only approved software can run
  • Using AppLocker or software restriction policies to deny execution of unwanted software

Vulnerability management and attack surface testing

  • Periodically scan for and remediate exploitable vulnerabilities
  • Prioritize the backlog of exploitable vulnerabilities
  • Perform annual deep penetration testing on targeted services

Bottom line - if you can't demonstrate to insurance companies that the right controls are in place, they're not letting you in.

How can your organization quickly adapt before renewal?

The changing landscape of cyber insurance requirements presents a unique opportunity for organizations to align their cybersecurity posture with regulatory frameworks such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the General Data Protection Regulation (GDPR), industry-specific regulations (HIPAA, GLBA, FTC), and others. By implementing controls that meet the standards set forth by these laws, organizations can not only secure coverage from cyber insurance providers, but also instill a greater sense of trust and confidence among their customers and stakeholders.

Partnering with a reputable consulting firm, like BD Emerson, can assist organizations in ensuring that they are not only meeting the requirements set forth by cyber insurance providers, but also adhering to the stringent regulations outlined by privacy laws. Such a partnership can provide valuable guidance in identifying and mitigating potential risks, implementing best practices and protocols, and maintaining ongoing compliance. By taking a holistic approach to cybersecurity, organizations can not only meet the demands of the insurance industry, but also safeguard the sensitive data of their customers and clients.

About the BD Emerson – Blue INK Security Partnership

BD Emerson specializes in building end-to-end privacy and security programs that cover the entire spectrum of an organization's needs, from strategy to implementation. By taking a comprehensive approach to privacy and security, we work closely with our clients to understand their unique requirements and tailor our services to their specific needs.

Our team of experts has the knowledge and experience to guide organizations through the complex landscape of privacy and security regulations, helping them to identify and mitigate potential risks, implement best practices and protocols, and maintain ongoing compliance. We also have a deep understanding of the specific controls and requirements that insurance companies look for and can help organizations to meet these standards in an efficient and cost-effective manner.

In order to provide our clients with the best possible service and to ensure that they are able to meet the insurance companies’ requirements in an expedient and affordable manner, BD Emerson has partnered with Blue INK Security. Blue INK Security is a leading provider of cybersecurity services and specializes in helping organizations implement and certify the top ten controls insurance companies require. Together, we can offer our clients the expertise and resources they need to protect their sensitive data and meet the demands of the insurance industry.

If you believe your organization needs support in ensuring that your organization can renew its cyber insurance policy this year, or if you believe that your organization may need to quickly become compliant to new regulations and laws, please reach out to us at to set up a discovery call and a free risk assessment now.

New Cyber Insurance Requirements Revealed: Is Your Business at Risk of Losing Coverage?

About the author



Managing Director


Drew spearheads BD Emerson's Governance, Risk, Compliance, and Security (GRC+Sec) division, where he channels his expertise into guiding clients through the labyrinth of Information Security, Risk Management, Regulatory Compliance, Data Governance, and Privacy. His stewardship is key in developing tailored programs that not only address the unique challenges faced by businesses but also foster a culture of security and compliance.
