Do These 5 and Your Insurer Loves You. Skip Them and Your Claim Gets Complicated.
After 20 years of forensic investigations, we have seen hundreds of breaches from the inside. And in every post-incident conversation with the carrier, the same five questions come up. Did they have a recent pentest? Was there an IR plan? Was MFA enabled? Were the backups good? Were the logs there?
Organizations that can answer yes to all five have smoother claims, faster recoveries and stronger coverage positions. Organizations that cannot answer yes to any of them face coverage disputes, delayed payouts and sometimes denied claims. Here are the five things your cyber insurer wishes you had done.
1. A Recent Penetration Test
When a breach occurs, one of the first questions the carrier asks is: "When was the last penetration test?" A recent test, conducted within the past 12 months, demonstrates that the organization took active steps to identify and address vulnerabilities. It shows due diligence.
More importantly, a recent pentest changes the narrative of the claim. If the breach exploited a vulnerability that was tested for and remediated, the insured is in a strong position. If the breach exploited a vulnerability that a pentest would have found but no test was ever conducted, the insured is in a much weaker position.
Many policies now require annual penetration testing as a condition of coverage. If yours does and you have not done it, you have a gap that could affect your claim. Penetration tests from qualified vendors like Sherlock Forensics start at $1,500 CAD. Compared to the potential impact on a six-figure claim, this is not an expense. It is insurance for your insurance.
2. A Documented Incident Response Plan
An incident response plan does two things during a breach. First, it tells your team what to do in the first critical minutes, reducing panic-driven mistakes that make the situation worse. Second, it tells your insurer that you prepared for this possibility and took it seriously.
The plan does not need to be a 200-page document. It needs to include:
- Who to call first (carrier claims hotline, legal counsel, forensic vendor)
- Who makes decisions during an incident (incident commander)
- Containment procedures (isolation, credential rotation, communication protocols)
- Evidence preservation steps (do not reboot, do not delete, do not wipe)
- Communication templates for employees, customers and regulators
The organizations that have an IR plan respond faster, preserve more evidence and give the forensic investigator a cleaner starting point. The organizations that do not have one make mistakes in the first hour that take weeks to undo.
3. Multi-Factor Authentication Enabled
MFA is the single most effective control against credential-based attacks. Business email compromise, VPN intrusion, RDP brute force, cloud account takeover - MFA stops or significantly complicates all of them. Insurers know this, which is why MFA is now a condition of coverage on virtually every cyber policy issued in Canada.
The requirement is not just "have MFA somewhere." It is MFA on all remote access, all privileged accounts and all email accounts. Every forensic investigation we conduct includes an assessment of MFA coverage. When we find that the breach vector was an account without MFA, the carrier takes note. And it rarely works in the insured's favor.
If you have MFA on your VPN but not on your email administrator accounts, you have a gap. If you have MFA on your cloud platform but not on your legacy VPN, you have a gap. Close the gaps before the breach reveals them.
4. Tested and Verified Backups
Every organization backs up data. Far fewer verify that those backups can actually be restored. The difference between a backup and a tested backup is the difference between a ransomware incident that costs you two days of downtime and one that costs you two months.
What your insurer wants to see:
- Backups stored offline or in an immutable format that ransomware cannot encrypt
- Regular restoration tests, at least quarterly, with documented results
- Backups that cover critical systems, not just file shares
- Retention periods long enough to recover from incidents with extended dwell times (90+ days)
During a ransomware investigation, one of our first questions is: "Are the backups clean and can they be restored?" When the answer is yes, the recovery timeline drops from weeks to days. When the answer is no or "we think so but we have never tested," everyone in the room knows the recovery just got much more expensive.
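The restoration test the list above calls for, as an added example that is not code from the original post or from Sherlock Forensics: it assumes backups are tar.gz archives with a SHA-256 manifest recorded when the backup was taken, restores one, compares every file against that manifest and returns a result record that can be kept as the documented quarterly evidence. The sample files are constructed in a temporary directory so it runs offline.

```python
import hashlib, json, os, tarfile, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir as tar.gz; return {relative_path: sha256} as the manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest

def restore_and_verify(archive_path, manifest, restore_dir):
    """Restore into restore_dir and check every file against the manifest.
    Returns a result record to keep as the documented test evidence."""
    os.makedirs(restore_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path traversal (3.12+ / backports)
        except TypeError:
            tar.extractall(restore_dir)  # older Python without the filter argument
    missing = [r for r in manifest if not os.path.isfile(os.path.join(restore_dir, r))]
    mismatched = [r for r, h in manifest.items()
                  if r not in missing and sha256_file(os.path.join(restore_dir, r)) != h]
    return {"tested_at": datetime.now(timezone.utc).isoformat(),
            "archive": os.path.basename(archive_path),
            "files_expected": len(manifest), "missing": missing, "mismatched": mismatched,
            "result": "PASS" if not (missing or mismatched) else "FAIL"}

def run_demo():
    """Constructed sample data: a good backup and one whose restore no longer matches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src"); os.makedirs(src)
        for name, body in (("ledger.csv", "id,amount\n1,100\n"), ("notes.txt", "quarterly\n")):
            with open(os.path.join(src, name), "w") as f: f.write(body)
        good = os.path.join(tmp, "backup-good.tgz")
        manifest = make_backup(src, good)
        # Simulate a later backup job that silently captured a truncated ledger
        with open(os.path.join(src, "ledger.csv"), "w") as f: f.write("id,amount\n")
        bad = os.path.join(tmp, "backup-bad.tgz")
        make_backup(src, bad)  # checked against the original manifest, not its own
        return (restore_and_verify(good, manifest, os.path.join(tmp, "r1")),
                restore_and_verify(bad, manifest, os.path.join(tmp, "r2")))

if __name__ == "__main__":
    for rec in run_demo():
        print(json.dumps(rec, indent=2))
```

Writing each returned record to a dated file (or ticket) is what turns "we think so" into the documented results the carrier asks for.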
5. Comprehensive Logging Enabled
Logging is the least glamorous control on this list and possibly the most important for claims purposes. Without logs, the forensic investigation is working blind. We cannot determine when the attacker entered, what they accessed or whether data was exfiltrated. And if we cannot determine the scope of compromise, the carrier cannot determine the scope of coverage.
What your insurer wants to see:
- Authentication logs for all systems, especially VPN, cloud and email
- Firewall and network logs with at least 90 days of retention
- Endpoint logs or EDR telemetry that captures process execution and file access
- Cloud audit trails (AWS CloudTrail, Azure Activity Log, Google Cloud Audit)
- Centralized log management so that logs survive even if the source system is compromised
We have worked cases where the lack of logging made it impossible to determine whether customer data was accessed. In those cases, the insured had to notify all potentially affected individuals, not just the confirmed ones. The notification cost alone can be the difference between a $50,000 incident and a $500,000 incident. All because the logs were not there.
Start Today
None of these five items requires a massive budget. A penetration test starts at $1,500 CAD. An incident response plan can be drafted in a day. MFA is free or near-free on most platforms. Backup testing takes a few hours per quarter. Logging configuration is a one-time setup with ongoing storage costs.
The total investment to check all five boxes is a fraction of what a single denied claim would cost. And your insurer will notice. Better security posture means smoother claims, lower premiums at renewal and stronger coverage when you need it most.