Cybersecurity Insurance Requirements: 9 Controls You’ll Need


Last updated October 29, 2025.

Cybersecurity insurance provides coverage for losses incurred by a cyberattack. Given the high cost of a data breach, many organizations are turning to this specialized insurance to protect their financial wellbeing.

Whether you’re renewing your existing insurance policy or attempting to qualify for the first time, there’s a lot to know. Luckily, there are specific steps you (or your managed cybersecurity service provider) can take to qualify for cyber insurance.

Here are 9 actions you can take to help you get the insurance you need.

Key takeaways:

  • A recent pentest and regulatory compliance gap assessment are crucial for getting insured.
  • MFA and cybersecurity awareness training are also critical.
  • You should also have backup and recovery, MDR, and vulnerability scanning in place.

1. Make sure you have a pentest on file within the last 12 months.

When’s the last time your organization used penetration testing services?

A penetration test is a rigorous process in which ethical hackers scope out your network for vulnerabilities, then try to exploit them as a real hacker would. You get a detailed report of any weaknesses found—plus a clear plan to mitigate them.

It’s best to hire a third party to conduct a penetration test: you want testers who have no vested interest in the outcome of the test. Even the best internal teams aren’t a good fit for penetration testing.

Cyber insurers typically want to see that you’ve conducted a pentest in the last 12 months. It’s a shorthand way for them to assess your network vulnerabilities (and your commitment to regular pentests).

2. Make sure you have a HIPAA or PCI-DSS gap assessment on file, if applicable.

If your organization falls under HIPAA regulation, or if you process credit card information, cyber insurers may want to see the results of your most recent gap assessment for the applicable regulatory framework. If the assessment turned up any issues, the insurer will want to see documentation of all steps you’ve taken to mitigate the gap and achieve compliance.

If it’s been a while since you did a gap assessment, it may be time to repeat the process. Cybersecurity risks evolve quickly, and insurers will want to see that you’re up to date.

Hint: A partner like Corsica Technologies can help you with your compliance gap assessment.

3. Implement MFA for email security.

Email security is a core component of your overall cybersecurity standing.

At a minimum, you should have MFA (multifactor authentication) enabled for all email accounts. MFA is a cybersecurity control that won’t grant access to a system until the user has passed two (or more) types of authentication.

For example, MFA for email might require both a password and secondary verification through an authentication app on a mobile device.

MFA is a powerful control that stops over 99.9% of password attacks. In today’s cyber threat landscape, MFA is a must—and cyber insurers will be glad to see it in place.
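To make the "two types of authentication" concrete, here is an added example (not code from the article or from Corsica Technologies) of the server side of a password-plus-authenticator-app login. The one-time code is a standard TOTP (RFC 6238, built on HOTP from RFC 4226), so the verifier matches what Google Authenticator, Microsoft Authenticator and similar apps generate. The user record, password, and the shared secret (the RFC's own reference secret, used so the codes can be checked against the published test vectors) are constructed for the demo; the `authenticate`, `verify_totp` and `User` names are this example's, not from any product.

```python
"""Two-factor login check: password + TOTP code (RFC 6238).

Added example, not code from the original article. The user record,
password and shared secret below are constructed for the demo.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# used here so the generated codes can be checked against the RFC test vectors.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds per TOTP window
DIGITS = 6
DRIFT_WINDOW = 1    # accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the first factor is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class User:
    """Constructed user record holding the verifiers for both factors."""

    def __init__(self, name: str, password: str, totp_secret: bytes):
        self.name = name
        self.salt = b"constructed-salt-" + name.encode()   # demo salt; use random bytes in practice
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest TOTP counter already accepted (replay guard)


def verify_password(user: User, password: str) -> bool:
    """First factor: constant-time comparison of the derived hash."""
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def verify_totp(user: User, code: str, unix_time: int) -> bool:
    """Second factor: match the code against the current step +/- DRIFT_WINDOW,
    and refuse any counter at or below the last one accepted, so a code captured
    by a phisher cannot be replayed within its validity window."""
    current = int(unix_time) // TIME_STEP
    for counter in range(current - DRIFT_WINDOW, current + DRIFT_WINDOW + 1):
        if counter <= user.last_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            user.last_counter = counter
            return True
    return False


def authenticate(user: User, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Grant access only when BOTH factors verify. The password is checked first
    so a wrong password does not consume (mark as used) a valid TOTP counter."""
    now = int(time.time()) if unix_time is None else unix_time
    if not verify_password(user, password):
        return False
    return verify_totp(user, code, now)


if __name__ == "__main__":
    alice = User("alice", "correct horse battery staple", DEMO_SECRET)
    t = 59  # RFC 6238 test time: counter 1, expected SHA1 code 287082
    good_code = totp(DEMO_SECRET, t)
    print("password only:", authenticate(alice, "correct horse battery staple", "000000", t))
    print("both factors: ", authenticate(alice, "correct horse battery staple", good_code, t))
    print("replayed code:", authenticate(alice, "correct horse battery staple", good_code, t))
```

The two details worth noticing are the drift window, without which users whose phone clock is a few seconds off get locked out, and the replay guard, which is what keeps a one-time code one-time when an attacker phishes both the password and the current code.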

4. Conduct regular security awareness training and testing.

Do your employees know how to spot a phishing email?

What about a spear phishing attack—or a criminal who impersonates your CEO with an urgent request?

As a general rule, ISACA recommends that organizations provide cybersecurity awareness training every 4-6 months.

If that seems too frequent, consider the fact that cybercriminals are constantly inventing new schemes. Their goal is to trick employees who have good intentions. This is easy when their victims don’t know what they’re looking at.

Continuous phishing training really is essential to prevent your company from becoming a statistic. This is why many insurers want to see a cybersecurity training program in place when they consider your application.

5. Implement an incident response process.

Has your organization defined the processes that kick in when a security incident happens?

Do you know who to call?

Do you know who will remediate the situation?

An incident response plan is an essential component of a robust cybersecurity program. You need clearly defined processes, communication chains, and responsibilities for mitigating the unthinkable. Cyber insurers will want to see this plan to help quantify your risk.

6. Implement backup and disaster recovery.

What happens if your database server gets hacked and held for ransom?

Even if it doesn’t get hacked, what happens if a team member accidentally deletes essential data from that server?

Backup and disaster recovery is essential to safeguarding your data and systems—and to providing business continuity. Cyber insurers typically want to see that you have processes, systems, and people in place to back up critical data.

Learn more here: Backup and Disaster Recovery Services.

7. Implement EDR (or even better, MDR).

Are you monitoring every endpoint for intrusion?

(For reference, an endpoint is any device connected to a network. PCs, mobile devices, servers, and virtual machines are all endpoints.)

EDR (endpoint detection and response) is a software solution that protects a particular endpoint.

MDR (managed detection and response) is a service in which a trusted partner monitors and protects your endpoints with their software. MDR is typically a better value because it comes with a team of experts ensuring full coverage, monitoring your endpoints, and mitigating threats.

Cyber insurers love to see MDR in place. It signals that your organization is serious about cybersecurity—and it provides a powerful defense against endpoint attacks.

8. Conduct regular vulnerability scanning and mitigation.

Does your network present vulnerabilities that an external actor can exploit? This question is answered in part by external vulnerability scanning. (Note that vulnerability scanning only detects weaknesses. A penetration test, already covered above, shows whether an attacker can actually gain entry through a particular vulnerability.)

External vulnerabilities aren’t the full picture, though. You also need to answer the question, “How easy is it for someone with legitimate access to exploit our internal vulnerabilities?” This question is answered by internal vulnerability scanning.

Cyber insurers will want to see that you’re 1) scanning regularly for vulnerabilities, and 2) mitigating any weaknesses found.

9. Implement appropriate access controls.

Does every user in your organization have the appropriate access on every system?

For example, the clerk at the front desk shouldn’t have the ability to delete essential internal documents from your SharePoint. Even if this person will never commit a cybercrime, an actor who gains access to this low-level account can perpetrate a significant attack if the account has more permissions than it should.

This is the idea behind appropriate access controls. Every user should have only the access and capabilities that they need to do their job—no more. It’s an essential component of a strong cybersecurity program, and cyber insurers will want to see it when they evaluate your application.

The takeaway: Seal your defenses and get insured

It may seem daunting to qualify for cyber insurance, but it doesn’t have to be. A trusted partner can help you put the right controls in place to mitigate your vulnerabilities. It all starts with the first step—contacting an MSSP (managed security services provider) and explaining your situation.

Here at Corsica Technologies, we help companies in all verticals get the cyber insurance they need. Reach out today, and let’s collaborate to give you peace of mind.

George Anderson
George Anderson is a blogger and trade journalist in IT and technology. Covering topics from IT to ecommerce to digital transformation, his work has appeared in numerous outlets around the internet. He loves writing on complex subjects in plain language to help companies succeed with technology.
