MFA, EDR, Backups, and Incident Response: The Four Controls Your Cyber Insurer Will Actually Check

You paid your premium. You ticked every box on the application. Then you got hit with ransomware, filed a claim - and your insurer said no.
This is not hypothetical. Insurers are now conducting post-incident forensic audits. If they find that MFA was listed as "enforced" on your application but was actually optional, or that your backups were online and got encrypted alongside everything else, your claim gets denied. You are left holding a $345,000 average claim cost with zero coverage.
41% of cyber insurance applications are already denied on first submission (MoneyGeek). But the worse number is the one nobody tracks: claims denied after approval because the controls you said you had were not actually in place. If your business does not have the right security posture (take this quick cybersecurity quiz to find out where you stand), you are paying for a policy that will not protect you.
Why Are Insurers Getting Stricter Right Now?
The math stopped working. 1 in 3 SMBs were hit by a cyberattack in 2024 (BizTech Magazine), and the average claim cost hit $345,000 (Atlantic Digital). Insurers lost money. Their response was predictable: raise premiums, tighten requirements, and deny claims where controls were not verified.
The M&S, Co-op, and Harrods breaches in 2025 - with a combined impact exceeding £300 million - made headlines, but they also made underwriters paranoid. If household names with dedicated security teams get breached, what happens when a 50-person company with no IT department gets targeted? Cyberattacks increased 49% in H1 2025 alone (Identity Week). With 82.6% of phishing emails now containing AI-generated content, the attacks are getting harder to spot and easier to launch. Insurers are responding by treating their applications less like questionnaires and more like audits.
What Exactly Do Insurers Mean by "MFA Enforced"?
This is where most claims fall apart. Your insurer does not care that MFA is available. They care that it is enforced - meaning no user can bypass it, no legacy account is exempt, and no admin portal relies on password-only access.
Here is what "enforced" actually requires: every user account has MFA enabled with no exceptions. Service accounts use certificate-based authentication or hardware tokens. Conditional access policies block sign-ins from non-compliant devices. You have logs proving MFA was active at the time of the incident. The gap between "we turned it on" and "it is enforced everywhere" is exactly where insurers void claims. A single admin account without MFA - the one you kept for break-glass access - becomes the one attackers use. Then your insurer points to your application where you checked "MFA enforced on all accounts" and denies the claim.
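The "logs proving MFA was active" point is the one that is easiest to check for yourself before an insurer does. Below is an added example (not Fusion AI code, and not tied to any particular identity provider) that scans sign-in records for successful authentications that relied on a password alone, and singles out admin accounts among them. The record layout (user, role, timestamp, authentication methods, result), the set of factors treated as strong, and the sample events are all assumptions constructed for illustration; a real export from your identity provider will use different field names that you map onto this shape.

```python
"""Audit sign-in records for password-only authentications.

Added example, not Fusion AI code. The record layout, the STRONG_FACTORS set
and the sample events are constructed assumptions; map your identity
provider's export onto the SignIn shape before running this for real.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str              # "user", "admin" or "service" (assumed labels)
    timestamp: datetime
    auth_methods: tuple    # e.g. ("password",) or ("password", "totp")
    result: str            # "success" or "failure"


# Factors that count as a second, phishing-resistant-or-better step (assumption).
STRONG_FACTORS = {"totp", "fido2", "push", "certificate", "hardware_token"}


def is_mfa(methods):
    """A sign-in counts as MFA only if at least one strong factor was used."""
    return any(m in STRONG_FACTORS for m in methods)


def password_only_successes(events):
    """Return successful sign-ins that relied on a password alone, keyed by user."""
    gaps = defaultdict(list)
    for e in events:
        if e.result == "success" and not is_mfa(e.auth_methods):
            gaps[e.user].append(e)
    return dict(gaps)


def enforcement_report(events, window_start, window_end):
    """Summarise whether MFA held for every account that signed in during the window.

    This is the shape of evidence an insurer's forensic audit looks for: not
    "MFA was available" but "no account got in without it during this period".
    """
    in_window = [e for e in events if window_start <= e.timestamp <= window_end]
    gaps = password_only_successes(in_window)
    accounts = {e.user for e in in_window}
    return {
        "accounts_seen": len(accounts),
        "accounts_without_mfa": sorted(gaps),
        "admin_gaps": sorted(u for u, evs in gaps.items()
                             if any(e.role == "admin" for e in evs)),
        "enforced": not gaps,
    }


UTC = timezone.utc
# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    SignIn("alice@example.com", "admin", datetime(2025, 3, 3, 8, 2, tzinfo=UTC),
           ("password", "totp"), "success"),
    SignIn("bob@example.com", "user", datetime(2025, 3, 3, 8, 15, tzinfo=UTC),
           ("password",), "success"),
    # The break-glass admin account that never got MFA: exactly the gap described above.
    SignIn("breakglass@example.com", "admin", datetime(2025, 3, 3, 23, 41, tzinfo=UTC),
           ("password",), "success"),
    SignIn("svc-backup@example.com", "service", datetime(2025, 3, 4, 1, 0, tzinfo=UTC),
           ("certificate",), "success"),
    SignIn("carol@example.com", "user", datetime(2025, 3, 4, 9, 30, tzinfo=UTC),
           ("password",), "failure"),
]
WINDOW = (datetime(2025, 3, 3, tzinfo=UTC), datetime(2025, 3, 5, tzinfo=UTC))


def sample_report():
    """Run the audit over the constructed sample for the two-day window."""
    return enforcement_report(SAMPLE_EVENTS, *WINDOW)


if __name__ == "__main__":
    print(sample_report())
```

Run this over the full incident window, not just the day of the breach: a single password-only success by any account in that period is the line an underwriter will quote back at you. Failed attempts are deliberately not counted as gaps, since they show the control refusing access, not bypassing it.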

Does Your EDR Actually Detect Anything - Or Just Log It?
Endpoint Detection and Response is the second non-negotiable. But insurers are not asking "do you have antivirus?" They are asking whether your detection tool actively responds to threats and whether someone is actually monitoring the alerts.
The distinction matters. A tool that logs a suspicious process but sends no alert - or sends an alert that nobody reads until Monday morning - does not meet the standard. Insurers want active monitoring with documented response times. They want evidence that when a threat was detected, someone took action within hours, not days. This means either a 24/7 internal security team (unrealistic for most SMBs) or a managed detection service that watches your environment around the clock. The cost of not having this is not just a denied claim. As we covered in what SMBs are already losing without compliance, the financial damage compounds far beyond the initial incident.
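"Documented response times" is something you can compute from the alert history your EDR already keeps. The added example below (not Fusion AI's code and not any vendor's API) takes alert records with a detection time and an action time, measures detection-to-action latency, and flags alerts that were actioned late or never actioned at all, which is the "logged but nobody read it until Monday" case. The record fields, the four-hour target and the sample alerts are constructed assumptions.

```python
"""Measure detection-to-action latency from EDR alert records.

Added example, not Fusion AI or EDR vendor code. The record fields
(alert_id, detected_at, actioned_at), the RESPONSE_TARGET and the
sample alerts are assumptions constructed for illustration.
"""
from datetime import datetime, timedelta

# Assumed internal standard: a detected threat is acted on within four hours.
RESPONSE_TARGET = timedelta(hours=4)


def parse_ts(value):
    """ISO-8601 timestamp or None (None means the alert was only logged)."""
    return datetime.fromisoformat(value) if value else None


def triage_latency(alerts, now):
    """Classify each alert as within target, late, or never actioned.

    Returns hours as floats so the numbers can go straight into an evidence pack.
    """
    within, late, unactioned = [], [], []
    for a in alerts:
        detected = parse_ts(a["detected_at"])
        actioned = parse_ts(a.get("actioned_at"))
        if actioned is None:
            # Logged but no response recorded: the gap insurers care about most.
            unactioned.append(a["alert_id"])
        elif actioned - detected <= RESPONSE_TARGET:
            within.append(a["alert_id"])
        else:
            hours = (actioned - detected).total_seconds() / 3600
            late.append((a["alert_id"], hours))
    return {
        "within_target": within,
        "late": late,
        "unactioned": unactioned,
        # The standard is only met when every alert was actioned on time.
        "meets_standard": not late and not unactioned,
    }


# Constructed sample alert records, not real EDR output.
SAMPLE_ALERTS = [
    # Detected Friday evening, nobody looked until Monday morning.
    {"alert_id": "A-1", "severity": "high",
     "detected_at": "2025-03-07T17:30:00", "actioned_at": "2025-03-10T09:05:00",
     "action": "host isolated"},
    {"alert_id": "A-2", "severity": "medium",
     "detected_at": "2025-03-08T10:00:00", "actioned_at": "2025-03-08T10:45:00",
     "action": "process terminated"},
    # Written to the console and never actioned.
    {"alert_id": "A-3", "severity": "high",
     "detected_at": "2025-03-09T02:12:00", "actioned_at": None, "action": None},
]
NOW = datetime(2025, 3, 10, 12, 0)


def sample_triage():
    """Evaluate the constructed sample against the response target."""
    return triage_latency(SAMPLE_ALERTS, NOW)


if __name__ == "__main__":
    print(sample_triage())
```

The output is the kind of table an insurer wants to see: per-alert latency, plus a plain yes/no on whether the monitoring standard held over the period. If `unactioned` is ever non-empty for high-severity alerts, the tool is logging rather than detecting in the sense the text describes.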
Are Your Backups Actually Recoverable After Ransomware?
Having backups is not enough. Having offline backups that are regularly tested - that is what your insurer requires. The reason is simple: modern ransomware specifically targets backup systems. If your backups are connected to your network, they get encrypted too.
Your insurer will ask these questions: Are backups stored offline or air-gapped? How frequently are backups tested for restoration? What is your documented Recovery Time Objective? Can you restore operations within the timeframe stated in your business continuity plan? "We use cloud backup" is not an answer. Cloud-synced backups that replicate encrypted files are worthless. You need at least one backup copy that cannot be reached from your production network. You also need proof that you have actually restored from it - not just that it exists. Use our cybersecurity checklist to verify your backup strategy meets insurance standards before your next renewal.
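"Proof that you have actually restored from it" means a recorded restore test with a timestamp, a file-level integrity check and an elapsed time you can compare to your RTO. The added example below (not Fusion AI code) does that in miniature: it writes a backup with a SHA-256 manifest, then restores every file to a scratch location, verifies each digest against the manifest and records whether the restore finished inside the RTO. It runs entirely in a temporary directory; the directory layout, the manifest format and the sample files are constructed assumptions, and the "offline" copy is only a separate folder standing in for a copy your production network cannot reach.

```python
"""Backup restore test with SHA-256 verification and RTO check.

Added example, not Fusion AI code. Directory layout, manifest format and the
sample files are constructed; the "offline_copy" folder stands in for a
genuinely air-gapped or immutable copy.
"""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir):
    """Copy every file under source_dir and write a manifest of its digests."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for f in sorted(source_dir.rglob("*")):
        if f.is_file():
            rel = f.relative_to(source_dir).as_posix()
            dest = backup_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, dest)
            manifest[rel] = sha256_of(f)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(backup_dir, scratch_dir, rto_seconds):
    """Restore to a scratch location, verify every file, and time the whole run."""
    backup_dir, scratch_dir = Path(backup_dir), Path(scratch_dir)
    start = time.monotonic()
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    mismatched = []
    for rel, expected in manifest.items():
        dest = scratch_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
        if sha256_of(dest) != expected:   # verify the restored copy, not the source
            mismatched.append(rel)
    elapsed = time.monotonic() - start
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_checked": len(manifest),
        "mismatched": mismatched,
        "elapsed_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
        "recoverable": not mismatched and elapsed <= rto_seconds,
    }


def demo(rto_seconds=3600):
    """Back up a constructed production tree, then run a clean and a corrupted restore test."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        prod = root / "prod"
        (prod / "docs").mkdir(parents=True)
        (prod / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (prod / "docs" / "policy.txt").write_text("retain 7 years\n")
        backup = root / "offline_copy"
        create_backup(prod, backup)

        # Production is overwritten after the backup was taken; the offline copy must not care.
        (prod / "ledger.csv").write_bytes(b"ENCRYPTED")
        clean = restore_test(backup, root / "restore_a", rto_seconds)

        # A silently corrupted backup file must be caught by the digest check.
        (backup / "docs" / "policy.txt").write_bytes(b"corrupt")
        bad = restore_test(backup, root / "restore_b", rto_seconds)
        return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print(json.dumps({"clean": clean, "corrupted": bad}, indent=2))
```

Keep the returned dictionaries: the `tested_at` timestamp and `recoverable` flag from each run are the evidence that answers "how frequently are backups tested for restoration?". A restore that completes but fails the digest check is worse than one that fails outright, because it looks recoverable until the day you need it.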

Do You Have an Incident Response Plan - Or Just a Folder?
The fourth control is the one SMBs fake most often. You downloaded a template, saved it to SharePoint, and listed it on your insurance application. But can your team actually execute it?
An incident response plan that satisfies insurers includes: named individuals with defined roles (not just "the IT guy"), a communication protocol for notifying customers, regulators, and your insurer within required timeframes, containment procedures that your team has actually rehearsed, and evidence of at least one tabletop exercise in the past 12 months. NIS2 now mandates 24-hour incident notification across the EU - and as we explained in our NIS2 overview for SMBs, this regulation affects far more companies than most realize. Our incident response checklist gives you a step-by-step framework that satisfies both insurer and regulatory requirements.
How Does This Compare: Traditional MSP vs. Fusion AI?
Most SMBs try to solve these requirements by hiring a Managed Service Provider at 100–250 EUR per user per month. Here is what that gets you compared to Fusion AI:
| Requirement | Traditional MSP (100-250 EUR/user/month) | Fusion AI |
|---|---|---|
| MFA enforcement with compliance evidence | Often configured but not audited | Enforced + continuous verification reports |
| 24/7 endpoint detection & response | Typically business hours only | Included - active monitoring around the clock |
| Offline/air-gapped backup verification | Backups set up, rarely tested | Automated backup testing with documented recovery |
| Incident response plan + tabletop exercise | Template provided, no rehearsal | Plan built, roles assigned, exercises scheduled |
| Insurance application evidence pack | You compile it yourself | Generated automatically from your live environment |
| Time to compliance evidence | Months of back-and-forth | First report in 48 hours, full compliance in 30 days |
| Cost for 50 users | 5,000–12,500 EUR/month | See current pricing |
The difference is not features. It is whether the evidence exists when your insurer asks for it. Your compliance is the natural byproduct of good IT management - not a separate project you run once a year before renewal.
What Happens If You Do Nothing?
The numbers are clear. 67% of vendors lost contracts in 2024 because they could not prove compliance (Marsh McLennan). 43% of UK businesses suffered a breach in 2025 (Cyber Security Breaches Survey). The real cost of ransomware recovery goes far beyond the ransom itself.
If your insurer denies your claim because MFA was not properly enforced, you absorb the full $345,000 average incident cost. If a regulator finds your incident response was inadequate, you face fines - ICO penalties jumped 7x in 2025, from £2.7M to £19.6M. If a client asks for compliance proof and you cannot produce it, you lose the contract. This is not about buying another tool. It is about whether your business can survive an incident that is statistically likely to happen within the next three years.
What Should You Do This Week?
Stop guessing whether your controls meet insurance requirements. In 45 minutes, you can connect your environment to Fusion AI's free security scan and get a clear picture of where your MFA gaps are, whether your backups would survive ransomware, and exactly what your insurer will flag at renewal.
No sales call required. No commitment. Just a factual report showing whether your cyber insurance will actually pay out when you need it - so you can sleep at night knowing the answer.
Run Your Free Security Scan Now →
Or start a free trial to see what continuous compliance monitoring looks like when it is built into your IT operations from day one.