Xact IT Solutions
1 Executive Drive Suite 100, Marlton, NJ 08053
856-282-4100
info@xitx.com
Cyber Insurance Requirements: How to Read an IT Firm’s Policy as a Security Signal

Every IT vendor claims to take security seriously. Every pitch mentions encryption, monitoring, and incident response. But there is one document that cuts through all of it – the vendor’s own cyber insurance policy. The controls their insurer demands, and the coverage limits they actually carry, tell you more about their real security posture than any sales presentation ever will. Cyber insurance requirements are one of the most powerful – and most overlooked – tools in your vendor evaluation process.

  1. Why Cyber Insurance Requirements Are an Honest Proxy for Security Maturity
  2. What Underwriters Actually Require Before Writing a Policy
  3. The Specific Questions to Ask an IT Vendor About Their Coverage
  4. Red Flags That Should End the Conversation
  5. What a Well-Covered IT Firm Actually Looks Like
  6. How to Factor This Into Your Final Decision

Why Cyber Insurance Requirements Are an Honest Proxy for Security Maturity

An IT vendor can write anything on their website. They can claim they follow best practices, that their team is certified, and that they have never had an incident. You have no easy way to verify most of those claims – unless you know where to look.

Cyber insurance underwriters are not in the business of taking anyone at their word. Before issuing a policy, they review the applicant’s actual controls. They send detailed questionnaires covering multi-factor authentication adoption, backup integrity testing, privileged account management, endpoint protection, and patch management discipline, and many now supplement the questionnaire with an external scan of the applicant’s internet-facing systems. If an IT firm cannot demonstrate those controls, it either does not get coverage or pays a significantly higher premium for a much lower limit.

That means the existence, scope, and limits of an IT firm’s cyber policy represent a third-party opinion on its security posture – delivered by a financially motivated organization with real skin in the game. Carriers lose money when their policyholders get breached. One caveat is worth keeping in mind: much of the application is self-attested, so the signal is only as good as the applicant’s honesty. That honesty is enforced after the fact, though, because a control misrepresented on the application – MFA that was claimed but never deployed, for example – gives the carrier grounds to rescind the policy when a claim arrives. Carriers are, unintentionally, doing your vendor due diligence for you.

The question is knowing how to read what they found.

What Underwriters Actually Require Before Writing a Policy

[Image: a server room with rows of equipment, illustrating the physical infrastructure underwriters ask about.]

The cyber insurance market hardened significantly after 2020. Carriers that used to write broad policies with minimal questions started absorbing massive claims from ransomware events and supply chain attacks. The result: underwriting standards became genuinely rigorous. According to guidance published by CISA, the controls most frequently demanded by cyber insurance requirements now include the following.

  • Multi-factor authentication on all remote access, administrative accounts, and email – not just some accounts, all of them. Expect follow-up on which factor types are in use, since SMS codes and simple push prompts are weaker than phishing-resistant methods such as FIDO2 security keys
  • Privileged access controls that limit who can reach sensitive systems and data
  • Endpoint detection coverage across every managed device in the environment
  • Tested, offline, and immutable backups – not just backups that exist, but backups proven to restore successfully, on a schedule, with the restore results recorded
  • A documented and practiced incident response plan – carriers increasingly want to see tabletop exercises on record
  • Patch and vulnerability management with defined remediation windows
  • Employee security awareness training with documented completion rates

When a carrier asks these questions and an applicant cannot answer them confidently, it shows up in the policy: lower coverage limits, higher deductibles, more exclusions, or outright denial. An IT firm that carries strong coverage at reasonable terms has satisfied an underwriter’s control review at every renewal, which is the closest thing to a recurring external check that most small IT firms ever get. One that carries thin coverage – or none at all – has not.

The Specific Questions to Ask an IT Vendor About Their Coverage

Most buyers never ask their IT vendors about cyber insurance requirements because it feels like an uncomfortable or overly technical question. It is neither. It is a standard business question, and a vendor who pushes back on answering it is already giving you important information.

Here are the questions worth putting in front of any IT firm you are seriously evaluating.

Do you carry cyber liability insurance, and what are your coverage limits?

This is the baseline. A firm managing IT environments for businesses should carry at minimum $1 million per occurrence in cyber liability coverage. Many mature firms carry $2 million or more. Ask for the aggregate limit as well as the per-occurrence limit, and ask whether ransomware, extortion, or business interruption sit under lower sublimits within that total, because the headline number is not always what is available for the event you care about. A firm that is vague about its limits – or carries only a nominal amount – is signaling that either its insurer did not trust it with higher limits, or it did not bother to get appropriately covered.

Does your coverage include technology errors and omissions?

Standard cyber insurance covers the vendor’s own breach events. Technology errors and omissions coverage – often called tech E&O – covers situations where the vendor’s mistake or negligence results in a breach or loss at a client’s business. Carriers write these either as two separate policies or as one combined form with distinct coverage parts; either way, both parts need to be present, because a client-side loss caused by a misconfiguration is an E&O claim, not a first-party breach claim. If an IT firm only carries one and not the other, ask why.

What cyber insurance requirements did your insurer ask you to demonstrate to obtain your current policy?

This question separates vendors who have thought carefully about their own security from those who bought the cheapest policy they could find. A serious IT firm can walk you through what their underwriter asked for and what they had to prove. That conversation tells you a great deal about the depth of their internal security program.

Have you had a cyber claim in the past three years?

A vendor who has filed a claim is not automatically disqualified – how they handled the event and what changed afterward matters more than the event itself. But a vendor with multiple claims, or one who becomes evasive here, is a different story entirely.

Are you willing to provide a certificate of insurance?

A certificate of insurance is a standard business document. Any vendor with legitimate coverage can produce one quickly. Hesitation here is a red flag without exception. When the certificate arrives, check four things: that the named insured matches the legal entity you are contracting with, that the policy period is current, that the carrier and the per-occurrence and aggregate limits match what the vendor told you, and that you can be listed as certificate holder so you are notified if the policy is cancelled. Keep in mind that a certificate summarizes coverage and does not show exclusions; if the relationship is significant, ask for the declarations page or the exclusions list as well, since some policies exclude losses that follow from a failure to maintain the controls attested on the application.

Red Flags That Should End the Conversation

Beyond the specific questions above, there are patterns in how vendors respond to insurance-related inquiries that reveal the character of the organization as a whole.

  • They claim they “do not need” cyber insurance because they are careful – no organization is beyond the reach of a breach, and this answer reflects either arrogance or a fundamental misunderstanding of how modern attacks work
  • They carry coverage limits far below what they would need to make a client whole in a real incident – this suggests insurance is a checkbox, not a genuine risk management tool
  • They cannot describe the cyber insurance requirements their insurer imposed – a vendor who genuinely operates a strong security program knows exactly what their underwriter asked about
  • They conflate their general business liability policy with cyber insurance – these are entirely separate coverages, and an IT firm that does not know the difference should not be managing your environment
  • They become defensive or evasive rather than forthcoming – confidence and transparency about insurance signals a firm that has nothing to hide

Any one of these responses should prompt serious reconsideration. More than one should end the conversation.

What a Well-Covered IT Firm Actually Looks Like

A security-first IT firm treats its own cyber insurance as a reflection of its internal standards – not as a compliance checkbox. Their coverage is not the minimum they could get away with. It is calibrated to the actual risk profile of the environments they manage.

They can speak clearly about what their underwriter required and how their internal controls meet or exceed those requirements. They carry separate cyber liability and technology errors and omissions coverage. Their limits reflect the size and sensitivity of the client businesses they serve. And they renew without drama because their controls are maintained year-round, not assembled at renewal time.

Some IT firms go further and pursue independent third-party audits of their security posture annually – not because a carrier required it, but because it is the right operating standard. That kind of voluntary accountability is the clearest signal that an organization’s security culture is genuine rather than performed.

At Xact IT Solutions, we hold the GTIA Cybersecurity Trustmark, which requires an annual audit against the CIS Critical Security Controls framework conducted by a CREST-accredited assessor. That audit informs our own underwriting conversations and reflects the same standards we apply to every client environment we manage. We have maintained zero client breaches across every engagement since 2004 – and our own insurance record is consistent with that history.

That is what the combination of insurance history and independent audit looks like when it is genuine. Not a marketing claim – a documented, externally verified track record. To learn more about how we approach managed IT services with security at the core, explore our full offering.

[Image: overview of the key cyber insurance requirements underwriters typically verify before issuing a policy to an IT firm.]

How to Factor This Into Your Final Decision

Cyber insurance requirements are one signal among several, but they are an unusually reliable one – financially backed, externally validated, and hard to fake. Here is how to weight this in your evaluation process.

Start by treating it as a qualifier. A vendor who cannot produce a certificate of insurance with reasonable coverage limits should not advance past the early stages of your evaluation, regardless of how compelling their pitch is. This is a minimum bar, not a differentiator.

Use it to generate better follow-up conversations. The questions above are not just about insurance – they reveal how an IT firm thinks about risk, accountability, and the relationship between their own security posture and their clients’ exposure. A vendor who engages those questions directly is demonstrating the kind of thinking you want managing your environment.

Compare it against their breach history and independent audit status. A vendor with strong insurance, no breach history, and an annual third-party audit is a qualitatively different organization from one with thin coverage, no audit history, and vague answers about internal controls. That gap deserves more weight than most buyers give it.

Finally, ask yourself whether the vendor talks about their own security the way a serious organization would. The firms worth working with do not react to incidents – they build environments where incidents are far less likely to happen in the first place. A vendor who takes their own cyber insurance requirements seriously takes yours seriously too. One who treats insurance as a cost to minimize probably approaches your security the same way.

The insurance question is not a trick. It is one of the clearest windows into an IT firm’s actual values – and in a market full of similar-sounding vendors, one of the fastest ways to separate the ones who are serious from the ones who are not.

Want to see how Xact IT answers these questions? Book a Free Cybersecurity Strategy Call – a 20-minute conversation with our team, no pressure, no obligation.


Copyright © 2026. Website Design by Xact IT Solutions