Cyber Insurance Readiness Assessment

Evaluate readiness for cyber liability insurance coverage by assessing security controls, incident response, and risk management practices that insurers require

Industries: All, Technology, Healthcare, Biotech, Finance. Estimated time: 20 minutes. 18 questions.

1. Access Control & MFA

Is multi-factor authentication (MFA) enforced for all remote access and admin accounts?*

Primary insurer requirement: MFA on VPN, RDP, admin portals, cloud apps (Office 365, AWS, etc.)

Are privileged accounts monitored and subject to least privilege principles?*

Admin access restricted, logged, reviewed; no shared admin accounts

Is password policy enforced (complexity, rotation, no reuse)?*

Minimum 12 characters, complexity requirements, password manager use encouraged

2. Endpoint & Network Security

Is endpoint detection and response (EDR) or antivirus deployed on all devices?*

Next-gen AV, EDR, or XDR on workstations, servers, laptops with centralized management

Are firewalls configured with deny-by-default and regular rule reviews?*

Network firewalls with IDS/IPS, rule reviews, no overly permissive rules

Is network segmentation implemented to isolate critical systems?*

VLANs separate corporate, production, guest networks; critical systems isolated

3. Data Protection & Backup

Are backups performed regularly and tested for restoration?*

Daily/weekly backups, offsite/offline storage, quarterly restoration tests

Are backups stored offline or immutable to prevent ransomware encryption?*

Air-gapped, tape, or immutable cloud storage (e.g., AWS S3 Object Lock)

Is sensitive data encrypted at rest and in transit?*

Encryption for databases, file servers, laptops; TLS for data in transit

4. Incident Response

Is an incident response plan documented and tested?*

IR plan with roles, escalation, communication, tabletop exercises annually

Do you have an IR retainer or an established relationship with a forensics firm and breach counsel?*

Pre-negotiated rates with incident response firm and breach attorney

Are security logs collected, retained, and monitored (SIEM or logging)?*

Centralized logging for 90+ days, SIEM alerts on suspicious activity

5. Security Awareness

Is annual security awareness training provided to all employees?*

Training on phishing, password security, social engineering, data handling

Are phishing simulations conducted to test employee vigilance?*

Quarterly phishing tests, remedial training for clickers

Is an acceptable use policy in place and acknowledged by employees?*

Policy covers device use, data handling, prohibited activities, signed acknowledgment

6. Third-Party Risk

Are vendors assessed for security before engagement (due diligence)?*

Security questionnaires, SOC 2 reports, pen test results for high-risk vendors

Do vendor contracts include security requirements and breach notification obligations?*

Contracts specify security controls, audit rights, breach notification timelines

Is vendor access monitored and revoked when no longer needed?*

Vendor accounts tracked, periodic reviews, prompt deprovisioning
