What is cyber insurance underwriting?
Cyber insurance underwriting is the process by which carriers assess an organization's cybersecurity posture to determine coverage terms and premium.
Key takeaways
- Underwriting is the gate: an organization with weak controls either pays more, gets less coverage, or gets non-renewed entirely.
- The underwriting questionnaire is not a courtesy form. Answers are warranties; misstatements can void coverage at claim time.
- For mid-market manufacturers, the controls underwriters care about most are phishing-resistant MFA, EDR coverage, backup with offline copies, tested incident response, and vendor remote-access governance.
- The renewal package matters as much as the underlying controls. Evidence presented well lowers premium; evidence buried in unstructured documentation does not.
- ARG audit findings translate directly into underwriting-favorable evidence; the engagement produces the renewal package as a byproduct.
What does a cyber insurance underwriter actually evaluate?
A cyber underwriter assesses three things about an organization: the likelihood it will suffer an incident, the magnitude of loss if an incident occurs, and the quality of evidence supporting both.
The assessment runs through five categories.
1. Identity and access. MFA coverage, type of MFA (push, TOTP, FIDO2), privileged account management, vendor remote-access governance. Identity is the most-asked category because most ransomware and BEC cases begin with a stolen, phished, or unprotected credential, so identity controls are the most predictive of those outcomes.
2. Endpoint and network protection. EDR deployment and tuning, email security tooling, web filtering, network segmentation between IT and OT (for manufacturers), patching cadence, vulnerability management.
3. Backup and recovery. Backup coverage, offline or immutable backup copies, restoration testing, recovery time objectives. The backup posture determines whether a ransomware event becomes a multi-week incident or a multi-day one.
4. Incident response readiness. Incident response plan existence, tabletop testing cadence, IR retainer arrangement, communication procedures, evidence preservation.
5. Organizational governance. Risk register, framework alignment (NIST CSF, NIST SP 800-171, CIS Controls, ISO 27001), supply-chain risk management, third-party governance, awareness program.
Each category produces a score (qualitative or quantitative depending on carrier). The composite drives the premium and the available coverage terms. A weak score in any category can produce premium adjustments, coverage sublimits, exclusions, or non-renewal.
The signals that move premiums up (and the ones that move them down)
Premium movement is not random. Specific signals consistently move pricing in measurable ways.
Premium-up signals:
- No or weak MFA on remote access and email. The single largest premium driver. SMS-based MFA also pushes premium up; push-based is better; phishing-resistant is best.
- No EDR or limited EDR coverage. EDR is now a baseline expectation; absence produces premium impact.
- Backups online only, no offline or immutable copy. Ransomware operators routinely locate and encrypt or delete reachable backups before encrypting production; when the only copies are online, recovery depends on the ransom, and carriers price that risk.
- No incident response plan, or one that has never been tested. Untested plans do not work; carriers know this.
- Recent claim history. A recent cyber claim raises premium materially. A series of claims can produce non-renewal.
- Industry and revenue. Higher-risk industries (healthcare, financial services, large manufacturing, critical infrastructure) and larger revenue both push premium up.
- Unmanaged vendor access. Vendor remote-access into OT systems without named accounts, MFA, and session recording.
- Open ports and exposed services. External attack-surface scanning (by the carrier or a third party) finds internet-exposed services; remote desktop, SMB, or management interfaces reachable from the internet and unpatched VPN appliances are the usual findings, and they move premium.
Premium-down signals:
- Phishing-resistant MFA on remote access, admin, and email. Material premium reduction at most carriers.
- EDR with documented tuning and 24/7 monitoring, through an internal SOC or an external MDR provider.
- Offline or immutable backups, regularly tested restoration. Backup posture is one of the most leverage-rich controls for premium reduction.
- Documented IR plan with annual or more frequent tabletop testing. Tested plans produce real outcomes; carriers reward the discipline.
- Pre-arranged IR retainer with a known provider. Reduces response time and total claim cost.
- Continuous testing evidence. Adversarial simulation, continuous penetration testing, and tabletop documentation. Carriers reward evidence over assertions.
- Mature governance documentation. Risk register, framework alignment, supply-chain risk management.
The premium math compounds. A manufacturer with phishing-resistant MFA, EDR with MDR, immutable backups, tested IR, and continuous testing evidence can see premium reductions of 20% to 40% versus the same manufacturer with weak versions of each.
Why mid-market manufacturers are getting premium hikes or non-renewals
The cyber insurance market for mid-market manufacturers has tightened in 2024-2026. Three drivers:
- Loss experience. Manufacturing has been disproportionately affected by ransomware. Carriers' loss ratios in the segment have been poor; they price the risk accordingly.
- Tightening control expectations. Controls that were optional in 2020 are baseline in 2026. Manufacturers that have not modernized find that their previous policy is no longer available at the same price (or at all).
- Carrier consolidation. Some carriers have left the cyber market entirely; others have narrowed appetite for specific industries. The available market shrank; pricing rose.
The result for mid-market manufacturers without proactive control investment: premium hikes of 20% to 200%, coverage sublimits on ransomware and BEC, or non-renewal notifications. Manufacturers with proactive investment: stable or improving terms, expanded coverage, choice of carriers.
The decision-relevant frame: cyber insurance underwriting is not a procurement event; it is the carrier's evaluation of the organization's actual security posture. Improving the posture improves the terms. Failing to improve produces tightening pressure year over year.
Examples of underwriting questionnaires and what the answers really mean
Underwriting questionnaires vary by carrier but cover similar ground. Sample questions and the reality behind them:
- "Is MFA required for all remote access?" A "yes" is expected. The follow-up: "What type of MFA?" Push-based MFA earns a smaller premium reduction than FIDO2 or passkeys, because push and OTP factors can be phished through a real-time proxy or worn down by push fatigue, while FIDO2 binds the credential to the origin. See What is phishing-resistant MFA?.
- "Do you have endpoint detection and response on all servers and workstations?" The implied threshold is "all". 95% coverage is a finding; the 5% gap is where attackers operate. Count against the asset inventory, not the EDR console, and treat an agent that has stopped reporting as uncovered.
- "Are backups stored offline or in an immutable form?" "Yes" is the expected answer in 2026. "No" produces premium impact. Cloud snapshots are usually not immutable by themselves: a snapshot that the same credentials administering production can delete is just another online copy. Immutability means a retention lock those credentials cannot shorten or remove; carriers know the distinction.
- "Have you tested your backups in the last 12 months?" Testing means actual restoration to a working state, not "we have backups". Documentation of the test matters.
- "Do you have a written incident response plan?" Required. Follow-up: "Has it been tested?" Untested plans count for less. Tabletop exercise documentation supports the answer.
- "How do you manage vendor remote access?" Named accounts, MFA, session recording, time-bounded access. "Vendors have VPN" is not sufficient.
- "Have you experienced a cyber incident in the last 5 years?" Truthful disclosure required. Misstatement at underwriting can void coverage. Recent incidents are not automatic non-renewal but require documentation of lessons learned and corrective actions.
- "Are you NIST CSF, ISO 27001, CMMC, or other framework aligned?" Framework alignment supports favorable terms. Documentation of the alignment matters more than the claim.
Each answer is a warranty. Subsequent claim disputes can hinge on whether the answer was accurate when given. Honesty plus documented evidence is the path to durable coverage.
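The EDR and MFA questions above are answered with numbers, and the numbers come from reconciling exports rather than from the EDR or identity console's own dashboard. The script below is an added example of that reconciliation, not ARG's tooling or any carrier's: it counts EDR coverage against the asset inventory (treating a silent agent as uncovered) and buckets accounts by their strongest MFA factor, listing privileged accounts that lack a phishing-resistant one. The CSV layouts, the `last_seen` field, the 30-day staleness threshold and the factor ranking are assumptions, and every sample row is constructed.

```python
"""Reconcile an asset inventory against EDR and MFA exports to produce the
coverage figures an underwriter asks for.

Added example, not ARG's tooling or any carrier's. The CSV layouts, the
'last_seen' field, the 30-day staleness threshold and the factor-strength
ranking are assumptions; all sample rows are constructed.
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Assumption: an agent that has not checked in for more than this many days is
# counted as uncovered. A silent agent is the "5% gap" the questionnaire probes.
STALE_AFTER_DAYS = 30

# Assumption: factor ranking. Only FIDO2/passkeys bind the credential to the
# origin and so survive real-time phishing proxies; push and TOTP do not.
FACTOR_RANK = {"fido2": 3, "passkey": 3, "push": 2, "totp": 2, "sms": 1}
RANK_LABEL = {3: "phishing_resistant", 2: "otp_or_push", 1: "sms", 0: "none"}

# Constructed sample exports (asset inventory, EDR console, identity provider).
INVENTORY_CSV = """hostname,owner,role
PLC-HMI-01,ot,workstation
eng-ws-12,it,workstation
eng-ws-13,it,workstation
fs01.corp.local,it,server
ERP-DB01,it,server
vendor-jump,it,server
"""

EDR_CSV = """hostname,last_seen
eng-ws-12,2026-03-01
eng-ws-13,2025-11-15
FS01,2026-03-02
erp-db01.corp.local,2026-03-02
"""

USERS_CSV = """user,privileged,mfa_methods
alice,yes,fido2;push
bob,yes,push
carol,no,sms
dave,no,
svc-vendor,yes,totp
"""


def norm_host(name: str) -> str:
    """Case-fold and drop the DNS suffix so 'FS01' and 'fs01.corp.local' match."""
    return name.strip().lower().split(".")[0]


def rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def edr_coverage(inventory_csv: str, edr_csv: str, today: date | str,
                 stale_after: int = STALE_AFTER_DAYS) -> dict:
    """Classify every inventoried host as covered, stale (agent silent) or missing."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    inventory = {norm_host(r["hostname"]) for r in rows(inventory_csv)}
    last_seen = {norm_host(r["hostname"]): date.fromisoformat(r["last_seen"])
                 for r in rows(edr_csv)}
    covered, stale, missing = [], [], []
    for host in sorted(inventory):
        seen = last_seen.get(host)
        if seen is None:
            missing.append(host)
        elif (today - seen).days > stale_after:
            stale.append(host)
        else:
            covered.append(host)
    total = len(inventory)
    return {
        "total": total,
        "covered": covered,
        "stale": stale,
        "missing": missing,
        # Only live agents count, and the inventory is the denominator.
        "percent": round(100 * len(covered) / total, 1) if total else 0.0,
    }


def mfa_summary(users_csv: str) -> dict:
    """Bucket each account by its strongest factor; list privileged accounts
    without a phishing-resistant one."""
    buckets = {label: [] for label in RANK_LABEL.values()}
    privileged_gap = []
    for r in rows(users_csv):
        methods = [m for m in r["mfa_methods"].split(";") if m]
        best = max((FACTOR_RANK.get(m.lower(), 0) for m in methods), default=0)
        buckets[RANK_LABEL[best]].append(r["user"])
        if r["privileged"].lower() == "yes" and best < 3:
            privileged_gap.append(r["user"])
    return {"by_strongest_factor": buckets,
            "privileged_without_phishing_resistant": privileged_gap}


if __name__ == "__main__":
    report = edr_coverage(INVENTORY_CSV, EDR_CSV, today="2026-03-10")
    print(f"EDR: {report['percent']}% of {report['total']} hosts covered; "
          f"stale={report['stale']} missing={report['missing']}")
    mfa = mfa_summary(USERS_CSV)
    print("Privileged accounts without phishing-resistant MFA:",
          mfa["privileged_without_phishing_resistant"])
```

On the constructed data the EDR console would report four enrolled agents, but the inventory-based figure is 50%: one agent is stale and two hosts (the OT HMI and the vendor jump host) have no agent at all. The `stale` and `missing` lists are the exception register the questionnaire's "all" threshold demands, and the privileged-account list is the MFA gap to close before submission.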
How to prepare a renewal package that lowers premium
Renewal preparation is not the questionnaire submission. It is the supporting evidence and the narrative.
The package that produces the best terms includes:
- Completed questionnaire with honest answers. Truthful in all material respects.
- Evidence per question. Where the questionnaire asks about MFA, the package includes screenshots of conditional access policy, deployment statistics, exception documentation. Where it asks about EDR, the package includes coverage reports, alert volume, and response metrics.
- Maturity narrative. A short executive summary of the program's current state, year-over-year changes, and planned improvements. The narrative gives the underwriter context the questionnaire cannot.
- Framework alignment documentation. Current NIST CSF profile, CIS Controls coverage map, or equivalent. Showing alignment to a framework produces favorable underwriting consideration.
- Recent testing evidence. Penetration test reports (with remediation status), tabletop exercise outputs, adversarial simulation findings with closure rates.
- Incident response plan and tabletop documentation. Plan version, signature page with executive sponsor, dates of recent tabletops, corrective actions tracked.
- Risk register. Current state of the risk register, particularly for risks the questionnaire surfaces.
- Supply chain and vendor risk evidence. Documented vendor inventory, security review process, breach notification clauses in contracts. See What is third-party risk for manufacturers?.
- Material improvements since last renewal. Specific changes (FIDO2 rollout, immutable backups, IR retainer, continuous testing) that materially improved the posture.
The package presents a program that is operating, not a program that exists on paper. The difference is measurable in pricing.
Best practices for sustaining favorable underwriting outcomes
Premium reduction is not a one-time event; it is a sustained outcome of program operation.
- Engage broker 120 to 180 days before renewal. The lead time matters; gaps surfaced early are closed before submission.
- Build the renewal evidence package as a byproduct of program operation. Documentation created during the year is the renewal package; reconstruction at renewal time is expensive and produces weaker evidence.
- Track which controls drive premium impact at your specific carrier. Carriers vary; understanding the specific signals at the active carrier informs investment priorities.
- Address negative signals proactively. The carrier's external scan surfaces exposed services and produces premium impact; run the same kind of scan yourself ahead of submission, and close, or put behind MFA, anything internet-facing that does not need to be there.
- Maintain framework alignment over time. NIST CSF profile updated annually; CMMC state documented where applicable; ISO 27001 certification maintained where pursued.
- Coordinate IT, security, finance, and broker. All four functions touch underwriting. Coordination produces consistent answers and supporting evidence.
- Use renewal feedback to inform investment. Broker debrief after renewal identifies what drove the outcome; the feedback informs next year's program priorities.
- Consider continuous-underwriting carriers as the program matures. Continuous underwriting rewards ongoing evidence of control operation, not just annual snapshots. See What is continuous underwriting?.
Cyber insurance underwriting FAQs
What is the most important control underwriters look at?
Multi-factor authentication, particularly phishing-resistant MFA on remote access, admin accounts, and email. After MFA, the most-asked controls are EDR coverage, backup with offline copies, incident response plan with documented testing, vendor remote-access governance, and patching cadence. The list is broadly consistent across major carriers.
How long before renewal should we engage with our broker?
120 to 180 days. Underwriters need time to assess; the organization needs time to close gaps the questionnaire surfaces. Engaging at 30 to 60 days produces rushed renewals at worse terms. The longer lead time produces materially better outcomes.
Does a pen test report help with underwriting?
Yes, if it shows program maturity. A pen test report with low findings is positive; a pen test report with critical findings that are remediated and re-tested is even better because it shows the program is operating. A pen test report sitting in a folder with un-remediated critical findings is worse than no report at all. See What is continuous penetration testing?.
What is the difference between admitted and non-admitted (surplus lines) markets?
Admitted carriers are licensed and regulated by the state where the policy is issued; their policy forms are state-approved. Non-admitted (surplus lines) carriers operate outside the admitted system; their forms have more flexibility but less consumer protection. Most mid-market cyber policies are admitted; specialty or hard-to-place risks often go to surplus lines.
How ARG's audit findings translate directly into underwriting-favorable evidence
ARG engagements produce the underwriting evidence package as a byproduct of the security program, not as a separate project.
The audit and continuous simulation work is led by David Ashby on the physical and procedural side and James Wall on the digital side. Each engagement output is structured to support insurance renewal:
- MFA evidence. Conditional access policy state, FIDO2/passkey deployment progress, weak-factor decommission status. See What is phishing-resistant MFA?.
- EDR and detection evidence. Coverage maps, MITRE ATT&CK technique coverage, detection drift surfaced through BAS and adaptive simulation.
- Backup evidence. Restoration testing logs, offline copy verification, recovery time documentation.
- IR evidence. IRP version with executive sign-off, tabletop exercise records, ransomware playbook documentation.
- Continuous testing evidence. Monthly operational packets, quarterly trend reports, year-over-year metrics. Carriers reward documented continuous testing over annual snapshots.
- Vendor and supply chain evidence. Vendor inventory, access governance, contract security clauses, third-party risk management program documentation.
- Framework alignment. NIST CSF profile, CIS Controls coverage map, CMMC state where applicable.
For founding clients, ARG's monthly operational packet is structured so the renewal evidence package can be assembled by the broker in days, not weeks. The expected outcome over the engagement's first 18 to 36 months is measurable premium impact at renewal, supported by documented control improvement and continuous testing evidence.
ARG's roadmap includes the development of a continuous-underwriting-aligned program that converts the engagement data into carrier-grade evidence in real time. See What is continuous underwriting? and What is a Managing General Agent (MGA)? for the longer-horizon direction.
Apply as a founding client or see how the engagement works for the full delivery cycle.
Find what gets through.
ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.