Cyber Insurance Readiness Checklist

Not optional. Must be required via Conditional Access, not just 'encouraged'. Includes admins, regular users, and service accounts.

Global Admins, Exchange Admins, Security Admins - zero exceptions. SMS is no longer acceptable; must use authenticator app or hardware token.

Most insurers now require 12+ characters (was 8). Must include complexity requirements or use passphrases.

Admins must use separate, locked-down devices for administrative work. No browsing/email on admin workstations.

Document who has access to what, remove terminated employees within 24 hours, review permissions every 90 days.

Microsoft Defender for Business, CrowdStrike, SentinelOne, or equivalent. Basic antivirus is no longer sufficient.

Intune, Jamf, or equivalent. Must enforce encryption, PIN requirements, and remote wipe capability.

BitLocker (Windows), FileVault (Mac), or equivalent. Must be centrally managed and auditable.

Windows Update, macOS updates must install within 30 days of release. No user override allowed.

If allowing BYOD, must use MAM (Mobile Application Management) with containerization.

Microsoft Defender for Office 365 P1/P2, Proofpoint, Mimecast, or equivalent. Must include Safe Links and Safe Attachments.

Email authentication to prevent spoofing. DMARC policy must be set to 'quarantine' or 'reject', not 'none'.

Visual indicators when email originates outside your organization.

Block .exe, .scr, .bat, .js, .vbs, .iso files from email. Use Safe Attachments for documents.

Veeam, AvePoint, Datto, or equivalent. Microsoft retention policies are NOT backups. Must backup Exchange, OneDrive, SharePoint, Teams.

Must use immutable storage or offline backup copies that ransomware cannot reach.

Document successful test restores. Must prove you can actually recover data.

Most insurers require 30+ days of backup retention. 90 days preferred.

Protects against regional disasters (fire, flood, earthquake).

KnowBe4, SANS, Microsoft training, or equivalent. Must be documented with completion tracking.

Send fake phishing emails, track who clicks, provide remedial training.

Must include real-world examples relevant to your industry.

Part of onboarding process, before access to company systems.

Document who to contact, what steps to take, how to contain breaches. Update annually.

IT provider, cyber insurance hotline, legal counsel, forensics firm.

Simulate a ransomware attack with leadership team. Document lessons learned.

Don't wait until you're breached to find this information.

Modern next-gen firewall (Fortinet, Palo Alto, Cisco, WatchGuard). Must be configured properly, not default settings.

RDP is a common ransomware vector. If required, must be behind VPN with MFA.

Zero Trust VPN preferred. Split-tunnel VPN acceptable if properly configured.

Guest WiFi isolated from corporate network. Servers segmented from workstations.

Firewall logs, authentication logs, security event logs. Required for forensics.

IT providers, cloud services, payroll processors. Ask about their MFA, backups, incident response.

Required for PIPEDA compliance. Must define security responsibilities.

Remove vendors who no longer need access. Ensure vendors use separate accounts, not your admin credentials.

Vendors should carry their own cyber insurance. Get Certificate of Insurance.