Cyber Insurance · 10 min read · 3 July 2026

Cyber Insurance for SaaS Startups: What Underwriters Ask About and How to Prepare in 2026

Cyber insurance has become a SaaS sales enabler, investor requirement, and financial safety net. Here's exactly what underwriters ask about MFA, EDR, backup, incident response, and patching — and how to improve your security posture before applying.

Why cyber insurance is now essential for SaaS companies

Cyber insurance has shifted from a nice-to-have to a business requirement. Enterprise customers ask for evidence of coverage during procurement. Investors increasingly require it as a condition of funding. And after a ransomware attack or data breach, it's the difference between a contained incident and an existential event.

The problem is that the market has hardened significantly since 2020–2021. After a wave of ransomware claims, insurers tightened underwriting requirements, added exclusions, and raised premiums. Getting coverage — especially at reasonable cost — now requires demonstrating a minimum security posture before you apply. This guide explains what underwriters actually evaluate and how to improve your position before submitting an application.

How the cyber insurance market works for SaaS

Cyber insurance underwriters evaluate risk across two dimensions: your industry sector and your security controls. SaaS companies sit in a moderately elevated risk tier — you process customer data, you're internet-facing, and a breach can affect many customers simultaneously. But SaaS companies that can demonstrate strong security controls get better terms than those that can't.

Key factors that drive your premium:

  • Revenue — higher revenue = higher coverage needs = higher premiums
  • Data types — health data, payment card data, and government IDs are rated highest
  • Security controls — MFA, EDR, backup, patching, and IR plan are the "Big 5" underwriters focus on
  • Prior incidents — any breach in the last 3–5 years significantly affects terms
  • Compliance certifications — SOC 2, ISO 27001, Cyber Essentials typically reduce premiums by 5–20%

The "Big 5" controls underwriters evaluate

Underwriters have become very specific about what they require. These five control areas appear on virtually every cyber insurance application:

1. Multi-Factor Authentication (MFA)

MFA is the single most important control for cyber insurers. Expect to be asked about:

  • Is MFA enforced for all remote access (VPN, remote desktop)?
  • Is MFA enforced for email (Microsoft 365 / Google Workspace)?
  • Is MFA enforced for privileged accounts and cloud admin consoles?
  • What percentage of users have MFA enabled?

Not having MFA for remote access or email is a common reason for decline or ransomware exclusions. Insurers have seen too many incidents where BEC and ransomware started with a compromised credential that MFA would have stopped.

2. Endpoint Detection & Response (EDR)

Traditional antivirus is not sufficient. Underwriters now specifically ask for EDR or Managed Detection and Response (MDR). They want to know:

  • What EDR tool is deployed?
  • What percentage of endpoints have EDR installed?
  • Is EDR actively monitored (24/7 MDR or in-house)?

Common acceptable EDR tools: CrowdStrike Falcon, Microsoft Defender for Endpoint (P2), SentinelOne, Carbon Black, Sophos Intercept X. Windows Defender basic (without Defender for Endpoint P2) is often flagged as insufficient.

3. Backup & Recovery

Backup is the primary ransomware defence. Underwriters have become very specific since they've paid ransomware claims where backups were also encrypted:

  • Are backups conducted regularly (daily for critical systems)?
  • Are backups stored separately from production (air-gapped, offline, or separate cloud account)?
  • Are backups immutable (can't be encrypted or deleted by ransomware)?
  • When were backups last tested for restoration?
  • What is your documented RTO and RPO?

Immutable backup technology: AWS S3 Object Lock, Azure Immutable Blob Storage, Veeam immutable repository, Backblaze. If your backups sit in the same cloud account as production with the same admin credentials, ransomware can delete them. Underwriters know this.
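An added example (not part of this guide, and not any insurer's tooling): a Python check that turns the "immutable, in a separate account" test above into concrete conditions for an AWS S3 backup bucket. It assumes the input dicts have the field names of the S3 Object Lock and versioning API responses; the account IDs, bucket names and values are constructed.

```python
# Constructed inputs in the shape the S3 API returns (assumption: field names as in
# boto3's get_object_lock_configuration / get_bucket_versioning; values are made up).
PRODUCTION_ACCOUNT = "111111111111"

SAMPLE_BUCKETS = {
    "saas-backups-vault": {  # separate account, COMPLIANCE mode: the strong answer
        "account": "222222222222",
        "lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}},
        "versioning": {"Status": "Enabled"},
    },
    "saas-backups-prod": {  # same account as production, GOVERNANCE mode, 7 days
        "account": "111111111111",
        "lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
        "versioning": {"Status": "Enabled"},
    },
}


def assess_backup_bucket(bucket, production_account, min_retention_days=30):
    """Return why a backup bucket would not count as immutable; [] means it does."""
    findings = []
    if bucket["account"] == production_account:
        findings.append("bucket is in the production account: the same admin "
                        "credentials that run production can delete it")
    if bucket["versioning"].get("Status") != "Enabled":
        findings.append("versioning is off; Object Lock requires versioning")
    cfg = bucket["lock"].get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; objects can be overwritten or deleted")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be shortened or removed by any principal holding
        # s3:BypassGovernanceRetention; COMPLIANCE cannot, not even by the root user.
        findings.append(f"default retention mode is {mode or 'unset'}; only COMPLIANCE "
                        "mode survives a compromised admin")
    days = retention.get("Days") or retention.get("Years", 0) * 365
    if days < min_retention_days:
        findings.append(f"default retention is {days} days; keep at least "
                        f"{min_retention_days} so restore points outlive an intrusion")
    return findings
```

An empty list is the answer you want to give on the application; anything else is a gap to close before you apply.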

4. Patch & Vulnerability Management

Underwriters ask about patching because unpatched known vulnerabilities (especially critical CVEs) are the leading cause of initial access in non-phishing attacks:

  • What is your SLA for applying critical patches?
  • Are any end-of-life operating systems or applications in use?
  • How often do you run vulnerability scans?

Industry benchmark: 14-day SLA for critical patches. EOL software (Windows Server 2012, PHP 7.x, etc.) is often a policy exclusion or decline reason. EOL is a known vulnerability by definition.

5. Incident Response Plan

A documented, tested incident response plan demonstrates that if something goes wrong, you won't make it worse:

  • Does a written IRP exist?
  • Has it been tested (tabletop or simulation) in the last 12 months?
  • Are breach notification obligations documented?
  • Is the insurer's notification hotline documented in the IRP?

Critical mistake to avoid: engaging external forensics or PR firms before notifying your insurer. Doing so can void coverage or complicate claims. The IRP should instruct the team to call the insurer first.

Additional questions you'll face on the application

Question Area | What They're Really Asking | Good Answer Signals
RDP exposure | Is Remote Desktop Protocol exposed directly to the internet? | No — behind VPN or Zero Trust only
Privileged access | Do privileged accounts have separate credentials from standard user accounts? | Yes — separate admin accounts, JIT access preferred
Email authentication | Are SPF, DKIM, and DMARC configured? | Yes — DMARC at p=quarantine or p=reject
Security training | Do employees receive security awareness training including phishing simulations? | Annual training + quarterly phishing simulations
Network segmentation | Are sensitive systems isolated from general business systems? | Yes — VPC segmentation, separate production environments
Penetration testing | When was your last third-party pen test? What was the most severe finding? | Within last 12 months; findings remediated
Third-party payment | Do you use a third-party payment processor (Stripe/Braintree) or handle card data directly? | Third-party processor — significantly reduces cardholder data risk
Prior incidents | Any security incidents, breaches, or ransomware attacks in the last 3–5 years? | None — or disclose and explain what changed
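An added example (not part of this guide): a Python check that answers the email-authentication row above from a domain's SPF and DMARC TXT records, flagging anything short of the "DMARC at p=quarantine or p=reject" answer. The domains and records below are constructed samples, not real DNS data.

```python
# Constructed sample TXT records (made-up domains), keyed by DNS label:
# "@" is the apex record set, "_dmarc" is what _dmarc.<domain> returns.
SAMPLE_RECORDS = {
    "example-good.test": {
        "@": ["v=spf1 include:_spf.google.com -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test; pct=100"],
    },
    "example-weak.test": {
        "@": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
    },
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; {} if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_email_auth(domain, records):
    """Return the gaps an underwriter would care about; [] means the strong answer."""
    findings = []
    spf = [r for r in records.get("@", []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat this as a permanent error")
    elif not spf[0].rstrip().endswith("-all"):
        findings.append("SPF: record does not end in -all (softfail/neutral is a weaker answer)")

    dmarc = [d for d in (parse_dmarc(r) for r in records.get("_dmarc", [])) if d]
    if not dmarc:
        findings.append(f"DMARC: no v=DMARC1 record at _dmarc.{domain}")
        return findings
    tags = dmarc[0]
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy}; underwriters expect p=quarantine or p=reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']}, so the policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings
```

Feed it the TXT strings from a lookup of the apex domain and _dmarc.<domain>; DKIM is not checked here because its selector records are per-sender and need a different lookup.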

Cyber insurers for tech and SaaS companies

Not all cyber insurers are equal for SaaS. Insurers with strong SaaS/tech practices:

  • Coalition (US/UK) — tech-focused, active scanning of your attack surface, strong claims service
  • At-Bay (US/UK) — continuous monitoring of your security posture, tech-native underwriting
  • Cowbell (US) — AI-driven underwriting, SMB SaaS specialist
  • Beazley (UK/global) — strong incident response team, tech sector experience
  • Hiscox (UK/EU) — broad SaaS coverage, good SMB products
  • Markel (UK) — competitive for smaller tech companies

Working with a specialist cyber broker is recommended — they know which insurers are competitive for your risk profile and can negotiate terms you can't get directly. In the UK, Howden, Lockton and Gallagher have specialist cyber practices.

How compliance certifications affect your premium

Certifications signal maturity to underwriters and typically reduce premiums:

  • SOC 2 Type II — strong signal; often produces 10–20% premium reduction. Tells the underwriter your controls have been independently tested over a period.
  • ISO 27001 — similar weight to SOC 2; particularly valued by UK/EU underwriters
  • Cyber Essentials Plus (UK) — valued as foundational; can help with lower limits; NCSC-backed credibility
  • PCI DSS compliance — relevant if you handle payment data; reduces card-related risk claims

Certifications in progress are worth disclosing — they show investment in security even if the certificate isn't yet issued.

30-day action plan before applying

Priority | Action | Time Needed | Impact
🔴 Critical | Enable MFA for all remote access and email | 1–3 days | Coverage potentially declined without this
🔴 Critical | Close RDP to internet — put behind VPN or Zero Trust | 1 day | Ransomware exclusion risk without this
🔴 Critical | Configure immutable backups in separate account | 1–2 days | Directly affects ransomware claim payouts
🔴 Critical | Deploy EDR on all endpoints | 3–5 days | Major underwriting factor
🟠 High | Write or update your Incident Response Plan | 2–4 hours | Required for most policies; easy win
🟠 High | Configure SPF, DKIM, DMARC (p=quarantine minimum) | 2–4 hours | BEC risk reduction; underwriter question
🟠 High | Test backup restoration and document the result | 2–4 hours | Directly affects ransomware claim outcome
🟡 Medium | Patch or decommission EOL software | Varies | Potential exclusion trigger

Use the free Cyber Insurance Readiness Assessment to evaluate your current posture against underwriting requirements and generate a prioritised gap report. For your Incident Response Plan, use the Incident Response Plan Generator. To document your penetration testing programme, see the Penetration Testing Policy Generator.