Why cyber insurance is now essential for SaaS companies
Cyber insurance has shifted from a nice-to-have to a business requirement. Enterprise customers ask for evidence of coverage during procurement. Investors increasingly require it as a condition of funding. And after a ransomware attack or data breach, it's the difference between a contained incident and an existential event.
The problem is that the market has hardened significantly since 2020–2021. After a wave of ransomware claims, insurers tightened underwriting requirements, added exclusions, and raised premiums. Getting coverage — especially at reasonable cost — now requires demonstrating a minimum security posture before you apply. This guide explains what underwriters actually evaluate and how to improve your position before submitting an application.
How the cyber insurance market works for SaaS
Cyber insurance underwriters evaluate risk across two dimensions: your industry sector and your security controls. SaaS companies sit in a moderately elevated risk tier — you process customer data, you're internet-facing, and a breach can affect many customers simultaneously. But SaaS companies that can demonstrate strong security controls get better terms than those that can't.
Key factors that drive your premium:
- Revenue — higher revenue = higher coverage needs = higher premiums
- Data types — health data, payment card data, and government IDs are rated highest
- Security controls — MFA, EDR, backup, patching, and IR plan are the "Big 5" underwriters focus on
- Prior incidents — any breach in the last 3–5 years significantly affects terms
- Compliance certifications — SOC 2, ISO 27001, Cyber Essentials typically reduce premiums by 5–20%
The "Big 5" controls underwriters evaluate
Underwriters have become very specific about what they require. These five control areas appear on virtually every cyber insurance application:
1. Multi-Factor Authentication (MFA)
MFA is the single most important control for cyber insurers. Expect to be asked about:
- Is MFA enforced for all remote access (VPN, remote desktop)?
- Is MFA enforced for email (Microsoft 365 / Google Workspace)?
- Is MFA enforced for privileged accounts and cloud admin consoles?
- What percentage of users have MFA enabled?
Not having MFA for remote access or email is a common reason for decline or ransomware exclusions. Insurers have seen too many incidents where BEC and ransomware started with a compromised credential that MFA would have stopped.
2. Endpoint Detection & Response (EDR)
Traditional antivirus is not sufficient. Underwriters now specifically ask for EDR or Managed Detection and Response (MDR). They want to know:
- What EDR tool is deployed?
- What percentage of endpoints have EDR installed?
- Is EDR actively monitored (24/7 MDR or in-house)?
Common acceptable EDR tools: CrowdStrike Falcon, Microsoft Defender for Endpoint (P2), SentinelOne, Carbon Black, Sophos Intercept X. Windows Defender basic (without Defender for Endpoint P2) is often flagged as insufficient.
3. Backup & Recovery
Backup is the primary ransomware defence. Underwriters have become very specific since they've paid ransomware claims where backups were also encrypted:
- Are backups conducted regularly (daily for critical systems)?
- Are backups stored separately from production (air-gapped, offline, or separate cloud account)?
- Are backups immutable (can't be encrypted or deleted by ransomware)?
- When were backups last tested for restoration?
- What is your documented RTO and RPO?
Immutable backup technology: AWS S3 Object Lock, Azure Immutable Blob Storage, Veeam immutable repository, Backblaze. If your backups sit in the same cloud account as production with the same admin credentials, ransomware can delete them. Underwriters know this.
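The same "separate account, immutable, actually enforced" questions can be checked against a bucket's own configuration. This is an added example, not code from the article: it grades the dicts that boto3's `get_object_lock_configuration` and `get_bucket_versioning` return, using constructed sample responses so it runs offline; the 30-day retention floor is an assumption.

```python
# Added example (not the article's own code): check a backup bucket against the
# "immutable, separate account" questions above. It evaluates the dicts that
# boto3's get_object_lock_configuration / get_bucket_versioning return, so the
# constructed responses below run offline; swap in real API calls to use it.
from typing import List

MIN_RETENTION_DAYS = 30  # assumption: the retention floor you want to evidence


def assess_backup_bucket(lock_cfg: dict, versioning: dict,
                         backup_account: str, prod_account: str) -> List[str]:
    """Return the issues found; an empty list means the bucket passes."""
    issues = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        issues.append("Object Lock is off: backup objects can be deleted")
    else:
        retention = cfg.get("Rule", {}).get("DefaultRetention", {})
        mode = retention.get("Mode")
        if mode != "COMPLIANCE":
            # GOVERNANCE retention can be lifted by any principal holding
            # s3:BypassGovernanceRetention, i.e. by a compromised admin.
            issues.append(f"default retention mode is {mode}, not COMPLIANCE")
        days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
        if days < MIN_RETENTION_DAYS:
            issues.append(f"retention {days}d is below the {MIN_RETENTION_DAYS}d floor")
    if versioning.get("Status") != "Enabled":
        issues.append("versioning is off (Object Lock needs versioned objects)")
    if backup_account == prod_account:
        issues.append("backups sit in the production account: one set of admin "
                      "credentials can delete both")
    return issues


# Constructed sample responses; shapes follow boto3's documented output.
PROD_ACCOUNT = "111111111111"
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
VERSIONED = {"Status": "Enabled"}

if __name__ == "__main__":
    for label, cfg, account in (("good", GOOD_LOCK, "222222222222"),
                                ("weak", WEAK_LOCK, PROD_ACCOUNT)):
        issues = assess_backup_bucket(cfg, VERSIONED, account, PROD_ACCOUNT)
        print(label, "PASS" if not issues else "FAIL", *issues, sep="\n  ")
```

A GOVERNANCE-mode lock with a short retention in the production account fails on three counts, which is exactly the configuration that looks "immutable" on a form but would not survive a compromised administrator.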
4. Patch & Vulnerability Management
Underwriters ask about patching because unpatched known vulnerabilities (especially critical CVEs) are the leading cause of initial access in non-phishing attacks:
- What is your SLA for applying critical patches?
- Are any end-of-life operating systems or applications in use?
- How often do you run vulnerability scans?
Industry benchmark: 14-day SLA for critical patches. EOL software (Windows Server 2012, PHP 7.x, etc.) is often a policy exclusion or decline reason. EOL software no longer receives security patches, so underwriters treat it as a known, permanent vulnerability.
5. Incident Response Plan
A documented, tested incident response plan demonstrates that if something goes wrong, you won't make it worse:
- Does a written IRP exist?
- Has it been tested (tabletop or simulation) in the last 12 months?
- Are breach notification obligations documented?
- Is the insurer's notification hotline documented in the IRP?
Critical mistake to avoid: engaging external forensics or PR firms before notifying your insurer. Doing so can void coverage or complicate claims. The IRP should instruct the team to call the insurer first.
Additional questions you'll face on the application
| Question Area | What They're Really Asking | Good Answer Signals |
|---|---|---|
| RDP exposure | Is Remote Desktop Protocol exposed directly to the internet? | No — behind VPN or Zero Trust only |
| Privileged access | Do privileged accounts have separate credentials from standard user accounts? | Yes — separate admin accounts, JIT access preferred |
| Email authentication | Are SPF, DKIM, and DMARC configured? | Yes — DMARC at p=quarantine or p=reject |
| Security training | Do employees receive security awareness training including phishing simulations? | Annual training + quarterly phishing simulations |
| Network segmentation | Are sensitive systems isolated from general business systems? | Yes — VPC segmentation, separate production environments |
| Penetration testing | When was your last third-party pen test? What was the most severe finding? | Within last 12 months; findings remediated |
| Third-party payment | Do you use a third-party payment processor (Stripe/Braintree) or handle card data directly? | Third-party processor — significantly reduces cardholder data risk |
| Prior incidents | Any security incidents, breaches, or ransomware attacks in the last 3–5 years? | None — or disclose and explain what changed |
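The email authentication row above has a crisp pass/fail, so it is worth checking your own records before the application does. This is an added example, not code from the article: it grades raw SPF and DMARC TXT record strings against the "good answer" column, on constructed sample records so it runs offline; the domain names in the samples are placeholders.

```python
# Added example (not the article's own code): grade SPF and DMARC TXT records
# against the "good answer" column above. Works on raw record strings, so the
# constructed samples below run offline; feed it live DNS TXT data to use it.
import re
from typing import List, Optional


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_email_auth(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[str]:
    """Return the gaps an underwriter would flag; an empty list is a good answer."""
    gaps = []
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        gaps.append("no SPF record")
    else:
        # The 'all' mechanism decides the fate of unlisted senders; an empty
        # qualifier means '+' (pass), which authorises the whole internet.
        match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", spf_txt.lower())
        if not match or match.group(1) in ("", "+", "?"):
            gaps.append("SPF does not restrict unlisted senders (end with ~all or -all)")
    if not dmarc_txt:
        gaps.append("no DMARC record")
        return gaps
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1":
        gaps.append("DMARC record is malformed (missing v=DMARC1)")
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        gaps.append(f"DMARC policy is p={policy}; quarantine or reject expected")
    # pct below 100 applies the policy to only a sample of failing mail.
    if tags.get("pct", "100") != "100":
        gaps.append(f"DMARC pct={tags['pct']} leaves part of mail unenforced")
    if "rua" not in tags:
        gaps.append("no rua= address, so no aggregate reports to evidence monitoring")
    return gaps


# Constructed sample records (not real domains' data).
GOOD_SPF = "v=spf1 include:_spf.mailer.example -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
```

`evaluate_email_auth(WEAK_SPF, WEAK_DMARC)` returns four gaps, the last two (partial `pct` and no reporting address) being the ones a "yes, we have DMARC" answer usually hides.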
Cyber insurers for tech and SaaS companies
Not all cyber insurers are equal for SaaS. Insurers with strong SaaS/tech practices:
- Coalition (US/UK) — tech-focused, active scanning of your attack surface, strong claims service
- At-Bay (US/UK) — continuous monitoring of your security posture, tech-native underwriting
- Cowbell (US) — AI-driven underwriting, SMB SaaS specialist
- Beazley (UK/global) — strong incident response team, tech sector experience
- Hiscox (UK/EU) — broad SaaS coverage, good SMB products
- Markel (UK) — competitive for smaller tech companies
Working with a specialist cyber broker is recommended — they know which insurers are competitive for your risk profile and can negotiate terms you can't get direct. In the UK, Howden, Lockton and Gallagher have specialist cyber practices.
How compliance certifications affect your premium
Certifications signal maturity to underwriters and typically reduce premiums:
- SOC 2 Type II — strong signal; often produces 10–20% premium reduction. Tells the underwriter your controls have been independently tested over a period.
- ISO 27001 — similar weight to SOC 2; particularly valued by UK/EU underwriters
- Cyber Essentials Plus (UK) — valued as foundational; can help with lower limits; NCSC-backed credibility
- PCI DSS compliance — relevant if you handle payment data; reduces card-related risk claims
Certifications in progress are worth disclosing — they show investment in security even if the certificate isn't yet issued.
30-day action plan before applying
| Priority | Action | Time Needed | Impact |
|---|---|---|---|
| 🔴 Critical | Enable MFA for all remote access and email | 1–3 days | Coverage potentially declined without this |
| 🔴 Critical | Close RDP to internet — put behind VPN or Zero Trust | 1 day | Ransomware exclusion risk without this |
| 🔴 Critical | Configure immutable backups in separate account | 1–2 days | Directly affects ransomware claim payouts |
| 🔴 Critical | Deploy EDR on all endpoints | 3–5 days | Major underwriting factor |
| 🟠 High | Write or update your Incident Response Plan | 2–4 hours | Required for most policies; easy win |
| 🟠 High | Configure SPF, DKIM, DMARC (p=quarantine minimum) | 2–4 hours | BEC risk reduction; underwriter question |
| 🟠 High | Test backup restoration and document the result | 2–4 hours | Directly affects ransomware claim outcome |
| 🟡 Medium | Patch or decommission EOL software | Varies | Potential exclusion trigger |
Use the free Cyber Insurance Readiness Assessment to evaluate your current posture against underwriting requirements and generate a prioritised gap report. For your Incident Response Plan, use the Incident Response Plan Generator. To document your penetration testing programme, see the Penetration Testing Policy Generator.