What underwriters require — and how to document it before your next renewal
How to Use This Checklist
Work through each section with your IT provider. For each item, identify:
• Whether the control is in place (YES / NO / PARTIAL)
• What documentation exists to prove it
• Whether the documentation is sufficient for a post-incident audit
Bring your completed checklist to your insurance broker meeting. This document demonstrates proactive risk management and can support premium negotiations.
Section 1: Multi-Factor Authentication
This is the #1 underwriter requirement. Carriers now require MFA not just “somewhere” but comprehensively, with evidence.
Requirement | What Carriers Want to See | Status |
MFA on all business email | Screenshot of MFA enforced via policy (not just user-optional) | YES / NO / PARTIAL |
MFA on all remote access (VPN, RDP) | VPN config showing MFA required; no open RDP to internet | YES / NO / PARTIAL |
MFA on all privileged/admin accounts | Admin accounts require MFA; separate from standard accounts | YES / NO / PARTIAL |
MFA on all critical business apps | CRM, accounting, HR, banking — all require MFA at login | YES / NO / PARTIAL |
MFA enforcement is policy-based | Users cannot bypass or disable MFA; IT controls enforcement | YES / NO / PARTIAL |
PARTIAL MFA is a yellow flag for carriers. “Most of our users have it” is not the same as “MFA is enforced for all users on all covered systems.” Know your actual coverage before you attest.
Section 2: Endpoint Security
Requirement | What Carriers Want to See | Status |
EDR on all endpoints | EDR software (not basic AV) on 100% of company devices; license count matches device count | YES / NO / PARTIAL |
EDR is actively monitored | Alerts reviewed by IT team or managed SOC; incident response process exists | YES / NO / PARTIAL |
All devices on supported OS | No Windows 7, Windows 8, Windows Server 2008, or other end-of-life (EOL) systems in production | YES / NO / PARTIAL |
Full-disk encryption on laptops | BitLocker or FileVault enabled; enforced via MDM policy | YES / NO / PARTIAL |
MDM on mobile devices | All company mobile devices enrolled; remote wipe enabled | YES / NO / PARTIAL |
Section 3: Backup and Recovery
Requirement | What Carriers Want to See | Status |
Automated daily backups | Backup logs showing daily successful completion for 30+ days | YES / NO / PARTIAL |
Backups isolated from production network | Backups stored off-site, in separate cloud tenant, or air-gapped; not on same network as endpoints | YES / NO / PARTIAL |
Backups are ransomware-resistant | Immutable storage or versioning that prevents attacker deletion or encryption | YES / NO / PARTIAL |
Backups tested for restoration | Documented test restore within last 90 days; results on file | YES / NO / PARTIAL |
RTO/RPO targets defined | Recovery time and recovery point objectives documented | YES / NO / PARTIAL |
This is the section most often misrepresented on Arizona applications. Cloud sync (OneDrive, Dropbox) is NOT the same as a backup. If the ransomware encrypts your synced files, your “backup” is also encrypted.
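The two evidence items carriers ask for here, 30 days of successful daily completions and a restore test inside 90 days, can be checked mechanically before you attest. The script below is an added example (not AEGITz's or any backup product's tooling) that assumes a hypothetical one-line-per-job log in the form "YYYY-MM-DD job STATUS", with the sample log constructed in code.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

def build_sample_log(as_of: date, days: int = 30, with_defects: bool = True) -> List[str]:
    """Constructed sample log, one 'YYYY-MM-DD job STATUS' line per day. With defects
    enabled, one day has no job record at all and another ran but failed."""
    lines = []
    for back in range(days - 1, -1, -1):
        day = as_of - timedelta(days=back)
        if with_defects and back == 18:
            continue  # gap: the job never ran, so there is no line to find
        status = "FAILED quota exceeded" if with_defects and back == 9 else "SUCCESS"
        lines.append(f"{day.isoformat()} nightly-full {status}")
    return lines

# Constructed inputs used for the stand-alone run below.
AS_OF = date(2024, 3, 31)
LAST_RESTORE_TEST = date(2024, 2, 15)
SAMPLE_LOG = build_sample_log(AS_OF)

def audit_backups(lines: List[str], as_of: date, window_days: int = 30,
                  last_restore_test: Optional[date] = None) -> Dict[str, object]:
    """Require a SUCCESS entry for every day in the window (a day with only a FAILED
    line, or no line at all, counts as missing) and a restore test within 90 days."""
    successes = set()
    failed_days = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed line: skip it rather than count it as a success
        day = date.fromisoformat(parts[0])
        if parts[2].startswith("SUCCESS"):
            successes.add(day)
        else:
            failed_days.append(day)
    window = [as_of - timedelta(days=n) for n in range(window_days)]
    missing = sorted(d for d in window if d not in successes)
    if not missing:
        daily_status = "YES"
    elif len(missing) < window_days:
        daily_status = "PARTIAL"
    else:
        daily_status = "NO"
    restore_ok = last_restore_test is not None and (as_of - last_restore_test).days <= 90
    return {
        "daily_backups": daily_status,
        "missing_days": [d.isoformat() for d in missing],
        "failed_days": [d.isoformat() for d in failed_days],
        "restore_tested_90d": "YES" if restore_ok else "NO",
    }

if __name__ == "__main__":
    print(audit_backups(SAMPLE_LOG, AS_OF, last_restore_test=LAST_RESTORE_TEST))
```

A PARTIAL result with the missing dates listed is exactly the gap an auditor would find after an incident, so fix it and re-run before the renewal meeting.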
Section 4: Email Security
Requirement | What Carriers Want to See | Status |
Advanced email filtering | Anti-phishing, anti-malware, sandboxing (not just basic spam filter) | YES / NO / PARTIAL |
Domain authentication configured | SPF, DKIM, and DMARC all configured and in enforcement mode | YES / NO / PARTIAL |
External email labeling | Emails from outside the organization are labeled to alert recipients | YES / NO / PARTIAL |
BEC awareness training | Staff trained specifically on business email compromise; documented | YES / NO / PARTIAL |
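"Configured" and "in enforcement mode" are different answers for SPF and DMARC: a softfail SPF record or a DMARC policy of p=none is present in DNS but blocks nothing. The checker below is an added example (not AEGITz's tooling) that applies the checklist's YES / NO / PARTIAL grading to a domain's records; the domain names, DKIM selector and TXT records are constructed and stand in for a live DNS lookup.

```python
from typing import Dict, List

# Constructed sample TXT records for hypothetical domains (not real DNS data);
# the dict stands in for a resolver so the check runs offline.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.test": ["v=spf1 include:_spf.weak.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
}

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict with lowercase keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_enforced(records: List[str]) -> bool:
    """SPF is enforcing only when the v=spf1 record ends in hard fail (-all);
    '~all' (softfail) and '?all' (neutral) are configured but not enforced."""
    for r in records:
        if r.strip().lower().startswith("v=spf1"):
            return r.strip().lower().endswith("-all")
    return False

def dmarc_enforced(records: List[str]) -> bool:
    """DMARC is enforcing only with p=quarantine or p=reject applied to all mail;
    p=none is monitoring only, and pct<100 exempts part of the mail stream."""
    for r in records:
        tags = parse_tags(r)
        if tags.get("v", "").upper() == "DMARC1":
            policy = tags.get("p", "none").lower()
            return policy in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100
    return False

def dkim_published(records: List[str]) -> bool:
    """A DKIM selector record is usable when it carries a non-empty public key (p=)."""
    return any(parse_tags(r).get("p") for r in records)

def assess_domain(domain: str, selectors: List[str],
                  txt: Dict[str, List[str]] = SAMPLE_TXT) -> Dict[str, object]:
    """Map the three checks onto the checklist's YES / NO / PARTIAL status."""
    spf = spf_enforced(txt.get(domain, []))
    dmarc = dmarc_enforced(txt.get(f"_dmarc.{domain}", []))
    dkim = any(dkim_published(txt.get(f"{s}._domainkey.{domain}", [])) for s in selectors)
    passed = sum([spf, dmarc, dkim])
    status = "YES" if passed == 3 else ("NO" if passed == 0 else "PARTIAL")
    return {"domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc, "status": status}
```

DKIM selectors are not discoverable from the domain alone, so the selector names must come from your mail platform's configuration.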
Section 5: Access Control
Requirement | What Carriers Want to See | Status |
Principle of least privilege | Users have access only to systems required for their role; access reviewed annually | YES / NO / PARTIAL |
Privileged accounts separated | Admin accounts are distinct from daily-use accounts; documented | YES / NO / PARTIAL |
Formal offboarding process | Access revoked within 24 hours of termination; documented process | YES / NO / PARTIAL |
No shared credentials | Every user has unique login; shared accounts eliminated or documented with justification | YES / NO / PARTIAL |
Vendor access reviewed | Third-party vendor access audited at least annually | YES / NO / PARTIAL |
Section 6: Incident Response
Requirement | What Carriers Want to See | Status |
Written IR plan exists | Documented incident response plan with named roles and contact list | YES / NO / PARTIAL |
IR plan has been tested | Tabletop exercise or real-world test within last 12 months; documented | YES / NO / PARTIAL |
IT provider has 24/7 availability | SLA with defined emergency response time; after-hours contact documented | YES / NO / PARTIAL |
Forensics vendor identified | Preferred forensics firm or insurer-provided firm pre-identified | YES / NO / PARTIAL |
Breach counsel identified | Outside legal counsel familiar with Arizona ARS § 18-552 breach notification law identified | YES / NO / PARTIAL |
Section 7: Security Awareness Training
Requirement | What Carriers Want to See | Status |
Annual training for all staff | Training completion records showing 100% staff participation; dated | YES / NO / PARTIAL |
Phishing simulations conducted | Quarterly phishing simulation results; click rate tracked over time | YES / NO / PARTIAL |
New hire training at onboarding | Security training documented as part of onboarding checklist | YES / NO / PARTIAL |
BEC-specific training content | Training explicitly covers wire transfer fraud and business email compromise | YES / NO / PARTIAL |
Documentation You Should Have Ready
When your carrier conducts a post-incident audit in Arizona, these are the documents they will request. Have them ready before the incident, not after.
☐ MFA configuration screenshot from admin portal (dated)
☐ EDR deployment report showing all licensed endpoints (dated)
☐ Backup completion logs for last 30 days
☐ Most recent backup restoration test report with date and result
☐ Security awareness training completion records with dates
☐ Most recent phishing simulation results
☐ Written incident response plan (dated, version controlled)
☐ Access review documentation (who reviewed, when, what was changed)
☐ IT provider SLA documentation
☐ Offboarding checklist with timestamps for recent terminations
AEGITz provides all clients with a documentation package aligned to current carrier requirements. If you’re preparing for a renewal or want to verify your current posture, ask about our Cyber Insurance Readiness Assessment.
