Cyber insurance has quietly become the most powerful forcing function in SMB security. Your underwriter, not your CISO, now decides which controls you must have — and they decide at renewal time, on a deadline, with real money on the line. If you can’t produce evidence, you get denied or premium-loaded.
The stakes are not hypothetical:
- 41% of SMB cyber-insurance applications are denied on first submission. (Coalition 2026)
- 73% of SMBs fail their cyber-insurance assessment. (Coalition 2026)
- The top two cited refusal reasons are missing MFA and inadequate endpoint protection (EDR).
Here’s the checklist carriers actually use — and what evidence to have ready.
The eight control families carriers check
Every major SMB carrier (Coalition, Travelers, Chubb, At-Bay, Cowbell, Hiscox, and others) uses some variant of these eight control families. A “Yes” on six of eight is the typical renewal floor; below five usually means denial or a 20–40% premium load.
- MFA enforcement — on all admin accounts, remote access, email, and critical SaaS. Evidence: a per-user MFA-coverage report with the gap list named.
- Endpoint protection (EDR, not just AV) — coverage percentage across Mac, Windows, and Linux. Evidence: an endpoint inventory showing total vs. covered vs. stale agents.
- Email security beyond the M365/Workspace default — BEC detection, phishing protection. Evidence: a last-90-day blocked/quarantined report.
- Privileged access management — separate admin accounts, no shared service accounts. Evidence: a privileged-account inventory with last-used timestamps.
- Identity threat detection — impossible-travel and MFA-fatigue detection. Evidence: an ITDR event log and breach-exposure report by user.
- Backup + tested recovery — 3-2-1 backups, an immutable copy, a restore tested in the last 12 months. Evidence: a backup-coverage audit with last-tested-restore date.
- Incident response plan — written, tested, with named roles. Evidence: an IR playbook library and an auditable incident log.
- Logging + monitoring — ≥90 days of retention with alerting. Evidence: log-retention proof and a correlated-incident report.
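As an added illustration (not Centeye's code or any carrier's tooling), a small Python script that turns constructed inventory data into four of the evidence rows above (MFA gap list, endpoint total vs. covered vs. stale, last-tested-restore age, log retention) and scores all eight rows against the six-of-eight floor; the 30-day stale-agent threshold and the four hand-attested rows are assumptions.

```python
from datetime import date
# Constructed sample inventories (hypothetical data, not from any real tenant).
TODAY = date(2026, 3, 1)
STALE_AFTER_DAYS = 30  # assumption: an EDR agent silent for more than 30 days counts as stale
USERS = [("alice", True, True), ("bob", False, False), ("carol", True, False)]  # (user, is_admin, mfa)
ENDPOINTS = [  # (host, edr_installed, last_checkin)
    ("mac-01", True, date(2026, 2, 27)),
    ("win-07", True, date(2025, 12, 1)),  # installed but silent for 90 days: stale
    ("lnx-03", False, None),
]
BACKUP_LAST_RESTORE_TEST = date(2025, 6, 15)
LOG_RETENTION_DAYS = 120

def mfa_report(users=USERS):
    """Row 1: per-user coverage with the gap list named; any admin without MFA fails the row."""
    gaps = [u for u, _, mfa in users if not mfa]
    admin_gaps = [u for u, admin, mfa in users if admin and not mfa]
    return {"covered": len(users) - len(gaps), "total": len(users),
            "gaps": gaps, "admin_gaps": admin_gaps, "pass": not admin_gaps}

def edr_report(endpoints=ENDPOINTS, today=TODAY):
    """Row 2: total vs. covered vs. stale agents; passes only if every endpoint has a live agent."""
    live = lambda seen: seen is not None and (today - seen).days <= STALE_AFTER_DAYS
    covered = [h for h, inst, seen in endpoints if inst and live(seen)]
    stale = [h for h, inst, seen in endpoints if inst and not live(seen)]
    missing = [h for h, inst, _ in endpoints if not inst]
    return {"total": len(endpoints), "covered": len(covered), "stale": stale,
            "missing": missing, "pass": len(covered) == len(endpoints)}

def backup_report(last_test=BACKUP_LAST_RESTORE_TEST, today=TODAY):
    """Row 6: the last tested restore must fall within the last 12 months."""
    age_days = (today - last_test).days
    return {"last_tested_restore": last_test.isoformat(), "age_days": age_days, "pass": age_days <= 365}
def logging_report(retention_days=LOG_RETENTION_DAYS):
    """Row 8: at least 90 days of retention."""
    return {"retention_days": retention_days, "pass": retention_days >= 90}
def build_answers():
    """Rows 1, 2, 6 and 8 computed from inventory; rows 3, 4, 5 and 7 attested by hand (assumed values)."""
    return {"mfa": mfa_report()["pass"], "edr": edr_report()["pass"], "email_security": True,
            "pam": True, "itdr": False, "backup": backup_report()["pass"], "ir_plan": True,
            "logging": logging_report()["pass"]}
def readiness(answers):
    """Score all eight rows: six of eight is the typical floor, below five reads as denial or a load."""
    yes = sum(1 for v in answers.values() if v)
    status = ("meets the typical renewal floor" if yes >= 6 else
              "borderline: expect follow-up questions or a premium load" if yes == 5 else
              "below five: expect denial or a 20-40% premium load")
    return {"yes": yes, "of": len(answers), "status": status,
            "gaps": sorted(k for k, v in answers.items() if not v)}
```

Swap the constructed lists for exports from your identity provider, EDR console, backup tool and SIEM and the same functions produce the attachable evidence.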
Why this is getting harder, not easier
Carriers are tightening because the losses are real. BEC and funds-transfer fraud account for 58% of all claims (Coalition 2026), and the average sub-500-employee breach now costs $3.31M — the only company-size band whose breach cost rose in 2025 (IBM Cost of a Data Breach 2025). Underwriters are pricing that in.
Two controls carriers will ask about next
Coalition and Sophos data suggest two more questions are coming to the questionnaire by 2027:
- Leaked-credential (dark-web) exposure monitoring per user — credential reuse is a top-three initial-access vector, and Microsoft only ships this in Entra ID P2 (~$9/user/month).
- Explainable AI security analysis — as carriers begin awarding discounts for demonstrable AI defense.
Get ahead of both now and your next two renewals get easier.
How Centeye maps to all eight (plus the next two)
Centeye was built to cover this control stack, not because we read insurance manuals, but because it’s what an actual SMB SOC needs. The Identity/ITDR surface produces the MFA-posture and impossible-travel evidence (rows 1 and 5). Endpoint/EDR produces the coverage report (row 2). Email & BEC produces the quarantine evidence (row 3). The SIEM correlation layer produces the >90-day retention proof (row 8). And Argus, the plain-English vCSO, writes the board-ready readiness report that maps your controls to the questionnaire — including the dark-web exposure and explainable-AI capabilities carriers will ask about next.
The result: application questions answered in minutes, a single source-of-truth PDF to attach, and a business pre-stamped as renewable.
For MSPs, this turns renewal season from a support cost into a sales motion — see how an MSP runs 24/7 security without a 24/7 team.
Want a populated version of this checklist for your environment? Get a demo.
Figures cited from industry cyber-insurance surveys (2025), the Coalition 2026 Cyber Claims Report, and the IBM Cost of a Data Breach Report 2025. This article is informational and is not insurance advice; always work with a licensed broker.