surable

July 19, 2026 · basics · requirements

Cybersecurity 101: the basic precautions insurers actually notice

The short answer

The cybersecurity basics insurers notice are the cheap, high-impact ones: enforced multi-factor authentication, endpoint detection and response (EDR), tested offline backups, prompt patching, email protection with a payment call-back rule, documented staff training, and a written, tested incident response plan. Most cost little or nothing and take hours, not months — and together they move you from 'declined' to 'insurable.'

T

The Founder

Founder, Surable · 20 years in IT and information security

If you run a small business, "cybersecurity" can sound like a project you'll never have time for. Here's the reassuring truth: the things that actually matter — the ones an insurance underwriter looks for, and the ones that stop the losses small businesses actually suffer — are mostly cheap, mostly fast, and mostly things you can decide to do this week. Fancy is not the goal. Boring and documented is.

In fact, 76% of companies say they invested in their defenses specifically to qualify for cyber insurance (Sophos, 2024) — the application has become the thing that finally gets businesses to do the basics. Let's make that easy. Here are the precautions insurers notice, in plain English, roughly in order of bang-for-effort.

What is the single most important thing to do first?

Turn on multi-factor authentication (MFA) for email — everywhere. MFA means a second step at login beyond your password: a tap on a phone app or a code. Because attackers usually have only a stolen or guessed password, that second step stops the large majority of account takeovers.

It's free, it's built into Microsoft 365 and Google Workspace, and enabling it for everyone takes an afternoon (most of which is telling your team it's coming). Its absence is the most common reason small businesses get declined for cyber coverage. If you do nothing else after reading this, do this.

How do I protect the actual computers?

Ask for EDR — endpoint detection and response. It's the modern replacement for old-school antivirus: instead of only matching known viruses, it watches for the behavior that precedes an attack and can stop ransomware in progress. Many 2026 applications ask for it by name. If you have an IT person or a managed service provider, "please put managed EDR on all our devices" is the sentence to send them. Microsoft Defender for Business is included with some Microsoft 365 plans, so you may already own it.

How do I make sure a ransomware attack can't end my business?

Keep tested, offline backups. Ransomware locks up your files and demands payment — and modern ransomware deletes any backups it can reach first. So the goal is a backup copy that ransomware can't reach: one that's offline or "immutable" (unchangeable once written).

The proof that it works is a restore test — actually recovering a file or system and confirming it opens. Backups fail silently; an untested backup is treated as no backup by experts and insurers alike. The payoff is real: a record 86% of ransomware victims refused to pay in 2026, and functioning backups are what made refusing possible (Coalition, 2026).

What about keeping software updated?

Patch promptly, and retire anything too old to update. Applying security updates closes the holes attackers use — and unpatched, internet-facing software is now a leading way they get in (Verizon DBIR, 2026). Turn on automatic updates everywhere you can, and put a recurring 15-minute monthly check on the calendar for the things that don't auto-update (servers, firewalls, that one old program). Anything the maker no longer supports should be replaced or strictly walled off.

How do I stop the scam that steals money by email?

Add email protection, and adopt a payment call-back rule. The most common way small businesses lose money isn't dramatic hacking — it's a convincing fake email that reroutes a payment. Business email compromise and funds-transfer fraud drive 58% of cyber claims (Coalition, 2026).

Two moves: ask your provider to turn on advanced anti-phishing protection (you may already license it), and adopt a simple rule everyone who touches money follows — any change to bank details or any unusual payment request is verified by phone at a number you already had, before money moves. That rule is free, fits on one page, and prevents the single most common loss outright.

Do I really need to "train" my staff?

Yes, and it can be light — but write it down. Applications ask whether training is documented, so the sign-in sheet is as important as the session. A short quarterly refresher on spotting phishing and verifying payments, with attendance recorded, satisfies the question and genuinely helps. You don't need a fancy platform to start; the Global Cyber Alliance offers a free small-business toolkit.

What's the one document that trips up the most applications?

A written incident response plan. It's the requirement most often missing entirely — not because it's hard, but because nobody owns it. It's a short playbook: who to call (including your insurance carrier's hotline), how to disconnect an affected computer, where the backups are, and who decides what. Carriers want it written and tested — and "tested" can be a 60-minute tabletop discussion where you walk through a pretend ransomware morning and write down what broke. That dated note is your proof.

Free help exists — use it

Recommending you spend nothing is easy here, because the government and nonprofits publish genuinely good, free resources: CISA's no-cost tools (including free vulnerability scanning), the FCC's Small Biz Cyber Planner that generates a written plan, and the Global Cyber Alliance toolkit with step-by-step guides. None of them cost a dollar, and recommending them is not a catch — it's just the honest answer.

Where to start

You don't have to do all of this at once. Do MFA today. Add the payment call-back rule and a one-page incident plan this week. Ask your IT provider about EDR and backups next. Each step both reduces real risk and improves how you'll look to an underwriter.

Want to know which of these you'd pass right now? The free Readiness Check scores you across all of them in five minutes — no email required — and tells you exactly which to fix first. Not sure what a term means? The glossary explains every one in a sentence.

Common questions

I'm not technical. Can I actually do these myself?+

Most of them, yes. Turning on MFA, adopting a payment call-back rule, and writing a one-page incident response plan need no special tools — just decisions and an afternoon. A few (EDR, advanced email filtering) are things your IT person or MSP sets up, but you can ask for them by name using this list.

Which one should I do first?+

Enforced MFA on email. It's free, takes an afternoon in Microsoft 365 or Google Workspace, and its absence is the single most common reason small businesses are declined. After that: a written incident response plan and a funds-transfer call-back rule, both free and both targeting the most common losses.

Do these actually lower my premium?+

They change whether you qualify and on what terms, which matters more than the sticker premium. Cyber rates have softened recently, so businesses that can prove these controls are the ones capturing better terms — while those that can't get surcharged, excluded, or declined. No one can promise a specific premium; carriers decide.

How do I prove I did them?+

Documentation. A written policy, a screenshot of your MFA enforcement setting, a dated backup-restore test, a training sign-in sheet. Applications ask whether controls exist AND are documented, and the attestation you sign makes your answers warranties — so the evidence is the point, not just the control.

Sources

Find out where you stand — free, in 5 minutes

Instant readiness score across the ten domains carriers probe, plus your top three gaps and how to fix them.

← All guides