1. MFA on all admin and email accounts?

Yes No / Not sure

Non-negotiable — expect underwriting decline without it.

2. EDR or equivalent on all endpoints?

Yes No / Not sure

Defender for Business, SentinelOne, CrowdStrike, Sophos all qualify.

3. Offsite, tested backups (3-2-1 rule)?

Yes No / Not sure

3 copies, 2 different media, 1 offsite. Test quarterly.

4. Written incident response plan?

Yes No / Not sure

Even one-pager covering detection, containment, comms, recovery.

5. Security-awareness training (annual)?

Yes No / Not sure

KnowBe4, Hoxhunt, even free phishing simulations.

6. Email security gateway (spam/phish filter beyond native)?

Yes No / Not sure

Proofpoint, Mimecast, or even Microsoft Defender for 365.

7. Vulnerability management program (patching cadence)?

Yes No / Not sure

Document "we patch within 30 days of release." Implement it.

8. Privileged access management / separation of duties?

Yes No / Not sure

Admin accounts separate from daily-use accounts.

9. Logging + SIEM or managed detection?

Yes No / Not sure

Even something as simple as centralized syslog counts.

10. Vendor/supply-chain security review process?

Yes No / Not sure

SOC 2 + DPA in hand for critical SaaS vendors.

11. Data classification and access control on sensitive data?

Yes No / Not sure

HR, finance, customer PII — documented access controls.

12. Business continuity / disaster recovery plan?

Yes No / Not sure

RTO/RPO documented. Tested at least yearly.

13. Encryption at rest for sensitive data?

Yes No / Not sure

Most cloud services have this. Document it for your policy.

Cyber Insurance Readiness Tool