Cyber-insurance underwriting for financial services firms has changed dramatically in the past three years. The losses carriers paid out during the ransomware wave of 2020-2022 pushed the market to a sharp correction. Premiums climbed. Capacity contracted. And the questionnaire — the document that used to fit on two pages and ask whether the firm had a firewall — expanded to twenty pages of specific technical controls that underwriters now verify before binding a policy.
For financial services firms, the stakes on the questionnaire are higher than for most industries. Your client agreements, custodian agreements, and state regulatory requirements often mandate that you carry cyber insurance. A nonrenewal or a coverage gap can trigger a cascade of business and regulatory problems. And if an incident happens and the carrier determines that the answers on your application were inaccurate, the claim can be denied entirely.
Below is the 2024 carrier baseline we use when we prepare financial services firms for renewal or for a first-time policy. Every item here is commonly asked. Missing any of them substantially reduces the number of carriers willing to quote your firm.
Identity and Access Controls
Multi-factor authentication is now a binary requirement. Every remote access path, whether VPN, remote desktop, or cloud application login, must be protected by MFA for every user without exception. Every privileged account must have MFA even for on-premise access. Every email account must have MFA. Carriers increasingly specify phishing-resistant MFA, meaning FIDO2 hardware security keys or platform-bound passkeys rather than SMS codes or simple push approvals, both of which an attacker can capture with a real-time phishing page or wear down with repeated push prompts. The tolerance for SMS and push-only MFA that survived 2022 is closing fast.
Privileged access management sits alongside MFA as a carrier must-have. Every administrator must use a dedicated administrative account with its own credential, separate from the day-to-day user account. Privileged session activity must be logged, and the logs retained for at least a year. Where possible, privileged access should be just-in-time rather than standing: the admin elevates into the role for a specific task and the elevation expires when the task is done.
Shared accounts are a negative signal on the questionnaire. If any accounts in the environment — service accounts, generic user accounts, break-glass accounts — are shared across multiple humans, the firm needs a plan to eliminate or individually attribute them. Carriers are not going to decline coverage over a single break-glass account, but a pattern of shared credentials creates underwriting friction.
Endpoint and Email Security
Endpoint detection and response with 24/7 monitored response is the carrier expectation for 2024. Signature-based antivirus alone is no longer sufficient. The EDR platform must support behavioral detection and the ability to isolate a compromised host from the network, and it must be monitored by a named party, either an internal SOC or an MSSP, that can respond to alerts within a defined timeframe. The questionnaire will ask specifically how alerts are triaged after hours and on weekends.
Email security is the adjacent must-have. The firm needs an email security gateway or equivalent cloud filter with protection against phishing, business email compromise, impersonation, and malicious attachments. Additional protections that underwriters like to see include DMARC at an enforcing policy (p=quarantine or p=reject, so attackers cannot spoof the firm's domain), backed by published Sender Policy Framework (SPF) records and DKIM signing for every legitimate sending source, and internal banner warnings on external messages. A DMARC record published with p=none only produces reports and blocks nothing, so it does not satisfy the "DMARC enforced" question.
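Underwriters ask whether DMARC is "enforced," and the honest answer depends on the policy tag and the percentage tag in the published record, plus whether the SPF record behind it is actually restrictive. The following is an added example, not code from the original article or from Techvera, that classifies a domain's DMARC posture and flags common SPF weaknesses. The domain names and TXT records are constructed for illustration; in practice you would feed it the TXT records returned by a DNS lookup of the domain and of `_dmarc.` followed by the domain.

```python
"""Classify DMARC enforcement and flag SPF weaknesses from raw TXT records.

Added example, not from the original article. Sample records below are
constructed; replace them with real DNS TXT lookups in practice.
"""

import re

# Constructed sample records: one well-configured domain, one that would
# fail the underwriter's "DMARC enforced?" question, one partially rolled out.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailhost.example mx -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "weak.example": "v=spf1 a mx include:cdn.example ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "rollout.example": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@rollout.example",
}

# SPF mechanisms and modifiers that cost a DNS query (RFC 7208 caps these at 10).
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into a tag dict; {} if it is not a DMARC record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(txt: str) -> str:
    """Return 'enforced', 'partial', 'monitor-only', or 'missing'."""
    tags = parse_dmarc(txt)
    if not tags:
        return "missing"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct is treated as the RFC default of 100
    if policy in ("reject", "quarantine"):
        # pct < 100 means only a fraction of failing mail is acted on.
        return "enforced" if pct == 100 else "partial"
    return "monitor-only"  # p=none: aggregate reports only, spoofing still delivered


def _mechanism(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), 1)[0]


def spf_findings(txt: str) -> list:
    """List SPF weaknesses that undermine DMARC alignment; [] if none found."""
    if not txt.strip().lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    terms = txt.split()[1:]
    all_terms = [t for t in terms if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    else:
        last = all_terms[-1].lower()
        if last in ("+all", "all"):
            findings.append("'+all' authorizes every host on the internet to send as this domain")
        elif last == "?all":
            findings.append("'?all' is neutral: unauthorized senders are not failed")
    lookups = sum(1 for t in terms if _mechanism(t) in _LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10")
    return findings


def assess_domain(domain: str, records: dict) -> dict:
    """Combine the DMARC posture and SPF findings for one domain."""
    return {
        "domain": domain,
        "dmarc": dmarc_posture(records.get(f"_dmarc.{domain}", "")),
        "spf_findings": spf_findings(records.get(domain, "")),
    }


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "rollout.example"):
        print(assess_domain(name, SAMPLE_RECORDS))
```

The "partial" result matters on the questionnaire: a record at p=quarantine with pct=25 is a sensible rollout step, but it is not enforcement, and answering "yes" to the DMARC question on that basis is the kind of inaccuracy that becomes a problem during a claim investigation.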
For the subset of firms that still operate on-premise Exchange servers: this is the year to migrate. Underwriters are penalizing on-premise Exchange deployments heavily because the exposure and patching burden is substantially higher than cloud-hosted alternatives.
Backups, Recovery, and Business Continuity
Immutable or air-gapped backups are now required by most carriers. The backup infrastructure must be architecturally separated from the production environment — a compromise of the production Active Directory should not give an attacker access to the backups. Ransomware attacks in the past three years have repeatedly shown that attackers pivot to backups as part of their playbook, and carriers lost enormous amounts of money to firms whose backups were encrypted alongside their primary data.
Immutability achieves the separation through technical means: object-lock, WORM storage, or immutable snapshot infrastructure. Air-gap achieves it through physical or logical isolation: offline media, vaulted snapshots, or a dedicated backup environment with its own identity store. Carriers will accept either approach; many larger firms deploy both. One caveat on the immutable option: some object-lock implementations offer a retention mode that a sufficiently privileged account can override or shorten, so confirm that the mode in use cannot be removed by any administrator. A backup that the domain admin can delete is exactly the attack path this control exists to close.
Tested restoration is the complement to immutable backups. At minimum, carriers expect an annual exercise that includes a real restore from the backup infrastructure, not just a tabletop walkthrough of the restore procedure. They will ask for the date of the last test, the scope, the outcome, and any remediation that followed. A firm that has not tested its backups in the past twelve months registers a negative signal on the questionnaire.
Incident Response and Exercise
A written incident response plan is required. An exercised plan is required by most carriers. The questionnaire will ask whether the plan has been exercised in the past twelve months, whether the exercise included business leadership and outside counsel, and whether the plan was updated based on the exercise findings. A tabletop that happens on paper once a year and never touches reality is not going to clear the bar.
The plan itself needs to address the specific scenarios financial services firms face: ransomware, business email compromise, account takeover, wire fraud, data exfiltration, and insider threat. Each scenario should have a playbook that names the decision-makers, the escalation paths, the external parties to engage, and the communication templates for clients and regulators.
Pre-negotiated relationships with an external IR firm and with cybersecurity counsel are worth their weight in gold. When an incident happens, the 30-day Reg S-P notification clock (for SEC registrants such as RIAs and broker-dealers) or the state breach-notification clock (for everyone else) starts the moment the firm becomes aware of the incident, and trying to shop for IR services during the active incident creates delays that can compound the loss.
Vendor and Third-Party Risk
Vendor management is a 2024 growth area on the questionnaire. Carriers want evidence that the firm maintains a vendor inventory, assesses security posture for vendors who touch sensitive data, and has contractual language requiring breach notification within defined timeframes. The 2024 Reg S-P amendments reinforced this by adding an explicit 72-hour vendor notification requirement, and carriers have picked up the same language.
The specific controls underwriters want to see include a written vendor management policy, a risk-tiered vendor inventory with higher scrutiny for vendors handling nonpublic personal information, annual SOC 2 Type II reviews for high-risk vendors, and a process for off-boarding vendors that includes access revocation and data retrieval.
Employee Training and Culture
Security awareness training at onboarding and annually for all employees is now the minimum. Phishing simulation, monthly or quarterly, with metrics tracked over time, is an expected control for most financial services firms. The questionnaire will ask for the click rate trend. A flat or declining click rate is a positive signal; a rising rate is a negative one.
Training needs to be role-specific. Reps handling wire instructions need dedicated training on wire fraud patterns. Operations staff handling account maintenance need training on social engineering. Executives need training on business email compromise targeting them specifically. Generic training alone is no longer sufficient.
The Documentation Discipline
One underappreciated dimension of cyber-insurance readiness is documentation discipline. Every answer on the questionnaire needs to be defensible by specific evidence: a policy document, a technical configuration, a log sample, a training record. If a claim is filed and the carrier investigates, it will reconstruct the control environment as of the application date. Answers that were inaccurate, even unintentionally, can give the carrier grounds to deny the claim.
The practical approach is to maintain a control evidence library that tracks every control referenced on the questionnaire, with current evidence and a named owner. Review it before every renewal. Update it quarterly regardless. Our financial services practice maintains the evidence library on behalf of our clients and completes the questionnaire jointly with the firm's CCO each renewal cycle.
If your firm is approaching renewal or assessing a first-time policy, schedule a consultation and we can walk through the current carrier baseline and your readiness against it.
About the Author
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
