
Cyber Insurance Renewal Season: How MSPs Can Turn Client Requirements Into vCISO Revenue

Cyber insurers are tightening requirements every year. Here's how MSPs can use renewal season to land vCISO engagements and grow recurring revenue.

Oussama Louhaidia · Updated April 9, 2026 · 11 min read

The Underwriting Landscape Has Changed

A few years ago, a client could get $1M in cyber coverage for a few thousand dollars a year and a two-page questionnaire. Those days are over.

Insurers took a beating from ransomware claims in 2020 and 2021, and they’ve responded by raising premiums, cutting coverage limits, and — most importantly for MSPs — adding technical control requirements as conditions of coverage. Skip MFA on privileged accounts, and you may find your claim denied even if you have a policy. Fail a mid-term audit, and you might have your coverage rescinded.

The result: renewal season is now an annual reckoning for most SMBs. They hand the questionnaire to their IT person, who realizes they can’t honestly answer “yes” to half of it. The broker is no help. The CEO panics.

That’s your opening.

MSPs who understand what underwriters actually want — and can walk clients through the gaps before renewals — are landing vCISO engagements they wouldn’t have otherwise. Not because they sold harder, but because the insurer created the urgency for them.

This guide covers what’s changed in cyber insurance underwriting, what controls insurers most commonly flag, and how to structure the MSP conversation so it turns a renewal crisis into a recurring security engagement.


What Insurers Are Actually Checking

Insurance companies have gotten a lot more specific. Early cyber policies asked vague questions like “do you have a firewall?” Modern underwriting questionnaires — especially from the larger carriers like Coalition, Cowbell, Beazley, and Chubb — ask about specific controls, often with evidence requirements.

Here’s what keeps coming up:

Multi-Factor Authentication (MFA)

This is non-negotiable at this point. Insurers want MFA on email (particularly Microsoft 365 and Google Workspace), remote access (VPN, RDP, remote desktop tools), and privileged admin accounts. Some carriers now require MFA on all employee accounts — not just admin.

The common client gap: they enabled MFA on Office 365 but left RDP exposed without it, or they have a legacy VPN that doesn’t support modern authentication. Either one can void a claim.

Endpoint Detection and Response (EDR)

Traditional antivirus doesn’t cut it anymore. Most underwriters now explicitly require EDR — not just “antivirus” — on all endpoints, including servers. They want to know who provides it and whether it’s actively monitored.

Clients who are still running standard AV will face coverage questions. This is a conversation about upgrading the security stack, which is squarely in your territory.

Privileged Access Management

Insurers want to see that admin credentials aren’t used for day-to-day work, that privileged access is time-limited and logged, and that default credentials have been changed on systems and applications. The questionnaire usually phrases it as “do you have a privileged access management program” — which sounds enterprise, but the baseline requirements are manageable for SMBs.

Vulnerability Management and Patching

Not just “we apply patches” but evidence of a program: how often, what’s in scope, how critical patches are prioritized. Some carriers ask specifically about patch cycle times for critical vulnerabilities.

Incident Response Plan

The insurer wants to know you have one. More importantly, they want to know it’s documented, that key staff know their roles, and that it’s been tested — even if “tested” means a tabletop exercise, not a full simulation.

Most SMB clients have never done a tabletop exercise. Most don’t have a written IR plan. This is one of the highest-value things a vCISO engagement can deliver.

Email Security Controls

DMARC, DKIM, SPF — all three, properly configured. Insurers check these because business email compromise is still one of the leading claim types. If your client’s domain doesn’t have DMARC set to p=reject, that’s a flag.
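The DMARC part of this check is easy to automate in the same way the underwriters' automated scans do. Below is an added example (not code from the article or from GetCybr) that parses a DMARC TXT record and lists the findings an insurer-style check would flag; it assumes the record string has already been fetched from DNS at `_dmarc.<domain>`, and the sample records are constructed, not real domains.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record (tag=value pairs separated by ';') into a dict.
    Tag names are case-insensitive, so they are lowercased here."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the findings an insurer-style DMARC check would raise.
    An empty list means the record meets the p=reject baseline."""
    if not record:
        return ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record is not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy or 'missing'}; insurers expect p=reject")
    # pct defaults to 100; a lower value leaves part of the mail stream unenforced
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    # sp defaults to p; an explicitly weaker subdomain policy is a common gap
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        findings.append(f"subdomain policy sp={sub or 'missing'} is weaker than reject")
    # without aggregate reports nobody sees the spoofing attempts
    if "rua" not in tags:
        findings.append("no rua= address, so DMARC failures are never reported")
    return findings


# Constructed sample records (not real domains) showing typical gaps.
SAMPLE_RECORDS = {
    "good.example":    "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "none.example":    None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record) or ["OK: meets p=reject baseline"])
```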

Backup and Recovery

Tested backups, offline or immutable copies, documented recovery time objectives. The backup question has evolved: “yes we have backups” isn’t enough. Underwriters want to know the backups can’t be encrypted by ransomware that’s already on the network.


The Gap Between What Clients Claim and What’s True

Here’s the pattern that plays out constantly: a client fills out a renewal questionnaire and checks “yes” on controls they think they have but haven’t validated.

They have antivirus — but it’s not EDR. They enabled MFA on email — but six admin accounts are excluded. They “have a backup” — but it’s a local NAS that’s been network-connected for years, sitting inside the blast radius of any ransomware attack.

The insurers know this. Some are now doing automated technical scans of client infrastructure as part of underwriting — checking for exposed RDP ports, DMARC records, email security headers, and publicly visible vulnerabilities. Coalition does this routinely.

When the insurer finds a mismatch between what was declared and what exists, they have grounds to deny claims or rescind policies. For clients, that’s catastrophic. For MSPs, it’s a reason to get ahead of the renewal with a proper assessment.

A pre-renewal security assessment is a natural entry point for a vCISO engagement. You scope it as a fixed deliverable: review the current controls against what the insurer requires, identify gaps, produce a remediation plan. That alone is billable. And once the client sees the gap list, the conversation about ongoing compliance governance becomes much easier.


What Cyber Insurance Actually Wants From a vCISO

The controls insurers require aren’t random. They map closely to what a properly scoped vCISO practice delivers as standard.

Risk assessment → required for most cyber policies. A proper risk register is what underwriters want to see when they ask “do you conduct regular risk assessments.”

Policy documentation → acceptable use, incident response, access control, data classification. Insurers sometimes ask for these directly.

Security awareness training → required by most carriers. Documented completion, phishing simulation results, annual cadence.

Vendor risk management → large carriers now ask about third-party access to systems and data. Do you know which vendors have access? Are they reviewed?

Incident response plan → documented, assigned, tested. The tabletop requirement is appearing in more questionnaires.

All of this sits inside a standard Tier 2 vCISO service engagement. You’re not building something new — you’re pointing at what you already deliver and showing how it maps to what the underwriter wants.

That’s a different conversation than “you should invest in security.” It’s “here’s what your insurer is going to ask, here’s what you don’t have, and here’s what it costs to fix it before your renewal.”


How to Structure the MSP Conversation

The key is to get ahead of the renewal — ideally 60 to 90 days out — rather than reacting to a crisis on the last day.

Build a renewal calendar for your clients

You probably know when your clients’ policies renew, or you can find out quickly. Build a simple tracking sheet: client name, renewal date, current coverage, last assessment date. Sort by renewal date and work backwards — which ones renew in the next 90 days?

Those are your first conversations.

Lead with a gap assessment

Don’t pitch vCISO services directly. Offer a pre-renewal assessment — a fixed-scope review of their current controls against the typical underwriter checklist. This is a contained engagement with a clear deliverable. Position it as protecting their coverage, not expanding your contract.

The assessment produces a gap list. That gap list is the proposal.

Map gaps to your service tiers

Once you have the gap list, show the client what a 90-day remediation looks like and what ongoing governance costs to maintain it. Frame it in insurance terms: if you don’t address the MFA gap, your insurer can deny claims. If you don’t have a documented IR plan, you’ll struggle to get coverage from any major carrier.

The ROI conversation is straightforward: cyber insurance at $5,000–$15,000/year for an SMB is a real cost. Losing coverage — or having a claim denied — is a much bigger cost. The vCISO engagement exists to protect the insurance investment.

Position around renewal, not just security

“Security is important” is an easy objection to defer. “Your policy renews in 60 days and you currently can’t honestly answer yes to six of the required controls” is harder to defer.

This framing works because it’s accurate. The insurer has created external accountability that you don’t have to manufacture.


The Multi-Framework Reality

One thing worth understanding: the controls cyber insurers require aren’t isolated. They overlap significantly with compliance frameworks like SOC 2, ISO 27001, Cyber Essentials Plus, and NIST CSF.

MFA, access control, incident response, risk assessment, vendor management — all of these appear in every major framework. If your client is working toward a compliance certification at the same time as renewing their insurance, you can deliver both with a single evidence collection program rather than two parallel projects.

This is one of the core efficiency arguments for a vCISO platform that handles multi-framework mapping: you gather evidence once and map it across insurance requirements and compliance frameworks simultaneously. Clients stop paying for the same work twice.

For MSPs, this is a strong retention argument. Once a client’s evidence collection is running through your platform, the cost of switching is high. You own the compliance history. That’s a sticky engagement.


Common Objections and How to Handle Them

“We already have cyber insurance — we’re covered.”

Coverage and adequate coverage are different things. Most SMB policies haven’t kept up with current underwriting standards. The client may technically have a policy, but a claim for a ransomware attack could still be denied because they failed to implement MFA on privileged accounts. The question isn’t whether they have insurance — it’s whether it would pay out.

“Our broker handles the renewal.”

Brokers optimize for getting the policy renewed, not for making sure the client can actually pass a technical audit. Brokers don’t do gap assessments. They don’t review your Active Directory setup or check whether backups are offline-isolated. That’s your job.

“We can’t afford a vCISO service on top of insurance premiums.”

This is a budget framing problem. The vCISO service often pays for itself in insurance terms: some insurers offer 5–15% premium discounts for clients who can demonstrate strong controls. More importantly, the alternative isn’t “pay less now” — it’s “pay the same and have your claim denied later.”

Run the numbers with the client. If a $25,000 ransomware event isn’t covered because they failed a post-claim audit, the $3,000/month vCISO service looks different.


Building the Repeatable Offer

Once you’ve run this conversation a few times, you can standardize it into a product.

A Cyber Insurance Readiness Review — fixed-scope, fixed-price, delivered in 2–3 weeks — gives you a repeatable entry point. It covers:

  • Review of current policy and renewal questionnaire
  • Technical control gap assessment (MFA, EDR, backups, email security, access controls)
  • Policy documentation review (IR plan, acceptable use, data classification)
  • Gap report with remediation priorities mapped to insurer requirements
  • Recommended service tier to close the gaps before renewal

Price it at $1,500–$3,000 depending on client size. Most clients will say yes. And most gap reports will lead to an ongoing engagement — because the gaps rarely close in one sprint, and the insurer wants evidence of continuous governance, not a one-time fix.

That’s the flywheel. Insurance renewal drives the assessment. Assessment surfaces the gaps. Gaps drive the vCISO engagement. vCISO engagement protects coverage and makes the next renewal easier. Repeat annually.


Start With What You Have

You don’t need to wait for the perfect moment to launch this. Pick five clients with upcoming renewals. Review their current control posture against the insurer checklist above. See how many gaps you find.

If you find nothing, those clients are in better shape than most — and you’ve confirmed they don’t need an emergency engagement.

If you find gaps — and you almost certainly will — you have the basis for a concrete conversation. Not “would you like to invest in security?” but “here are six things your insurer requires that you currently don’t have, and here’s what it takes to fix them.”

That’s the conversation that lands recurring vCISO revenue.


Ready to Build the Practice?

GetCybr is built for MSPs delivering vCISO services at scale. Automated evidence collection, multi-framework compliance mapping across 50+ standards, client-facing dashboards, and risk reporting designed for recurring engagements — not one-off projects.


Book a demo and we’ll walk through how the platform fits a cyber insurance readiness workflow and what a 10-client vCISO book of business looks like running on it.
