Cyber Insurance Readiness: 60-Day Case
A 200-person manufacturer received a renewal denial unless seven specific controls were in place within 60 days. We delivered all seven, ran a tabletop, and the underwriter approved at 18% lower premium.

Cyber Insurance Readiness: 60 Days from Denial to Approved
Cyber insurance readiness in 2026 means evidence, not assertions: every underwriter-required control documented and demonstrable.
A renewal letter, seven controls, sixty days — and a CFO who needed a yes-or-no answer in writing.
The renewal letter arrived Monday morning. Seven specific controls. Sixty days. No control, no cover. The CFO needed an answer by Friday on whether they could meet the deadline. We took 48 hours to scope, came back with "yes, here is how", and started Monday-week-two.
The Cyber Insurance Readiness Challenge
The underwriter's seven controls were not arbitrary — they tracked closely to what the broader Indian cyber-insurance market started expecting in 2025–26: MFA on all admin accounts, EDR on every endpoint, immutable offline backups with a tested restore, written incident response plan, tabletop exercise within the past 12 months, vendor-risk register, and email security with DMARC enforcement.
The client was at 1.5/7 on day one. The IT team was three people. The OT segments added a complication — anything that touched the manufacturing floor needed engineering team approval and could not be touched during shift hours.
Our Cyber Insurance Readiness Approach
We sequenced for risk and dependency:
- Days 1–10: MFA on every admin account, EDR rolled out to every IT endpoint (not OT yet), DMARC monitoring enabled.
- Days 11–25: Immutable backup target, restore test, vendor-risk register first cut.
- Days 26–45: Written IR plan tailored to their environment, OT-segment EDR coverage where vendor support allowed, DMARC moved to enforce.
- Days 46–55: Tabletop exercise with the leadership team and IT.
- Days 56–60: Evidence pack assembled and shipped to the underwriter.
What We Built for Cyber Insurance Readiness
- MFA enforced on M365, the ERP, the VPN, and the privileged Windows admin accounts. FIDO2 keys for the four executives, authenticator app for everyone else.
- EDR (Microsoft Defender for Business) on 100% of IT endpoints, 78% of OT endpoints (the remainder had vendor support constraints documented).
- Immutable backup — Veeam to a Wasabi immutable bucket, with a quarterly tested restore. The restore test surfaced one broken backup chain we fixed.
- Written IR plan — 14 pages covering ransomware, BEC, OT incident, and customer-data disclosure scenarios.
- Tabletop exercise — three-hour ransomware-on-OT scenario; revealed three operational gaps (one of which was that the engineering manager's phone number was not in the IT call tree).
- Vendor-risk register — initial 22 vendors classified, top 6 reviewed in depth.
- DMARC at p=quarantine after a 3-week monitoring period; reject planned for month 4.
Cyber Insurance Readiness Outcomes
- All seven controls evidenced in the underwriter's pack.
- Renewal approved at an 18% lower premium than the initial quote. The underwriter applied a "controls discount" we had not been counting on.
- Tabletop revealed three real process gaps — call tree, backup encryption key custody, and OT failover ownership — all closed within two weeks of the exercise.
- Twelve-month review: the client passed re-renewal in 2026 with the same controls intact and one additional control (Microsoft Defender for Identity) added voluntarily.
What We'd Do Differently
Two things, mostly about timing.
- We started 60 days from the deadline; we should have been engaged 6 months earlier. The client could have spread the cost over a budget cycle, deferred the EDR rollout to align with annual licence renewal, and saved roughly 15% of total programme cost. We now lead our scoping conversations with renewal-month questions for any insured client.
- We tabletop-exercised the wrong scenario first. We picked a ransomware-on-IT scenario; the more interesting findings came from the ransomware-on-OT scenario we ran in week 4. Future engagements lead with the OT scenario for any manufacturer client; it surfaces process gaps that pure-IT scenarios miss.
Stack & Tools
- Microsoft 365 Business Premium (MFA, conditional access, Defender for Business)
- Veeam Backup & Replication with Wasabi immutable target
- YubiKey 5C NFC for the executive tier
- Wazuh open-source SIEM/HIDS for the OT segment
- Microsoft Sentinel-light deployment for IT side
FAQ
How rigid are the underwriter requirements?
More rigid than they used to be. Underwriters now ask for evidence — screenshots of MFA enrolment dashboards, EDR coverage reports, backup restore-test logs. "We have it" is no longer enough. We assemble the evidence pack as part of every readiness engagement.
What if you cannot meet 7 of 7 in time?
Get a written extension or a controls-with-compensating-controls dispensation from the underwriter. We have negotiated this twice for clients; underwriters will work with you if the gap is narrow and the timeline is short.
Does this stack work for an OT-heavy environment?
The IT-side stack does. The OT side requires more care — we use vendor-supported agents only on OT endpoints, and accept compensating controls (VLAN isolation + monitoring) where agent support does not exist.
Why was the premium lower after these changes?
This particular underwriter has a "qualifying controls discount" tier — clients evidencing the named controls qualify for a 15–20% reduction off their base quote. Not all underwriters do this, but more of them are starting to.
Cyber Insurance Readiness as an Annual Discipline
Cyber insurance readiness in 2026 is not a 60-day pre-renewal sprint. The cyber insurance readiness controls (MFA, EDR, immutable backup, IR plan, tabletop, vendor register, DMARC) are operational baselines that auditors and insurers both check. Treat cyber insurance readiness as a continuous engineering discipline: monthly MFA-coverage reports, quarterly tabletops, half-yearly vendor reviews. The clients who do this find their renewal premiums trending down year-on-year; the clients who do not pay 60-day-emergency premiums every year.
Further reading: VITI Security cybersecurity services · CISA cyber-insurance guidance.
