If you bought cyber insurance five years ago, the process may have looked something like this:
- Answer a questionnaire
- Check boxes for things like “MFA enabled” or “backups in place”
- Get your policy, file it away, and forget about it until renewal
That model feels almost quaint now.
Cyber insurance was designed for a world where threats were slower, static, and easier to define. But in 2025, attackers move faster than paperwork. Ransomware gangs launch new campaigns all the time. Zero-days spread across industries rapidly. AI-driven phishing lures slip past even the most cautious employees.
The uncomfortable truth? The “checkbox model” of cyber insurance no longer works. And businesses that treat their policy like a static safety net are taking on far more risk than they realize.
That’s exactly the message we explored in our recent fireside chat webinar on cyber insurance, cyber risk, and risk management. In it, industry experts unpacked how underwriting is changing, where misconceptions still exist, and what businesses and MSPs can do to stay insurable in a shifting landscape.
This blog distills the key takeaways from that conversation. If you’d like to dive deeper, you can watch the full on-demand webinar here.
Static questionnaires = static protection
Traditional underwriting relies heavily on self-reported questionnaires. But the questions are often too vague (“Do you enforce MFA?”), and the answers too simplistic to reflect reality.
Sometimes businesses misstate controls unintentionally. Other times they worry that admitting gaps will mean no coverage at all. Both scenarios create risk because misreporting on applications—intentionally or otherwise—can result in denied claims.
Static questionnaires produce static protection. They don’t account for the complexity of modern IT environments, nor the speed at which threats evolve.
Active insurance: A living policy
Active insurance is a new model of cyber insurance where the insurer doesn’t just assess risk once during underwriting, but actively works with the customer throughout the entire policy period to reduce risk and prevent losses.
Instead of relying only on questionnaires and paperwork, active insurance typically includes:
- Continuous scanning of your attack surface
- Real-time alerts about critical vulnerabilities
- Risk assessments that support IT budget requests
- Rapid response that contains incidents before they escalate
The goal of active insurance is to transform the insurer from a reactive claims payer into a proactive security partner, effectively turning the old model on its head. Instead of waiting until a renewal or a claim, insurers engage throughout the policy period.
Some insurers report that more than half of “claims” never result in payouts—not because they’re denied, but because early detection and response prevent the loss in the first place. That’s good for the insurer and the insured.
Insurance stops being a piece of paper. It becomes a living part of your cyber defense strategy.
MDR: A major factor for insurability
Multifactor authentication (MFA) has long been among the most recognized and required cybersecurity controls by insurers. But increasingly, insurers are placing strong emphasis on Managed Detection and Response (MDR) as well.
From an insurer’s perspective, businesses that have continuous monitoring and alerting via MDR are viewed as lower risk: narrower windows of exposure, quicker detection of threats, and better ability to respond to incidents outside of standard business hours.
While MDR is not yet universally mandated for all SMBs, in many underwriting cases it has become one of the deciding controls that can tilt the scales: improving the odds of binding coverage, securing more favorable premiums, or avoiding exclusions.
For SMBs, investing in a mature MDR isn’t just about bolstering security—it’s increasingly about ensuring they meet the expectations insurers now commonly have for good insurability.
MSPs: The hidden power brokers
For insurers, MSPs are the linchpin that bridges the gap between technical requirements and business reality—turning scan results into insurable outcomes for SMBs.
This creates a powerful opportunity for MSPs to showcase their value by:
- Using insurer scan results as a value-add service
- Translating insurer findings into client-friendly fixes
- Demonstrating your role in keeping clients eligible for coverage
Most SMBs simply don’t have the expertise to interpret scan results or remediate vulnerabilities on their own. MSPs fill that gap. In fact, many insurers now give MSPs the chance to review and address findings before underwriters make final decisions.
That puts MSPs in a unique position: not just keeping clients secure, but making them insurable. In practice, they’ve become the hidden power brokers of this new ecosystem—and without them, many SMBs would struggle to qualify for coverage at all.
What businesses are asking
During our recent fireside chat, several common questions surfaced—questions every business should be asking right now:
Do insurers really pay out cyber claims?
Yes. Despite the perception that insurers look for excuses not to pay, the reality is different. Many incidents never become full claims at all because insurers can step in early with incident response support.
In fact, more than half of claims at some providers are resolved without a payout—not through denial, but because the issue is contained before major damage occurs.
The bigger risk isn’t refusal, it’s misreporting on applications. Take the City of Hamilton case for example where, unfortunately, inaccurate MFA reporting led to a denied claim.
What about human risk?
People remain the weakest link. Training is important, but the content matters more than frequency. Address MFA fatigue scams and helpdesk manipulation—not just generic phishing.
Do insurers really care about third-party/vendor risk?
Yes. They call it “aggregation risk.” If 40% of their book of business runs on Salesforce, a single outage can trigger massive claims across thousands of customers.
Is there a universal checklist for becoming insurable?
Not exactly. Requirements depend on your industry, technology stack, and how those systems are configured. Insurers don’t hand out a one-size-fits-all checklist—instead, they provide a tailored list of “critical vulnerabilities” that must be addressed before a policy can be issued.
For some organizations, that might mean closing exposed RDP ports; for others, implementing MFA on certain services or segmenting backups. While there are common expectations like MFA, MDR, patching, and reliable backups, the specific requirements will always be context-driven.
How to stay ahead
The good news: organizations can take concrete steps to adapt.
- Be truthful on applications. You may pay a higher premium upfront, but you’ll avoid devastating denials later.
- Invest in MDR. It’s not just security—it’s insurability.
- Lean on MSPs. Their expertise makes the difference between flagged vulnerabilities and approved policies.
- Embrace active insurance. Choose insurers who don’t just sell policies, but actively help reduce risk.
The bottom line
Cyber insurance is no longer a one-and-done checkbox exercise. It’s becoming a dynamic, ongoing partnership that demands the right controls, truthfulness in applications, and proactive collaboration between insurers, MSPs, and businesses.
This blog covered the highlights—but the real depth came from our fireside chat, where experts dug into the hard questions, shared real-world examples, and outlined what’s coming next in the industry.
If you want to understand how to protect your business (or your clients) from both cyber threats and denied claims, you’ll want the full context.
Watch the on-demand webinar now to get the complete conversation and equip yourself with insights you won’t find in a summary.
