Cyber insurance coverage depends on whether the required controls are actually implemented and maintained in practice. Many organizations interpret these requirements inconsistently, which creates uncertainty both at the time of underwriting and in the event of a claim.
Personally I am aware of three unfortunate companies in Eastern Ontario who had bought cybersecurity insurance policies, and their claims were rejected because they had not implemented the requirements, one of which was having the services of a CISO (whether full time or fractional).
My services are geared towards both ends: helping insurance companies ensure their clients meet the requirements, and helping the organizations that purchase policies properly implement and maintain the required controls. Each insurer has its own set of requirements, so it is important that clients understand what is expected under the specific type of coverage they purchase.
Approach
- Translate requirements into operational terms
- Identify gaps in implementation
- Strengthen documentation and evidence
- Support consistent, defensible controls
Outcome
Reduced ambiguity, stronger alignment with insurer expectations, potentially reduced costs, and a more defensible position in the event of a claim.
Common Requirements
Here is a list of 20 clauses that represent the type of requirements insurance companies place on their customers before paying out a claim. Your policy may have different requirements.
What insurers are really looking for when they underwrite cyber risk is evidence that the basics are not just in place, but working under pressure. Their questionnaires can look long and technical, but they tend to circle the same few themes: identity control, resilience, visibility, and disciplined operations. In a small law firm, the gap is often not intent but proof: being able to demonstrate that controls are consistently applied, monitored, and tested.
A practical distillation of what most carriers now expect:
- Multi-factor authentication (MFA) for email, remote access (VPN/RDP), and all administrative accounts
- Privileged access management—separate admin accounts, least privilege, and periodic access reviews
- Endpoint detection & response (EDR/XDR) on all workstations and servers, centrally monitored
- Timely patching of operating systems and applications, especially for internet-facing systems
- Secure, tested backups—including offline/immutable copies and documented restore tests
- Email security controls (phishing filtering, attachment/URL scanning, domain protection such as SPF/DKIM/DMARC)
- User awareness training with periodic phishing simulations
- Documented incident response plan with defined roles, contacts, and escalation paths
- 24/7 monitoring and response capability (in-house or via an MSP/MDR provider)
- Network security controls—firewalls, segmentation, and restricted inbound access (no exposed RDP)
- Encryption of sensitive data at rest and in transit (e.g., full-disk encryption on laptops)
- Mobile device management (MDM) or equivalent controls for laptops and mobile devices
- Vendor/third-party risk management for key service providers (IT, cloud, document systems)
- Vulnerability scanning and remediation tracking
- Centralized logging of critical systems and retention sufficient for investigations
- Business continuity and disaster recovery (BC/DR) plans aligned with backup capabilities
- Asset inventory of hardware, software, and cloud services (you can’t secure what you don’t know)
- Access to email and files restricted by policy (e.g., no uncontrolled forwarding to personal accounts)
- Change management discipline for significant system changes
- Alignment with a recognized framework, commonly the NIST Cybersecurity Framework (CSF), an ISO 27001 ISMS, or the CIS Critical Security Controls
Note that a CISO by title is generally not a formal requirement for cyber insurance, especially for smaller firms, although some policies do name one, and a named clause will be enforced at claim time. What insurers require is accountability: someone who owns the program, can answer for these controls, and can show evidence that they are functioning. In a small legal practice, that role is often fulfilled by a fractional CISO, a capable IT lead, or a managed provider with clear governance. The title matters far less than demonstrable control and oversight.
If you want a clear, defensible position with minimal overhead, a sensible approach is to use the CIS Controls as your operational baseline and map them to NIST CSF for reporting. That gives you both practicality (for implementation) and credibility (for insurers, clients, and audits). Larger catalogues such as NIST SP 800-53 are not expected of small and medium businesses and are rarely practical for them. What matters is that you can point to a recognized framework, show how your controls align to it, and, the part insurers increasingly test, demonstrate that those controls are working in practice rather than merely written down.
Case Studies
...in a future draft