Raksira

SMB Cyber-Insurance & Security Readiness Checklist

The controls cyber-insurers, auditors, and enterprise clients actually look for — in plain language.

Use this checklist to gauge how ready your business is for a cyber-insurance application, a renewal, or a client security questionnaire. Tick what you already have, flag what you don't, and prioritize the gaps. Denied claims and failed audits usually trace back to a handful of missing basics on this list.

1 Endpoint Protection (EDR / XDR)

Insurers increasingly require modern endpoint detection & response — not just legacy antivirus.

A modern EDR/XDR agent (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint, Trellix, Trend Micro) is installed on every laptop, desktop, and server, including cloud-hosted servers and machines staff use from home.
Tip: "every" is the key word — one unmanaged device can fail an audit.

Agents report as healthy and up to date in a central console.

Detection and prevention policies are enabled (not left in "audit only" mode).

Someone reviews and responds to alerts — or an MSP/MSSP does it for you.
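The first three items above amount to one question an auditor or insurer will actually test: does every device you own have a current, reporting, blocking agent? The script below is an added example (not Raksira's tooling or any vendor's) that answers it by reconciling an asset list against an agent export from an EDR console. Both datasets are constructed samples, and the export's column names (hostname, last_seen, sensor_version, policy_mode), the expected sensor version and the seven-day "stale" threshold are assumptions to adapt to your vendor's CSV and your own policy.

```python
"""Find devices that would fail the "every device has a healthy agent" check.

Added example, not Raksira's tooling. It reconciles an asset list (what your
AD/MDM/asset register says you own) against an agent export from an EDR console.
Both datasets below are constructed samples, and the export's column names
(hostname, last_seen, sensor_version, policy_mode) are assumptions; rename them
to match your vendor's CSV.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: every device the business believes it owns.
INVENTORY = ["FIN-LT-01", "FIN-LT-02", "OPS-DT-07", "SRV-FILE-01",
             "SRV-SQL-01", "RECEPTION-PC"]

# Constructed sample standing in for an EDR console export (column names assumed).
EDR_EXPORT = """hostname,last_seen,sensor_version,policy_mode
FIN-LT-01,2024-05-01T09:12:00Z,7.10,prevent
FIN-LT-02,2024-04-02T17:40:00Z,7.10,prevent
OPS-DT-07,2024-05-01T08:05:00Z,6.40,prevent
SRV-FILE-01,2024-05-01T01:00:00Z,7.10,audit
SRV-SQL-01,2024-04-30T23:55:00Z,7.10,prevent
"""

CURRENT_VERSION = "7.10"          # the sensor build you expect everywhere (assumed)
STALE_AFTER = timedelta(days=7)   # an agent silent this long is treated as not reporting


def parse_export(text):
    """Return {HOSTNAME: row} with last_seen parsed to an aware UTC datetime."""
    agents = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["last_seen"] = datetime.strptime(
            row["last_seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        agents[row["hostname"].upper()] = row
    return agents


def reconcile(inventory, export_text, now,
              current_version=CURRENT_VERSION, stale_after=STALE_AFTER):
    """Classify every inventory host; also surface agents on hosts you don't track."""
    agents = parse_export(export_text)
    known = {h.upper() for h in inventory}
    findings = {"no_agent": [], "stale": [], "outdated": [], "audit_only": []}
    for host in sorted(known):
        agent = agents.get(host)
        if agent is None:
            findings["no_agent"].append(host)        # the one device that fails the audit
            continue
        if now - agent["last_seen"] > stale_after:
            findings["stale"].append(host)           # installed, but not actually reporting
        if agent["sensor_version"] != current_version:
            findings["outdated"].append(host)
        if agent["policy_mode"].strip().lower() != "prevent":
            findings["audit_only"].append(host)      # detects but does not block
    # Agents with no matching inventory entry mean the asset register is incomplete.
    findings["unknown_to_inventory"] = sorted(set(agents) - known)
    return findings


def is_audit_ready(findings):
    """True only when every known device has a current, reporting, blocking agent."""
    return not any(findings[k] for k in ("no_agent", "stale", "outdated", "audit_only"))


def run_sample():
    """Evaluate the constructed data against a fixed clock so results are repeatable."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    return reconcile(INVENTORY, EDR_EXPORT, now)


if __name__ == "__main__":
    result = run_sample()
    for category, hosts in result.items():
        if hosts:
            print(f"{category}: {', '.join(hosts)}")
    print("audit-ready" if is_audit_ready(result) else "gaps found")
```

On the sample data the script flags one device with no agent at all (RECEPTION-PC), one whose agent has not checked in for weeks, one on an old sensor build and one server still in audit-only mode. The last category is the one most often missed: the console shows a green agent, but it only logs. Run this against real exports before the insurer's questionnaire arrives, and treat the "unknown_to_inventory" list as a sign your asset register needs updating, not as good news.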

2 Identity & Access (MFA)

Stolen or reused credentials are consistently among the most common ways attackers get in. MFA is now a hard requirement on most policies.

Multi-factor authentication is enforced on email and all cloud apps. Where possible, use an authenticator app or a hardware security key rather than SMS codes, which are easier to intercept or phish.

MFA is enforced for remote access (VPN/ZTNA) and any admin accounts.

Admin (privileged) accounts are separate from everyday user accounts.

Former employees' accounts are disabled on their last day, following a written offboarding process that covers every system they could reach (including shared mailboxes and SaaS logins).

3 Data Protection (DLP)

Protecting sensitive data is core to compliance (HIPAA, PCI, GDPR) and to enterprise contracts.

Sensitive data types (PII, financial, health, IP) are identified and classified.

DLP policies (e.g., Microsoft Purview, Trellix DLP, Zscaler) block or alert on risky sharing.

Data leaving via email, USB, and cloud uploads is monitored or controlled.

Encryption is applied to data at rest (full-disk encryption such as BitLocker or FileVault on laptops, encrypted volumes on servers) and in transit (TLS), with recovery keys escrowed somewhere the business controls.

4 Network & Remote Access (Zero Trust)

A flat network behind a legacy VPN lets an attacker who compromises one device reach everything else. Zero Trust limits the blast radius.

Remote access uses Zero Trust (e.g., Zscaler ZPA) or a hardened, MFA-protected VPN.

Web traffic is filtered/inspected (e.g., Zscaler ZIA) to block malicious sites.

Users can only reach the specific apps they need — not the whole network.

Guest/IoT devices are separated from business systems.

5 Backups & Recovery

Ransomware readiness is a top insurer question. Backups must be tested and out of reach of attackers.

Critical data is backed up automatically and regularly.

At least one backup copy is offline or immutable (it can't be encrypted or deleted by ransomware), and the backup system uses its own credentials rather than the domain admin accounts an attacker is most likely to steal.

Restores have actually been tested, not just assumed to work, and you know roughly how long a full restore takes.
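"Tested" should mean something concrete: restore the backup somewhere fresh and prove every file came back byte-for-byte. The script below is an added example (not Raksira's tooling) of the minimum such a test involves. It builds a small constructed backup (a tar.gz plus a SHA-256 manifest written at backup time), restores it into a scratch directory, and compares every file against the manifest; it then repeats the check against a copy in which one file has been overwritten and another dropped, which is what a silently corrupted or ransomware-touched backup looks like. The file names and contents are made up; the manifest format is this example's own, not a particular backup product's.

```python
"""Test-restore a backup and verify every file against its SHA-256 manifest.

Added example, not Raksira's tooling. Sample files, archive and manifest layout
are all constructed here; a real run would point make_backup() at real data and
keep the manifest somewhere the backup server itself cannot overwrite.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir and return a manifest {relative path: sha256}."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a fresh scratch dir, compare to the manifest, time the whole thing."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuses path traversal (3.12+/backports)
            except TypeError:
                tar.extractall(restore_dir)                 # older interpreters lack the filter argument
        missing, mismatched = [], []
        for rel, expected in manifest.items():
            restored = Path(restore_dir, rel)
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != expected:
                mismatched.append(rel)
    return {
        "ok": not missing and not mismatched,
        "missing": missing,
        "mismatched": mismatched,
        "seconds": round(time.monotonic() - started, 3),  # your measured restore time
    }


def run_sample():
    """Build constructed data, verify a good backup, then a tampered one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "finance").mkdir(parents=True)
        (src / "hr").mkdir()
        (src / "finance" / "ledger.csv").write_text("2024-04-30,invoice 1042,1250.00\n")
        (src / "hr" / "roster.txt").write_text("alice\nbob\n")
        (src / "README.txt").write_text("constructed sample data\n")

        good_archive = Path(work, "good.tar.gz")
        manifest = make_backup(src, good_archive)
        good = verify_restore(good_archive, manifest)

        # Simulate corruption or tampering: overwrite one file, delete another,
        # archive again, and check that copy against the ORIGINAL manifest.
        (src / "finance" / "ledger.csv").write_text("ENCRYPTED\n")
        (src / "hr" / "roster.txt").unlink()
        bad_archive = Path(work, "bad.tar.gz")
        make_backup(src, bad_archive)
        bad = verify_restore(bad_archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_sample()
    print("good backup:", good)
    print("tampered backup:", bad)
```

The first verification passes; the second reports finance/ledger.csv as mismatched and hr/roster.txt as missing, which is exactly the kind of failure you want to discover in a quarterly drill rather than during a ransomware incident. Note that the manifest is only useful if it is stored where the backup job (and anyone who compromises it) cannot rewrite it alongside the data, which is the same reason the checklist asks for an offline or immutable copy.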

6 Visibility, Patching & Response

You can't protect what you can't see — and unpatched systems are the easiest way in.

Security events (endpoint, identity, firewall, cloud) are logged centrally and retained for a defined period, long enough to investigate an incident discovered months after it began.

Operating systems and key software are patched on a defined schedule, with actively exploited vulnerabilities fixed faster than the routine cycle.

A written incident response plan exists — who to call, what to do.

Staff receive basic security-awareness / phishing training.

How did you score?

Mostly ticked? You're in good shape — a tune-up will get you over the line. Several blanks? Those are exactly the gaps that lead to higher premiums, denied claims, lost deals, or breaches. The good news: every item here is fixable, usually faster and cheaper than people expect.

Want this assessed for your specific environment?

Book a free 30-minute assessment and get a prioritized roadmap for closing your gaps.
