Here’s a conversation happening right now in boardrooms, accounting offices, and dental practices across North America:
“Do we qualify for cyber insurance?“
The broker hands them a questionnaire. Fourteen pages. Technical questions about MFA, EDR, patch management, incident response. The business owner stares at it and does what most business owners do, they call their IT provider.
That’s you!
And here’s the thing: if you’re running a modern managed services stack, you’re probably already delivering 80% of what cyber insurers require. You just haven’t been framing it that way to your clients, or to yourself.
Let’s fix that.
What Insurers Are Actually Asking For
Cyber insurers aren’t looking for perfection. They’re looking for evidence that a business has taken reasonable, documented steps to reduce risk. The core requirements haven’t changed dramatically, but the bar for what “implemented” actually means has risen sharply since 2021.
Here’s what’s on every underwriter’s checklist right now, and where your existing services map to it.
1. Multi-Factor Authentication (MFA)
What insurers want: MFA enforced on email, remote access, and all privileged accounts. Not optional. Not “available if users want it.”
What this means for your stack: If you’re managing Microsoft 365 or Google Workspace for your clients, MFA configuration is already in your wheelhouse. The gap most MSPs have isn’t capability, it’s enforcement. Conditional access policies that actually block non-MFA logins are what separates “we have MFA” from “MFA is required.” Insurers know the difference.
2. Backups That Can Actually Restore a Business
What insurers want: Encrypted, offsite or offline backups tested regularly: the 3-2-1 rule in practice, not just on paper.
What this means for your stack: Backup is a core managed service. But “we have backups” is not the same as “we tested restoration last month and documented it.” Insurers are asking for proof of testing, not just proof of configuration. If you’re not already generating restore test reports for clients, this is both a coverage requirement and a conversation you want to be having at renewal time.
3. Security Awareness Training
What insurers want: Documented, recurring training with phishing simulations, not a one-time onboarding video from 2019.
What this means for your stack: This is one of the most common gaps MSPs leave on the table. If you’re not currently offering security awareness training as a managed service, you’re leaving clients exposed, and leaving revenue behind. Platforms like KnowBe4 or Proofpoint Security Awareness are easy to layer in. If you already offer it, make sure clients have records of completion. Insurers will ask.
4. Endpoint Detection and Response (EDR)
What insurers want: Active monitoring and response across all endpoints, not legacy antivirus that only catches known threats.
What this means for your stack: If you moved clients from AV to EDR in the last few years, this is already handled. If you still have clients on basic antivirus, even “next-gen” AV without behavioral detection, this is a coverage gap waiting to become a claim denial. EDR isn’t optional anymore. Most insurers treat it the same way they treat MFA: if it’s not there, the policy either doesn’t issue or excludes ransomware entirely.
5. Patch Management
What insurers want: A documented, consistent process for applying critical updates, not reactive patching when something breaks.
What this means for your stack: Patch management is table stakes for MSPs. The issue is documentation. Insurers want evidence of a schedule and records of what was patched and when. If your RMM is doing the work but you’re not surfacing patch compliance reports to clients, you’re doing the job without getting credit for it.
6. Incident Response Planning
What insurers want: A written, tested plan that defines who does what when a breach happens, before the breach happens.
What this means for your stack: This is the requirement most SMB clients genuinely don’t have, and most MSPs haven’t helped them build. An Incident Response Plan (IRP) doesn’t need to be a 40-page document. It needs to answer: who gets called, in what order, what gets isolated, what gets communicated, and to whom. If you’re not offering IRP development as a service, you’re missing an easy, high-value engagement that directly improves client insurability.
7. Identity and Access Management (IAM) / Least Privilege
What insurers want: Evidence that users only have access to what they need, and that access is reviewed and revoked when people leave or change roles.
What this means for your stack: Access reviews, offboarding checklists, and privileged access management are all within scope here. This is often the messiest area for SMB clients, accumulated permissions, old accounts that were never deactivated, admins who became admins by accident. A structured IAM audit is something you can offer, document, and deliver. Insurers notice when it’s been done.
The Conversation You Should Be Having
Most of your clients don’t know how close they already are to meeting these requirements, because nobody has shown them.
That’s the opportunity. Not a pitch. A map.
Walk into your next QBR with a posture snapshot that shows which requirements are met, which are partially met, and which have gaps. Then show them how your existing services, or a straightforward addition to their stack, closes those gaps before their next renewal.
The insurer’s questionnaire stops being a mystery. The client stops feeling like they’re failing a test they didn’t study for. And you become the person who made their cyber insurance work, not just the person who manages their laptops.
That’s a different kind of MSP relationship. And it’s one that’s a lot harder to lose at renewal time.
Inscora gives MSPs a cyber insurance posture scoring platform that maps client coverage gaps directly to your service catalog – so the cyber insurance conversation becomes a service conversation.