
MFA, EDR and offline backups, the cyber insurance triage list

The three controls that carry the most weight in modern cyber insurance underwriting, why they became the triage list and how to confirm yours are actually operating.

Atticus Rowan

Cyber insurance carriers underwrite against portfolio-level risk, and portfolio-level data tells a consistent story. A narrow set of controls correlates with a sharp drop in ransomware claim severity, and a different narrow set correlates with unrecoverable catastrophic losses. That data shaped the modern renewal questionnaire, and it produced what the broker community calls the triage list.

Three controls carry more underwriting weight than all others combined. If a firm has credible, evidenced answers on all three, the rest of the application still matters, but the renewal is almost always survivable. If a firm has weak answers on any one of the three, the rest of the application rarely saves the renewal.

The three are phishing-resistant multi-factor authentication, endpoint detection and response and offline or immutable backup. Here is what each one actually requires, where most firms fall short and what evidence underwriters expect.

1, phishing-resistant MFA

Identity-based compromise is the most common ransomware entry vector, and MFA is the single most effective mitigation. The carrier position in 2026 is blunt. No MFA on remote access or privileged accounts is effectively uninsurable at renewal. SMS-only MFA on privileged accounts is increasingly treated the same way.

What the carrier is measuring:

  • MFA on 100% of remote access paths, including VPN, cloud email and all externally accessible administrative interfaces
  • MFA on 100% of privileged and administrative accounts
  • Phishing-resistant factors (FIDO2 hardware keys, passkeys, authenticator apps with number matching) on privileged accounts specifically
  • Conditional access policies blocking legacy authentication protocols that cannot be MFA-enforced

Common failure modes:

  • MFA on email but not on the VPN
  • MFA enforced for standard users but with admin accounts exempted “for convenience”
  • SMS-based MFA on executive accounts, the class of account attackers target hardest
  • Legacy authentication protocols left enabled for one ERP integration that never got revisited

Evidence underwriters want:

  • Screenshots of the conditional access policy set or its equivalent
  • A deployment coverage report showing MFA percentage
  • Documentation of which factors are enforced for which user populations

2, endpoint detection and response

The shift from traditional antivirus to modern EDR is the single largest control evolution in cyber insurance underwriting since 2020. Carriers underwrite EDR coverage because the detection-and-response capability is what catches attackers in the window between initial compromise and ransomware deployment.

What the carrier is measuring:

  • EDR deployed on 100% of managed endpoints (workstations and servers)
  • Named tool, version and deployment percentage
  • Whether EDR is backed by a managed detection and response (MDR) service, a SOC-as-a-service or an in-house SOC
  • After-hours coverage, because ransomware is often deployed at night and on weekends
  • Evidence that alerts are triaged and actioned, not just generated

Common failure modes:

  • EDR coverage of 85 to 92% when the firm believed it was at 100%, usually because of unmanaged devices, shadow IT or endpoints that dropped out of the management tool
  • EDR deployed but nobody watching the console after business hours
  • Legacy antivirus coexisting with EDR on some systems, with the EDR in monitor-only mode
  • Servers running older operating systems that cannot host the EDR agent

Evidence underwriters want:

  • A deployment report from the EDR console showing endpoint count
  • MDR provider contract or internal SOC staffing documentation
  • Incident-handling records showing the alert-to-response cycle working in practice
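
The coverage gap in the failure modes above, where the console reports near-full deployment while the fleet is at 85 to 92%, comes from letting the console be its own denominator. The following is an added example, not from the original post, that reconciles a constructed asset inventory against a constructed EDR console export and reports both numbers side by side; the field names, the seven-day stale threshold and the "prevent"/"monitor" mode labels are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed so the example is deterministic
STALE_AFTER = timedelta(days=7)  # assumed: an agent silent this long has dropped out

# Constructed asset inventory (CMDB or directory export): the real denominator.
INVENTORY = [{"host": f"ws-{i:03d}", "os": "Windows 11"} for i in range(1, 11)] + [
    {"host": "srv-erp", "os": "Windows Server 2008"},   # too old to host the agent
    {"host": "srv-file", "os": "Windows Server 2022"},
    {"host": "mac-ceo", "os": "macOS 14"},              # never enrolled
]

# Constructed EDR console export: one row per enrolled agent.
EDR_EXPORT = [{"host": f"ws-{i:03d}", "mode": "prevent", "last_seen": NOW - timedelta(hours=i)}
              for i in range(1, 10)] + [
    {"host": "ws-010", "mode": "monitor", "last_seen": NOW - timedelta(hours=1)},
    {"host": "srv-file", "mode": "prevent", "last_seen": NOW - timedelta(days=21)},
    {"host": "lab-old", "mode": "prevent", "last_seen": NOW - timedelta(hours=3)},
]

def reconcile(inventory, export, now=NOW, stale_after=STALE_AFTER):
    """Return (true_coverage_pct, console_online_pct, findings); findings maps
    host -> why it does not count as covered."""
    agents = {row["host"]: row for row in export}
    findings = {}
    for asset in inventory:
        agent = agents.get(asset["host"])
        if agent is None:
            findings[asset["host"]] = "no agent enrolled"
        elif now - agent["last_seen"] > stale_after:
            findings[asset["host"]] = "agent stale, dropped out of management"
        elif agent["mode"] != "prevent":
            findings[asset["host"]] = f"agent in {agent['mode']}-only mode"
    # Agents the console knows about but the inventory does not: unmanaged
    # devices or a stale inventory. Either way the denominator is wrong.
    for host in agents.keys() - {a["host"] for a in inventory}:
        findings[host] = "enrolled but absent from inventory"
    covered = sum(1 for a in inventory if a["host"] not in findings)
    true_pct = round(100 * covered / len(inventory), 1)
    # What the console dashboard itself reports: online agents / enrolled agents.
    online = sum(1 for r in export if now - r["last_seen"] <= stale_after)
    console_pct = round(100 * online / len(export), 1)
    return true_pct, console_pct, findings

if __name__ == "__main__":
    true_pct, console_pct, findings = reconcile(INVENTORY, EDR_EXPORT)
    print(f"console reports {console_pct}% online; reconciled coverage is {true_pct}%")
    for host, why in sorted(findings.items()):
        print(f"  {host}: {why}")
```

The same reconciliation, with accounts in place of hosts and the enforced factor in place of agent mode, produces the MFA coverage report the previous section asks for.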

3, offline or immutable backup with a tested restore

This is the control that determines whether a ransomware event is a recoverable operational disruption or an unrecoverable catastrophe. Insurable firms can recover their environment from backups the attacker could not reach.

What the carrier is measuring:

  • Backup frequency and retention for critical systems
  • At least one copy that is immutable (storage-layer enforcement), air-gapped or offline
  • Geographic separation from production
  • A documented recent restore test, usually within the last 90 days
  • Defined RTO and RPO per system tier

Common failure modes:

  • “Cloud backups” that can be deleted by any account admin, meaning a compromised administrative credential can destroy the backup alongside production
  • A backup job that reports successful completion nightly but has never had a documented restore test
  • Immutability enabled but with a short retention window that a patient attacker could outwait
  • Backups that run to the same storage array as production

Evidence underwriters want:

  • A backup system inventory with retention and immutability detail
  • A documented restore test record within the last 90 days, with timing data
  • Screenshots or configuration exports proving immutability is enforced at the storage layer, not just at the application layer
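
To turn the evidence list above into a repeatable check, here is an added example, not from the original post, that evaluates a constructed backup inventory against the criteria: a storage-layer immutable copy whose retention is long enough, a copy away from production, a restore test within the 90 days named above, and a measured restore time within the system's RTO. The record fields and the 30-day retention floor are assumptions.

```python
from datetime import date, timedelta

TODAY = date(2026, 3, 1)                    # fixed so the example is deterministic
RESTORE_TEST_MAX_AGE = timedelta(days=90)   # the window named in the post
MIN_IMMUTABLE_RETENTION_DAYS = 30           # assumed floor; tune to expected attacker dwell time

# Constructed backup inventory: one record per protected system.
SYSTEMS = [
    {"name": "erp", "rto_hours": 8, "location": "dc1",
     "copies": [{"target": "dc1-array", "location": "dc1", "immutability": "none", "retention_days": 14},
                {"target": "s3-vault", "location": "cloud-eu", "immutability": "storage", "retention_days": 35}],
     "restore_test": {"date": date(2026, 1, 20), "duration_hours": 6}},
    {"name": "fileshare", "rto_hours": 24, "location": "dc1",
     "copies": [{"target": "saas-backup", "location": "cloud-us", "immutability": "application", "retention_days": 60}],
     "restore_test": None},
    {"name": "crm", "rto_hours": 4, "location": "dc1",
     "copies": [{"target": "dc1-array", "location": "dc1", "immutability": "storage", "retention_days": 7}],
     "restore_test": {"date": date(2025, 10, 1), "duration_hours": 9}},
]

def evaluate(system, today=TODAY):
    """Return the list of gaps for one system; an empty list means it passes."""
    gaps = []
    # Only storage-layer immutability survives a compromised admin credential;
    # an application-layer "cannot delete" flag does not count, nor does a
    # retention window short enough for a patient attacker to outwait.
    durable = [c for c in system["copies"] if c["immutability"] == "storage"
               and c["retention_days"] >= MIN_IMMUTABLE_RETENTION_DAYS]
    if not durable:
        gaps.append("no storage-layer immutable copy with adequate retention")
    if all(c["location"] == system["location"] for c in system["copies"]):
        gaps.append("no copy geographically separated from production")
    test = system["restore_test"]
    if test is None:
        gaps.append("no documented restore test")
    elif today - test["date"] > RESTORE_TEST_MAX_AGE:
        gaps.append(f"restore test is {(today - test['date']).days} days old")
    if test and test["duration_hours"] > system["rto_hours"]:
        gaps.append(f"last restore took {test['duration_hours']}h against an RTO of {system['rto_hours']}h")
    return gaps

if __name__ == "__main__":
    for s in SYSTEMS:
        print(f"{s['name']}: {'; '.join(evaluate(s)) or 'passes'}")
```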

Why these three, specifically

The three controls correspond to the three phases of a ransomware event carriers most want to interrupt.

  • Prevention. Phishing-resistant MFA interrupts the initial compromise.
  • Detection. EDR with managed response interrupts the intrusion before ransomware is deployed.
  • Recovery. Immutable, tested backup makes the event survivable even when the first two fail.

Firms that have all three are rarely the subject of a large ransomware claim. Firms missing any one of them account for a disproportionate share of catastrophic losses, and carrier pricing reflects that.

What a realistic triage plan looks like

Most mid-market firms with gaps in the triage list can close them within a single quarter if they start at renewal minus 90 days.

  • Weeks 1 to 4. Inventory current MFA coverage. Identify every gap. Deploy MFA to the remaining accounts. Upgrade admin accounts to phishing-resistant factors.
  • Weeks 3 to 8. Inventory EDR coverage. Deploy to any missing endpoints. Confirm MDR or SOC coverage hours. Document the alert-to-response process.
  • Weeks 6 to 12. Confirm backup immutability at the storage layer. Run a full documented restore test. Update the backup system inventory with retention and immutability detail.

Working the three streams in that overlapping sequence lets the firm show each control as operating, with documented evidence, by the time the renewal application is due.

Where we fit

Atticus Rowan operates in this triage space regularly. The practical work is deploying MFA without breaking workflows, rolling out EDR with managed response across a mixed endpoint fleet and standing up immutable backup with a documented restore cycle. For firms on a 90-day renewal runway, we usually sequence the work so the evidence is documented in the application package before the broker sends it.

If your cyber insurance renewal is approaching and you want to confirm that the triage list is in credible shape, schedule a discovery call. We can review the current posture of all three controls and scope the specific gap closures needed before the application goes out.