Cyber Insurance Readiness Check: how does it work?
The cyber insurance market has undergone fundamental changes in 2024-2025. Insurers have significantly tightened their acceptance requirements: without proven baseline measures, you simply cannot obtain a policy anymore. Our Cyber Insurance Readiness Check assesses whether your organization is insurable, identifies dealbreakers, and provides concrete recommendations to lower your premium.
What is the Cyber Insurance Readiness Check?
The Cyber Insurance Readiness Check is a free online assessment that evaluates in three steps whether your organization is ready to apply for cyber insurance. The tool analyzes your organizational profile, security measures, and incident history, and benchmarks these against the acceptance requirements used by major cyber insurers.
The result is a readiness score indicating how insurable your organization currently is. In addition, you receive a dealbreaker analysis that shows exactly which missing measures would lead to direct rejection, along with concrete recommendations to strengthen your position.
The check has been specifically developed for SMEs and focuses on the requirements that apply in the current market. The cyber insurance market has undergone a fundamental shift in recent years: where insurers previously accepted virtually any organization, they now enforce hard technical requirements as a minimum condition. Organizations that cannot demonstrate these baseline measures are no longer eligible for a policy, regardless of their willingness to pay a higher premium.
Methodology and sources
The readiness check is based on the current acceptance criteria of leading cyber insurers, including Hiscox, CNA Hardy, Chubb, Allianz, and AIG. We continuously analyze their public underwriting guidelines, claims data, and market reports to keep the check up to date.
The methodology combines two components: a technical baseline assessment and a set of risk modifiers. The baseline assessment verifies whether your organization meets the hard minimum requirements that insurers enforce. These are measures whose absence automatically leads to rejection, regardless of other factors. The risk modifiers weigh factors that influence your premium and coverage terms, such as sector, revenue, claims history, and certifications.
The insurance market has tightened significantly in 2024-2025 in response to the explosive growth of ransomware-related claims. Claims payouts have tripled in some segments, causing insurers to drastically increase their requirements. The check reflects this new reality. Where a basic questionnaire was sufficient a year ago, insurers now require technical evidence of implementation.
How we score
The readiness score is built from three weighted categories: technical baseline (50%), organizational measures (30%), and risk profile (20%). Within the technical baseline, dealbreaker measures such as MFA, EDR, and backup carry the most weight. If a dealbreaker is missing, the total score is capped regardless of scores on other components. This reflects reality: insurers do not accept an application without these baseline measures, no matter how strong the organization scores otherwise.
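As an added illustration of the scoring model described above (example code, not the tool's own implementation): the 50/30/20 weights, the twelve measures and the three dealbreakers come from this page, while the cap value, the measure-to-category mapping and the externally supplied risk-profile score are assumptions made for the example.

```python
"""Model of the readiness score: three weighted categories, and a missing
dealbreaker caps the total no matter how strong the other categories are."""

# Category weights as stated on the page.
WEIGHTS = {"technical": 0.5, "organizational": 0.3, "risk": 0.2}

# Assumed mapping of the page's twelve measures onto the two measure-based
# categories; the risk-profile category is supplied by the caller as a 0-100
# score derived from sector, revenue and claims history (not modelled here).
TECHNICAL = {"mfa", "edr", "patching_30d", "email_spf_dkim_dmarc",
             "tested_backup", "segmentation", "pam", "siem_soc",
             "vuln_mgmt", "encryption"}
ORGANIZATIONAL = {"awareness_training", "ir_plan"}
ALL_MEASURES = TECHNICAL | ORGANIZATIONAL

# The page names MFA, EDR and a tested backup as absolute minimum requirements.
DEALBREAKERS = {"mfa", "edr", "tested_backup"}
# Assumed cap: keeps a capped score inside the page's "below 40" rejection band.
DEALBREAKER_CAP = 39


def category_scores(implemented: set[str], risk_profile: int) -> dict[str, float]:
    """Score each category on a 0-100 scale (share of measures implemented)."""
    tech = 100.0 * len(implemented & TECHNICAL) / len(TECHNICAL)
    org = 100.0 * len(implemented & ORGANIZATIONAL) / len(ORGANIZATIONAL)
    return {"technical": tech, "organizational": org, "risk": float(risk_profile)}


def readiness_score(implemented: set[str], risk_profile: int) -> tuple[int, list[str]]:
    """Return (total score, sorted missing dealbreakers); apply the cap if any are missing."""
    cats = category_scores(implemented, risk_profile)
    total = sum(WEIGHTS[name] * cats[name] for name in WEIGHTS)
    missing = sorted(DEALBREAKERS - implemented)
    if missing:
        total = min(total, DEALBREAKER_CAP)
    return round(total), missing


def band(score: int) -> str:
    """Interpret the score using the thresholds the page gives for the report."""
    if score > 75:
        return "likely accepted under favorable terms"
    if score < 40:
        return "serious gaps, rejection likely"
    return "borderline: resolve gaps before applying"


if __name__ == "__main__":
    # Constructed sample: the same organization with and without MFA.
    print(readiness_score(ALL_MEASURES, 80), readiness_score(ALL_MEASURES - {"mfa"}, 80))
```

The second call shows the cap in action: an otherwise strong profile scores 91 before the cap but is pulled down to 39 because MFA is missing.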
The three steps of the check
In the first step, you indicate which sector your organization operates in (healthcare, finance, tech, government, industry, retail, or other), your estimated annual revenue, and which coverages you are looking for. You can choose from data breach liability, ransomware and extortion, business interruption, forensic investigation, legal costs, and reputation recovery.
This information is crucial because sector and revenue together determine your risk profile. Organizations in the healthcare and financial sectors have a higher inherent risk due to the nature and sensitivity of the data they process. A larger revenue means a larger attack surface and higher potential damages. Insurers use these factors as the basis for their premium calculation and coverage limits.
The second step maps your current security measures. You indicate which of the following twelve measures you have implemented:
- MFA on all external access
- EDR on all endpoints
- patching within 30 days for critical vulnerabilities
- email security with SPF, DKIM, and DMARC
- tested offsite backups
- network segmentation
- annual security awareness training
- a documented incident response plan
- Privileged Access Management (PAM)
- SIEM or SOC monitoring
- a vulnerability management program
- data encryption at rest and in transit
Insurers enforce hard dealbreakers within this list. Without MFA, EDR, and a tested backup strategy, virtually no insurer will issue a policy. These three measures are the absolute minimum requirements. The remaining measures influence your premium and coverage terms: the more you have implemented, the more favorable your conditions.
In the final step, we ask about your incident history over the past three years, your current insurance situation, and which compliance frameworks you follow. For incident history, it matters whether you have never been affected, once, or multiple times. You indicate whether you are seeking new insurance, looking to switch, or want to expand your current policy. Finally, you can select compliance frameworks: ISO 27001, SOC 2, NEN 7510, GDPR data processing register, and NIS2.
Claims history weighs very heavily in premium calculation. Organizations with multiple recent incidents pay significantly more or are rejected entirely. Certifications, on the other hand, act as premium reducers: an ISO 27001 certification demonstrates that you have structurally embedded security, which insurers reward with lower premiums. NIS2 compliance is increasingly factored in as a positive signal by insurers.
What you will find in the results
After completing the three steps, the tool calculates your results. The report contains the following components:
- Insurance readiness score — a total score from 0 to 100 indicating how insurable your organization is. Scores above 75 mean you are likely to be accepted under favorable terms. Scores below 40 indicate serious gaps that will almost certainly lead to rejection.
- Category scores — individual scores for technical baseline, organizational measures, and risk profile, so you can immediately see where your strengths and weaknesses lie.
- Premium indication — a rough estimate of your expected annual premium based on sector, revenue, and measures in place.
- Dealbreaker analysis — an overview of which missing measures lead to direct rejection by insurers, ranked by impact.
- Recommendations — concrete steps to increase your readiness score and lower your premium, prioritized by effectiveness.
The free report
- Insurance readiness score with explanation
- Dealbreaker overview: which measures are missing
- Top 5 priority advice to increase your score
- Useful as preparation for a quote request with your insurer
- Available directly by email after completion
The free report gives you a clear picture of your current position. You can use it directly as the basis for a conversation with your insurer or broker. The report shows which dealbreakers you need to resolve before submitting an application, so you avoid unnecessary rejections.
Premium analysis
- Assessment against acceptance requirements of all major cyber insurers
- Detailed dealbreaker analysis per insurer
- Premium indication with at least three scenarios: basic, optimal, and premium coverage
- Premium optimization: which specific measures lower your premium by how much
- Coverage advice: first party vs. third party, relevant exclusions, and points of attention
- Professional PDF report suitable as an attachment to your insurance application
The premium analysis goes considerably further than the free report. Where the free report shows your readiness score and dealbreakers, the premium analysis provides a complete assessment against the specific acceptance requirements of major insurers. You receive premium indications for at least three scenarios, allowing you to compare which coverage level best fits your risk profile and budget.
The premium optimization component is particularly valuable: it calculates per missing measure how much premium reduction you can expect after implementation. This allows you to build a well-founded business case for security investments. The investment of 79 euros typically pays for itself with the first premium reduction.
Free vs. premium comparison
| Component | Free | Premium |
|---|---|---|
| Insurance readiness score | ✓ | ✓ |
| Dealbreaker overview | ✓ | ✓ |
| Top 5 priority advice | ✓ | ✓ |
| Assessment per insurer | ✗ | ✓ |
| Premium indication (3+ scenarios) | ✗ | ✓ |
| Premium optimization per measure | ✗ | ✓ |
| Coverage advice (first/third party) | ✗ | ✓ |
| Report for insurance application | ✗ | ✓ |
Frequently Asked Questions
Cyber insurance is an indemnity insurance that covers the financial consequences of cyber incidents. Coverage falls into two main categories. First party coverage compensates your own damages: costs for forensic investigation, business interruption, data recovery, and crisis management. Third party coverage protects against claims from others: liability for data breaches, privacy violations, and legal defense costs. Most policies combine both coverages, but the ratio and limits vary per insurer and per policy.
The premium depends on multiple factors: sector, annual revenue, desired coverage, and security measures in place. For SMEs, annual premiums typically range between 2,000 and 50,000 euros. Organizations in the healthcare and financial sectors generally pay more due to a higher inherent risk profile. An organization with full MFA, EDR, SOC monitoring, and ISO 27001 certification pays significantly less than a comparable organization without these measures.
The five measures that virtually all cyber insurers enforce as minimum requirements are: multi-factor authentication (MFA) on all external access, Endpoint Detection and Response (EDR) on all endpoints, a tested offsite backup strategy, regular patching within 30 days for critical vulnerabilities, and email security with SPF, DKIM, and DMARC. Without these baseline measures, an application is rejected in most cases.
Dealbreakers are missing measures or risk factors that lead to direct rejection of your insurance application. The most important ones are: no MFA on external access, no EDR on endpoints, no offsite backup, no documented incident response plan, and multiple cyber incidents in the past three years. These factors are considered unacceptable risk by insurers and lead to rejection regardless of your overall security level.
The market is shifting rapidly here. An increasing number of insurers explicitly exclude ransom payments in their policy terms or limit the coverage to a fraction of the total insured amount. Policies that do still cover ransom payments impose additional requirements: a documented and tested incident response plan, proven backup tests, and network segmentation. The industry actively encourages organizations to invest in prevention and recovery capability rather than ransom payments to criminals.
The three measures with the greatest impact on your premium are implementing MFA on all access points, deploying EDR on all endpoints, and setting up a SOC or SIEM solution for continuous monitoring. Certifications such as ISO 27001 and SOC 2 also weigh heavily. Organizations that demonstrably invest in structured security awareness training and a documented incident response plan pay on average 20 to 40 percent less in premiums than comparable organizations without these measures.
Cyber insurance is not legally mandatory. However, it is increasingly required contractually by clients, chain partners, and suppliers. Under the NIS2 directive, essential and important entities must implement demonstrable risk management measures. Cyber insurance can be part of that risk strategy. In tenders and audits, cyber insurance is increasingly explicitly requested, making it a practical necessity for many organizations.
First party coverage compensates your own direct damages after a cyber incident: costs for forensic investigation, business interruption and lost revenue, data recovery, potential ransom payments, and crisis management including communications. Third party coverage protects against claims from others: liability for data breaches that exposed customer personal data, privacy violations, breach of contract due to downtime, and all legal defense costs. Most cyber insurance policies combine both, but the limits and terms vary significantly per policy. It is essential to assess at the time of application which type of coverage is most relevant for your risk profile.