8 Core Controls, 3 Real Applications: The Evidence Checklist for 2026 Cyber Insurance Renewals
If you read enough cyber insurance marketing, you can walk away with the wrong impression.
It sounds like every carrier has a radically different framework, every renewal is bespoke chaos, and the only practical response is a generic compliance program.
The public applications tell a more useful story.
The wording varies, the depth varies, and the supplementary flows vary — but the same control themes show up over and over again. Coalition’s agency application asks about encryption, backups, four separate MFA vectors, and funds-transfer controls.[1] Travelers’ short form asks about firewalling, endpoint protection, patching, backups, incident response, business continuity, vendor security, MFA, and encryption.[2] Hartford’s 2025 underwriting application is even more explicit, with separate questions for encryption, backups and recovery testing, MFA for remote access and email, endpoint protection, EDR/MDR, email security controls, and training cadence.[3] Hartford’s ransomware supplemental goes deeper still on phishing controls, remote access, RDP, privileged access, EDR, patching, logging, backups, restore testing, and disaster recovery preparedness.[4]
At the same time, the market backdrop is getting more disciplined. Marsh reported that US cyber rates declined 5% in Q4 2024, but it also continues to emphasize a set of 12 key controls that insurers view as core cyber hygiene.[5][6]
For practical renewal prep, though, most MSPs and SMB IT teams do not need a generic list of 12. They need the tighter list of eight control families that recur across real applications and renewal workflows.
That is what this guide covers.
For each control, we will look at:
- how Coalition, Travelers, and Hartford ask about it,
- what the insurer is actually trying to learn,
- and what evidence you should gather before anyone signs.
1. MFA: the universal requirement
If there is one control that has moved from “good practice” to “underwriting baseline,” it is MFA.
How the three carriers ask it
Coalition breaks MFA into four separate questions:
- email,
- VPN,
- RDP / RDWeb / RD Gateway / other remote access,
- network or cloud administration / privileged user accounts.[1]
Travelers compresses the idea into one short-form question: does the applicant have MFA for remote access to email and other systems that contain private or sensitive data in bulk?[2]
Hartford separates it again in the 2025 underwriting application:
- is MFA required for all remote access to the network, including cloud-hosted, on-prem, and VPN?
- is MFA required for access to email?[3]
Hartford’s ransomware supplemental goes even further by asking how remote access is controlled, how RDP is protected, how privileged access is controlled, and how MSP access is controlled.[4]
What they are really asking
All three carriers are trying to discover the same thing:
Can attackers reach the business’s critical access paths with only a password?
That is the real underwriting question.
What to verify before answering
For Microsoft-heavy environments, you need to reconcile:
- Security Defaults,
- Conditional Access,
- exclusions,
- legacy per-user MFA,
- and sign-in evidence.[7][8][9][10]
You also have to separately check access paths that Microsoft does not prove for you, such as:
- firewall-based VPN,
- third-party remote support tools,
- RDP outside Entra,
- backup consoles,
- network appliances,
- MSP administrative tooling.
The most common failure modes
- assuming M365 email MFA means the whole remote-access story is solved,
- ignoring Conditional Access exclusion groups,
- forgetting privileged access paths outside Microsoft,
- and treating registered MFA methods as proof of enforced MFA.
If you do nothing else before renewal, do this control carefully.
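One way to do the Conditional Access part of that reconciliation, as an added example that is not BindLedger's code or any carrier's method: the policies below are constructed to mimic the shape of Microsoft Graph conditionalAccessPolicy objects, but every user, group id, app id and policy name is made up. The script treats a policy as enforcing MFA only when it is enabled (not report-only), MFA is the sole grant control or the operator is AND, and the user is not excluded directly or through a group. Legacy per-user MFA and sign-in log evidence are separate checks and are not modeled here.

```python
"""Check which users have MFA actually enforced by Conditional Access.

Constructed example: the dicts below mimic the shape of Microsoft Graph
conditionalAccessPolicy objects (state, conditions.users, conditions.applications,
grantControls), but every user, group id, app id and policy name is made up.
"""
from typing import Dict, List

# Constructed group membership, as you would resolve it from the directory.
GROUP_MEMBERS: Dict[str, List[str]] = {
    "grp-break-glass": ["bg-admin@contoso.example"],
    "grp-vpn-users": ["alice@contoso.example"],
}

POLICIES: List[dict] = [
    {   # Blanket MFA policy, but with a direct exclusion and an excluded group.
        "displayName": "CA01 Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": [],
                      "excludeUsers": ["scanner@contoso.example"],
                      "excludeGroups": ["grp-break-glass"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Report-only: logs what would happen, enforces nothing.
        "displayName": "CA02 MFA for break-glass (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["bg-admin@contoso.example"], "includeGroups": [],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # "Require one of": a compliant device satisfies this with only a password.
        "displayName": "CA03 MFA or compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": [],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {   # App-scoped policy for the (made-up) VPN gateway app, targeted by group.
        "displayName": "CA04 MFA for VPN gateway app",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["grp-vpn-users"],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["app-vpn-gateway"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def _in_groups(user: str, groups: List[str], members: Dict[str, List[str]]) -> bool:
    # Direct membership only; nested groups would need to be flattened first.
    return any(user in members.get(g, []) for g in groups)


def policy_requires_mfa(policy: dict) -> bool:
    """True only when satisfying the grant controls necessarily involves MFA."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if grant.get("authenticationStrength"):  # authentication-strength grants are MFA or stronger
        return True
    if "mfa" not in controls:
        return False
    # With operator OR any one control is enough, so MFA is guaranteed only when it is
    # the sole control; with AND every listed control must be met.
    return len(controls) == 1 or grant.get("operator") == "AND"


def policy_targets(policy: dict, user: str, app: str, members: Dict[str, List[str]]) -> bool:
    """Does this policy's user and application scope cover the given sign-in?"""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    included = ("All" in users.get("includeUsers", [])
                or user in users.get("includeUsers", [])
                or _in_groups(user, users.get("includeGroups", []), members))
    excluded = (user in users.get("excludeUsers", [])
                or _in_groups(user, users.get("excludeGroups", []), members))
    app_included = ("All" in apps.get("includeApplications", [])
                    or app in apps.get("includeApplications", []))
    app_excluded = app in apps.get("excludeApplications", [])
    return included and not excluded and app_included and not app_excluded


def enforcing_policies(user: str, app: str, policies: List[dict] = POLICIES,
                       members: Dict[str, List[str]] = GROUP_MEMBERS) -> List[str]:
    """Names of enabled policies that actually force MFA for this user on this app."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled"
            and policy_requires_mfa(p)
            and policy_targets(p, user, app, members)]


def mfa_gaps(users: List[str], app: str, policies: List[dict] = POLICIES,
             members: Dict[str, List[str]] = GROUP_MEMBERS) -> List[str]:
    """Users with no enforcing policy for the app: the exceptions your answer must disclose."""
    return [u for u in users if not enforcing_policies(u, app, policies, members)]


if __name__ == "__main__":
    everyone = ["alice@contoso.example", "bg-admin@contoso.example", "scanner@contoso.example"]
    for app_id in ("Office365", "app-vpn-gateway"):
        print(f"{app_id}: MFA gaps = {mfa_gaps(everyone, app_id)}")
```

Run against the constructed data, the break-glass account and the excluded scanner account come back as gaps for email, and CA03 never counts as MFA enforcement because a compliant device satisfies it on its own. Those are exactly the exceptions the renewal answer has to disclose rather than paper over.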
2. Endpoint protection / EDR: the “all endpoints” problem
Traditional antivirus language still appears on forms, but the underwriting intent is stronger than that.
How the carriers ask it
Travelers asks whether the applicant has up-to-date, active anti-virus software on all computers, networks, and mobile devices.[2]
Hartford is much more explicit. It asks where antimalware, antivirus, and/or endpoint detection are running — computers, networks, mobile devices — and separately asks whether an EDR or MDR product is in place and which one is used.[3]
Coalition’s base agency PDF is lighter on explicit endpoint language, but Coalition’s underwriting model clearly goes beyond the paper form. Coalition routinely scans the external digital footprint, and its renewal process can include updated Cyber Risk Assessments and security findings.[11][12]
What carriers are really asking
They are trying to figure out whether an attacker who lands on one device can move freely because the environment has weak visibility and weak detection.
What evidence should look like
A good evidence pack answers two questions:
- Which devices exist?
- Which of those devices are actually protected?
That denominator problem is why endpoint claims go wrong. A deployment dashboard that says “1,248 protected endpoints” sounds impressive until nobody can explain whether the company has 1,248 devices, 1,310 devices, or 1,600 devices.
For Microsoft shops, Intune and Graph-managed device inventory can help establish device scope, while Defender can help establish coverage on managed devices.[13]
The common mistake
Confusing “our standard stack includes EDR” with “EDR is deployed on every relevant endpoint today.”
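The denominator problem above is a join between two exports, and it is worth doing explicitly. As an added example that is not BindLedger's code or any vendor's export format: the rows below are constructed to mimic an Intune device list and an EDR console export, with made-up hostnames, serials and dates. The reconciliation matches on serial first and falls back to a normalized short hostname, counts an agent that has stopped reporting as not protected, keeps stale inventory entries in the denominator, and flags agents the inventory has never heard of.

```python
"""Reconcile a managed-device inventory against an EDR agent list.

Constructed example: rows mimic an Intune device export and an EDR console export,
but every hostname, serial and date is made up.
"""
from datetime import date
from typing import Dict, List, Optional

AS_OF = date(2026, 1, 12)   # constructed "today" for the report

# Constructed inventory: one row per device the company believes it owns.
INVENTORY: List[dict] = [
    {"deviceName": "WS-0101", "serialNumber": "SN0001", "lastSyncDate": date(2026, 1, 10)},
    {"deviceName": "ws-0102.corp.local", "serialNumber": "SN0002", "lastSyncDate": date(2026, 1, 9)},
    {"deviceName": "WS-0150", "serialNumber": "SN0005", "lastSyncDate": date(2026, 1, 11)},
    {"deviceName": "SRV-FILE01", "serialNumber": "SN0003", "lastSyncDate": date(2026, 1, 10)},
    {"deviceName": "WS-0199", "serialNumber": "SN0004", "lastSyncDate": date(2025, 9, 1)},
]

# Constructed EDR export: hostnames as the agent reports them (case and suffix differ).
EDR_AGENTS: List[dict] = [
    {"hostname": "ws-0101", "serial": "SN0001", "lastSeen": date(2026, 1, 10)},
    {"hostname": "WS-0102", "serial": "", "lastSeen": date(2026, 1, 10)},        # no serial reported
    {"hostname": "WS-0150", "serial": "SN0005", "lastSeen": date(2025, 11, 20)},  # agent went quiet
    {"hostname": "LAPTOP-GHOST", "serial": "SN9999", "lastSeen": date(2026, 1, 8)},
]


def norm_host(name: str) -> str:
    """Short hostname, upper-cased, so 'ws-0102.corp.local' matches 'WS-0102'."""
    return name.split(".")[0].strip().upper()


def _find_agent(dev: dict, by_serial: Dict[str, dict], by_host: Dict[str, dict]) -> Optional[dict]:
    serial = dev.get("serialNumber") or ""
    if serial and serial in by_serial:
        return by_serial[serial]
    return by_host.get(norm_host(dev["deviceName"]))


def reconcile(inventory: List[dict], agents: List[dict], as_of: date,
              stale_days: int = 30) -> Dict[str, object]:
    """Bucket every inventory device and compute coverage over the full denominator."""
    by_serial = {a["serial"]: a for a in agents if a.get("serial")}
    by_host = {norm_host(a["hostname"]): a for a in agents}
    protected, unprotected, agent_stale, stale_inventory = [], [], [], []
    matched_hosts = set()

    for dev in inventory:
        name = dev["deviceName"]
        if (as_of - dev["lastSyncDate"]).days > stale_days:
            stale_inventory.append(name)       # possibly retired, but still in the denominator
        agent = _find_agent(dev, by_serial, by_host)
        if agent is None:
            unprotected.append(name)
            continue
        matched_hosts.add(norm_host(agent["hostname"]))
        if (as_of - agent["lastSeen"]).days > stale_days:
            agent_stale.append(name)           # installed once, not reporting now
        else:
            protected.append(name)

    # Agents the inventory does not know about mean the denominator itself is wrong.
    unknown_agents = [a["hostname"] for a in agents if norm_host(a["hostname"]) not in matched_hosts]
    coverage_pct = round(100.0 * len(protected) / len(inventory), 1) if inventory else 0.0
    return {
        "coverage_pct": coverage_pct,
        "protected": protected,
        "unprotected": unprotected,
        "agent_stale": agent_stale,
        "stale_inventory": stale_inventory,
        "unknown_agents": unknown_agents,
    }


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, EDR_AGENTS, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the honest coverage number is 40%, not the "three agents installed" the console would show, and the unknown LAPTOP-GHOST agent says the inventory itself is incomplete. Both facts belong in the evidence pack.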
3. Backups and recoverability: not just backup existence
Carriers still ask this control in relatively short language, but they increasingly care about whether the backup story survives ransomware.
How the carriers ask it
Coalition asks whether the insured maintains at least weekly backups of critical data and business systems offline or on a separate network.[1]
Travelers asks whether the applicant has backup and recovery procedures in place for all important business and customer data.[2]
Hartford asks a much more underwriting-friendly version:
- is critical data regularly backed up,
- weekly or monthly,
- are backups stored offline and/or isolated from production systems,
- how often is recovering data from backup tested?[3]
Hartford’s ransomware supplemental goes even further, asking what best describes backup procedure, storage, hours-to-restore expectations, and how often fail-over and recovery are tested.[4]
What carriers are really asking
If production is encrypted, do you have a realistic path back?
This breaks into four sub-questions:
- frequency,
- scope,
- isolation,
- and tested recoverability.
What evidence should include
At minimum:
- last successful backup date,
- coverage of critical systems and critical data,
- target type and isolation model,
- retention,
- most recent restore or recovery test date.
The common mistake
Treating “backup software exists” as proof of recovery readiness.
In 2026, that is no longer enough.
For the backup-specific proof layer, How to Prove Backup Immutability for Cyber Insurance Renewals expands this control into the actual evidence carriers tend to want.
4. Email security: sometimes explicit, sometimes still externally checked
Email security is interesting because it is no longer optional from a risk perspective, but not every paper form asks it directly.
How the carriers ask it
Hartford is explicit. Its underwriting application asks about:
- secure email gateway,
- malicious attachment screening,
- malicious link screening,
- tagging emails from external senders,
- and phishing/security awareness training frequency.[3]
Travelers’ short form does not ask a separate DMARC/SPF/DKIM question.[2]
Coalition’s base PDF also does not ask those DNS-level questions directly.[1]
But that does not mean Coalition ignores the control. Coalition says it routinely scans the external digital footprint for data assets, phishing risks, and related issues, and Coalition Control markets continuous monitoring across assets, apps, data leaks, and phishing risks.[11][12]
What carriers are really asking
Can attackers easily impersonate the business or land malicious content through the front door?
What evidence should include
At a minimum, be ready to demonstrate:
- SPF presence,
- DKIM configuration where supported,
- DMARC presence and policy strength,
- plus inbound email filtering controls if the carrier asks for them.
This is the rare control where a lightweight external scan can still produce useful underwriting evidence because the DNS posture is public.
For a deeper treatment of that public evidence layer, see DMARC, SPF, and DKIM for Cyber Insurance.
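Because the DNS posture is public, the SPF and DMARC part of that evidence can be graded from TXT records alone. The following is an added example, not BindLedger's scan or any carrier's rubric: the records are constructed and served from a dict so it runs offline, the domains are made up, and the grading labels (enforcing, partial, monitor-only, missing) are this script's own. It also flags two SPF records on one name, which receivers treat as an error rather than as "SPF present".

```python
"""Grade a domain's public SPF and DMARC posture from its TXT records.

Constructed example: the records below are made up and live in a dict so the
check runs offline; the grading rules are this script's, not any carrier's.
"""
import re
from typing import Callable, Dict, List

# Constructed TXT records keyed by the DNS name they would be published at.
TXT_RECORDS: Dict[str, List[str]] = {
    "example-a.test": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.example-a.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test; pct=100"],
    "example-b.test": ["v=spf1 ip4:203.0.113.0/24 ~all", "v=spf1 include:other.example -all"],
    "_dmarc.example-b.test": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@example-b.test"],
    "example-c.test": ["site-verification=placeholder"],
}


def lookup_txt(name: str) -> List[str]:
    """Offline stand-in for a DNS TXT query against the constructed records."""
    return TXT_RECORDS.get(name.lower(), [])


_ALL_RE = re.compile(r"^([-~?+]?)all$")


def spf_summary(records: List[str]) -> Dict[str, object]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    summary: Dict[str, object] = {"present": bool(spf), "multiple": len(spf) > 1, "all": None}
    if spf:
        # Two SPF records on one name is a permanent error for receivers, so it is
        # flagged via "multiple" rather than silently treated as the first one.
        for token in spf[0].split()[1:]:
            m = _ALL_RE.match(token.lower())
            if m:
                summary["all"] = (m.group(1) or "+") + "all"   # "+all" is the default qualifier
    return summary


def parse_dmarc(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_summary(records: List[str]) -> Dict[str, object]:
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"present": False, "policy": None, "pct": None, "rua": False, "grade": "missing"}
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy in ("reject", "quarantine") and pct == 100:
        grade = "enforcing"
    elif policy in ("reject", "quarantine"):
        grade = "partial"          # enforcement applied only to a sample of mail
    elif policy == "none":
        grade = "monitor-only"
    else:
        grade = "invalid"
    return {"present": True, "policy": policy, "pct": pct, "rua": "rua" in tags, "grade": grade}


def grade_domain(domain: str, lookup: Callable[[str], List[str]] = lookup_txt) -> Dict[str, object]:
    """SPF and DMARC findings for one domain, using the supplied TXT lookup."""
    return {"domain": domain,
            "spf": spf_summary(lookup(domain)),
            "dmarc": dmarc_summary(lookup(f"_dmarc.{domain}"))}


if __name__ == "__main__":
    for d in ("example-a.test", "example-b.test", "example-c.test"):
        print(grade_domain(d))
```

To run this against live DNS, pass a function that performs a real TXT query (for example one built on a resolver library) in place of lookup_txt; nothing else changes. The script deliberately records the SPF "all" qualifier and the DMARC pct value separately, because "we have DMARC" with p=none or pct=10 is a much weaker statement than p=reject at 100%.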
The common mistake
Assuming the control does not matter because the base PDF does not spell it out.
Carriers increasingly see email risk whether or not the form makes you describe it.
If your client is Microsoft-heavy, Cyber Insurance for Microsoft 365 Tenants: The 2026 Attestation Checklist is the M365-specific companion to this cross-carrier control map.
5. Encryption: broader than laptops, narrower than people think
Encryption shows up in all three carriers, but the scope differs.
How the carriers ask it
Coalition asks whether the insured implements encryption on laptops, desktops, and other portable media devices.[1]
Travelers asks whether the applicant encrypts private or sensitive data:
- at rest in the database or on the network,
- in transit,
- on mobile devices,
- on employee-owned devices,
- and while in the care of a third-party service provider.[2]
Hartford asks whether nonpublic records are encrypted at rest, in transit, and on mobile devices.[3]
What carriers are really asking
They are trying to separate routine device loss or data handling from full-blown reportable events.
What evidence should include
For endpoint-heavy answers, the fastest defensible evidence is:
- BitLocker status for Windows, via `manage-bde -status`, Intune encryption reporting, or Graph-managed device data,
- FileVault status for macOS via device-management tooling or `fdesetup` workflows.[13][14][15]
For broader data-at-rest and in-transit questions, you may also need application, storage, or vendor-security evidence. Do not let laptop encryption lead you into over-answering database or third-party encryption questions.
The common mistake
Using one true encryption fact to answer a broader encryption question.
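For the per-device BitLocker fact, the raw `manage-bde -status` text is the evidence, and it is worth parsing rather than eyeballing. The parser below is an added example, not BindLedger's code or Microsoft tooling: the sample text is constructed to imitate the layout of the command's output (volume headers, indented key/value lines, a list of key protectors), with made-up sizes and labels. The point it makes is that "Fully Encrypted" alone is not the answer; a volume whose protection is suspended reports Fully Encrypted with Protection Off, and only the combination counts.

```python
"""Parse `manage-bde -status` output into per-volume BitLocker facts.

Constructed example: the text below imitates the layout of the real command's
output, but the version string, sizes, labels and volume set are made up.
"""
import re
from typing import Dict

SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.0 (placeholder)

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.33 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 500.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found

Volume E: [Archive]
[Data Volume]

    Size:                 120.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password
"""

_VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]")
_KV_RE = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")


def parse_manage_bde_status(text: str) -> Dict[str, dict]:
    """Map each drive letter to its label, volume type, fields and key protectors."""
    volumes: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = _VOLUME_RE.match(line)
        if m:
            current = {"label": m.group(2), "type": "", "Key Protectors": []}
            volumes[m.group(1)] = current
            continue
        if current is None:
            continue                                 # banner lines before the first volume
        if line.startswith("[") and line.endswith("]"):
            current["type"] = line.strip("[]")      # e.g. "OS Volume" / "Data Volume"
            continue
        kv = _KV_RE.match(line)
        if kv:
            key, value = kv.group(1).strip(), kv.group(2).strip()
            if key == "Key Protectors":
                if value and value != "None Found":
                    current["Key Protectors"].append(value)
            else:
                current[key] = value
            continue
        if line.startswith("        ") and line.strip():
            current["Key Protectors"].append(line.strip())   # continuation lines under Key Protectors
    return volumes


def volume_protected(vol: dict) -> bool:
    """Encrypted AND protectors active; Fully Encrypted with protection suspended does not count."""
    return (vol.get("Conversion Status") == "Fully Encrypted"
            and vol.get("Protection Status") == "Protection On")


def protection_report(text: str) -> Dict[str, bool]:
    return {letter: volume_protected(v) for letter, v in parse_manage_bde_status(text).items()}


def os_volume_protected(text: str) -> bool:
    """The fact most encryption questions actually turn on: is the OS volume protected right now?"""
    return any(v["type"] == "OS Volume" and volume_protected(v)
               for v in parse_manage_bde_status(text).values())


if __name__ == "__main__":
    print(protection_report(SAMPLE_STATUS))
    print("OS volume protected:", os_volume_protected(SAMPLE_STATUS))
```

Collected across a fleet, the per-volume dictionaries (including the key-protector list, which shows whether a TPM is actually in play) are a far better attachment than a screenshot of one laptop.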
6. Privileged access: the hidden multiplier
Privileged access is not always broken out as its own section, but it is present in the control logic.
How the carriers ask it
Coalition asks directly about MFA for network/cloud administration or other privileged user accounts.[1]
Travelers bundles privileged risk into its broad MFA question about remote access to email and sensitive systems, and in the full Travelers v. ICS complaint the separate MFA attestation specifically referenced internal and remote admin access to directory services, backup environments, network infrastructure, and endpoints/servers.[2][16]
Hartford pushes privileged access more explicitly in the ransomware supplemental, asking how privileged access is controlled and how MSP access is controlled.[4]
What carriers are really asking
How many identities can change the environment, disable protections, access backup systems, or widen a compromise?
What evidence should include
A good privileged-access review should show:
- who holds admin roles,
- how many global-level administrators exist,
- whether every privileged identity has MFA,
- whether service-provider/admin access is controlled distinctly,
- and whether there is obvious sprawl.
For Entra environments, role enumeration and admin-account review are straightforward and worth doing every renewal cycle.
The common mistake
Assuming privileged access is covered because “admins know what they are doing.”
Privilege without strong identity control is exactly what carriers are worried about.
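A privileged-access review of the kind described above reduces to a few set operations over role membership. The script below is an added example, not BindLedger's workflow or Microsoft's API: the role-to-member map is constructed to resemble what you would assemble from directory role membership, the registration flags resemble an MFA registration report, and every account name is invented. The Global Administrator threshold and the "svc-" naming convention used to spot service accounts are this script's assumptions. Registration is reported separately from enforcement on purpose; a registered method is not an enforced one.

```python
"""Summarise privileged-role membership for a renewal review.

Constructed example: the role-to-member map mimics what you would build from
directory role membership, and the registration flags mimic an MFA registration
report; every account name is made up, as are the GA threshold and the 'svc-'
naming convention used to spot service accounts.
"""
from collections import Counter
from typing import Dict, List

GA_THRESHOLD = 5   # assumed review threshold for Global Administrator count

ROLE_MEMBERS: Dict[str, List[str]] = {
    "Global Administrator": [
        "alice@contoso.example", "bob@contoso.example", "carol@contoso.example",
        "dan@contoso.example", "svc-backup@contoso.example",
        "helpdesk_msp.example#EXT#@contoso.example",   # guest account used by a service provider
    ],
    "Exchange Administrator": ["alice@contoso.example", "erin@contoso.example"],
    "Security Administrator": ["alice@contoso.example"],
}

# Registration only: whether a second factor exists, not whether it is enforced.
MFA_REGISTERED: Dict[str, bool] = {
    "alice@contoso.example": True, "bob@contoso.example": True,
    "carol@contoso.example": False, "dan@contoso.example": True,
    "svc-backup@contoso.example": False,
    "helpdesk_msp.example#EXT#@contoso.example": True,
    "erin@contoso.example": True,
}


def review_privileged_access(role_members: Dict[str, List[str]] = ROLE_MEMBERS,
                             mfa_registered: Dict[str, bool] = MFA_REGISTERED,
                             ga_threshold: int = GA_THRESHOLD) -> Dict[str, object]:
    """Counts and named exceptions a reviewer would want before answering the form."""
    roles_per_user: Counter = Counter()
    for members in role_members.values():
        for upn in set(members):               # de-duplicate within a role
            roles_per_user[upn] += 1
    privileged = sorted(roles_per_user)
    ga = role_members.get("Global Administrator", [])
    return {
        "privileged_identities": len(privileged),
        "global_admin_count": len(ga),
        "global_admin_over_threshold": len(ga) > ga_threshold,
        # Guest UPNs carry #EXT#; these are the MSP/vendor identities to account for separately.
        "external_admins": sorted(u for u in privileged if "#EXT#" in u),
        "service_accounts_in_roles": sorted(u for u in privileged if u.lower().startswith("svc-")),
        # Unknown to the registration report is treated as not registered (conservative).
        "no_mfa_registered": sorted(u for u in privileged if not mfa_registered.get(u, False)),
        "multi_role_users": sorted(u for u, n in roles_per_user.items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in review_privileged_access().items():
        print(f"{key}: {value}")
```

The output is the shape of answer an underwriter can act on: how many identities can change the tenant, which of them are external or non-human, and which ones have no second factor registered at all.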
7. Incident response and business continuity: the manual control that still matters
This control family is harder to automate, but it is becoming more visible in underwriting.
How the carriers ask it
Travelers asks separately about an incident response plan and a disaster recovery/business continuity plan.[2]
Hartford asks whether the applicants have a cyber incident response plan or business continuity plan in place and how often it is tested.[3]
Coalition’s base application does not ask an IRP question on the agency PDF, but Coalition’s renewal model includes updated underwriting and can attach ransomware supplements in standard-renewal scenarios.[17]
What carriers are really asking
If something bad happens, does the organization know what to do, who to call, how to communicate, and how to restore operations?
What evidence should include
This is one of the few controls where the evidence is inherently document-based:
- a current IR plan,
- a current DR/BC plan or integrated response plan,
- test or tabletop evidence,
- named roles and outside resources.
The common mistake
Calling a contact sheet or an MSP emergency phone number an incident response plan.
8. Patch management: still one of the quietest underwriting essentials
Patch management is not always the most dramatic control, but it shows up reliably when carriers or supplements get more specific.
How the carriers ask it
Travelers asks whether the applicant has a process in place to regularly download and install patches.[2]
Hartford’s ransomware supplemental asks what best describes the applicant’s patch management procedure.[4]
Coalition’s base form does not include a standalone patching question, but Coalition’s external assessment and security findings model means patch-related external exposure can still surface during underwriting or renewal.[11][12]
What carriers are really asking
Are known exploitable weaknesses likely to remain open long enough for attackers to use them?
What evidence should include
- documented patching process,
- tool of record,
- coverage across managed endpoints,
- exception handling,
- and a credible answer to how quickly critical issues are remediated.
The common mistake
Confusing “updates happen eventually” with “we have a patch-management process.”
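The "how quickly are critical issues remediated" answer should come from data rather than from memory. Here is an added example of computing it, not BindLedger's code or any carrier's formula: the records are constructed to resemble a patch-compliance export (placeholder patch ids, made-up devices and dates), and the SLA days are an assumed internal target. A patch is "within SLA" when installed inside the window, "overdue" when installed late or still missing past the deadline, and "pending" when the deadline has not arrived yet, so a patch released last week does not drag the number down.

```python
"""Measure time-to-patch against an internal SLA (constructed data).

Added example: the records mimic a patch-compliance export; patch ids, devices
and dates are made up, and the SLA days are an assumed internal target, not
any carrier's requirement.
"""
from datetime import date
from statistics import median
from typing import Dict, List

SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}   # assumed internal targets
AS_OF = date(2026, 1, 15)                                # constructed report date

PATCH_RECORDS: List[dict] = [
    {"device": "WS-0101", "patch": "PATCH-0001", "severity": "critical",
     "released": date(2025, 12, 1), "installed": date(2025, 12, 9)},
    {"device": "WS-0102", "patch": "PATCH-0001", "severity": "critical",
     "released": date(2025, 12, 1), "installed": date(2025, 12, 28)},
    {"device": "SRV-FILE01", "patch": "PATCH-0001", "severity": "critical",
     "released": date(2025, 12, 1), "installed": None},
    {"device": "WS-0150", "patch": "PATCH-0002", "severity": "critical",
     "released": date(2026, 1, 10), "installed": None},
    {"device": "WS-0101", "patch": "PATCH-0003", "severity": "high",
     "released": date(2025, 12, 20), "installed": date(2026, 1, 5)},
    {"device": "WS-0199", "patch": "PATCH-0004", "severity": "high",
     "released": date(2025, 11, 1), "installed": None},
]


def classify(rec: dict, as_of: date) -> str:
    """'within_sla', 'overdue', or 'pending' (deadline not yet reached)."""
    window = SLA_DAYS[rec["severity"]]
    if rec["installed"] is not None:
        return "within_sla" if (rec["installed"] - rec["released"]).days <= window else "overdue"
    return "overdue" if (as_of - rec["released"]).days > window else "pending"


def patch_report(records: List[dict], as_of: date) -> Dict[str, object]:
    """Per-severity SLA attainment, the devices that are behind, and median days to install."""
    per_sev: Dict[str, dict] = {}
    overdue_devices = set()
    install_days: List[int] = []
    for rec in records:
        bucket = per_sev.setdefault(rec["severity"],
                                    {"total": 0, "within_sla": 0, "overdue": 0, "pending": 0})
        status = classify(rec, as_of)
        bucket["total"] += 1
        bucket[status] += 1
        if status == "overdue":
            overdue_devices.add(rec["device"])
        if rec["installed"] is not None:
            install_days.append((rec["installed"] - rec["released"]).days)
    for bucket in per_sev.values():
        # Attainment is measured over decided items only; pending ones cannot have failed yet.
        decided = bucket["total"] - bucket["pending"]
        bucket["pct_within_sla"] = round(100.0 * bucket["within_sla"] / decided, 1) if decided else None
    return {
        "by_severity": per_sev,
        "overdue_devices": sorted(overdue_devices),
        "median_days_to_install": median(install_days) if install_days else None,
    }


if __name__ == "__main__":
    for key, value in patch_report(PATCH_RECORDS, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the critical-severity attainment is one in three, which is the kind of number that should prompt a look at exception handling before it is written into an application as "we patch critical issues within 14 days".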
Cross-carrier summary table
Here is the fast map.
| Control | Coalition | Travelers | Hartford |
|---|---|---|---|
| MFA | Q6a–Q6d | Q3i | Remote access MFA + email MFA |
| Endpoint protection / EDR | Lighter on base PDF; broader risk model via assessment | Q3b | Endpoint protection + EDR/MDR product |
| Backups | Q5 | Q3d | Backups, isolation, restore testing |
| Email security | Not explicit on base PDF; external digital-footprint/phishing review still matters | Not explicit on short form | SEG, attachment screening, link screening, external sender tagging, training |
| Encryption | Q3 | Q6a–Q6e | At rest, in transit, mobile |
| Privileged access | Q6d | Embedded in MFA posture / separate attestation logic | Strongly present in ransomware supplemental |
| IR/BC | Not on base agency PDF | Q3e–Q3f | IR/BC plan and testing |
| Patching | Not on base agency PDF | Q3c | Explicit in ransomware supplemental |
The practical lesson for renewals
The forms are not identical. But the control universe is smaller than it first appears.
If you can verify these eight control families well, you are most of the way toward a defensible answer set for a large percentage of SMB and lower-middle-market cyber renewals.
That is why the right product wedge in this market is not “fill out forms faster.”
It is:
- verify the same core controls once,
- preserve evidence,
- map it carrier by carrier,
- and rerun the check before renewal or after material change.
BindLedger is built around that exact workflow. The public scan covers the external email-security basics. The M365 workflow handles the hardest reconciliation problem — MFA — and supports verification of privileged accounts, encryption, and other Microsoft-centric evidence before the questionnaire is signed.
The easiest way to improve renewal quality
You do not need a giant compliance platform to improve cyber-insurance renewals. You need a repeatable way to verify the control set carriers keep asking about.
BindLedger is built for that exact job: start with the free external email-security scan, then verify the harder internal controls — especially M365 MFA, privileged access, and device-level evidence — before the application goes back to the broker or carrier.