When you're evaluating cyber insurance options for your clients, CFC stands out—not because of marketing claims, but because of how they've fundamentally reimagined underwriting speed, claims acceptance, and proactive threat management. Founded in 1999 as one of the first companies to sell cyber insurance online, CFC has spent 25 years building the infrastructure that now powers nearly one-third of the world's cyber insurance policies.[1][13]
This guide walks you through how CFC's underwriting actually works, what they're looking for in applications, how their Response platform catches threats your clients miss, and why their claims service acceptance rate hovers around 99%—the highest in the industry.
The CFC Underwriting Advantage: From Website URL to Three Quotes in Seconds
The traditional cyber insurance application is a nightmare: pages of questionnaires, months-long underwriting waits, tedious back-and-forth over control details. CFC flipped this entirely.
Their platform requires only one piece of information: your client's website URL.[3] That's it. In seconds, CFC's Connect platform generates three bespoke quotes without requiring underwriters to manually touch 90% of applications. For brokers juggling dozens of clients, this isn't just convenience—it's operational transformation.
Here's how it works:
The Single-URL Process[3]
- You enter the client's website URL into CFC's Connect broker portal
- CFC's algorithms analyze the domain, scan for public-facing vulnerabilities, and assess industry risk factors
- Three quotes appear—typically varying by coverage limits and retention levels
- The broker and client can bind instantly, with zero additional underwriting delays
CFC processes thousands of quotes monthly through this automation.[3] For standard risk profiles—which represent the majority of SMB cyber insurance—zero human underwriter intervention is required. The system handles portfolio quoting, API integration for digital trading, and real-time bind capabilities.[3]
This isn't reckless automation. Behind the speed is 25 years of claims data, behavioral underwriting models, and CFC's in-house security expertise.[13] The automation handles the straightforward cases perfectly, while flagging anything unusual for specialist review.
Cyber Proactive Response: The New Standard for SMBs
In April 2025, CFC launched Cyber Proactive Response (CPR)—a comprehensive overhaul of SMB cyber coverage designed around the reality that most attacks are preventable with the right controls and early warning system.[2]
Who It's For[2]
CPR covers businesses with annual revenue up to $250 million. Above that threshold, CFC's Corporate Cyber product takes over.
What Makes CPR Different: 30 Coverage Enhancements[2]
CFC added 30 coverage improvements compared to their legacy SMB offering. More importantly, they removed 6 significant exclusions—areas that historically complicated claims.
CPR includes several world-first innovations not available from other carriers:
- Contractually guaranteed proactive services embedded in the policy wording (not optional add-ons)
- Interim payments for business interruption (clients receive compensation during recovery, not just at the end)
- Income loss from lost or missed bids (unique coverage for opportunity costs from ransomware downtime)
- Affirmative AI event coverage (the first explicit cyber policy language covering AI-related breaches and failures)
The Reinstatement Game-Changer[2]
Under CPR, your client gets unlimited reinstatements at nil deductible. This is critical for ransomware and high-frequency social engineering attacks. Older cyber policies limit reinstatements (often at the original deductible), which either forces clients to self-insure subsequent incidents or abandon coverage mid-year. CPR eliminates that dilemma.
Sector-Specific Tailoring (May 2025 expansion)[11]
CFC extended CPR to fintech, digital health, and technology sectors in 2025. The product now includes AI-incident coverage—addressing the emerging risk that most carriers haven't yet underwritten.[11] By January 2026, CFC added a Customer Business Interruption extension covering supply-chain losses from attacks on your client's customers' systems.[12] If a critical vendor gets hit and your client loses revenue as a result, that's now covered.
CPR vs. Corporate Cyber: Application Depth Contrast
For clients above $250M in annual revenue, CFC's Corporate Cyber product requires significantly deeper underwriting. The corporate application goes far beyond CPR's streamlined one-page form:
Corporate Cyber asks about:
- Security policy documentation (completeness and update frequency)
- Patching process and target patch window (how quickly software updates are deployed)
- Unsupported software inventory (end-of-life operating systems, applications no longer receiving patches)
- MFA for remote access, remote email, AND cloud resources (more granular than CPR)
- Privileged account protection (dedicated management for admin credentials)
- Local admin rights (scope and justification)
- Endpoint protection and EDR (specific tools and deployment percentages)
- EDR monitoring and alerting (retention period, alert response times)
- Lateral movement controls (network segmentation, zero-trust architecture)
- Governance standards (security committee, board reporting, third-party audits)
- Phishing simulations (frequency, employee training results)
- DMARC/SPF/DKIM and other email controls (detailed email security posture)
- Vulnerability scanning (frequency and remediation SLA)
- Penetration testing (frequency and evidence of remediation)
- PCI assessments (if applicable to the business)
For brokers with mid-market or enterprise clients, the Corporate Cyber application is substantially more involved than CPR. If a client is approaching the $250M threshold or already past it, plan for extended underwriting and deeper technical documentation. Corporate Cyber is designed for businesses with mature security operations and established governance—not for businesses still building foundational controls.
Security Controls: What CFC's Underwriters Actually Look For
The underwriting questionnaire matters less than the technical controls inspection. When CFC assesses your client's cyber maturity, they're evaluating five core areas.[4]
For CPR (the one-page U.S. application), CFC's underwriting focuses on concrete, measurable controls. The application specifically asks about:
- MFA enabled and enforced for all remote access to the network
- MFA enabled and enforced for remote access to all company email accounts
- Offline backups fully disconnected from the live environment, OR cloud-based backups with access secured by MFA
- Prior cyber incidents in the past 3 years (incident count and description)
- Incidents causing direct financial impact greater than $10,000 (CFC's material threshold for underwriting adjustment)
These specific questions shape how you prepare your clients for underwriting. If a client has experienced an incident, it's the incidents exceeding $10,000 in direct losses that trigger closer review, not minor incidents below that threshold.
1. Multi-Factor Authentication (MFA) – Non-Negotiable
The Requirement: MFA on all business email accounts and key business software.[4]
Email is the primary attack vector for social engineering, ransomware delivery, and credential compromise. Any business without MFA on email is essentially uninsurable at favorable rates. CFC requires it as a baseline.
But MFA extends beyond email. CFC underwriters check:
- VPN access: MFA required
- Cloud storage (Dropbox, OneDrive, SharePoint): MFA required
- Admin consoles: MFA required
- Any system handling customer data: MFA required
If a client says "we have MFA on email, that's enough," they're underestimating the control gap. CFC will ask follow-up questions. More importantly, when an incident does occur, the responders will find that the unprotected systems were the attack pathway.
2. Endpoint Detection and Response (EDR) – Beyond Antivirus
The Requirement: Continuous monitoring of all network-connected devices, beyond basic antivirus or firewall.[4]
Signature-based antivirus on its own is no longer enough. CFC wants to see EDR—technology that continuously monitors endpoints for suspicious behavior, quarantines threats in real-time, and logs data for forensics. Tools like Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, or Carbon Black qualify.
Why it matters: a ransomware attack that EDR catches within hours can be contained before it spreads. One that antivirus definitions catch days later has already encrypted 70% of network shares.
If your client is running basic antivirus only, CFC's underwriters will flag it for EDR implementation as a condition of coverage or will apply a coverage restriction (e.g., higher deductible until remediated).
3. Backup and Recovery – The Ransomware Killer
The Requirement: Regular, segregated, offline backups in offsite locations, completely separated from the primary network.[4]
Ransomware is profitable because most backups are reachable by attackers. A client with network-attached storage (NAS) backups on the same network is not meaningfully backed up—ransomware gets there too.
CFC's underwriters specifically look for:
- Segregation: Backups on isolated storage with no direct network access from primary systems
- Offline component: At least some backup copies stored offline (tape, external drive, disconnected NAS)
- Offsite location: Not in the same building; ideally in a different geographic region
- Frequency: At minimum daily; more frequently for critical systems
- Testing: Evidence that restore operations are tested periodically—you'd be shocked how many businesses have backups that don't actually restore
This control is so important that clients without demonstrable backup hygiene will either face coverage restrictions or outright decline. See How to Prove Backup Immutability for a detailed walkthrough of what proof CFC expects.
4. Remote Desktop Protocol (RDP) – The Open Door Problem
The Requirement: Unused ports closed; open ports protected behind VPN + MFA.[4]
Over 50% of ransomware claims stem from exposed RDP.[4] An unprotected RDP port is an open invitation to brute-force attacks. Attackers scan the entire internet for port 3389 (the default RDP port), and if it's open and the password is weak, they're in.
CFC's underwriting position is clear:
- Exposed RDP ports should not exist (close them if unused)
- If RDP is needed, require VPN + MFA before access is granted
- Change the default port if exposing RDP is unavoidable
- Implement idle timeout and session limits
Brokers often encounter clients who say "we only use RDP once a month, for a specific vendor." CFC's answer: then it doesn't need to be exposed. Close it, and open it only when needed—or put it behind a VPN.
For IT teams considering RDP architecture, see When Remote Access Becomes an Underwriting Question for guidance on designing RDP deployments that satisfy underwriters.
5. Security Governance – Policy, Ownership, and Willingness to Improve
The Requirement: Documented policies, designated security leadership, and demonstrated willingness to remediate gaps.[4]
This is the behavioral control. CFC wants to see:
- A security policy in writing: Not a 200-page compliance manual; a 2–3 page statement of how your client handles passwords, patch management, incident reporting, and vendor access
- Designated responsibility: "Who owns security in your organization?" If the answer is "the IT manager when he has time," that's a red flag. CFC wants to see that security is someone's actual job
- Remediation track record: If CFC or a previous insurer identified a gap, can the client show that they addressed it? Even if they didn't fix everything immediately, showing intent and progress matters
Clients that refuse to implement basic controls or blow off underwriter recommendations will see higher deductibles or non-renewals.
Email Security (Implicit in MFA Requirement)
Email hygiene extends beyond MFA. CFC also evaluates whether clients have implemented SPF, DKIM, and DMARC to prevent email spoofing. These technical controls stop attackers from impersonating your organization to customers, partners, and employees. For a detailed guide, see DMARC, SPF, and DKIM for Cyber Insurance.
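As an added example (not CFC's tooling or code), the Python check below evaluates the SPF and DMARC TXT records a client has published, answering the "DMARC, SPF, DKIM configured?" line of the final checklist before the application goes in. The domain names, addresses and record values are constructed samples; a real run would feed in the TXT records fetched for the client's domain and its _dmarc subdomain.

```python
"""Email-authentication readiness check (added example, not CFC's tooling).

Evaluates the SPF record published at the client's domain and the DMARC
record at _dmarc.<domain>, returning plain-language findings. Records are
passed in as strings so the check runs offline; the values below are
constructed samples. DKIM is not checked because its selector names are
not discoverable from the zone alone.
"""
from __future__ import annotations

import re

# SPF terms that each cost a DNS lookup; RFC 7208 caps them at 10 per check.
_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(domain_txt: list[str]) -> list[str]:
    """Return findings for the domain's SPF posture (empty list = OK)."""
    spf = [r for r in domain_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot tell spoofed mail from real"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record; receivers treat this as permerror"]
    findings: list[str] = []
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:
        # A term is [qualifier]name[:argument]; the default qualifier is '+'.
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in _LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; senders not listed are implicitly allowed")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' does not reject unlisted senders")
    return findings


def assess_dmarc(dmarc_txt: list[str]) -> list[str]:
    """Return findings for the _dmarc record (empty list = OK)."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc; no policy tells receivers what to do with failures"]
    if len(dmarc) > 1:
        return ["DMARC: more than one record at _dmarc; receivers ignore all of them"]
    tags: dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; the record is ineffective")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports on spoofing attempts")
    return findings


def readiness_report(domain_txt: list[str], dmarc_txt: list[str]) -> dict:
    """Combine both checks into the yes/no a broker needs plus the reasons."""
    findings = assess_spf(domain_txt) + assess_dmarc(dmarc_txt)
    return {"ready": not findings, "findings": findings}


# Constructed sample records for a hypothetical client domain (not real DNS data).
SAMPLE_DOMAIN_TXT = ["v=spf1 include:spf.mailprovider.example ip4:203.0.113.10 ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@client.example"]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_DOMAIN_TXT, SAMPLE_DMARC_TXT)
    for finding in report["findings"]:
        print("-", finding)
    print("email-auth checklist line satisfied:", report["ready"])
```

With the sample records the client's SPF passes but DMARC is still at p=none, which is the most common gap a broker will see: monitoring is on, but spoofed mail is still delivered.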
The CFC Response App: Twice the Threats Caught Proactively
Here's where CFC's underwriting philosophy becomes tangible for your clients: the Response platform.
CFC doesn't just sell a policy and disappear. They've built a 24/7 threat monitoring and response service, with a mobile app (iOS/Android) that gives policyholders real-time alerts, access to expert responders, and threat intelligence—and it's free for all policyholders.[5][14]
How Proactive Threat Detection Works
The Exclusivity Advantage[5][10]
CFC's threat intelligence comes from proprietary feeds (honeypots, customer incident data), government agencies, and private security research. This isn't off-the-shelf threat intel; it's the accumulation of CFC's own global incident response data from thousands of customers.[5]
Deep Scanning and Monitoring[14]
The Response app includes:
- Policy decryption key retrieval (access to encrypted backups for rapid ransomware recovery)
- 15-minute callback guarantee (when reporting through the app, technical responders commit to contact within 15 minutes)
- Dark web monitoring (continuously scans for compromised credentials, domains, and business data linked to your client across breach forums and underground marketplaces)
- Deep scanning (continuously scans external network footprint for common vulnerabilities—exposed RDP, outdated software, misconfigured cloud services, unpatched systems)
- Phishing simulations (designed to resemble real phishing attempts, with automated training delivered to employees who fail tests)
- Ask-the-expert / cyber advice (direct access to CFC's incident response and security experts for tactical questions outside of active incidents)
- Active threat hunting within client environments (not just passive monitoring, but proactive searching for indicators of compromise)
- Continuous monitoring for shadow IT and unauthorized cloud services (detecting SaaS tools and data repositories employees add without approval)
The Validation Process—Why False Positives Matter[5]
Here's the differentiator: CFC doesn't just fire alerts at clients. Every threat flagged by the Response platform goes through validation by CFC's analysts. Before a client receives a notification, CFC answers three questions:
- Is this threat credible? (Is it a real vulnerability, or a false positive from overzealous scanning?)
- Is it actively exploited? (Is there evidence attackers are weaponizing it?)
- Is it likely to cause harm to this client? (Is it relevant to their industry, software stack, and geography?)
Only threats passing all three filters reach the client. And when they do, the notification is plain-language and actionable—not the cryptic Shodan output most security teams receive.[5]
The Impact—6,000 vs. 3,000[7]
In the past year, CFC's Response platform flagged 6,000+ threats proactively. CFC's clients reported only 3,000+ incidents themselves.[7] That's twice as many issues caught by CFC before the client even knew about them. For ransomware, which can encrypt an entire network in 24 hours, catching the attack 48 hours early is the difference between containment and catastrophe.
24/7 Technical Response – 15 Minutes, Guaranteed
When a client (or CFC's system) detects a threat, response kicks in immediately.[6]
- Follow-the-sun coverage: CFC's incident response team spans London (HQ), New York, Austin, Brussels, and Brisbane—so there's always a responder awake and available
- First contact within 15 minutes: Not an average; CFC contractually guarantees a technical responder is in contact within 15 minutes of notification
- Expert team: Ethical hackers, former law enforcement, digital forensics specialists, privacy law experts—the team has 20+ years of cyber incident experience in-house
When a ransomware attack hits, that 15-minute window is critical. Early containment can mean the difference between a $50,000 recovery and a $5 million disaster.
Ransomware, Social Engineering, and Beyond: Coverage That Handles the Real Threats
CFC's CPR product isn't a data-breach-only policy. It covers the full spectrum of cyber incidents your clients actually face.
Ransomware Coverage – Full Stack[8]
- Ransom payment: If negotiation is appropriate, CFC covers the ransom payment (with sanctions checking by specialists)
- Data recovery: The cost to retrieve encrypted data or reconstruct lost files
- System restoration: Rebuilding infrastructure after an attack
- Business interruption: The income lost while systems are offline
- Interim payments for business interruption: CPR includes contractually guaranteed interim BI payments while recovery is underway—clients don't have to wait for the entire incident to resolve before receiving compensation
- Income loss from lost or missed bids: If a ransomware attack prevents a company from bidding on contracts or fulfilling pending orders, CPR covers the resulting lost revenue (a unique CPR innovation)
- Full system failure coverage: Complete infrastructure loss is covered, not just data breaches
- Emergency continuity costs: Temporary operational expenses incurred to maintain critical functions during recovery
- Nil deductible for incident response: This is the game-changer. If a client reports a potential incident early, there's no deductible for the response phase—only for the recovery phase. This removes the financial disincentive to report early
The unlimited reinstatement feature (at nil deductible) is critical here. If a business experiences a ransomware attack in June and pays to recover, but then gets hit again in September (a real scenario), the second incident is fully covered at no additional deductible.
Social Engineering and Funds Transfer Fraud[9]
- Phishing: Employee downloads a trojanized invoice, transfers funds to a fake vendor account
- Vishing: CEO impersonation via phone, requesting wire transfer authority
- Business Email Compromise (BEC): Attacker compromises an executive account and authorizes fraudulent transfers
- Cryptojacking: Attackers insert code into a website or app that hijacks visitor CPU to mine cryptocurrency
- Theft of physical goods: Coverage for physical theft that results from a cyber compromise (e.g., inventory theft coordinated via stolen systems)
- Invoice manipulation: Attacker modifies invoices in customer-facing systems to alter amounts or payment instructions
All covered. For detailed guidance on how to document BEC exposure for underwriters, see BEC and Funds Transfer Fraud Coverage.
Emerging Risk Coverage: AI and Novel Threats
CPR includes affirmative coverage for AI events—a world-first in cyber insurance. As AI systems become embedded in business operations, risks emerge: deepfakes used to commit fraud, AI models compromised to generate biased outputs, or large language models extracting proprietary data through training inputs. CPR covers these emerging threats explicitly, not as data breaches or conventional cyber incidents.
Extended Coverage (Jan 2026)
The January 2026 Customer Business Interruption extension is noteworthy for supply-chain resilience. If your client's revenue depends on SaaS vendors, payment processors, or logistics partners, and one of those vendors gets hit by a cyber attack that cuts off service, CFC now covers the resulting revenue loss.[12]
This is forward-thinking coverage—it recognizes that cyber risk is no longer isolated to a single organization but cascades through ecosystems.
Claims Acceptance: Why 99% Matters
CFC's claims acceptance rate sits at 99.1–99.4%—among the highest in the industry.[7] Compare that to carriers averaging 85–92%, and you understand why clients choose CFC at renewal.
Why the High Acceptance Rate?[7]
- Realistic policy language: CFC's underwriting is designed to cover incidents that are actually insurable, not to create loopholes
- Largest dedicated cyber claims team: CFC has the biggest in-house cyber claims team in the market—not generalist adjusters, but specialists who understand incident response, forensics, and mitigation
- Early reporting incentive: The nil deductible for incident response encourages clients to report suspected incidents immediately, before the attacker covers their tracks
- Experience: The team handles 2,500–4,000 cyber events annually—they've seen every variant of every incident type
When your client files a claim with CFC, the response is immediate. A technical responder is in contact within 15 minutes. The claims process is integrated with incident response, not siloed from it. The goal is containment and recovery, not legal chess.
CFC's Scale and Reputation: Why Brokers Trust Them
CFC's credibility isn't hype. Here's the substance:
Global Presence[1][3]
- 700+ employees across London (HQ), New York, Austin, Brussels, and Brisbane
- Operations in 90+ countries
- Trusted by 130,000+ businesses
- Provider of nearly one-third of the world's cyber insurance policies
Financial Strength[1]
- $1 billion+ in gross premiums written annually (2022)
- Adjusted EBITDA of £153.2 million (2024)
- Valued at approximately £5 billion as of February 2026
Broker Recognition[1]
- Named "Brokers' Favorite Cyber Insurance Provider" (2022)
- Rated 5-star cyber insurer by Insurance Business America (2025)
- 1,500+ businesses move insurance to CFC every month
For brokers, this means CFC isn't disappearing in a market downturn, and they're not cutting corners on claims. The financial backing supports the 24/7 incident response team and the ongoing investments in threat intelligence.
How to Prepare Your Clients for CFC Underwriting
Before Submitting an Application
- Conduct an internal control audit against CFC's five key controls (MFA, EDR, backups, RDP, governance). If gaps exist, flag them and develop a remediation plan before the quote request
- Gather documentation:
  - MFA enablement across systems
  - EDR tool name and deployment scope
  - Backup policy and recent restore test results
  - RDP access control documentation (VPN requirement, MFA, firewall rules)
  - Security policy document
  - List of any previous cyber incidents (within 3 years) and how they were remediated
  - Incidents causing direct financial impact >$10,000 (CFC's material threshold)
  - For finance-process controls (combined/private-enterprise applications): documentation of training on phishing/social engineering for employees involved in fund transfers
  - Email security controls: DMARC, SPF, DKIM implementation status
  - Incident response plan documentation
  - SIEM or similar logging/monitoring platform details (if applicable)
  - Web application firewall (WAF) implementation (if applicable)
- Use CFC's free tools to identify vulnerabilities before underwriting. CFC's Response app can be deployed to scan for EDR gaps, unpatched systems, and exposed services
During Application
- Be honest about gaps. CFC's automation will find inconsistencies anyway. If a control is missing, disclose it and explain the remediation timeline
- Engage with follow-up questions. If CFC's underwriting team asks for clarification on a security control, respond promptly with specific evidence (screenshots, policy excerpts, vendor attestations)
- Plan for implementation. If underwriting flags a critical gap (missing EDR, exposed RDP), work with the client on a timeline to address it—ideally before the policy inception date
After Binding
- Onboard to the Response app immediately. The threat monitoring is most valuable when it's active continuously
- Run the proactive scans within the first 30 days to identify any remaining vulnerabilities
- Subscribe the client to phishing simulations within the app—early training prevents the most common attack vectors
- Document the 15-minute technical response contact and make sure your client knows who to call in an incident
Competitive Context: How CFC Compares
CFC occupies a unique position. Larger carriers (AIG, Zurich, Chubb) offer cyber coverage but don't integrate it with proactive response; they're primarily handling claims. Smaller cyber specialists (Coalition, Cowbell) move faster in some dimensions but lack CFC's scale and incident response depth.
CFC's advantage is structural: they're large enough to fund 24/7 global response and sophisticated threat intelligence, but nimble enough to automate underwriting at scale. The Response platform isn't an add-on; it's core to the product.
For brokers placing multiple clients, CFC's portfolio quoting and API integrations simplify operations. For clients needing reassurance, CFC's 99% claims acceptance and rapid response provide it.
Moving Forward: What's Next for CFC
In 2025 and 2026, CFC continues expanding:
- New US team: Dedicated cyber development team in Chicago and San Francisco (Oct 2025) signals focus on the US market
- Sector specialization: Continued rollout of industry-specific variants (fintech AI coverage, digital health HIPAA alignment, manufacturing OT/IT integration)
- Broker enablement: November 2025 tool release designed to unlock the $30B SME cyber market by simplifying broker workflows
For brokers with SMB clients in any vertical, CFC's platform (especially CPR with unlimited reinstatements) is now the default comparison point.
Final Checklist: Before You Quote
Use this as a quick reference when assessing client cyber readiness for CFC:
Core Controls (CPR)
- MFA: Enabled on email, VPN, cloud storage, admin access?
- EDR: Continuous endpoint monitoring deployed?
- Backups: Segregated, offline (or cloud-based with MFA access), tested within 90 days?
- RDP: Either closed or behind VPN + MFA?
- Governance: Written security policy, designated owner, prior remediation history?
Incident History
- Prior incidents: Any breaches, incidents, or security events in the past 3 years?
- Material incidents: Any incident causing direct financial impact >$10,000? (CFC's underwriting threshold)
Email and Advanced Controls (for larger organizations or Corporate Cyber)
- Email authentication: DMARC, SPF, DKIM configured?
- Phishing prevention: DNS filtering, email security gateway, or similar?
- Incident response: Written IR plan with defined roles and escalation paths?
- Finance controls: Employee training on phishing/social engineering (especially for staff handling transfers)?
- Monitoring: SIEM, SOC, or equivalent log monitoring and alerting?
- WAF: Web application firewall protecting customer-facing applications?
Response Readiness
- Threat monitoring: Client willing to enable CFC's Response app and dark web monitoring?
- Phishing simulations: Client open to participation in simulated phishing campaigns?
- Expert access: Client understands the ask-the-expert feature for tactical security questions?
Decision Points
- If the answer to core controls is "yes" (MFA, EDR, backups, RDP, governance), expect a straightforward underwriting experience with CPR
- If gaps exist in core controls, develop a remediation roadmap and reapply in 90 days
- If client revenue is >$250M, plan for Corporate Cyber underwriting (much deeper application)
- If any incident caused >$10,000 in direct losses, flag this during underwriting—it's CFC's threshold for material incidents requiring closer review
Additional Resources
For deeper guidance on specific cyber insurance topics:
- The Complete Guide to Cyber Insurance Evidence in 2026 — Document exactly what carriers like CFC expect to see during underwriting
- DMARC, SPF, and DKIM for Cyber Insurance — Email authentication controls that CFC underwriters check
- How to Prove Backup Immutability for Cyber Insurance Renewals — The backup evidence CFC specifically requires
- When Remote Access Becomes an Underwriting Question — RDP and VPN control design for underwriters
- BEC and Funds Transfer Fraud Coverage — Social engineering risk assessment
Free Tools to Get Started
- Free Cyber Readiness Check — Upload your client's domain to see immediate security recommendations aligned with CFC's underwriting criteria
- Carrier Decoder — Paste any cyber policy to decode coverage gaps, exclusions, and hidden deductibles in plain language