Navigating a cyber insurance application requires precision, especially when dealing with a carrier as sophisticated as AIG. As the second-largest cyber insurer globally with approximately 12% market share, AIG processes roughly 4 cyber claims every business day and brings decades of claims expertise to underwriting decisions[1]. For brokers and enterprise risk managers evaluating AIG's CyberEdge platform, understanding the application process, mandatory controls, and risk assessment methodology is essential to securing approvals and optimal terms.
This guide walks you through the complete AIG CyberEdge application landscape—from the interactive SMART questionnaire to CyberMatics® technology integration, SAR/ESR reporting, and the non-negotiable security controls that determine coverage eligibility.
AIG's Market Position and CyberEdge Product Lines
Before diving into application mechanics, it's worth understanding AIG's standing in the cyber insurance market. AIG holds a 3.91% share of U.S. admitted direct written premium (DWP), with $276.5 million in DWP as of 2024, making it a dominant player in enterprise cyber risk[13]. Globally, AIG trails only Chubb (16% market share) but significantly outpaces competitors like Beazley (10%)[1].
AIG's cyber portfolio consists of multiple product architectures designed for different risk profiles and coverage needs[1]:
- CyberEdge: Standalone cyber liability focusing on first-party coverage—event response, data restoration, network interruption, and cyber extortion[1].
- CyberEdge Plus: A hybrid product combining cyber, casualty, and property into a single policy, with limits up to $100 million[2].
- CyberEdge PC: Excess coverage for business interruption, property damage, and financial loss, available as a standalone form[3].
All products can be deployed as standalone policies or endorsed onto Financial Lines, Property, or Casualty policies. In September 2025, AIG launched a new SME-focused cyber product, expanding accessibility beyond enterprise segments[1].
The SMART Underwriting Application Process
AIG's cyber underwriting relies on what it calls the "SMART" application, an interactive questionnaire built as a risk-adaptive framework that tailors questions to each applicant's risk profile and coverage needs[4]. The SMART application is genuinely dynamic: questions populate based on the specific coverages sought and prior answers within the form. Some questions are marked as required (indicated by a red asterisk), while others are optional but affect underwriting scoring (marked with a gold star). Applicants who answer only the minimum required questions may miss opportunities to report controls and mitigating factors that could improve their risk score and terms. The platform encourages thoroughness so that AIG underwriters receive a complete picture of your security posture.
Revenue Tiers and Application Track
Application complexity and data requirements vary by revenue tier[9]:
- SME Facilities ($0–$50M annual revenue): Streamlined application pathways with simplified data collection.
- Open Market ($50M+ annual revenue): Full interactive questionnaire, comprehensive cyber maturity assessment, and integration with AIG's proprietary CyberMatics® technology.
Coverage limits also determine application requirements[4]:
- Under $250K in limits: Applicants may qualify for the simplified EAGLE Cyber option, reducing friction for modest coverage needs.
- $250K or higher: Requires completion of the full interactive AIG Cyber Application, which includes CyberMatics® assessment and advanced underwriting data.
Multi-Party Completion and Submission Process
AIG explicitly acknowledges that cyber insurance applications often require input from multiple organizational teams. The SMART application supports a collaborative workflow: the PDF can be saved, shared with the appropriate party (information security, privacy, general counsel, finance), completed by that team, and returned for consolidation. This is a significant design feature—AIG already assumes that a single risk manager or broker may coordinate completion across several departments:
- Information Security/CISO: Completes technical control questions (MFA, EDR, encryption, patch management, email security)
- Privacy/Data Protection Officer: Completes data handling, incident response, and regulatory compliance sections
- General Counsel: Completes incident history, legal holds, notification obligations
- Finance: Completes budget, revenue, third-party dependencies
Once all sections are completed, the designated risk manager uses eSignature to submit the consolidated application to AIG. This multi-party model is a big deal—it acknowledges the reality of enterprise organizations where security, legal, and finance operate independently. Many applicants treat the application as a single-person task, which leads to incomplete or inaccurate responses that delay underwriting.
SAR and ESR: Two-Tier Reporting Framework
One of AIG's key differentiators is its optional Summarized Assessment Report (SAR) and post-binding Executive Summary Report (ESR)[4]:
Summarized Assessment Report (SAR):
- Available on an opt-in basis during underwriting
- Provides a high-level risk score summary
- Includes baseline risk trending, top risk scenarios identified through threat modeling, and risk-reducing controls your organization should prioritize[5]
- Accessible via the AIG Cyber Portal throughout the policy term
Executive Summary Report (ESR):
- Generated and provided only if the client binds coverage
- Delivers deeper insight into cyber maturity, including additional risk scores and benchmarking
- Lists prioritized improvement practices ranked by potential impact
- Estimates scenario likelihoods and quantifies control effectiveness
- Also accessible via the AIG Cyber Portal
These reports transform the application process from a binary approval/decline decision into a strategic risk management conversation. Enterprise organizations benefit from the data-driven roadmap ESR provides, while SAR helps applicants evaluate risk posture before committing to coverage.
CyberMatics®: The Engine Behind Risk Assessment
AIG's proprietary CyberMatics® technology is the backbone of modern cyber underwriting and a critical component of the application evaluation[6][7]. Understanding how CyberMatics works is essential to preparing strong application responses.
Technology Foundation and Partnerships
CyberMatics® is a patented, award-winning system that verifies an organization's actual cyber risk posture through real-time data feeds from leading security vendors[6]. AIG partners with:
- CrowdStrike
- Darktrace
- TechGuard Security
- Threatblockr
Critically, AIG's privacy model ensures that raw security data is never exposed to AIG directly. Instead, partners translate their telemetry into risk signals before transmission, protecting applicant confidentiality while enabling comprehensive risk evaluation[7].
Evaluation Methodology
CyberMatics® evaluates cyber maturity against two core frameworks[6]:
- 10 Common Attack Patterns: Ransomware, lateral movement, data exfiltration, business email compromise, supply chain compromise, and others
- 11 Commonly-Used Technology Devices/Systems: Workstations, servers, cloud infrastructure, email systems, identity and access management platforms, and others
The assessment incorporates current threat intelligence, cyber control effectiveness ratings, potential breach impact modeling, and insights harvested from thousands of actual AIG claims. The result is a risk score that reflects not just technical controls, but their real-world effectiveness against the threats most likely to affect the applicant[6].
Continuous Risk Profiling and Renewal Efficiency
Unlike point-in-time assessments, CyberMatics® continuously updates the applicant's cyber maturity profile throughout the policy term. This allows AIG to surface mid-policy alerts when unpatched vulnerabilities, misconfigurations, or malware detections emerge—a significant value-add for loss prevention[7].
More importantly, CyberMatics® data dramatically improves renewal efficiency. AIG's broker guidance emphasizes that CyberMatics can ease renewal underwriting because AIG already possesses verified, continuously-monitored answers to many application questions. Instead of re-gathering evidence during renewal, AIG's dynamic dashboard displays how your risk scores have changed across the policy period. If your controls strengthened (e.g., EDR coverage expanded, patch cycles improved), that improvement is documented in real-time. If new vulnerabilities or gaps emerged, AIG alerts you proactively. This transforms CyberMatics from a static scoring tool into a living risk management asset that accelerates renewal conversations and often improves pricing by demonstrating genuine risk reduction over the policy term.
AIG's Specific Application Questions and Coverage Scope
Before detailing mandatory controls, it's helpful to understand the breadth of information AIG requests. The publicly posted SMART application asks about[4][8]:
Organizational & Personnel:
- Name and title of the CISO or equivalent employee responsible for cybersecurity
- Organization's primary web domain, any additional web domains, and associated IP addresses
- Whether email is sent from domains other than your primary domain
Infrastructure:
- Active Directory Domain Services (ADDS) usage and configuration
- Microsoft Exchange deployments (on-premise, hybrid, or cloud-only)
- Presence of unsupported or end-of-life software running in production
- Whether default or known-compromised passwords have been changed across systems
Access & Authentication:
- MFA enforcement for remote access—and critically, AIG specifically asks whether MFA is required for third-party vendor access when those vendors connect to your systems
- MFA scope for administrative access (separate from remote access)
Data Protection:
- Endpoint encryption status and annual asset inventory practices
- IT management model (employees only, mixed with outsourced vendors, or fully outsourced to MSPs—with names of specific MSP companies)
Threat Detection & Response:
- EDR deployment with specific vendor, software product name, and even SKU details
- Data Protection Officer (DPO) or Chief Privacy Officer (CPO) designation and responsibilities
- External email tagging configuration to flag emails from outside your organization
Supply Chain & Integrations:
- Third-party provider mapping across: hosting providers, email providers, CRM systems, HR management platforms, e-commerce/payment processors, and security vendors
- For each provider, AIG asks about data access scope and encryption in transit
This expansive questioning reflects AIG's commitment to understanding not just your internal security posture, but your entire digital attack surface including vendor integrations.
The Four Mandatory Security Controls
AIG's underwriting framework requires verification of four non-negotiable security controls. If your organization cannot demonstrate compliance with all four, approval becomes substantially more difficult or impossible[8]:
1. Multi-Factor Authentication (MFA)
Requirement: MFA must be required and enforced for all remote access—employees, vendors, third-party SaaS users, and privileged accounts. All exceptions must be documented with business justification[8].
What This Means:
- Password-only access is insufficient
- MFA must apply to VPNs, cloud services, identity providers, and remote desktop protocols
- Exceptions (such as system accounts unable to support MFA) must be logged and explained
Documentation for the Application:
- Screenshot or report of MFA enforcement at your identity provider (Azure AD, Okta, etc.)
- List of any documented exceptions and their justifications
- For additional context, review our guide on The M365 MFA Reporting Gap to understand common reporting gaps in Microsoft 365 environments that underwriters often challenge.
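The "enabled versus enforced" distinction above is where most MFA evidence falls apart. The following script is an added example, not AIG's or any identity vendor's code: it reconciles a constructed identity-provider export (columns `account`, `type`, `remote_access`, `mfa_state` are hypothetical and should be mapped to whatever your IdP actually reports) against an exception register, and produces exactly the three numbers an underwriter wants: accounts with MFA enforced, accounts covered by a documented exception, and undocumented gaps.

```python
"""Reconcile an identity-provider MFA export against an exception register.

Added example (not AIG's or any vendor's code). Both inputs are constructed:
a CSV-style per-user MFA export and a dict of documented exceptions.
Column names and state values are hypothetical; adapt them to your IdP.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: what a per-user MFA report might look like.
IDP_EXPORT = """\
account,type,remote_access,mfa_state
alice@example.com,employee,yes,enforced
bob@example.com,employee,yes,enabled
svc-backup@example.com,service,yes,disabled
vendor-msp@example.com,vendor,yes,disabled
carol@example.com,employee,no,disabled
admin-dave@example.com,privileged,yes,enforced
"""

# Constructed exception register: account -> business justification.
# The ticket reference is a placeholder, not a real change record.
EXCEPTION_REGISTER = {
    "svc-backup@example.com": (
        "Legacy backup agent cannot present MFA; account restricted to the "
        "backup VLAN. Change ticket: CHG-PLACEHOLDER"
    ),
}


@dataclass
class Finding:
    account: str
    kind: str      # "gap" or "documented_exception"
    reason: str


def load_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_mfa(rows, exceptions):
    """Return (summary, findings) for accounts with remote access.

    Only the 'enforced' state is counted as compliant. An 'enabled' account
    has registered a second factor but can still sign in with a password
    alone, which is precisely what underwriters reject as evidence.
    """
    in_scope = [r for r in rows if r["remote_access"].strip().lower() == "yes"]
    findings = []
    enforced = 0
    for r in in_scope:
        acct = r["account"].strip()
        state = r["mfa_state"].strip().lower()
        if state == "enforced":
            enforced += 1
        elif acct in exceptions:
            findings.append(Finding(acct, "documented_exception", exceptions[acct]))
        elif state == "enabled":
            findings.append(Finding(acct, "gap",
                "MFA registered but not enforced (password-only sign-in possible)"))
        else:
            findings.append(Finding(acct, "gap",
                f"no MFA and no documented exception ({r['type'].strip()} account)"))
    summary = {
        "in_scope": len(in_scope),
        "enforced": enforced,
        "documented_exceptions": sum(1 for f in findings if f.kind == "documented_exception"),
        "undocumented_gaps": sum(1 for f in findings if f.kind == "gap"),
    }
    return summary, findings


def format_report(summary, findings):
    """Render a plain-text summary suitable for attaching to the application."""
    lines = [
        f"Remote-access accounts in scope: {summary['in_scope']}",
        f"MFA enforced:                   {summary['enforced']}",
        f"Documented exceptions:          {summary['documented_exceptions']}",
        f"Undocumented gaps:              {summary['undocumented_gaps']}",
    ]
    for f in findings:
        lines.append(f"  [{f.kind}] {f.account}: {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    s, f = audit_mfa(load_export(IDP_EXPORT), EXCEPTION_REGISTER)
    print(format_report(s, f))
```

Run it against a real export and the "undocumented gaps" list is your remediation queue: every entry must either be moved to enforced or added to the exception register with a business justification before submission.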
2. Endpoint Detection and Response (EDR)
Requirement: EDR must be deployed and active on all workstations, laptops, and servers. EDR must monitor for threats, identify anomalies, automatically respond to defined incidents, generate alerts, and provide forensic capabilities for incident investigation[8].
What This Means:
- 100% of endpoints must be enrolled (no "golden machines" or exemptions)
- EDR must be actively monitoring in real time
- Automated response rules must be configured for known attack patterns
- Forensic data must be retained for at least 90 days
Documentation for the Application:
- EDR console showing enrollment percentage across all devices
- Evidence of policy configuration and automated response rules
- Retention policy documentation
3. Backup Isolation and Authentication
Requirement: Backups must be isolated and separated from the production domain. Access to backup systems must be authenticated through a mechanism outside of Active Directory[8].
What This Means:
- Ransomware attackers who compromise AD cannot escalate to backup systems
- Backup access requires separate authentication (dedicated backup admin accounts with separate credentials)
- Backup systems should be air-gapped or network-isolated when possible
- Proof of isolation must be documented
Documentation for the Application:
- Network diagram showing backup system isolation
- Evidence of alternative authentication mechanism (separate backup service account credentials, physical key management system, etc.)
- For a deeper dive, see How to Prove Backup Immutability to understand documentation formats underwriters expect.
4. Encryption at Rest
Requirement: Full disk encryption or file-based encryption must be applied to all portable devices (laptops, tablets, USB drives). All sensitive data at rest must be encrypted at the storage layer[8].
What This Means:
- Laptops: BitLocker (Windows) or FileVault (Mac) enabled by default
- Servers: Encrypted storage volumes (EBS encryption, vSAN encryption, etc.)
- Databases: Transparent Data Encryption (TDE) or application-level encryption
- No exemptions for "offline" or "backup" machines
Documentation for the Application:
- Device inventory showing encryption status
- Policy evidence from mobile device management (MDM) or endpoint management platform
- Database encryption configuration
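Controls 2 and 4 are both evidenced from the same place, an authoritative asset inventory, so one reconciliation serves both. The script below is an added example, not AIG's code: it joins a constructed inventory (with a hypothetical `edr_capable` flag) to the set of hostnames an EDR console reports and to a hypothetical MDM encryption export, computes the enrollment percentage over agent-capable assets only, and separately lists assets that cannot run an agent (hypervisors, appliances) so they are evidenced rather than silently dropped from the denominator.

```python
"""Reconcile an asset inventory against EDR enrollment and encryption exports.

Added example, not AIG's or any vendor's code. All three inputs are
constructed: an inventory with an 'edr_capable' flag, the hostnames an
EDR console lists as enrolled, and a host -> encryption status mapping
exported from an MDM or endpoint-management platform.
"""

INVENTORY = [
    {"host": "ws-001",       "class": "workstation", "edr_capable": True},
    {"host": "ws-002",       "class": "workstation", "edr_capable": True},
    {"host": "srv-db-01",    "class": "server",      "edr_capable": True},
    {"host": "srv-files-01", "class": "server",      "edr_capable": True},
    {"host": "esx-01",       "class": "hypervisor",  "edr_capable": False},
    {"host": "fw-edge-01",   "class": "appliance",   "edr_capable": False},
]

# Hostnames the EDR console reports as enrolled. ws-999 is in the console
# but absent from the inventory: a sign the inventory itself is stale.
EDR_ENROLLED = {"ws-001", "srv-db-01", "srv-files-01", "ws-999"}

# Encryption status per host from the MDM/endpoint export (constructed).
ENCRYPTION_STATUS = {
    "ws-001": "encrypted",
    "ws-002": "not_encrypted",
    "srv-db-01": "encrypted",
    "srv-files-01": "encrypted",
}


def edr_coverage(inventory, enrolled):
    """Enrollment over agent-capable assets, plus the lists underwriters ask for."""
    capable = [a for a in inventory if a["edr_capable"]]
    enrolled_capable = [a for a in capable if a["host"] in enrolled]
    known_hosts = {a["host"] for a in inventory}
    pct = 100.0 * len(enrolled_capable) / len(capable) if capable else 0.0
    return {
        "capable": len(capable),
        "enrolled": len(enrolled_capable),
        "percent": round(pct, 1),
        # Capable but missing from the console: these are the real gaps.
        "missing": sorted(a["host"] for a in capable if a["host"] not in enrolled),
        # Cannot run an agent: document compensating controls for each.
        "not_capable": sorted(a["host"] for a in inventory if not a["edr_capable"]),
        # In the console but not in the inventory: inventory hygiene problem.
        "unknown_in_console": sorted(enrolled - known_hosts),
    }


def encryption_coverage(inventory, status):
    """Every inventory asset must show 'encrypted' or appear as a gap.

    Hosts missing from the MDM export are reported as 'unknown' rather than
    skipped, so hypervisors and appliances get evidenced some other way
    instead of becoming an undeclared exemption.
    """
    gaps = []
    encrypted = 0
    for a in inventory:
        state = status.get(a["host"], "unknown")
        if state == "encrypted":
            encrypted += 1
        else:
            gaps.append((a["host"], state))
    return {"assets": len(inventory), "encrypted": encrypted, "gaps": gaps}


def readiness_report(inventory, enrolled, status):
    """Plain-text summary of both controls for the application package."""
    edr = edr_coverage(inventory, enrolled)
    enc = encryption_coverage(inventory, status)
    lines = [
        f"EDR: {edr['enrolled']}/{edr['capable']} capable assets enrolled ({edr['percent']}%)",
        f"  missing agent:        {', '.join(edr['missing']) or 'none'}",
        f"  not agent-capable:    {', '.join(edr['not_capable']) or 'none'}",
        f"  unknown to inventory: {', '.join(edr['unknown_in_console']) or 'none'}",
        f"Encryption: {enc['encrypted']}/{enc['assets']} assets encrypted",
    ]
    lines += [f"  gap: {host} ({state})" for host, state in enc["gaps"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(readiness_report(INVENTORY, EDR_ENROLLED, ENCRYPTION_STATUS))
```

Note what the report does not do: it never lets an appliance or hypervisor pull the EDR percentage down, but it also never lets one disappear. Each entry under "not agent-capable" needs its own line of evidence (network isolation, vendor hardening, separate monitoring), which is the answer AIG expects when it asks why full coverage was not achieved.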
Supporting Controls (referenced in supplemental questionnaires but not mandatory blockers):
- Patch management: Documented patch deployment process with timelines
- Email security: DMARC, SPF, and DKIM configuration; see DMARC, SPF, and DKIM for Cyber Insurance for detailed setup guidance
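Email security evidence is simpler to generate than the other controls because the whole configuration lives in public DNS. The checker below is an added example, not from the page's author or AIG: it reads TXT records from a constructed in-memory table so it runs offline (domain names, selectors and record contents are all constructed), and flags the conditions underwriters actually probe for: more than one SPF record, a permissive or missing `all` mechanism, more than the ten DNS-querying mechanisms SPF allows, a DMARC policy of `none`, and a selector with no DKIM key. Swap `lookup_txt` for a real resolver to check a live domain.

```python
"""Assess SPF, DKIM and DMARC records for a sending domain.

Added example, not AIG's code. DNS answers come from a constructed table
so the script runs offline; replace lookup_txt() with a real TXT resolver
to check a production domain. Every name and record below is made up.
"""

DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net a mx -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER"],
    # A weaker domain: two SPF records (invalid per RFC 7208) and monitor-only DMARC.
    "weak.example": ["v=spf1 include:spf.example.net ~all", "v=spf1 mx -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name):
    """Stand-in resolver: returns the constructed TXT records for a name."""
    return DNS_TXT.get(name.lower(), [])


def check_spf(domain):
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return {"ok": False, "reason": f"{len(records)} SPF records found; exactly one is required"}
    terms = records[0].split()[1:]
    lookups = 0
    all_qualifier = None
    for term in terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        name = body.split(":")[0].split("/")[0].split("=")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier + "all"
    result = {"ok": True, "all": all_qualifier, "dns_lookups": lookups, "reason": "SPF record is well-formed"}
    if all_qualifier is None:
        result.update(ok=False, reason="no 'all' mechanism; unlisted senders are not rejected")
    elif all_qualifier == "+all":
        result.update(ok=False, reason="'+all' authorises every sender")
    elif lookups > 10:
        result.update(ok=False, reason=f"{lookups} DNS lookups exceeds the limit of 10")
    return result


def check_dmarc(domain):
    records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return {"ok": False, "policy": None, "reason": f"{len(records)} DMARC records found"}
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        reason = "enforcing policy" + ("" if "rua" in tags else " (no rua= aggregate reporting address)")
        return {"ok": True, "policy": policy, "reason": reason}
    return {"ok": False, "policy": policy or None, "reason": "policy is monitor-only or missing"}


def check_dkim(domain, selectors):
    found = []
    for sel in selectors:
        for r in lookup_txt(f"{sel}._domainkey.{domain}"):
            tags = dict(p.strip().split("=", 1) for p in r.split(";") if "=" in p)
            if tags.get("p", "").strip():
                found.append(sel)
                break
    return {"ok": bool(found), "selectors_found": found,
            "reason": "DKIM key published" if found else "no DKIM public key for the given selectors"}


def assess_domain(domain, selectors):
    """Combine the three checks into one pass/fail view per mechanism."""
    return {"spf": check_spf(domain), "dkim": check_dkim(domain, selectors), "dmarc": check_dmarc(domain)}


if __name__ == "__main__":
    for dom in ("example.com", "weak.example"):
        print(dom)
        for mech, res in assess_domain(dom, ["sel1"]).items():
            print(f"  {mech.upper():5} {'PASS' if res['ok'] else 'FAIL'}: {res['reason']}")
```

The output for each domain, saved alongside a `dig TXT` capture of the same records, is the evidence format that answers the email-security question directly; a `p=none` DMARC policy in particular is a common reason a "DMARC is configured" answer gets challenged.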
Preparing Your Application: A Practical Checklist
Before submitting an AIG CyberEdge application, ensure you have compiled:
Technical Documentation
- Current network architecture diagram (production, backup, DMZ, cloud)
- Inventory of all endpoints with EDR enrollment status
- Identity provider configuration screenshots showing MFA enforcement
- Backup system documentation with authentication mechanism details
- Device encryption evidence (MDM policies, BitLocker reports, etc.)
- Email security configuration (DNS records for DMARC/SPF/DKIM)
- Patch management process documentation with typical deployment timelines
Organizational Information
- Revenue (for tier classification)
- Number of employees and contractors
- List of business-critical applications and data types
- Industry and regulatory requirements (HIPAA, PCI-DSS, SOC 2, etc.)
- History of security incidents or data breaches (full disclosure required)
- Insurance claims history (cyber and otherwise)
Risk Management Programs
- Cyber incident response plan
- Business continuity and disaster recovery documentation
- Employee security awareness training program details
- Vendor risk assessment process
- Data classification and handling procedures
Regulatory and Compliance
- Relevant compliance certifications (SOC 2 Type II, ISO 27001, etc.)
- Third-party penetration testing results (if available)
- Regulatory exam reports or audit findings
Claims and Loss Control Support
One significant advantage of AIG CyberEdge is the depth of claims expertise and loss control support available during and after underwriting.
24/7 Claims Support
AIG operates a dedicated CyberEdge Claims Hotline (1-800-CYBR-345) staffed by experienced professionals. Notably, 90% of AIG's cyber claims experts are former attorneys with an average of 20+ years in the field[10]. Claims services include:
- Legal counsel for incident response
- Digital forensics and evidence preservation
- Notification compliance and communication
- Crisis management and public relations
- Fraud investigation
- Credit monitoring and identity restoration services
For policies with annual premiums of $5,000 or more, AIG bundles tooling and services valued up to $25,000[10].
CyberEdge Communications Platform (Powered by Cygnvs)
AIG's CyberEdge Communications Platform, powered by Cygnvs, provides a secure off-network collaboration environment available across premium CyberEdge tiers[4]. This platform enables:
- Incident Rooms: Controlled-access collaboration spaces for organizing response teams during active incidents
- Real-World Practice Scenarios: Organizations can practice against realistic cyber attack simulations in a contained environment
- Single Pane of Glass: Unified dashboard for preparing incident response plans, practicing execution, responding to active incidents, and reporting details to AIG
- Incident Reporting to AIG: Streamlined channel for notifying AIG of covered incidents with audit trails and documentation
This transforms the insured-carrier relationship from reactive claims filing into proactive incident coordination and shared learning.
Cyber Risk Advisory Services and Cyber Resiliency Program
Beyond claims, AIG's Cyber Risk Advisors (averaging 20+ years of IT security experience) provide continuous risk management support through the tiered Cyber Resiliency Program[11][12]. Coverage tier determines the depth of advisory services available:
Available Across Premium Tiers:
- Incident Response (IR) Plan Templates: Tailored IR frameworks aligned to your organization's risk profile
- Darknet Credential Exposure Monitoring: Automated scanning for compromised employee credentials on underground markets
- Security Ratings ("Outside Looking In"): Third-party assessment of your security posture from an attacker's perspective
- CyberMatics Access: Continuous risk profiling and threat intelligence integration (detailed above)
- CyberEdge Communications Platform: Incident rooms, practice scenarios, and reporting coordination
- Cybersecurity Information Portal: Curated threat intelligence and best practice resources
Standard Risk Management Services:
- Vulnerability Alerts: Mid-policy notifications for unpatched vulnerabilities, misconfigurations, and detected malware
- Identity Risk Assessment: Detailed analysis of Active Directory and IAM infrastructure weaknesses
- Threat Intelligence and Blocking: Automated geo-blocking, IP blacklisting, and domain protection
- Vulnerability Scanning: Regular infrastructure scans to identify emerging exposures
- Breach Prevention: Proactive IP blocking and domain protection services[12]
Enhanced Program Features (selected tiers):
- Employee eLearning and Phishing Simulations: Organization-wide security awareness training with metrics
- Infrastructure Vulnerability Scans: Recurring assessments with detailed remediation guidance
- Identity Risk Assessments: Deep-dive analysis of AD/IAM configurations
- Ransomware Risk Assessments: Scenario-based evaluation of data exposure and recovery capabilities
- Privacy Risk Assessment: Compliance-focused review of data handling practices and exposure
This bundled, tiered approach transforms cyber insurance from a financial backstop into an active risk management partnership that evolves with your organization throughout the policy term.
Common Application Pitfalls to Avoid
Incomplete MFA Documentation
Many applicants claim MFA is "enabled" but fail to document enforcement—especially in cloud environments where MFA may be optional. AIG requires evidence that MFA is mandatory for remote access, not merely available.
Backup Isolation Misconceptions
Applicants sometimes believe that daily off-site replication or cloud backup qualifies as "isolated." AIG specifically requires isolation from the production domain, with backup authentication that does not depend on the domain, so that a compromise of the production domain does not also compromise the backups.
EDR Enrollment Gaps
Some organizations exempt infrastructure (hypervisors, network appliances) or "trusted" systems from EDR. AIG expects full coverage across all systems capable of supporting EDR agents.
Vague Incident History
If your organization has experienced past breaches or security incidents, full disclosure is mandatory. Applicants who attempt to minimize or conceal incident history will face underwriting delays or denials.
Insufficient Evidence
Verbal assurances are insufficient. Provide screenshots, reports, audit findings, and technical documentation. Use your security tools to generate compliance reports that speak to AIG's underwriting requirements.
The Path to Approval: Timeline and Expectations
A complete AIG CyberEdge application typically requires 5–10 business days for underwriting review[4]. Complex risks or those requiring additional evidence may extend to 15–20 days. Expect:
- Initial Submission (Day 0): Your broker submits the application
- Initial Review (Days 1–3): AIG acknowledges receipt and assigns underwriter
- CyberMatics Data Integration (Days 2–5): If applicable, AIG integrates your CyberMatics profile
- Underwriter Questions (Days 3–7): Underwriter issues information request
- Your Response (Days 7–10): You provide documentation and clarifications
- Conditional Approval or Decline (Days 8–15): AIG issues decision with or without conditions
Organizations that prepare documentation upfront accelerate this timeline considerably.
Beyond CyberEdge: Integrated Coverage Options
If your organization requires broader property, casualty, or excess coverage alongside cyber, AIG's product architecture allows consolidation:
- CyberEdge Plus combines dedicated cyber with casualty and property coverage in a single policy, simplifying administration and potentially improving terms through package pricing[2].
- CyberEdge PC provides excess coverage for business interruption and property damage on top of primary policies[3].
Brokers should evaluate these options during renewal or policy restructuring conversations.
Next Steps: Preparing for Underwriting
The AIG CyberEdge application is thorough, but transparency and preparation ensure smooth underwriting and optimal terms. To streamline your preparation:
- Conduct a readiness assessment: Use our free readiness check to benchmark your current security posture against carrier expectations
- Gather evidence: Compile the technical and organizational documentation outlined in this guide
- Clarify your coverage needs: Determine whether CyberEdge, CyberEdge Plus, or a hybrid approach best serves your risk profile
- Leverage the Carrier Decoder: Use our Carrier Decoder to map supplemental questionnaires and policy language to underwriting requirements
For enterprise organizations, the depth of AIG's underwriting and loss control support justifies the application rigor. The result is coverage that reflects your actual risk posture and partnerships that strengthen your cyber resilience long-term.