CARRIER GUIDE

How to Answer the Beazley Cyber Insurance Application

A practical guide for brokers, MSPs, and IT leads preparing the Beazley cyber insurance application, covering revenue-tiered applications, the minimum/additional/optimal control framework, explicit business exclusions, and BBR Services.

Beazley is one of the world's top three standalone cyber insurers, commanding a 6.68% market share with £827M in cyber gross written premium as of 2023[1]. But applying for coverage isn't a one-size-fits-all process—and Beazley has made deliberate, disciplined underwriting decisions that exclude entire business models.

If you're a broker, MSP, or IT leader preparing a Beazley cyber insurance application, you need to understand not just what Beazley asks, but why they ask it, what they'll actually cover, and the red flags that could sink your quote before review.

This guide covers Beazley's three revenue-tiered applications, their minimum-to-optimal control framework, critical business exclusions, and the breach response services that ship with every policy.

Beazley's Three-Tier Application Structure

Beazley doesn't use a single application form. Instead, the underwriting path depends entirely on your revenue.

Tier 1: Under $35M Annual Revenue (myBeazley Platform)

For organizations under $35M in annual revenue, Beazley routes applications through myBeazley, a digital-first platform designed for speed and simplicity[1]. This tier:

  • Offers up to $5M in coverage limits[1]
  • Uses a streamlined, self-service application
  • Supports faster quote turnaround
  • Works well for small businesses and SMBs with straightforward risk profiles

The myBeazley platform is best suited for organizations with clean control environments and no complex exposures. If you can document solid baseline controls—MFA, backups, patching, and training—you'll move through quickly.

Tier 2: $35M–$250M Annual Revenue (Medium and Large Cyber Risks Team)

Mid-market organizations ($35M–$250M) work with Beazley's dedicated Medium and Large Cyber Risks team[1]. This tier:

  • Unlocks coverage limits exceeding $5M[1]
  • Involves a more detailed application process
  • Pairs your organization with a specialized underwriter
  • Requires more thorough documentation of controls

At this level, Beazley expects detailed evidence of controls, incident response plans, and risk management practices. Your underwriter will probe deeper into your security posture and claims history.

The $35M–$250M application specifically asks for[2]:

  • NAICS code (industry classification for underwriting purposes)
  • Website URLs (for vulnerability assessment scoping)
  • Designated cybersecurity point of contact (primary contact for the underwriter and claims)
  • Specific business activities requiring explicit disclosure: adult content, gambling, cannabis operations, cryptocurrency transactions, payment processing, or data aggregator/MSP services

This tier's application format is more structured than myBeazley, with detailed control verification requirements that we'll cover in the next sections.

Tier 3: Over $250M Annual Revenue (Enterprise Application)

Organizations exceeding $250M revenue submit a separate enterprise application (PDF-based)[3]. This tier:

  • Requires direct engagement with Beazley's enterprise underwriting team
  • Demands extensive documentation and possibly on-site assessments
  • May include custom terms and limits negotiation
  • Often involves rate-on-line discussions with risk management consultants

Enterprise applications go significantly deeper than mid-market applications[3]. In addition to the controls required at lower tiers, enterprise applicants must document:

  • Privileged Access Management (PAM): Controls over highly privileged accounts (domain admins, cloud admins, application admins) including just-in-time access, session recording, and multi-factor authentication
  • Security Operations Center (SOC) coverage: Whether you maintain an in-house SOC, use managed detection and response (MDR), or rely on a mix of both
  • Unsupported and end-of-life software segregation: How you isolate systems running unsupported operating systems or applications from your critical network
  • Firewall default-deny posture: Whether your firewalls and network access controls follow a "default deny" approach (blocking all traffic except explicitly allowed)
  • Local administrator rights restrictions: Controls preventing standard users from gaining local admin access on their devices
  • Remote Desktop Protocol (RDP) exposure mitigation: How you restrict, monitor, and control RDP access to prevent lateral movement

If you're in this tier, expect a longer sales cycle and more intensive due diligence.

The Critical MSP and MSSP Exclusion

Here's the line item most brokers miss: Beazley explicitly excludes MSPs, MSSPs, and data aggregators from their cyber appetite[4].

From Beazley's Digital Cyber Risks Trading Guidance:

"Beazley does not have an appetite for data aggregators, MSSPs, and MSPs."

This is not ambiguous. If your organization's primary business model involves managing IT infrastructure, security, or data on behalf of other organizations, Beazley will decline your application.

Why? Beazley sees these business models as inherently higher-risk because:

  1. Breach scope multiplies: A single incident in an MSP environment affects dozens or hundreds of downstream clients, dramatically increasing loss potential.
  2. Regulatory complexity: MSPs operate across multiple client jurisdictions, multiplying regulatory breach notification obligations.
  3. Reputational cascade: A breach damages not just the MSP's reputation but the reputation and operations of every downstream client.

For brokers: Before submitting a Beazley application, confirm your prospect is not primarily an MSP, MSSP, or data aggregator. If they are, recommend a different carrier (Coalition, Corvus, or Cowbell often have better MSP appetite)[4].

For MSPs: Beazley is not your market. Look to carriers with explicit MSP programs instead of wasting underwriting cycles.

The Minimum-to-Optimal Control Framework

Beazley structures its control requirements across three tiers: minimum (required), additional (recommended), and optimal (ideal)[2][5].

Minimum Controls (Non-Negotiable)

These controls are required for any quote—no exceptions[2][5]:

  • Multi-Factor Authentication (MFA) for all remote network access: Every device connecting to your network remotely must use MFA. This isn't optional; it's foundational[2].
  • MFA for all user accounts: For organizations with revenue above £1M, MFA across all user accounts is mandatory[2][5].
  • Anti-virus and anti-malware on all devices: Every workstation and server must run current anti-malware software with active definitions[2].
  • Regular security awareness training: Employees must receive training on phishing recognition and social engineering[2]. Beazley's application asks about training cadence: options include never/not regularly, annually, or 2+ times per year[2]. More frequent training signals stronger discipline in testing security culture.
  • Anti-phishing training: Simulated phishing campaigns or dedicated anti-phishing modules are expected[2].
  • Regular data backups: Backups must be tested for recoverability, stored offline or in a secure, isolated location, and verified at least annually[2].
  • Critical security patches: Patches for critical vulnerabilities must be applied regularly (Beazley typically expects deployment within 30 days of release)[2]. Beazley explicitly allows patching to be handled by an outsourced service provider (such as an MSP), so long as the process is documented and verified[2].

If you're missing even one of these, your application will be delayed or declined. Most rejections come from inadequate backup evidence or inability to prove MFA implementation.

Pro tip: The M365 MFA Reporting Gap breaks down why standard M365 reports often don't prove MFA coverage to insurers. Document MFA enrollment through conditional access policies or third-party MFA logs, not just license counts.
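The tip above, as an added example (not code from this guide or from Beazley): a Python check over Conditional Access policies exported as JSON from Microsoft Graph, listing what stops each MFA policy from proving all-user coverage. The sample policies, the placeholder IDs and the pass criteria are constructed assumptions; policies that rely on authentication strengths instead of the `mfa` grant control are not evaluated.

```python
def mfa_evidence(policies):
    """Return, per MFA policy, the gaps that stop it proving all-user MFA."""
    report = []
    for p in policies:
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        if "mfa" not in controls:
            continue  # policy does not ask for MFA at all
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        gaps = []
        if p.get("state") != "enabled":
            gaps.append(f"state={p.get('state')}: policy is not enforced")
        if grant.get("operator") == "OR" and len(controls) > 1:
            gaps.append("operator OR: another control can satisfy the policy without MFA")
        if "All" not in (users.get("includeUsers") or []):
            gaps.append("applies only to selected users, groups or roles")
        if "All" not in (apps.get("includeApplications") or []):
            gaps.append("applies only to selected applications")
        if cond.get("locations"):
            gaps.append("location condition narrows where MFA is required")
        # Exclusions (e.g. emergency-access accounts) are listed so they can be
        # explained to the underwriter; this sketch does not treat them as gaps.
        exclusions = [f"{kind}:{item}"
                      for kind in ("excludeUsers", "excludeGroups", "excludeRoles")
                      for item in (users.get(kind) or [])]
        report.append({"policy": p.get("displayName"),
                       "gaps": gaps, "exclusions": exclusions})
    return report


def covers_all_users(report):
    """True when at least one enforced policy requires MFA tenant-wide."""
    return any(not entry["gaps"] for entry in report)


# Constructed sample export; IDs are placeholders, not real tenant objects.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA - all users (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - admins",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["<role-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    result = mfa_evidence(SAMPLE_POLICIES)
    for entry in result:
        print(entry)
    print("all-user MFA evidenced:", covers_all_users(result))
```

A report-only or role-scoped policy shows up with its gap spelled out, which is the detail a license count cannot give an underwriter.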

What the $35M–$250M Tier Application Adds

For applicants with revenue between $35M and $250M, Beazley adds a second tier of control questions that go beyond the minimum baseline[2]. These additional controls are critical differentiators for mid-market underwriting:

  • Advanced threat detection for Office 365: Beazley specifically asks whether you've deployed Microsoft 365 Defender (or an equivalent advanced threat hunting tool) for detecting phishing and Business Email Compromise (BEC) attacks[2]. This control directly addresses 2024 claims trends where social engineering and data exfiltration dominated[6].
  • Macros disabled by default: For Microsoft Office and Google Workspace, Beazley asks whether macros are disabled by default across all devices[2]. This prevents one of the easiest malware delivery mechanisms.
  • Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), and Managed Detection and Response (MDR) disclosure: Beazley asks you to identify which of these three threat detection layers you have deployed, and if so, the specific vendor name[2]. This signals maturity and allows Beazley to assess your vendor ecosystem.
  • Hardened baseline configuration: Beazley asks whether hardened baseline configurations (CIS benchmarks, Microsoft Baselines, or equivalent) are applied across all devices[2]. This is a formal security hardening question, not just "did you configure things securely?"
  • Cloud backup vs. syncing service distinction: This is a crucial distinction[2]. Beazley specifically asks whether your cloud backup is a true backup solution (e.g., Veeam, Rubrik, Carbonite) or just a syncing service like Dropbox, OneDrive, SharePoint, or Google Drive. Syncing services do NOT count as backups for ransomware recovery—they replicate encrypted or deleted files across all devices. True backups must be immutable or isolated.
  • Incident response plan specificity: Beazley asks whether you have a documented incident response plan that specifically addresses network intrusions and malware incidents[2]. A generic IR plan isn't sufficient; it must show you've thought through breach containment, forensic investigation, and recovery workflows.

If you're in the $35M–$250M range, demonstrating these controls significantly improves your underwriting outcome and premium.

Additional Controls (Recommended)

These controls differentiate stronger applicants from marginal ones[5]:

  • Email security protections: Beazley specifically asks about three separate email controls[2]: (1) screening for malicious attachments, (2) screening for malicious links, and (3) tagging of external emails. Beyond these, also enable anti-spam, anti-spoofing, and web link inspection[5]. For details on proving these controls, see DMARC, SPF, and DKIM for Cyber Insurance.
  • MFA for privileged accounts: If minimum MFA covers all users, additional MFA for domain admins, cloud admins, and service accounts strengthens your position[5].
  • Simulated phishing tests: Regular phishing simulations (monthly or quarterly) with metrics on click-through rates and reporting[5].
  • Regular internet-exposed services scanning: Quarterly or continuous scanning of externally-facing systems for vulnerabilities[5].

Organizations with these controls get better rates and higher limits. Underwriters view additional controls as evidence of mature risk management.

Optimal Controls (Competitive Advantage)

These are the controls that unlock premium pricing and higher limits[5]:

  • Endpoint Detection and Response (EDR): Continuous monitoring and threat hunting on all endpoints[5].
  • Managed Detection and Response (MDR) or MXDR: 24/7 managed security monitoring with Beazley's partnership ecosystem[5]. Beazley's own MDR offering uses Hunters' technology[11].
  • 24/7 managed security operations: Round-the-clock monitoring, alerting, and response[5].

Organizations with optimal controls often negotiate better limits and rates because they've demonstrably reduced their claims frequency and severity.

Proving Your Controls: The Security Posture Report

Beazley offers a Security Posture Report (SPR), a non-invasive, point-in-time external vulnerability assessment[8]. Think of it as a health check without the risk of disruption.

What the SPR Evaluates

The SPR assesses:

  • Exploited vulnerabilities: Does your external-facing environment contain known exploited CVEs?[8]
  • Email security settings: SPF, DKIM, and DMARC configuration maturity[8]
  • Certificate configurations: Are your SSL certificates valid, trusted, and properly installed?[8]
  • High-risk exposed software: Unpatched, end-of-life, or dangerous software visible from the internet[8]

The SPR is non-invasive, meaning it doesn't attempt to exploit vulnerabilities—it just documents what's visible to attackers[8].
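A pre-check for the email security item, as an added example (not Beazley's SPR logic and not code from this guide): a Python grader for the SPF and DMARC TXT records a domain publishes. The maturity levels and the sample records are constructed assumptions; DKIM is left out because selector names cannot be derived from the domain alone.

```python
import re

LOOKUP_TERM = re.compile(r"[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))")


def grade_spf(txt_records):
    """Grade the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing", ["no SPF record"]
    if len(spf) > 1:
        return "invalid", ["multiple SPF records (permerror under RFC 7208)"]
    terms = spf[0].lower().split()[1:]
    findings = []
    # Counts top-level terms only; nested includes are not resolved offline.
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        findings.append("more than 10 DNS-lookup terms (RFC 7208 limit)")
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t)]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return "delegated", findings + ["policy set by redirect= target"]
        return "open", findings + ["no 'all' mechanism: unmatched senders are neutral"]
    qualifier = all_terms[0][:-3] or "+"   # a bare 'all' means '+all'
    if qualifier == "+":
        findings.append("'+all' authorizes every sender")
    level = {"-": "hardfail", "~": "softfail", "?": "open", "+": "open"}[qualifier]
    return level, findings


def grade_dmarc(record):
    """Grade the TXT record published at _dmarc.<domain> (None if absent)."""
    if not record:
        return "missing", ["no DMARC record at _dmarc.<domain>"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "invalid", ["record is not a valid DMARC1 policy"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if policy == "none":
        return "monitoring", findings + ["p=none: receivers take no action on failing mail"]
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are not protected")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "reject" and pct == 100:
        return "enforcing", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return "partial", findings


# Constructed records for illustration; not real domains' DNS.
SAMPLES = {
    "strong.example": (["v=spf1 include:_spf.mail.example -all"],
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
    "weak.example": (["v=spf1 include:_spf.mail.example ~all", "site-verification=abc"],
                     "v=DMARC1; p=none"),
    "bare.example": (["v=spf1 +all"], None),
}


def assess(samples=SAMPLES):
    return {d: {"spf": grade_spf(txt), "dmarc": grade_dmarc(dm)}
            for d, (txt, dm) in samples.items()}


if __name__ == "__main__":
    for domain, result in assess().items():
        print(domain, result)
```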

Why This Matters for Your Application

Many applicants claim "strong controls" but can't prove them. An SPR becomes your objective evidence. Even if it surfaces minor issues, it shows Beazley you're willing to be transparent about your posture and committed to remediation.

VERACIS Portal and Exposure Management

In 2025, Beazley launched the VERACIS portal, centralizing access to all Beazley Security services (SPRs, scanning, vulnerability management)[10]. This is the hub for requesting assessments and reviewing findings.

Looking ahead, Beazley's Exposure Management Platform (beta in March 2026) will enable continuous, automated discovery of your domains, subdomains, IP ranges, and cloud assets[13]. Rather than point-in-time assessments, you'll get always-on visibility of your external attack surface.

What Beazley Sees in Real Claims

Understanding what Beazley claims data shows helps you anticipate what they'll scrutinize in your application.

Beazley's 2024 claims data reveals stark patterns[6]:

  • Data exfiltration appeared in nearly 90% of claims, making backup and encryption controls essential.
  • Ransomware and malware spiked to 51% of all claims in 2024, up from 32% in the prior year[6].
  • The human element was involved in 68% of cyber incidents[6], underscoring why training and phishing simulations matter.

These numbers tell you exactly what Beazley's underwriters are thinking when reviewing your application: Is your organization vulnerable to ransomware? Can attackers easily exfiltrate data? Do your employees fall for phishing?

If your controls don't address these three vectors, you'll struggle to get competitive pricing.

BBR Services: Included Breach Response

Every cyber policy with Beazley includes BBR (Beazley Breach Response) Services at no additional cost[7]. This is a major differentiator.

What's Included

  • Dedicated breach response team: A manager assigned to your incident from discovery through closure[7].
  • Forensics coordination: Beazley coordinates forensic investigators to determine breach scope and root cause[7].
  • Specialized breach counsel: Access to privacy and incident response lawyers[7].
  • PR and communications advice: Guidance on external communications and stakeholder management[7].
  • Credit and identity monitoring: Beazley coordinates enrollment in credit and identity monitoring programs for affected individuals[7].
  • Global incident management: Beazley's incident response team handles 4,000+ incident calls annually, meaning they've seen virtually every scenario[7].
  • Privacy breach response for up to 5M individuals: Large-scale breach notifications are managed end-to-end[7].

The Microsoft Integration

As of December 2025, Beazley partnered with Microsoft to make incident response reimbursable under Beazley cyber claims. If you use Microsoft's incident response services, Beazley covers the cost.

Why This Matters for Your Application

Beazley's BBR Services don't cost extra, but they signal that Beazley expects to handle claims professionally. When your underwriter reviews your application, they're implicitly assessing your readiness for a breach: Do you have basic incident response procedures? Are key contacts documented? If a breach happens, will you cooperate with forensic investigators?

Organizations that can articulate a basic incident response plan—even a simple one—get better underwriting treatment.

Revenue-Tier Specific Tips

Under $35M (myBeazley)

  • Keep it simple: myBeazley is designed for straightforward applications. Don't over-document.
  • Nail the basics: MFA, backups, training. If these are solid, you'll move fast.
  • Use the SPR: Request a Security Posture Report to show transparency and validate your external posture.
  • Expect higher rates: Limits under $5M come with higher relative premiums; this is normal.

$35M–$250M (Medium and Large Cyber Risks)

  • Document everything: Your underwriter will want to see evidence, not just claims. Prepare screenshots of MFA settings, backup test reports, training completion logs.
  • Address your gaps proactively: If you're weak on EDR, say so and explain your remediation timeline. Underwriters respect honesty more than false perfection.
  • Prepare an incident response outline: Have a one-page IR plan ready. It doesn't need to be elaborate, but it should exist.
  • Get an SPR: At this tier, an SPR is nearly expected. It becomes part of your underwriting file.
  • Know your claims history: If you've had a prior claim, prepare an explanation. Focus on what you changed afterward.

Over $250M (Enterprise)

  • Engage early: Don't submit an application and wait. Contact Beazley's enterprise team directly to discuss your risk profile first.
  • Hire a broker: Navigating enterprise Beazley underwriting almost always requires a specialist broker who knows the team.
  • Expect deep dives: Enterprise underwriters will want to see your SOC, your IR team, your threat intelligence program. Be ready to discuss maturity models.
  • Plan for 8–12 weeks: Enterprise quotes don't move fast. Budget time accordingly.

The Broader Carrier Landscape

Beazley is one option among many. Depending on your industry, revenue, and risk profile, you might find better terms elsewhere:

  • Coalition: Strong SMB appetite, fast quotes, excellent claims experience.
  • At-Bay: Best-in-class for tech companies, excellent risk management tools.
  • Cowbell: Continuous underwriting, real-time monitoring integration.
  • Hartford: Traditional underwriting, solid rates for established businesses.
  • Corvus: Machine learning-driven pricing, good mid-market appetite.
  • Travelers: Large limits, enterprise appetite, established claims network.

Each carrier weights controls, claims history, and industry risk differently. If Beazley's not the right fit, one of these may be.

Beazley's Market Position and Future Outlook

Beazley has deliberately reduced cyber GWP in recent years. In the first nine months of 2025, their cyber premium fell 8% to $848M[12]. Why? CEO Adrian Cox stated that the lack of underwriting discipline in the U.S. market is "somewhat surprising"[12], signaling that Beazley is exiting unprofitable segments to protect profitability.

This matters for you: Beazley is being selective. They're declining business that doesn't meet their profitability thresholds. This means:

  1. Expect tighter underwriting: Beazley will be more critical, not less.
  2. Expect better pricing for good risks: If your controls are solid, Beazley will reward you with competitive rates.
  3. Expect declines for weak risks: If you're on the margin, Beazley will pass.

That said, Beazley forecasts the global cyber market will grow to $40B by 2030, suggesting they see long-term opportunity and aren't exiting the market—just being smarter about it[12].

Checklist: Before You Submit to Beazley

Use this checklist to validate readiness before submitting your application:

  • Confirm you're not an MSP, MSSP, or data aggregator (if you are, stop here and choose a different carrier)
  • Document MFA implementation across all remote access and (for revenue >£1M) all user accounts
  • Verify backups are tested, offline or isolated, and recoverability is documented
  • Confirm anti-malware is deployed and actively updated on all devices
  • Collect evidence of annual security training and simulated phishing tests
  • Confirm all critical security patches are deployed within 30 days of release
  • Request a Security Posture Report (SPR) to validate external posture
  • Document email security controls (SPF, DKIM, DMARC, external warnings, anti-malware scanning)
  • Have a one-page incident response outline ready
  • Gather any prior cyber claims and prepare explanations
  • Know your annual revenue to determine the correct application tier
  • Prepare screenshots and logs proving each control—don't just claim them

Sources

[1] Beazley, "Cyber Insurance (US)" https://www.beazley.com/en-US/products/cyber-usa/

[2] Beazley, "Cyber Insurance Application Below $250M" https://www.beazley.com/globalassets/product-documents/application/beazley_cyber_insurance_application_below_250m.pdf

[3] Beazley, "Cyber Insurance Application Above $250M" https://www.beazley.com/globalassets/product-documents/application/beazley_cyber_insurance_application_above_250m.pdf

[4] Beazley, "Digital Cyber Risks Trading Guidance" https://www.beazley.com/globalassets/product-documents/application/beazley-digital-cyber-risks-trading-guidance.pdf

[5] Towergate, "Beazley Cyber Requirements Help Sheet" https://www.towergate.com/media/2309/beazley-cyber-requirements-help-sheet-uk.pdf

[6] Beazley, "Comprehensive Cover Against Cyber Risks" https://www.beazley.com/globalassets/product-documents/claims-insights/comprehensive-cover-against-cyber-risks_dec-2024.pdf

[7] Beazley, "BBR Services" https://www.beazley.com/en-US/cyber-and-breach-response-portal/products/bbr-services/

[8] Beazley, "Security Posture Report" https://www.beazley.com/en-US/cyber-customer-centre/cyber-risk-management-tools/risk-management-offerings/security-posture-report/

[9] Beazley, "External Vulnerability Scans" https://www.beazley.com/en-US/cyber-customer-centre/cyber-risk-management-tools/cyber-prevention-services/beazley-security-external-vulnerability-scans/

[10] Beazley Security, "VERACIS Portal" https://beazley.security/insights/access-visibility-and-always-on-protections-introducing-the-new-veracis-tm-service-delivery-portal

[11] Beazley, "Beazley Security MDR" https://www.beazley.com/en-US/cyber-customer-centre/cyber-risk-management-tools/cyber-prevention-services/beazley-security-mdr/

[12] Reinsurance News, "Beazley Steps Back from Cyber Market" https://www.reinsurancene.ws/lack-of-discipline-in-unprofitable-us-market-is-somewhat-surprising-beazley-ceo/

[13] Help Net Security, "Beazley Exposure Management Platform" https://www.helpnetsecurity.com/2026/03/05/beazley-exposure-management-platform-identifies-external-exposures-and-prioritizes-cyber-risk/