When you're submitting a cyber insurance application to Tokio Marine HCC, you're dealing with one of the most sophisticated underwriting operations in the industry. With $377.9M in 2024 direct written premiums and a 5.2% US market share, TMHCC isn't just another carrier—they're a subsidiary of Tokio Marine Holdings, the largest property & casualty insurer in Japan with 39,000 employees across 38 countries [1]. Their cyber team handles over 2,400 claims annually and maintains 50+ specialist partners and 20+ in-house experts [2].
This means your application will be reviewed rigorously. If you miss a critical requirement—especially around mandatory endpoint detection and response (EDR)—your coverage won't be bound, period. This guide walks you through exactly what TMHCC expects, product by product, with practical advice on avoiding the mistakes brokers make most often.
Understanding TMHCC's Cyber Product Portfolio
Tokio Marine HCC doesn't have a one-size-fits-all cyber offering. Their portfolio is segmented by risk profile and industry, and choosing the right product for your client is the first step toward a smooth application.
NetGuard Plus: The Core Cyber Liability Workhorse
NetGuard Plus is TMHCC's flagship cyber liability product and the most common submission you'll make. It's designed for general commercial clients across industries, with coverage limits ranging from $250,000 to $5 million [3].
The policy includes some thoughtful features: breach coaches (immediate expert guidance when a security incident occurs), extra defense costs that sit outside the liability limit, and TCPA (Telephone Consumer Protection Act) coverage—a rider many brokers forget to highlight but that healthcare organizations and financial services firms desperately need [3].
The product's appetite widens significantly with revenue tier. Clients with revenues up to $99.999M can access the broadest appetite, with limits from $250K to $3M. Once you hit $500M+ revenue, TMHCC will consider limits up to $25M, though underwriting tightens considerably [4].
NetGuard Plus is your baseline. If your client isn't a technology firm, healthcare provider, or healthcare tech company, NetGuard Plus is almost certainly the right fit.
TechGuard: Specialized E&O + Cyber Bundling
TechGuard launched in October 2024 and represented a strategic shift for TMHCC: combining professional liability and cyber coverage into a single package designed specifically for technology companies [5]. This product is aggressively marketed, available through the broker portal for expedited quoting, and it's gaining traction fast.
What makes TechGuard distinctive is the proactive vulnerability scanning powered by AI-driven technology assessment. The policy includes worldwide coverage and an extended reporting period (tail) of up to three years—valuable for SaaS companies, managed service providers (MSPs), and tech consultants who worry about post-closing claims [3]. There's also dependent system failure coverage up to $1M, which protects your tech client if their software corrupts or damages a customer's systems.
If your client is a software developer, IT consulting firm, SaaS platform, or IT services company, TechGuard is often more cost-effective than layering separate E&O and cyber policies.
e-MD: Healthcare's Tailored Cyber Solution
Healthcare organizations face a different threat landscape than general commerce. TMHCC's e-MD product is purpose-built for physician groups, allied health practices, hospitals, long-term care facilities, and mental health providers [3]. The limits top out at $1M, which reflects the typical exposure for these organizations.
Here's the critical piece: e-MD's regulatory defense coverage for HIPAA, EMTALA, and STARK violations is bundled in—but only when combined with MEDEFENSE Plus, their healthcare liability companion product [3]. If your healthcare client is applying for just e-MD cyber without the full medical defense package, you may miss important coverage.
The threat environment for healthcare has shifted dramatically. Healthcare ransomware frequency surged approximately 90% in 2025, and loss costs doubled [4]. This isn't theoretical risk anymore; it's the most common cyber threat healthcare organizations face. TMHCC's underwriting reflects this urgency.
The CyberNet Platform: Beyond the Policy
One of TMHCC's underappreciated competitive advantages is the CyberNet platform, which accompanies their cyber policies [6]. This isn't just a policyholder portal—it's an active risk management tool that delivers:
- Real-time threat alerts and breach notifications
- Cyber awareness training modules for employees
- Phishing simulation campaigns (essential for defense-in-depth)
- Risk reporting dashboards that show your client where their vulnerabilities lie
When you're positioning TMHCC to your clients, emphasize this. The CyberNet platform is included in the premium and functions as a continuous security posture assessment. Clients who engage with it report better claims frequencies and, more importantly, catch security issues before they become breaches.
The Mandatory EDR/NGAV Requirement: Non-Negotiable
Before we go deeper into application specifics, you need to understand the single most important underwriting rule at TMHCC: EDR or NGAV protection is mandatory on all endpoints. If your client answers "No" to this question, the application will not be bound. Full stop. [7]
This isn't a preference. It's not a discount driver. It's a binding requirement. TMHCC saw too many preventable ransomware losses in 2024 and 2025, and their underwriting team decided that endpoint detection and response (EDR) or next-generation antivirus (NGAV) technology is table stakes.
EDR solutions include SentinelOne, CrowdStrike, Microsoft Defender for Endpoint, Kaspersky, Trend Micro Apex One, or similar tools that offer behavioral monitoring, threat hunting, and automated response. NGAV includes tools like Windows Defender, Kaspersky, Trend Micro, and others that go beyond signature-based detection.
The question TMHCC will ask is simple: "Are EDR/NGAV solutions deployed and actively running on all endpoints (servers, workstations, laptops)?" If your client's answer is anything other than "yes," you need to pause the application, help them implement EDR, and resubmit.
Many brokers try to negotiate this. Some attempt to submit applications with partial EDR coverage (e.g., "we have EDR on servers but not workstations"). TMHCC won't move. The requirement is comprehensive.
Testing Your Client's Actual EDR Posture
Here's where many applications stumble: clients think they have EDR running everywhere, but they don't. Legacy workstations are excluded. Contractor laptops aren't included. Kiosks were "too old to install EDR on." You need to verify independently.
Ask your client for:
- A list of all endpoints (servers, workstations, laptops, managed devices)
- EDR/NGAV tool inventory: which endpoints have which solutions
- Last update logs from their EDR console, showing active status for all devices
If they can't produce this documentation cleanly, that's a red flag. Suggest they run an audit with their IT vendor or MSP. It takes a few days, and it prevents application rejection.
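One way to run that verification, shown as an added example (it is not BindLedger's or TMHCC's tooling): reconcile the client's endpoint inventory against an export from the EDR console and list every endpoint that cannot support a "yes" answer. The CSV column names, the 14-day staleness cut-off, the audit date and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data. Column names are assumptions for this example;
# map them to whatever the asset inventory and EDR console actually export.
INVENTORY_CSV = """hostname,type
FIN-WS-001,workstation
FIN-WS-002,workstation
HR-LT-014,laptop
SRV-ERP-01,server
SRV-FILE-02,server
KIOSK-LOBBY,workstation
CONTRACTOR-LT-3,laptop
"""

EDR_EXPORT_CSV = """hostname,agent_status,last_seen
fin-ws-001.corp.example,active,2026-03-30T08:15:00Z
FIN-WS-002,active,2026-02-11T17:40:00Z
hr-lt-014,disabled,2026-03-29T22:05:00Z
SRV-ERP-01,active,2026-03-30T09:00:00Z
srv-file-02,active,2026-03-30T08:59:00Z
DEV-TEST-07,active,2026-03-30T07:30:00Z
"""

AS_OF = datetime(2026, 3, 31, tzinfo=timezone.utc)  # constructed audit date
STALE_AFTER = timedelta(days=14)  # assumed cut-off for "actively running"


def normalize(hostname):
    """Short lower-case name, so FQDN and case differences do not hide a match."""
    return hostname.strip().lower().split(".")[0]


def load(csv_text):
    """Index CSV rows by normalized hostname."""
    return {normalize(row["hostname"]): row for row in csv.DictReader(io.StringIO(csv_text))}


def classify(agent, as_of):
    """Return the coverage state of one inventoried endpoint."""
    if agent is None:
        return "missing_agent"       # never enrolled: legacy box, kiosk, contractor laptop
    if agent["agent_status"].strip().lower() != "active":
        return "inactive_agent"      # installed but disabled or unhealthy
    last_seen = datetime.strptime(agent["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
    if as_of - last_seen.replace(tzinfo=timezone.utc) > STALE_AFTER:
        return "stale_agent"         # enrolled, but not checking in
    return "protected"


def reconcile(inventory_csv, edr_csv, as_of=AS_OF):
    inventory, agents = load(inventory_csv), load(edr_csv)
    report = {"protected": [], "missing_agent": [], "inactive_agent": [], "stale_agent": []}
    gaps_by_type = {}
    for host in sorted(inventory):
        state = classify(agents.get(host), as_of)
        report[state].append(host)
        if state != "protected":
            gaps_by_type.setdefault(inventory[host]["type"], []).append(host)
    # Agents reporting from hosts the inventory does not list mean the
    # inventory itself is incomplete, so "all endpoints" cannot be shown.
    report["not_in_inventory"] = sorted(set(agents) - set(inventory))
    report["gaps_by_type"] = gaps_by_type
    total = len(inventory)
    report["coverage_pct"] = round(100 * len(report["protected"]) / total, 1) if total else 0.0
    report["supports_yes"] = (
        total > 0 and len(report["protected"]) == total and not report["not_in_inventory"]
    )
    return report


def sample_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY_CSV, EDR_EXPORT_CSV)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Every host outside the `protected` list needs an agent deployed, repaired or the device retired before the application is answered, and anything under `not_in_inventory` means the endpoint list itself has to be corrected first.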
The Complete Application Requirements
Required Information Architecture
TMHCC's application is modular but comprehensive. Prepare your client for these information demands:
Company Structure & Financials
- Legal entity name, formation details, and ownership structure
- All subsidiaries, acquired companies, and affiliate operations (TMHCC wants the full tree)
- Three years of financial statements (P&L and balance sheet)
- Revenue for the past three years (used to determine appetite tier)
- Projected revenue for the upcoming year
Operations & Industry Detail
- Primary line of business and detailed description
- Secondary business lines or revenue streams
- Number of employees (broken down by location if material)
- Operating locations (US and non-US)
- Percentage of revenue by geography
- Customer base description (B2B, B2C, direct, indirect, etc.)
Information Security Program
- Detailed IT infrastructure overview (on-premises, cloud, hybrid)
- Number and types of systems storing sensitive data
- Data classification policy (if one exists)
- EDR/NGAV inventory (the mandatory requirement—list every endpoint type and solution)
- Multi-factor authentication (MFA) deployment scope
- Backup and disaster recovery procedures
- Patch management cadence
- Security awareness training frequency
- Incident response plan (even a simple one counts)
Claims History
- Cyber claims in the past five years (include amounts, closure status, cause)
- Data breach incidents (even without claims filed)
- Regulatory investigations or inquiries
- Lawsuits involving data or privacy (even if unrelated to cyber directly)
Compliance & Certifications
- Industry-specific compliance (HIPAA, PCI-DSS, SOC 2, ISO 27001, etc.)
- Penetration testing or security assessments (frequency and results summary)
- Audit findings related to cybersecurity
Critical Application Mistakes Brokers Make
After processing hundreds of TMHCC submissions, we've identified patterns in what makes applications stall:
Mistake #1: Incomplete Subsidiary Disclosure. TMHCC wants to underwrite the entire group. If your client is a holding company with three operating subsidiaries and you list only the parent, the underwriter will ask for complete details on each subsidiary. This delays approval by days or weeks. Get the full organizational chart upfront and disclose everything.
Mistake #2: Misrepresenting EDR Scope. Clients often claim universal EDR coverage when they actually mean "most devices." Be specific. If 95% of devices have EDR but there's a legacy system without it, disclose that clearly rather than answering "yes" and hoping it's not audited. Honesty here prevents claim denials later.
Mistake #3: Outdated IT Infrastructure Descriptions. Applications that describe the IT environment in vague terms ("We use cloud and on-premises servers") won't pass underwriting. TMHCC's underwriting team, supported by their Cytora AI partnership announced in December 2025, can identify inconsistencies [8]. Be specific: "We use AWS for production workloads, Microsoft Azure for development, and on-premises servers for legacy ERP."
Mistake #4: Omitting Material Incidents. If your client had a ransomware incident three years ago that cost $500K to remediate but wasn't formally "claimed," you might think it's not relevant. TMHCC disagrees. Any cyber-related incident, whether formally claimed or not, must be disclosed. Non-disclosure will result in claim denial if similar circumstances arise.
Mistake #5: Missing the MFA Requirement Details. MFA (multi-factor authentication) is mandatory across all access points—but TMHCC's form is more specific than many brokers realize. The form asks about MFA for remote access including VPNs, RDP, RDWeb, and RMM tools (not just "VPN" in general). It also asks whether MFA protects privileged user accounts, whether users can access email through a web application or non-corporate device, and if so whether MFA is enforced there too. Additionally, the form asks whether account lockout policies are enforced for all users to prevent brute-force attacks. TMHCC won't explicitly state this as a binding requirement like EDR, but it's a hard expectation. If your client doesn't have MFA comprehensively deployed across these access vectors, your application will be declined or heavily modified.
Mistake #6: Incomplete Officer Signature. TMHCC requires an authorized officer signature (typically CFO, CEO, or COO) on the application attesting to the accuracy of representations. Applications missing this signature don't move forward. Don't submit until you have it.
Mistake #7: Not Disclosing Material Changes Mid-Application. If your client files an application and then, while underwriting is in progress, has a security incident or makes a major infrastructure change, you must disclose it immediately. Failure to do so gives TMHCC grounds to rescind coverage.
Preparing Your Clients: The Pre-Application Checklist
Before you open the application in TMHCC's system, walk your client through this checklist. It will prevent rework.
Checklist: Before You Submit
Endpoint & Access Security
- EDR or NGAV solution is confirmed active and running on 100% of endpoints (servers, workstations, laptops)
- Documented list of all endpoints and their protection tools is ready
- MFA is enabled on email, VPN, and all critical business applications
- Document which users/roles have MFA enforced vs. optional
- Administrator/privileged account policies are in writing (password complexity, forced rotation, MFA)
- Last three months of failed login attempts or access logs are available if needed
Data & Backups
- Backup and disaster recovery procedures are documented
- Backups are encrypted and verified as immutable
- Backups are stored offline, air-gapped, or in a separate network segment from primary systems
- MFA protection is enabled for both internal and external access to backup systems
- Backup cadence is documented (daily, hourly, etc.) and confirmed running on schedule
- Realistic restore timing is documented—specifically, time to restore essential functions after widespread ransomware or malware
- Evidence that backups are tested (restore logs from last 12 months)
- Backup systems themselves are protected with EDR/NGAV
Patching & System Updates
- Patch management policy is documented (frequency, testing, approval process)
- Log showing patches applied to critical systems in last 90 days
- Any systems running unsupported OS versions are identified (and hopefully being replaced)
People, Training & Financial Controls
- Cyber awareness training logs showing employee participation (past 12 months)
- Phishing test results (if available from a testing vendor)
- Incident response plan exists (doesn't need to be elaborate; a one-page plan is acceptable)
- Designated incident response team or contact is identified
- TMHCC's 24/7 breach hotline number (to be provided) is communicated to the team
- Wire-transfer controls are documented: written authorization protocol, direct-call verification for new payment requests, and direct-call verification before vendor/client account changes
- Evidence that finance team follows wire-transfer verification procedures (example: email trails or call logs showing verifications)
Compliance & Audit
- Relevant compliance certifications or audit reports (SOC 2, PCI, HIPAA BAA, ISO 27001, etc.)
- Summary of any recent penetration tests or security assessments
- List of any pending regulatory investigations or audit findings related to data security
- Documentation of any cyber incidents in the past five years
Financial & Organizational
- Three years of financial statements (P&L and balance sheet)
- Organizational chart showing all subsidiaries and operating entities
- Revenue breakdown by geography and business line
- CFO or CEO contact info (for application signature)
- Top 3 most critical vendors identified with their services and domains/websites
- Brief description of business dependency on each critical vendor
Application Logistics
- Primary contact (often the CFO or risk manager) is identified
- Secondary contact for questions is identified
- Email address that can receive large file attachments
- Decision timeline for when broker needs feedback (TMHCC will ask)
Don't go further until all of these are checked. The marginal time spent here saves days in underwriting delays.
Tokio Marine HCC's Underwriting Workflow: What Happens Behind the Scenes
Understanding how TMHCC's underwriting engine works helps you anticipate what they'll ask and provide information proactively.
In December 2025, TMHCC announced a strategic partnership with Cytora, an AI-powered underwriting platform [8]. This isn't just PR—it fundamentally changes their review process. Cytora's algorithms analyze applications, extract risk signals, and flag inconsistencies. If your application has contradictions (e.g., you claim sophisticated security but describe outdated systems), the AI will catch it.
Here's the typical flow:
- Intake & Classification: Application is logged, and Cytora's algorithm assigns a preliminary risk score based on industry, revenue, and initial responses.
- Automated Screening: The AI scans for red flags: missing EDR, weak MFA posture, unpatched systems, prior claims, regulatory issues. Anything triggering a red flag goes to human review faster.
- Underwriter Assignment: A human underwriter takes the file. If it's routine (good controls, clean claims history, strong financials), approval can be fast—sometimes within 48 hours. If there are questions, the underwriter drafts a request for information (RFI).
- RFI & Clarification: Most applications get at least one RFI round. Common questions: "Please provide documentation of EDR deployment on all endpoints," "Clarify your backup restore frequency," "Provide details on the 2023 data breach incident you mentioned."
- Specialty Review (If Applicable): For healthcare clients or high-limit requests, the file goes to a specialist underwriter. For TechGuard applications, there's a tech-focused reviewer. Turnaround here can be 5-10 business days.
- Pricing & Terms: Once underwriting approves, pricing is built using TMHCC's rating model. Discounts apply for strong controls (EDR + MFA + regular testing = better rate). Premium adjustments apply for risk factors (prior claims, weak controls, high revenue concentration, etc.).
- Bind/Decline: Final decision issued. Most applications bind; some are declined (rare), and some are bound with exclusions or special conditions.
Total timeline for a clean submission: 5-15 business days. Messy applications with RFI back-and-forth: 3-4 weeks.
Product-Specific Application Guidance
Applying for NetGuard Plus
When your client is a general commercial business applying for NetGuard Plus, focus on this core narrative:
Domain and Footprint First: The NetGuard Plus form begins with your client's public exposure. TMHCC asks for all websites and domains owned or operated by the entities seeking coverage. This isn't just a listing exercise—the form explicitly states that the application should reflect total exposure including revenues, records, controls, vendors, and loss history. The public footprint matters significantly. If your outside-in story (what can be discovered and scanned from the internet) doesn't match the internal control story, the submission weakens before the underwriter even reaches technical control questions. Before filling out the form, run a scan of your client's public domain presence, email authentication posture, subdomains, and exposed services. Inconsistencies between what appears public and what's described internally create underwriting friction.
Data Categories and Sensitivity: The form asks specifically about record types: basic records, personally identifiable information (PII), protected health information (PHI), payment-card data, and biometrics. For each category, the form asks about encryption and, if data isn't encrypted, whether compensating controls like server segregation and role-based access control are in place. This is important: for organizations handling biometric data, the form goes further and asks whether related policies were reviewed with a qualified attorney for legal compliance. This means TMHCC isn't only underwriting technical risk—they're also underwriting regulatory and governance exposure.
Risk Profile: Describe the IT environment in concrete terms. Don't say "We have modern infrastructure." Say "Our email runs on Microsoft 365 with MFA enforced company-wide. Our customer database is hosted on AWS RDS with daily backups stored in a separate AWS account. Development environments run on-premises on a separate network with no internet access."
Security Posture: List actual controls, not aspirational ones. "We have EDR on all 150 workstations and 12 servers running CrowdStrike, which our MSP manages. Patches are applied on a monthly cycle, tested in staging first. We conduct phishing tests quarterly; our latest test (March 2026) had an 8% click-through rate."
Network Security Ownership: A key section of the NetGuard Plus form must be completed by the person within your organization responsible for network security. The form asks who that person is, whether security is handled internally or outsourced, and if outsourced, whether the form signer is the main contact for the network security provider. This is TMHCC's way of signaling that technical truth should come from the technical owner, not from broker estimates. If your client's IT is outsourced to an MSP, that MSP needs to be involved directly in the application process, especially for sections covering EDR, MFA, backups, and patching. Don't try to proxy technical answers through someone without hands-on visibility.
Claims History: If your client has prior cyber claims, own them. Example: "In 2022, we experienced a phishing attack that compromised 15 employee email accounts. We engaged Mandiant for forensics ($45K). The attacker accessed customer data for 2 weeks before detection. We notified 120 affected customers and paid for 12 months of credit monitoring ($8K). Since then, we've implemented MFA company-wide and EDR on all endpoints."
This narrative shows a company that had an incident, responded professionally, and hardened controls. TMHCC respects that more than a company claiming zero incidents (which is often a red flag that they're not monitoring).
Limits & Deductibles: For most commercial clients, a $1M limit with a $10K deductible is standard. Healthcare and high-revenue tech might need $2-3M. Ask TMHCC for guidance if you're unsure—their carrier team will recommend limits based on exposure analysis.
Applying for TechGuard
TechGuard is faster to underwrite than NetGuard Plus because it's streamlined for a narrower audience. When submitting:
Technology Detail: TMHCC's tech underwriters expect sophistication here. Don't describe "We're a software company." Describe your product architecture. "We operate a SaaS platform (B2B2C model) with a microservices architecture on Kubernetes/AWS. Customers connect via OAuth 2.0 and REST APIs. Each customer environment is logically isolated with row-level security in our PostgreSQL database."
Dependency Risk: TechGuard explicitly covers dependent system failures. Highlight what could go wrong from your client's perspective. "If our API is unavailable for 4 hours, our customers' order processing stops. We estimate that costs them roughly $50K/hour in lost revenue. That's why dependent system liability is critical."
Tail Coverage: Extended reporting periods are a huge selling point for TechGuard. If your client is a PE-backed firm potentially facing M&A, emphasize it. "With our three-year tail, we're protected from claims arising from issues in our past performance, even after sale."
Claims-Made Distinction: Make sure your client understands this is claims-made, not occurrence. If they drop coverage and later have a claim from work they did years ago, it won't be covered unless the tail was purchased. Recommend tail coverage be a requirement in any deal.
Applying for e-MD (Healthcare Cyber)
Healthcare applications require extra scrutiny at TMHCC, reflecting the frequency and severity of healthcare cyber threats. Here's what resonates:
Patient Data Protection: Describe how patient data is handled specifically. "We maintain patient records in an on-premises Epic instance with encrypted access and role-based access control. Clinic staff access via VPN with MFA. Backups are encrypted, stored offline, and tested monthly."
Regulatory Alignment: If your healthcare client is HIPAA-covered, expect TMHCC to probe compliance depth. Have the HIPAA Business Associate Agreement (BAA) ready. Have documentation showing annual HIPAA training completion. If there's been a prior breach (even a small one), have the breach notification documentation and OCR investigation report available.
Ransomware Risk: Healthcare organizations are primary ransomware targets. TMHCC knows this. Be honest about it. "We've had two ransomware incidents in the past two years. The first (2024) was contained to a test environment via user error; we paid no ransom and recovered from backups in 8 hours. The second (2025) encrypted our patient portal interface; we isolated it, restored from backup, and lost 6 hours of data. Since then, we've implemented EDR, immutable backups, and segmented our network."
MEDEFENSE Plus Bundling: Don't apply for e-MD cyber without also discussing MEDEFENSE Plus. TMHCC builds their healthcare cyber appetite assuming the full medical-legal protection package. If you apply for cyber only, you may find the terms less favorable or limits lower.
Staffing Model: Healthcare underwriters ask about staffing ratios and turnover. High turnover = more access points = more risk. "We have 120 clinical staff and 30 admin staff with average tenure of 4.2 years. Our IT team (5 FTEs) handles all credential and access management."
Red Flags That Slow Underwriting
TMHCC's underwriting team has seen thousands of applications. They can spot weak control narratives instantly. Here are the red flags that trigger immediate RFIs or decline:
- "We'll implement EDR before binding": This doesn't work. EDR must be deployed and verified before the application is submitted. If it's not deployed now, the answer is "No" and your client needs to wait.
- "Most of our endpoints have EDR": Percentage-based answers fail. TMHCC needs 100%. If there's legacy equipment without EDR, either deploy EDR on it or retire it.
- "We have MFA on email": TMHCC wants MFA across email, VPN, and all critical applications. If you say MFA is only on email, they'll ask for more. Be comprehensive.
- "Our backup is tested annually": Underwriters want to see recent restore tests. Annual testing isn't enough to prove restores work. Aim for quarterly or monthly test documentation.
- "We haven't had any cyber incidents": For companies with significant customer data or financial holdings, claiming zero incidents ever is suspicious. It usually means they're not monitoring closely or they're not being truthful. Modest, documented incidents (found, handled, learned from) are more credible.
- Vague financial information: "Revenue is in the $10-50M range" won't cut it. TMHCC needs exact numbers to determine appetite tier and pricing. Have three years of financials ready.
- Organizational opacity: If your client is a subsidiary of a private equity firm or international parent, TMHCC will ask for details on the parent company, governance, and who controls cyber decisions. Be transparent.
- Claims history minimization: If you list zero claims but the client has filed three workers' comp or general liability claims, that raises questions about your cyber data accuracy. TMHCC will cross-reference claims databases. Better to disclose proactively.
Pre-Submission Scan Consent: Getting Ahead of TMHCC's Questions
Both the new-business and renewal NetGuard Plus forms include consent language allowing TMHCC to conduct non-intrusive scans of internet-facing systems and applications for common vulnerabilities. Rather than waiting for the underwriter to run these scans and flag issues, run them yourself first through tools like BindLedger's readiness check. Catching public-facing vulnerabilities, email authentication gaps, exposed subdomains, and TLS certificate issues before the form is submitted prevents underwriting friction later.
Leveraging BindLedger Tools for Your Application
When you're preparing client evidence for a TMHCC cyber submission, use BindLedger's Carrier Decoder (our supplement parser tool) to extract and organize policy-specific requirements. Rather than manually building evidence files, the Carrier Decoder can help structure the data your client needs to provide.
Start with BindLedger's free readiness scan before you even open the NetGuard Plus application. This tool validates your client's public footprint, email authentication posture, TLS configuration, and internet-facing services. It takes 10 minutes and provides the baseline for TMHCC's outside-in assessment before you layer in internal controls documentation.
Additionally, for clients with complex backup and recovery claims (common in healthcare and financial services), review How to Prove Backup Immutability. TMHCC underwriters specifically ask for backup validation, and this guide walks through what documentation passes their scrutiny.
For clients with email security concerns, DMARC, SPF, and DKIM for Cyber Insurance provides the technical framework. Many TMHCC applications stumble on email authentication; having DMARC enforced sends a strong signal.
If your client uses Microsoft 365 (nearly universal in mid-market), The M365 MFA Reporting Gap covers how to generate proof of MFA enforcement. TMHCC will ask for MFA reports; this guide shows you how to pull them correctly.
And finally, for a comprehensive overview of what documentation TMHCC (and other carriers) typically ask for, read The Complete Guide to Cyber Insurance Evidence in 2026.
Comparing TMHCC to Other Carriers
TMHCC is competitive but not the only option. Here's how they stack up:
vs. Beazley: Beazley is more flexible on EDR—they'll write around it with appropriate premium adjustments. TMHCC won't. Beazley is faster for small accounts (<$2M revenue). TMHCC offers better limits at higher revenue tiers. See Beazley Cyber Insurance Application Guide.
vs. Chubb: Chubb has deeper appetite in the $5-10M limit range than TMHCC. Chubb requires more detailed risk questionnaires but is less prescriptive on specific controls. If your client has complicated operations (global entities, complex data flows), Chubb is often easier. See Chubb Cyber Insurance Underwriting Guide.
vs. CFC: CFC is the most tech-friendly carrier. If your client is a SaaS company, CFC often beats TMHCC on pricing and terms. CFC's underwriting is faster (2-3 days vs. 5-15). However, CFC caps limits at $3M and has smaller appetite in financial services. See CFC Cyber Insurance Application Guide.
vs. AIG: AIG's appetite is broad, but their underwriting is opaque and slow (4-6 weeks). If your client needs limits above $10M or operates in a regulated industry (financial services, healthcare), AIG is often required. TMHCC is faster for standard risks. See AIG Cyber Insurance Underwriting Guide.
TMHCC is ideal for mid-market companies ($50-500M revenue) with solid security controls and clean claims history. If your client is smaller and has EDR gaps, Beazley may be easier. If your client is larger or in healthcare, e-MD + MEDEFENSE Plus is often the best bundle available.
Frequently Asked Questions
What if my client's EDR solution isn't on TMHCC's "approved" list?
TMHCC publishes general guidance on acceptable EDR tools but doesn't maintain a strict whitelist. Most enterprise-grade EDR solutions (SentinelOne, CrowdStrike, Microsoft Defender, Kaspersky, Trend Micro, etc.) are acceptable. Niche or very new solutions are a question mark. If your client uses an unfamiliar EDR tool, reach out to TMHCC's underwriting team before submitting the application. They'll clarify acceptability within 24-48 hours. Don't guess and submit; having to correct this mid-underwriting is a painful delay.
Can we get a renewal quote from TMHCC if we have a pending cyber claim?
Technically, yes—TMHCC will quote renewals even with open claims. However, the claim will significantly impact terms and pricing. If your client has a claim actively being adjusted, ask TMHCC for guidance on timing. Sometimes it's better to wait 30-60 days until the claim is closed or settled so pricing reflects the actual loss, not worst-case reserves. A pending claim adds uncertainty that TMHCC prices aggressively.
What happens if my client's IT environment changes between application submission and binding?
Material changes must be disclosed. If your client implements a new cloud platform, acquires a company, or experiences a security incident between application and binding, inform TMHCC immediately. Small changes (hiring 5 new employees, migrating one test server) don't require disclosure. Major changes (acquisition, data breach, significant system architecture change) do. Failure to disclose can result in coverage denial for any claims arising from the undisclosed situation.
Does TMHCC offer any discounts for strong controls?
Yes. TMHCC's underwriting team, particularly with Cytora's AI-powered analysis, can identify companies with exemplary security postures. Comprehensive EDR + MFA + regular penetration testing + offline immutable backups + documented incident response = you'll see a 10-15% premium discount. Some clients invest $50-100K annually in security controls; TMHCC recognizes that and prices it in. It's worth mentioning to your clients as motivation to invest in controls that benefit both their risk profile and insurance costs.
Next Steps: Getting Your Client TMHCC-Ready
The path to a smooth TMHCC cyber application is clear:
- Verify EDR: Confirm EDR or NGAV is deployed on 100% of endpoints. If not, pause and deploy it first.
- Run Through the Checklist: Walk your client through the pre-submission checklist above. Flag any gaps.
- Prepare Documentation: Gather the financial statements, org charts, IT environment descriptions, and backup/patch documentation. Don't let the underwriter ask for it; provide it proactively.
- Use BindLedger's Readiness Check: Before you formally submit, use our free readiness scan to validate that your client meets common cyber insurance requirements. It takes 10 minutes and will highlight any gaps you can fix before submission.
- Leverage the Carrier Decoder: Once you have your client's responses and evidence, use BindLedger's Carrier Decoder to organize everything by TMHCC's requirements. This tool parses policy language and maps your evidence to what carriers actually need.
- Submit with Confidence: When you hit submit, you'll know the application is complete and accurate. Underwriting will flow smoothly, and you'll have approval (or a clear path to it) in 1-2 weeks.
TMHCC is a sophisticated carrier with high standards. But they're not trying to be difficult—they're trying to underwrite sustainable risk. Companies that invest in real controls (EDR, MFA, backups, patching) are genuinely lower risk. Meeting TMHCC's standards isn't just good for insurance; it's good for your client's actual security.