EVIDENCE TEMPLATE UC-13

Privileged Access Management

Control and monitor administrator accounts across directories, backups, networks, and endpoints. Enforce MFA, log all activity, conduct regular access reviews, and eliminate shared credentials.

📋 What this cyber insurance requirement is

A privileged access management (PAM) guide for cyber insurance should document all administrative accounts across directory services (AD), backup systems, network devices, and endpoints, enforce MFA on all privileged access, establish activity logging and session recording procedures, conduct regular access reviews and attestations, and eliminate shared or default credentials. Carriers require this documentation to verify you have visibility and control over high-risk accounts that could enable ransomware, data theft, or lateral movement.

What you'll get
  • Administrative account inventory (scope and categories)
  • MFA enforcement requirements across all systems
  • Activity logging and session recording procedures
  • Access review and attestation procedures
  • Shared credential elimination and password manager requirements
  • Just-in-time (JIT) access provisioning guidelines
  • Deprovisioning procedures for role changes and terminations
  • Carrier alignment (Travelers, Hartford, Coalition, Beazley)

What carriers are looking for

Each carrier asks slightly different questions. Here are some named artifacts by carrier.

Travelers

  • MFA enforcement across directory services, backups, network, and endpoints
  • Administrative account activity logging and monitoring

Hartford

  • Account inventory and regular access reviews
  • Activity logging for privileged access
  • MFA enforcement on administrative accounts

Coalition

  • PAM platform deployment and management
  • MFA enforcement and activity monitoring
  • Access review frequency and documentation

Beazley

  • MFA enforcement on privileged access
  • Account inventory and regular reviews
  • Activity monitoring and session recording

What to collect

Evidence artifacts your broker will need during the renewal process.

📋 Administrative account inventory

List of all privileged accounts across AD, backups, network devices, and endpoints with ownership and justification.

⚙️ MFA policy configuration

Screenshots showing MFA enforcement enabled in directory services, VPN, cloud platforms, and access management tools.

📊 PAM dashboard and activity logs

Evidence from CyberArk, BeyondTrust, or equivalent showing activity monitoring, session recordings, and failed login attempts.

Access review reports

Quarterly or semi-annual reviews with user attestation and approval signatures.

🗑️ Deprovisioning evidence

Documentation of disabled/deleted accounts during role changes or terminations.

📝 Exceptions register

Documented exceptions to MFA or access review procedures with business justification and approval.

Important: What this doesn't prove

Be upfront about these gaps. Carriers appreciate honesty over overstatement.

Controls are actually enforced: Configuration doesn't prove MFA was enforced on every connection.

Shared credentials eliminated: Policy doesn't prove shared service accounts (SQL, backup) no longer exist.

Unauthorized access prevented: Inventory and logging don't guarantee unauthorized access was blocked.

Reviews are thorough: Access review documentation doesn't prove reviews caught orphaned or inappropriate accounts.

Accounts are promptly deprovisioned: Policy doesn't prove terminated users' access was removed within the required timeframe.

Session recordings prevent attacks: Recording procedures don't prove suspicious activity was detected.
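
One way to test the collected artifacts against these gaps is to cross-check the account inventory with the HR termination list and the exceptions register. The script below is an added example, not part of the original template; the CSV columns, the `team-` owner prefix, and all sample data are constructed assumptions.

```python
import csv, io
from datetime import date

# Constructed sample data; column names are assumptions, not a carrier or PAM-vendor format.
INVENTORY_CSV = """account,category,owner,justification,mfa,last_review,enabled
da-jsmith,domain admin,jsmith,AD administration,yes,2026-01-15,yes
sqlsvc,service account,,SQL Server service,no,2025-02-01,yes
bkpadmin,backup admin,team-backup,Backup console,no,2025-11-20,yes
net-rlee,network device admin,rlee,Firewall changes,yes,2025-12-01,yes
az-mkhan,cloud admin,mkhan,Azure subscription admin,yes,2024-12-10,no
"""
TERMINATED = {"rlee"}            # constructed HR termination list
MFA_EXCEPTIONS = {"bkpadmin"}    # constructed exceptions register (approved, justified)
MAX_REVIEW_AGE_DAYS = 365        # the page's stated minimum: annual reviews


def audit_inventory(csv_text, terminated, mfa_exceptions, today):
    """Return {account: [findings]} for enabled accounts with evidence gaps."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "yes":
            continue  # disabled accounts belong in the deprovisioning evidence
        issues = []
        owner = row["owner"].strip()
        if not owner:
            issues.append("no named owner")
        elif owner in terminated:
            issues.append("owner terminated, account still enabled")
        elif owner.startswith("team-"):  # assumed naming convention for group ownership
            issues.append("shared credential")
        if row["mfa"].strip().lower() != "yes":
            if row["account"] in mfa_exceptions:
                issues.append("MFA off (documented exception)")
            else:
                issues.append("MFA off, no exception on file")
        age = (today - date.fromisoformat(row["last_review"])).days
        if age > MAX_REVIEW_AGE_DAYS:
            issues.append(f"last review {age} days ago")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_inventory(
            INVENTORY_CSV, TERMINATED, MFA_EXCEPTIONS, date(2026, 3, 1)).items():
        print(f"{account}: {'; '.join(issues)}")
```

Running the same check on each inventory export and keeping the dated output alongside the access review reports shows what was found and when, which the inventory alone does not.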

Who owns what

🏢 Business Owner

Approves PAM policy and access review procedures. Attests to appropriateness of access for their team members.

🔧 MSP/IT Security

Deploys and manages PAM platforms. Maintains account inventory, enforces MFA, conducts reviews, manages deprovisioning.

🤝 Broker

Interprets carrier requirements, verifies PAM implementation, collects evidence, flags gaps for remediation.

Frequently Asked Questions

Why do cyber carriers focus so heavily on PAM controls?

Administrative accounts are the highest-value targets for attackers. Compromised admin accounts enable ransomware deployment, lateral movement, data exfiltration, and persistence. Carriers require PAM evidence to confirm you control access to these critical accounts.

Do we need a dedicated PAM platform like CyberArk or BeyondTrust?

Dedicated platforms are preferred but not strictly required. You can implement PAM controls using native tools (Active Directory, Okta, Azure AD). The key is demonstrating MFA, activity logging, access reviews, and deprovisioning procedures.

What administrative account categories should we inventory?

Domain admins, service accounts (SQL, backup, application), cloud admins (AWS/Azure), backup admins, network device admins, hypervisor admins, and database admins. If the account has elevated privileges, it should be inventoried.

How frequently should we review access?

Carriers prefer quarterly to semi-annual reviews; at minimum, review annually. Ideally, reviews should also occur immediately after role changes or terminations to catch orphaned accounts.

Are shared service accounts a problem?

Yes. Shared accounts (e.g., sqlsvc, bkpadmin shared across team members) are difficult to audit and harder to deprovision. Modern PAM platforms support temporary elevated access instead of permanent shared accounts.

What should we do with activity logs?

Retain logs for at least 90 days, ideally 6-12 months. Store logs in a centralized, tamper-proof location. Carriers will ask for sample logs of administrative activity for breach investigations.

Sources (March 2026)

  • Travelers – MFA enforcement on administrative access requirements
  • Hartford – Account inventory, access reviews, and activity logging expectations
  • Coalition – PAM platform deployment and MFA enforcement requirements
  • Beazley – Privileged access monitoring and session recording requirements
  • NIST Cybersecurity Framework – Access control and privilege management (PR.AC-1, PR.AC-2)
  • CIS Controls – Privileged Access Management (Control 5)