10 Factors That Drive Cybersecurity Insurance Eligibility and Limits

Risk Assessment & Underwriting Criteria for U.S. Businesses

Why This Guide Matters

Cyber-crime losses in the United States topped $10.3 billion in 2022 (FBI IC3). At the same time, carriers such as Coalition, Travelers, and Chubb have tightened underwriting standards, driving average cyber premiums for mid-market firms up 11 % in 2023 (Marsh McLennan, Global Insurance Market Index Q2 2023).

For any organization—from a 20-person SaaS startup in Austin to a multi-state healthcare group headquartered in New York—understanding the levers that influence eligibility and coverage limits is now mission-critical. This ultimate guide unpacks the 10 most decisive factors U.S. insurers scrutinize, complete with real pricing data, regional nuances, and expert tips to earn higher limits at lower rates.

Table of Contents

  1. Executive Summary
  2. Factor 1 – Industry & Revenue Profile
  3. Factor 2 – Data Volume & Sensitivity
  4. Factor 3 – Past Loss History
  5. Factor 4 – Security Controls Maturity
  6. Factor 5 – Third-Party & Supply-Chain Risk
  7. Factor 6 – Regulatory Environment & Location
  8. Factor 7 – Incident Response Planning
  9. Factor 8 – Business Continuity & Backup Posture
  10. Factor 9 – Employee Security Awareness
  11. Factor 10 – Governance, Risk & Compliance (GRC) Frameworks
  12. Putting It All Together: How Underwriters Weight the Factors
  13. Frequently Asked Questions
  14. Next Steps & Resources

Executive Summary

Insurers evaluate a blend of quantitative (annual revenue, record counts, loss ratio) and qualitative (board oversight, culture) variables. The matrix below shows a typical weighting model used by leading carriers such as AXIS and Beazley for mid-size U.S. accounts ($50 M–$1 B revenue):

Factor | Weighting | Typical Impact on Limits
Security Controls Maturity | 25 % | Up to 30 % higher limits if MFA, EDR, and immutable backups are in place
Industry & Revenue | 20 % | High-risk industries (healthcare, finance) may see 40 % lower limits
Data Sensitivity | 15 % | PHI/PCI data drives retentions up 15 %–20 %
Loss History | 10 % | 2+ incidents in 3 years may halve available limits
Regulatory Environment | 10 % | NYDFS compliance can unlock 10 % premium credits
Remaining Factors | 20 % |

Source: InsuranceCurator analysis of 2023 carrier underwriting guidelines.

Factor 1 – Industry & Revenue Profile

Why It Matters

Carriers start with actuarial loss curves for each NAICS code. Healthcare, financial services, and public entities experience breach costs 246 % higher than low-risk sectors like manufacturing (IBM Cost of a Data Breach 2023).

Real-World Pricing Examples

Location and size compound the effect. Consider a $50 M-revenue company seeking $2 M in limits:

Industry | Region | Annual Premium* | Retention | Notable Carrier
Healthcare (HIPAA) | New York | $78,000 | $100K | Chubb
SaaS | Texas | $26,500 | $25K | Travelers
Retail | California | $34,200 | $50K | Coalition

*Quoted Q4 2023 for firms with no losses, standard controls.

Expert Insight

“Revenue alone doesn’t dictate exposure—transaction counts and cloud footprint are equally telling,” notes Maria Delgado, Cyber Practice Leader at a major San Francisco brokerage.

Factor 2 – Data Volume & Sensitivity

Key Metrics Underwriters Request

  • Number of PII/PHI records stored or processed
  • Peak concurrent user sessions
  • Encryption status (at rest/in transit)
  • Tokenization or data-minimization techniques

Impact on Limits

Large, sensitive data sets push carriers to cap limits. A fintech startup in Charlotte processing 10 million payment cards was offered only $3 M in total tower despite $100 M revenue.

Tactics to Mitigate

  1. Segment high-value data in separate, access-controlled networks.
  2. Purge dormant records older than industry-defined retention windows.
  3. Encrypt and tokenize data to demonstrate that a breach would yield little the attacker could monetize.

For a deeper dive into how record counts shape ratings, read How Industry, Revenue & Data Volume Impact Cybersecurity Insurance Risk Ratings.

Factor 3 – Past Loss History

The “Three-Year Lookback”

Most carriers examine the prior 36 months of:

  • Ransomware events
  • Fund-transfer fraud (FTF) claims
  • Regulatory fines/settlements

Multiple paid claims can move an account into non-standard markets, where premiums run 30–50 % higher and limits often max at $5 M.

Case Study: Chicago Law Firm

After two ransomware claims totaling $1.7 M (2021–2022), the firm’s incumbent carrier cut available limits from $10 M to $2 M and doubled the premium. Only after implementing EDR and immutable backups did the renewal market open up.

Factor 4 – Security Controls Maturity

Top Controls That Move the Needle

Control | Eligibility Gatekeeper? | Limit Multiplier
Multi-Factor Authentication (MFA) | Yes – logins & RDP | 1.5×
Endpoint Detection & Response (EDR) | Yes – all endpoints | 1.3×
Privileged Access Management (PAM) | No, but favorable | 1.2×
Immutable Off-Site Backups | Yes – critical | 1.4×
24/7 SOC Monitoring | Recommended | 1.2×

Carriers increasingly require MFA as a non-negotiable prerequisite. For hands-on advice, see From MFA to Backups: Technical Controls That Slash Your Cybersecurity Insurance Premiums.

Factor 5 – Third-Party & Supply-Chain Risk

What Underwriters Evaluate

  • Vendor risk-assessment questionnaires
  • Contractual indemnification & cyber clauses
  • Continuous monitoring programs (e.g., SecurityScorecard)

Notable Trend

After the 2021 Kaseya and Accellion supply-chain hacks, carriers like Beazley began using external attack-surface scans. Poor grades can trigger:

  • 15 %–25 % higher deductibles
  • Endorsements excluding specific vendors

Pro Tip

Draft contract language requiring vendors to carry at least $5 M in cyber coverage, mirroring your own limits.

Factor 6 – Regulatory Environment & Location

State-Specific Considerations

State | Primary Regulation | Unique Impact on Insurance
New York | NYDFS 23 NYCRR 500 | Non-compliance can void coverage clauses
California | CCPA/CPRA | Higher notification costs baked into limits
Texas | Tex. Bus. & Comm. Code 521 | Lower avg. breach costs, modest rate relief

Insurers often embed sub-limits for regulatory fines. In New York, markets may cap this at $250K, while Florida accounts generally receive $500K.

Curious how regulators audit your controls? Explore Preparing for a Cybersecurity Insurance Audit: Documentation Insurers Expect.

Factor 7 – Incident Response Planning

Required Artifacts

  • Board-approved Incident Response Plan (IRP)
  • Contact list for legal, forensic, PR, and carrier hotlines
  • Tabletop exercise logs (preferably within last 12 months)

Organizations with a tested IRP receive average premium credits of 5–7 %, according to AXIS policy forms reviewed in 2023.

Factor 8 – Business Continuity & Backup Posture

What Carriers Want to See

  1. 3-2-1 backup rule (three copies, two media, one offline)
  2. Immutable backups (AWS S3 Object Lock, Wasabi Immutability)
  3. Quarterly restore testing, with results reported to the board

Fail any of the above and expect:

  • Retentions rising from $25 K to $100 K
  • Ransomware sub-limits capping at 50 % of the base tower

Factor 9 – Employee Security Awareness

Quantifiable Indicators

  • Annual phishing simulation click-rate below 5 %
  • Completion rates for mandatory training at >90 %
  • Executive participation certificates

Insurance actuaries correlate a 1 % reduction in click-rate with a 0.7 % drop in claim probability (NetDiligence 2023 Spotlight).

Factor 10 – Governance, Risk & Compliance (GRC) Frameworks

Frameworks That Impress Underwriters

  • NIST CSF (v2.0 draft) alignment
  • SOC 2 Type II reports (especially for SaaS)
  • ISO 27001:2022 certification
  • HITRUST (for healthcare)

Achieving ISO 27001 can unlock 10–15 % premium credits and help justify higher limits, especially for companies under $500 M revenue.

Putting It All Together: How Underwriters Weight the Factors

The decision tree below is typical for a $1 B limit request:

graph TD
A[Application Received] --> B{Mandatory Controls?}
B -- No --> X[Decline]
B -- Yes --> C[Financial & Industry Analysis]
C --> D[Loss History Review]
D --> E{High-Frequency Losses?}
E -- Yes --> Y[Lower Limits / Higher Retention]
E -- No --> F[Secondary Controls & GRC]
F --> G[Location & Regulatory Factors]
G --> H[Dynamic Scoring Algorithm]
H --> I[Limit & Pricing Proposal]

Insurers like Cowbell Cyber feed these variables into AI-driven risk engines, a trend explored in Emerging Underwriting Models: AI-Driven Risk Scoring in Cybersecurity Insurance.
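To make the decision tree and weighting matrix concrete, here is an added Python model (constructed for this guide, not any carrier's actual engine). The weights, the three mandatory controls, the "2+ incidents in 36 months halves limits" rule and the premium credits are the figures quoted above; how they are combined, the 25 % cap on stacked credits, and the control/attestation identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the guide's underwriting tree; combination logic is an assumption.
WEIGHTS = {
    "controls": 0.25, "industry": 0.20, "data": 0.15,
    "loss_history": 0.10, "regulatory": 0.10, "other": 0.20,
}
MANDATORY_CONTROLS = frozenset({"mfa", "edr", "immutable_backups"})
# Premium credits the guide attributes to specific attestations (low end of each range).
PREMIUM_CREDITS = {"tested_irp": 0.05, "iso27001": 0.10, "nydfs_compliant": 0.10}
MAX_STACKED_CREDIT = 0.25          # assumption: carriers cap stacked credits
LOSS_FREQUENCY_THRESHOLD = 2       # paid incidents inside the 36-month lookback


@dataclass
class Application:
    requested_limit: float                      # dollars
    base_premium: float                         # dollars, before credits
    controls: frozenset = frozenset()           # control identifiers in place
    attestations: frozenset = frozenset()       # keys of PREMIUM_CREDITS
    factor_scores: dict = field(default_factory=dict)  # 0.0 worst .. 1.0 best per WEIGHTS key
    incidents_last_36_months: int = 0


def composite_score(app: Application) -> float:
    """Weighted 0..1 readiness score; a factor with no score counts as 0."""
    return round(sum(w * app.factor_scores.get(k, 0.0) for k, w in WEIGHTS.items()), 4)


def underwrite(app: Application) -> dict:
    """Walk the guide's decision tree and return a proposal or a decline."""
    missing = sorted(MANDATORY_CONTROLS - app.controls)
    if missing:                                          # B -- No --> Decline
        return {"decision": "decline", "missing_controls": missing}
    path = ["mandatory_controls_ok"]
    limit = app.requested_limit
    if app.incidents_last_36_months >= LOSS_FREQUENCY_THRESHOLD:   # E -- Yes
        limit *= 0.5
        path.append("high_frequency_losses: limit halved, higher retention")
    credit = sum(c for k, c in PREMIUM_CREDITS.items() if k in app.attestations)
    credit = min(credit, MAX_STACKED_CREDIT)
    path.append(f"premium credits applied: {credit:.0%}")
    return {
        "decision": "quote",
        "offered_limit": limit,
        "premium": round(app.base_premium * (1 - credit), 2),
        "score": composite_score(app),
        "path": path,
    }
```

Feeding in your own control inventory and loss count shows which branch of the tree an underwriter would take before you ever submit an application.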

Frequently Asked Questions

Q1. Can I get coverage without MFA?
Unlikely in 2024. Over 90 % of U.S. carriers cite MFA as a “hard bar.”

Q2. How often should we run tabletop exercises?
At least annually; semi-annually for organizations above $500 M revenue or operating in critical infrastructure.

Q3. What’s a realistic budget for $5 M in limits?
For a 250-employee tech firm in Denver with good controls, expect $45K–$60K a year. A healthcare provider in Miami could pay $110K–$140K due to higher data sensitivity and regulatory pressure.

Next Steps & Resources

  1. Benchmark your current posture using the Self-Assess Your Cybersecurity Insurance Readiness with These 8 Metrics scorecard.
  2. Map any control gaps against the checklist in Cybersecurity Insurance Underwriting Checklist: Pass Your Next Security Review.
  3. Share this guide with your CFO and GC ahead of renewal talks.

Cited Sources

  1. Marsh McLennan. “Global Insurance Market Index Q2 2023.”
  2. IBM Security. “Cost of a Data Breach Report 2023.”
  3. FBI Internet Crime Complaint Center (IC3). “2022 Internet Crime Report.”

Need personalized guidance? InsuranceCurator’s team of licensed brokers in New York, Texas, and California can model multiple towers from carriers like Coalition, Beazley, and Travelers—helping you secure the limits your balance sheet demands.
