Small businesses are prime targets: the 2025 Verizon DBIR analyzed 22,052 incidents and 12,195 confirmed breaches, the largest dataset to date, with SMB-specific takeaways that mirror enterprise trends.[1]
At the same time, carriers have matured their underwriting. Many now align baseline expectations to NIST CSF 2.0 outcomes, especially identity, data protection, and incident response, because those practices correlate with fewer and cheaper claims.[2]
The Hiscox Cyber Readiness Report 2025 finds a majority of SMEs suffered at least one cyber attack in the past year, underscoring that “too small to target” is a myth.[3]
The 7 Controls Most Underwriters Expect in 2025
- Multi-Factor Authentication (MFA) on email, remote access, and privileged accounts
  Identity abuse remains a top breach pathway. Strong MFA materially reduces account takeover risk.[1]
- Endpoint Detection and Response (EDR or MDR) on servers and workstations
  Rapid detection and containment blunts ransomware dwell time and loss severity. Many carriers now require EDR or managed detection for quotes.[4][5]
- Regular, tested backups including offline or immutable copies
  Recovery readiness is a key pricing factor. Immutable backups are frequently cited in successful claims outcomes.[4][5]
- Email security and user training for phishing defense
  Social engineering is still a leading initial vector for SMBs.[1]
- Vulnerability and patch management for internet-facing services
  Unpatched known vulnerabilities are common precursors to ransomware.[1]
- Privileged access hygiene including no shared admin accounts and least privilege
  This limits blast radius when credentials are compromised and maps to NIST CSF 2.0 “Protect” outcomes.[2]
- Documented incident response plan and tabletop tests
  Underwriters look for muscle memory: who calls whom, how backups are restored, and how vendors are engaged.[4][5]
Why These Controls Matter to Pricing and Coverage
Carriers are pricing to frequency and severity seen in claims data. Controls that reduce the likelihood of credential theft, lateral movement, and downtime tend to translate into broader terms and lower premiums.[1][3]
A Quick Readiness Checklist You Can Use Today
✅ MFA on Microsoft 365 or Google Workspace, VPN or RDP, and all admin accounts
✅ EDR on every server and workstation, with 24×7 monitoring where feasible
✅ Backups with at least one offline or immutable tier, restore tested quarterly
✅ Email filtering and monthly phishing simulations
✅ Patch critical internet-facing vulnerabilities within 7 to 15 days
✅ Unique named admin accounts with password manager enforced
✅ Incident response plan documented and tabletop tested twice per year
(Aligned to NIST CSF 2.0 Identify, Protect, Detect, Respond, Recover)[2]
How Southern General Agency Helps You Bind Faster
Southern General Agency offers cyber placements for hundreds of professions, with admitted options and fast online processing via Hiscox NOW, ideal for small businesses that already meet the controls above.[6]
In-house premium financing is also available to keep cash flow smooth on larger limits or add-on coverages.[7]
Next steps:
- Run the checklist
- If you have gaps, we will show you the minimums needed to quote
- When ready, we will turn around options, often same day for qualified risks
References
[1] Verizon. 2025 Data Breach Investigations Report (Full + Executive Summary + SMB Snapshot).
[2] NIST. Cybersecurity Framework (CSF) 2.0 (Official release, Feb 26, 2024).
[3] Hiscox. Cyber Readiness Report 2025.
[4] ConnectWise. Cyber Insurance Requirements 2025.
[5] Field Effect. Insurers’ 2025 Cybersecurity Expectations.
[6] Southern General Agency. Hiscox NOW Cyber & Professional Liability Programs.
[7] Southern General Agency. Premium Financing Solutions.