Cyber Insurance Readiness Audit
Answer 34 granular sub-questions across MFA, patching, backups, payee verification, dual-authorisation and security training. Get a 0–100 readiness score, per-control pass rates, and the exact sub-controls to fix before renewal.
1. Is Multi-Factor Authentication (MFA) required for:
Critical for insurance. Insurers treat MFA as table stakes. Any gap on this list is the first question an insurer asks, and the first ground for rejection.
- Remote access (VPN, RDP, remote desktop)
- Webmail (Microsoft 365, Google Workspace)
- All admin / privileged accounts
- Cloud backups (Datto, N-able Cove, Veeam, etc.)
- Cloud storage (OneDrive, SharePoint, Drive, Dropbox)
- Financial services / banking portals
- Line-of-business apps (CRM, ERP, payroll, industry SaaS)
2. Are critical security patches applied within 30 days for:
Critical for insurance. Most denied cyber claims involve a vulnerability that had a patch available more than 30 days before the breach.
- Workstation operating systems (Windows, macOS)
- Server operating systems
- Web browsers (Chrome, Edge, Safari, Firefox)
- Microsoft 365 / Office desktop apps
- Network equipment (firewalls, switches, APs)
- Third-party apps (Adobe, Java, PDF readers, etc.)
3. Are critical backups kept offline or segregated from production:
Critical for insurance. If ransomware can reach your backups, you don't have backups. Insurers want to see at least one isolated copy.
- Immutable cloud backups (S3 Object Lock, vendor-locked snapshots)
- Air-gapped / offline local copy (rotated offline drives or tape)
- Backups on a separate identity tenant / domain
- Backup admin accounts separated from production admin accounts
4. Are your backups encrypted, MFA-protected and tested:
Critical for insurance. Encryption protects data at rest; MFA stops an attacker with admin credentials from wiping recovery; a test proves the restore actually works.
- Encrypted at rest (AES-256 or equivalent)
- MFA enforced on the backup admin console
- Full restore tested in the last 90 days
- Documented restore runbook (who does what, in what order)
5. Are payee and banking changes verified out-of-band for:
Catches the most common forms of invoice and CEO fraud: a bad actor emails 'updated bank details' and gets paid.
- Adding a new payee (verbal callback to a known phone number)
- Changing existing payee bank details
- Wire transfers over $10,000
- Payroll bank account changes
6. Is dual-authorisation required for:
Two-person rule on sensitive money moves. Required by most policies that cover funds-transfer fraud.
- Transfers over $10,000
- Supplier / vendor changes
- Payroll changes
- Expense reimbursements over $1,000
7. Is security awareness training in place for:
Quarterly micro-training plus simulated phishing is the gold standard. Insurers increasingly ask which platform you use.
- All staff (at least annually)
- Quarterly simulated phishing campaigns
- New starters receive training as part of onboarding
- Targeted training for finance / payroll staff
- Specialised training for IT admins (least privilege, hardening)
