Compliance Frameworks
Regulatory coverage mapping for HIPAA, PCI-DSS, NIST, CMMC, SOC 2
Major frameworks covered: HIPAA, PCI, NIST, CMMC and more.
Headline figures shown on the original page (values not preserved in this copy): higher insurance cost without MFA + EDR controls; average HIPAA fine per breach incident (USD); share of SMBs that close within 6 months of a breach.
CIS Controls → Cyber Insurance
Cyber insurers have converged on a core set of technical controls that they require — or heavily weight — at underwriting and renewal. Every mandatory insurance requirement maps directly to a CIS Control group that Microsoft 365 satisfies. Implementing M365 security properly doesn't just improve your posture — it directly reduces premiums and prevents claim denials.
Insurance underwriting requirements
Multi-Factor Authentication
MFA enforced for all users accessing email and cloud services
Nearly every cyber insurer now mandates MFA for all users — not just admins — as a baseline underwriting requirement. Non-compliance results in higher premiums or outright denial.
How M365 satisfies this:
Entra ID Conditional Access enforces MFA for all users on every sign-in, including legacy clients. Security Defaults provide a no-config baseline for organisations not yet using Conditional Access.
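As an added example (not code from the original page or from Microsoft), the following Python check evaluates Conditional Access policies in the shape returned by Microsoft Graph against the insurer's "MFA for all users" requirement: it looks for an enforced all-users, all-apps MFA policy and, because legacy-authentication clients cannot complete an MFA prompt, for a separate enforced policy that blocks them. The sample policies and the break-glass account id are constructed.

```python
# Added example, not from the original page: check Conditional Access policies (shape
# of Graph GET /identity/conditionalAccess/policies) against "MFA for all users".

SAMPLE_POLICIES = [  # constructed sample export, not a real tenant
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeGroups": [],
                   "excludeUsers": ["<break-glass-account-id>"]},  # placeholder id
         "applications": {"includeApplications": ["All"], "excludeApplications": []},
         "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",  # report-only: not enforced
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeGroups": [], "excludeUsers": []},
         "applications": {"includeApplications": ["All"], "excludeApplications": []},
         "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _enforced_for_everyone(p):
    """Enabled (not report-only), all users, all cloud apps, no app exclusions."""
    c = p["conditions"]
    return (p["state"] == "enabled" and "All" in c["users"]["includeUsers"]
            and "All" in c["applications"]["includeApplications"]
            and not c["applications"]["excludeApplications"])

def _grants(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def mfa_for_all_users(policies, max_excluded_users=1):
    """Enforced MFA for everyone; only a few break-glass accounts excluded, no groups."""
    return any(_enforced_for_everyone(p) and "mfa" in _grants(p)
               and not p["conditions"]["users"]["excludeGroups"]
               and len(p["conditions"]["users"]["excludeUsers"]) <= max_excluded_users
               for p in policies)

def legacy_auth_blocked(policies):
    """Legacy-auth clients cannot answer an MFA prompt, so they must be blocked outright."""
    return any(_enforced_for_everyone(p) and "block" in _grants(p)
               and ("all" in p["conditions"]["clientAppTypes"]
                    or {"exchangeActiveSync", "other"} <= set(p["conditions"]["clientAppTypes"]))
               for p in policies)

def underwriting_gaps(policies):
    gaps = []   # findings an underwriter would raise against the MFA requirement
    if not mfa_for_all_users(policies):
        gaps.append("no enforced all-users, all-apps MFA policy")
    if not legacy_auth_blocked(policies):
        gaps.append("legacy authentication not blocked")
    return gaps
```

Run `underwriting_gaps` over a real export of the tenant's policies; an empty list is the evidence the underwriting questionnaire asks for.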
MFA enforced for all privileged/admin accounts
Privileged account compromise is the most destructive event insurers cover. Admin MFA is universally mandatory across all major insurers.
How M365 satisfies this:
Entra PIM requires MFA activation for all privileged role assignments. Conditional Access admin policies enforce MFA at every admin sign-in regardless of location or device.
Endpoint Detection & Response
EDR deployed on all endpoints — not just antivirus
The majority of ransomware claim denials cite lack of EDR. Insurers distinguish between AV (signature-based) and EDR (behavioural). AV alone is no longer sufficient.
How M365 satisfies this:
MDE provides full EDR capabilities — behavioural detection, threat hunting, live response, and automated investigation — across all managed Windows, macOS, iOS, and Android devices.
Email Security
Advanced email filtering beyond basic spam/malware (anti-phishing, sandboxing)
Insurers increasingly ask specifically about anti-phishing and attachment sandboxing — recognising that basic EOP-level filtering does not stop modern BEC and spear-phishing attacks.
How M365 satisfies this:
MDO P1 provides Safe Links (real-time URL detonation) and Safe Attachments (sandbox). MDO P2 adds Attack Simulation Training and advanced anti-phishing with impersonation protection.
Privileged Access Management
No standing privileged access — just-in-time admin activation required
Standing admin access is a critical risk factor. Insurers increasingly require PAM or JIT access controls for privileged accounts as a condition of coverage.
How M365 satisfies this:
Entra PIM implements just-in-time privileged access with time-limited activation, approval workflows, and MFA requirement. Purview PAM adds JIT approval for specific M365 admin tasks.
Security Awareness Training
Documented security awareness training programme with phishing simulations
Insurance applications specifically ask for evidence of security training frequency and phishing simulation results. Ad hoc training does not satisfy this requirement.
How M365 satisfies this:
MDO P2 Attack Simulation Training provides a documented, measurable programme — running phishing simulations with automatic training assignment and click-rate analytics for insurance evidence.
Patch Management
Critical patches applied within 30 days; high within 90 days
Insurers ask for patch SLAs and evidence of compliance. Unpatched systems that were known at the time of a breach can void claims.
How M365 satisfies this:
Intune automates Windows and M365 Apps patch deployment. Defender Vulnerability Management tracks CVE remediation timelines and provides evidence of compliance with patch SLAs.
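An added example, not code from the original page or from Defender Vulnerability Management: a Python check that scores findings against the 30-day critical / 90-day high SLA stated above and lists which findings were already overdue on a given date, which is what a claims adjuster looks for after a breach. The findings, device names, CVE ids and field names are constructed placeholders.

```python
# Added example, not from the original page: score findings against the patch SLA
# insurers ask for (critical 30 days, high 90) and list what was overdue on a given
# date. Findings are constructed, in a simplified shape of a DVM export.
from datetime import date, timedelta
SLA_DAYS = {"Critical": 30, "High": 90}   # the page's SLA; other severities untracked

FINDINGS = [  # constructed sample data with placeholder CVE ids, not a real export
    {"device": "fs01", "cve": "CVE-placeholder-1", "severity": "Critical",
     "first_seen": "2024-03-01", "fixed": "2024-03-20"},
    {"device": "ws-14", "cve": "CVE-placeholder-2", "severity": "Critical",
     "first_seen": "2024-03-01", "fixed": None},
    {"device": "app02", "cve": "CVE-placeholder-3", "severity": "High",
     "first_seen": "2024-01-10", "fixed": "2024-05-01"},
    {"device": "app02", "cve": "CVE-placeholder-4", "severity": "Medium",
     "first_seen": "2024-01-10", "fixed": None},
]

def due_date(finding):
    """Deadline implied by the SLA, or None when the severity has no SLA."""
    days = SLA_DAYS.get(finding["severity"])
    return date.fromisoformat(finding["first_seen"]) + timedelta(days=days) if days else None

def overdue_on(findings, as_of):
    """Findings still open and past their SLA on `as_of` (ISO date, e.g. the breach date)."""
    day = date.fromisoformat(as_of)
    return [f for f in findings
            if (due := due_date(f)) and due < day
            and (f["fixed"] is None or f["fixed"] > as_of)]   # ISO strings order correctly

def sla_report(findings, as_of):
    """Per-severity evidence as of a date: tracked, met, still within SLA, breached."""
    day = date.fromisoformat(as_of)
    report = {sev: {"tracked": 0, "met": 0, "within_sla": 0, "breached": 0}
              for sev in SLA_DAYS}
    for f in findings:
        due = due_date(f)
        if due is None:
            continue                     # severity outside the SLA scope
        row = report[f["severity"]]
        row["tracked"] += 1
        # a fix applied after the report date does not count yet
        fixed = date.fromisoformat(f["fixed"]) if f["fixed"] and f["fixed"] <= as_of else None
        if fixed and fixed <= due:
            row["met"] += 1
        elif not fixed and day <= due:
            row["within_sla"] += 1
        else:
            row["breached"] += 1         # still open past deadline, or fixed late
    return report
```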
Backup & Recovery
Regular, tested backups stored offline or immutably; tested recovery procedures
Backup coverage is the single most important factor in ransomware claim outcomes. Insurers require documented testing — not just the existence of backups.
How M365 satisfies this:
Microsoft 365 Backup provides immutable backup of Exchange, SharePoint, and OneDrive with point-in-time restore. Purview retention policies provide a secondary protection layer.
Incident Response
Documented and tested incident response plan
Most insurers ask whether the IR plan has been tested in the last 12 months. An untested plan is treated the same as no plan by claims adjusters.
How M365 satisfies this:
Defender XDR provides built-in IR workflows, guided response playbooks, and automatic attack disruption. Sentinel SOAR automates common IR tasks. Microsoft Incident Response retainer services are also available.
Data Loss Prevention
Technical controls preventing exfiltration of sensitive data
Insurers covering data breach liability increasingly require DLP controls that technically prevent — not just detect — data exfiltration.
How M365 satisfies this:
Purview DLP blocks sensitive data from leaving via email, Teams, SharePoint, OneDrive, and endpoints. Adaptive Protection tightens DLP automatically for high-risk users.
Access Control
Least-privilege access and regular access reviews
Broad access grants increase the blast radius of any compromise. Insurers ask for evidence of access review processes.
How M365 satisfies this:
Entra ID Access Reviews automate periodic reviews of group membership and role assignments. Conditional Access enforces least-privilege at every sign-in based on user and device risk.
Audit Logging
Security logs retained for a minimum of 12 months and monitored
Insurance carriers and incident response firms need 12+ months of logs to reconstruct a breach timeline. 90-day retention is insufficient for most investigations.
How M365 satisfies this:
Purview Audit Premium retains all M365 activity logs for 1 year, including MailItemsAccessed (critical for BEC investigations). Microsoft Sentinel extends this to a full SIEM with alerting and 2-year retention.
Real-world insurance scenarios
Ransomware claim denied — no EDR, no MFA
A 180-person manufacturing company pays $1.8M in ransomware. Their insurer denies the claim after discovering that EDR was not deployed on production servers and MFA was not enforced for remote access — both required under the policy.
BEC claim — $240K wire fraud covered
A 90-person professional services firm loses $240K to a BEC attack. The insurer approves the claim after confirming all required controls were in place — and MDE/MDO forensics provided the evidence needed.
Premium reduced 18% after M365 E5 deployment
A 250-person healthcare company renews their cyber insurance after deploying M365 E5. Their broker presents a security controls evidence package from Secure Score and Compliance Manager. The insurer reduces the premium by 18%.