“We thought it was covered.”
This phrase marks the start of a fight over cyber insurance coverage. An organization believes its controls are solid, policies are aligned, and the security team is confident. Then, an incident occurs, and a technical investigation exposes gaps between policy and reality.
The issue isn't intent—it's proof.
By 2026, audit-ready evidence must meet strict standards that go far beyond screenshots and policy documents.
The Six-Part Evidence Trail
Defensible proof isn't a screenshot from last quarter. It's a coherent evidence trail with six connected elements:
- Asset identification
- Control requirement
- Deployment coverage
- Configuration proof
- Operational evidence
- Timestamps
This structure allows you to answer both underwriter questions (“Were controls in place when you applied?”) and post-incident questions (“Were controls in place when the breach occurred?”).
In part two of our blog series on cyber insurance, we are breaking down what this looks like for each of the three gatekeeper controls discussed in the previous post: Why “We Have MFA” No Longer Guarantees Cyber Insurance.
MFA Evidence: Beyond “It's Enabled”
Saying “we have MFA” isn't evidence. Insurers want to know which MFA methods are used on which accounts, with which enforcement rules, and with which exceptions.
Audit-Ready MFA Evidence Includes:
- Enrollment proof: A report showing that all 847 accounts, including the 23 privileged accounts, have a hardware security key or passkey enrolled, with the method documented per account (hardware keys for 820 accounts, passkeys for 27).
- Enforcement evidence: Authentication logs from the past 30 days showing zero successful password-only sign-ins. Failed password-only attempts are fine; a successful one means MFA was optional for that account, and that is what the underwriter will find.
- Exception documentation: Documentation of how break-glass emergency access is protected—time-limited credentials (automatically expire after 4 hours), logged access events (every use triggers a security alert), and monitoring alerts when used (SOC reviews within 15 minutes).
- Configuration proof: Evidence showing that MFA is required (not optional) and that “remember this device” settings are limited to 24 hours or disabled entirely. Settings that allow users to skip MFA for extended periods undermine the control.
Why This Matters: A common coverage dispute involves temporary or emergency accounts that were granted MFA exceptions “just for a few days.” If those accounts are exploited, and you can't prove they were documented exceptions with compensating controls and defined expiration dates, you're in a coverage dispute.
Example of a defensible exception: “Break-glass Account BG-01: Exempt from standard MFA due to emergency recovery requirements. Compensating controls: time-limited credentials (4-hour expiration), access logging with SOC alert, and monthly access review. Last used: 2025-12-15. Next review: 2026-02-01.”
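The enforcement and exception evidence above is a log-analysis problem: take a sign-in export, count successful sign-ins by factor class, and flag anything that is password-only without a documented, unexpired exception or that relies on a long "remember this device" window. The script below is an added example, not code from the original post or from any identity provider. It assumes a generic JSON-lines export with the field names shown in SAMPLE_LOG (a constructed sample, not real logs); real exports use different names and need a mapping step first.

```python
"""Turn a sign-in export into MFA enforcement evidence (added example)."""
import json
from collections import Counter
from datetime import datetime, timezone

# Factor names are assumptions for this example; map your IdP's names onto them.
PHISHING_RESISTANT = {"fido2", "passkey"}
WEAK_SECOND_FACTORS = {"totp", "sms", "push"}

# Documented MFA exceptions: account -> expiry (UTC). Constructed register.
EXCEPTIONS = {
    "bg-01": datetime(2026, 2, 1, tzinfo=timezone.utc),
}

# Constructed sample export; six sign-ins, one of them a failure.
SAMPLE_LOG = """\
{"ts": "2026-01-18T08:02:11Z", "user": "alice", "result": "success", "factors": ["password", "fido2"], "remember_device_days": 0}
{"ts": "2026-01-18T08:05:40Z", "user": "bob", "result": "success", "factors": ["password", "totp"], "remember_device_days": 30}
{"ts": "2026-01-18T09:11:03Z", "user": "svc-legacy", "result": "success", "factors": ["password"], "remember_device_days": 0}
{"ts": "2026-01-18T10:40:00Z", "user": "bg-01", "result": "success", "factors": ["password"], "remember_device_days": 0}
{"ts": "2026-02-03T02:15:22Z", "user": "bg-01", "result": "success", "factors": ["password"], "remember_device_days": 0}
{"ts": "2026-01-18T11:00:00Z", "user": "carol", "result": "failure", "factors": ["password"], "remember_device_days": 0}
"""


def parse_log(text):
    """Parse JSON lines into dicts, converting `ts` to an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def classify(factors):
    """Label a sign-in by the strongest factor it used."""
    used = set(factors)
    if used & PHISHING_RESISTANT:
        return "phishing-resistant"
    if used & WEAK_SECOND_FACTORS:
        return "weak-mfa"
    return "password-only"


def mfa_evidence(events, exceptions=EXCEPTIONS, max_remember_days=1):
    """Return per-class counts plus the findings an underwriter would ask about.

    Only successful sign-ins count: a failed password-only attempt is the
    control working, not a bypass.
    """
    counts = Counter()
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        kind = classify(ev["factors"])
        counts[kind] += 1
        if kind == "password-only":
            expiry = exceptions.get(ev["user"])
            if expiry is None:
                findings.append((ev["user"], ev["ts"], "password-only sign-in with no documented exception"))
            elif ev["ts"] > expiry:
                findings.append((ev["user"], ev["ts"], "password-only sign-in after the exception expired"))
        if ev["remember_device_days"] > max_remember_days:
            findings.append((ev["user"], ev["ts"],
                             f"remember-device window of {ev['remember_device_days']}d exceeds {max_remember_days}d"))
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    report = mfa_evidence(parse_log(SAMPLE_LOG))
    print("Successful sign-ins by factor class:", report["counts"])
    for user, ts, why in report["findings"]:
        print(f"FINDING {ts.isoformat()} {user}: {why}")
```

Run against the sample, the report shows three password-only sign-ins but only two findings from them: the first bg-01 sign-in falls inside its documented exception window, the second falls after the expiry date, and svc-legacy has no exception at all. The 30-day remember-device window on bob's session is reported separately, because it is a configuration problem rather than a missing enrollment.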
EDR Evidence: Beyond “Agents Are Installed”
Having EDR agents deployed is table stakes. The evidence question is: Are those agents actually protecting your environment?
Audit-Ready EDR Evidence Includes:
- Deployment coverage: Records showing 100% coverage of in-scope endpoints: 675 in total, 628 workstations and 47 servers, including the 12 Linux servers running specialized applications. Not “we cover most systems” but exact counts with asset identifiers.
- Monitoring evidence: A service agreement with your MDR provider (or internal SOC documentation) showing 24/7/365 monitoring with documented response procedures, escalation paths, and mean-time-to-respond SLAs (target: under 30 minutes for critical alerts).
- Alert response proof: Logs demonstrating that EDR alerts are being reviewed and responded to, not just collected. Insurers have seen cases where EDR was “installed,” but alerts were ignored for weeks because no one was monitoring the console.
- Agent health and configuration: Evidence that EDR is in “prevent” mode (not just “detect”) for critical threat categories, and that agents are reporting successfully rather than offline or degraded: for example, a report showing 675 agents with 672 active and 3 requiring attention, each with remediation in progress. An installed agent that has stopped checking in is a gap, whatever the deployment count says.
- Exception documentation: If systems exist without EDR, document why (legacy OS not supported by current EDR solution), what compensating controls are in place (network isolation, enhanced logging to SIEM), and when they'll be remediated or decommissioned (scheduled for Q2 2026 retirement).
Why This Matters: If an attacker compromises a system with an installed EDR agent but no monitoring, insurers will argue that the control wasn't “operating as intended,” a common policy exclusion. The existence of the tool isn't enough; you must prove it was being used effectively.
Real-world scenario: An organization had EDR deployed and in prevent mode on 98% of its endpoints. The remaining 2% included a developer workstation that was later compromised through a supply-chain attack. The agent was installed on it but set to “monitor only” mode to avoid interfering with development work. The insurer argued the control was present but not effective, triggering a coverage dispute.
Backup Evidence: Beyond “We Run Nightly Backups”
Backup disputes are among the costliest because they often involve ransomware scenarios where the backup system itself is compromised, or backups can't be restored under pressure.
Audit-Ready Backup Evidence Includes:
- Immutability proof: Configuration reports showing immutability enabled across all backup repositories, ensuring backups cannot be deleted or encrypted, even by administrators with privileged access. This must be enforced at the storage level, not just at the policy level.
- Credential separation: Evidence that backup administrator credentials are protected by separate MFA, not dependent on the primary domain. If your backups use domain admin credentials, and the domain admin is compromised, your backups are compromised. Show that backup credentials exist in a separate identity system with independent authentication.
- Restore testing logs: Records from the past 60 days showing successful recovery of critical systems—database server (restored to test environment in 4.2 hours), file server (restored to test environment in 2.1 hours), email system (restored to test environment in 6.8 hours)—with documented recovery time objectives and actual recovery times achieved.
- Retention and versioning: Evidence showing that backups span the required retention period (typically 30-90 days for insurance requirements) and are stored in locations that would survive site failures (on-premises primary, cloud secondary, geographically separated).
- Air-gap documentation: If air-gapped or offline backups are used as an additional layer, document the gap schedule (how often and for how long the media are connected to the network, for example a daily sync followed by disconnection), the physical security controls, and the restoration procedure.
Why This Matters: The most expensive ransomware cases involve organizations that “had backups” but couldn't restore them under pressure. Common failures include:
- Backups were encrypted because the backup credentials were compromised along with the domain admin credentials.
- Backups existed, but the restoration process had never been tested, and it failed during the crisis.
- Backups were overwritten on a 7-day rotation, and the attack went undetected for 14 days.
- Backup repositories were deletable, and attackers deleted them before deploying ransomware.
Insurers now require proof of tested recovery capability, not just backup existence.
Example of defensible backup evidence: “Three backup repositories configured with immutability (cannot be deleted for 90 days after creation). Backup admin credentials are managed in a separate CyberArk instance with hardware key MFA. Last restore test: 2026-01-15, successfully restored production database to test environment in 4.2 hours (within 6-hour RTO requirement). Backups retained for 90 days across three locations: on-premises primary, AWS secondary, Azure tertiary.”
The Universal Elements: What Every Control Needs
Regardless of the specific control, audit-ready evidence must include six elements:
- Asset identification: Which specific systems or accounts are in scope: “847 user accounts,” not “all user accounts.”
- Control requirement: What standard applies: “phishing-resistant MFA,” not just “MFA.”
- Deployment coverage: Percentage and specifics of where it's deployed: “100% coverage (847/847 accounts),” not “mostly deployed.”
- Configuration proof: How it's configured: “hardware keys required, no exceptions,” not “MFA enabled.”
- Operational evidence: Proof it's monitored, tested, and producing results: “24/7 MDR monitoring with 30-minute response SLA,” not “we have a security team.”
- Timestamps: When this evidence was collected: “Evidence collected: 2026-01-20”, not undated screenshots.
Control Coverage Maps: The Master View
Beyond individual control evidence, leading organizations maintain control coverage maps that show the complete picture:
A matrix showing:
- Rows: All in-scope assets (accounts, endpoints, systems, services)
- Columns: All required controls (MFA, EDR, backup, patching, logging, etc.)
- Cells: Coverage status (✓ Deployed, ⚠ Exception, ✗ Gap)
This map allows you to answer questions like:
- “What percentage of privileged accounts have phishing-resistant MFA?” → 100% (23/23)
- “How many endpoints lack EDR coverage?” → 3 (documented exceptions with compensating controls)
- “Which systems aren't included in our backup scope?” → 2 (test/dev systems explicitly excluded)
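The coverage map is just an assets-by-controls matrix with a status rule per cell, and the three questions above are queries over it. The script below is an added example, not code from the original post, that builds such a map from a constructed inventory and exception register (in practice these come from the identity provider, the EDR console and the backup server, each export stamped with the time it was collected). It also encodes the EDR points made earlier: an agent that is installed but in detect-only mode, or not reporting, is scored as a gap rather than as deployed, and an exception that has passed its expiry date becomes a gap too. Asset kinds, control applicability and the status symbols are assumptions for the example.

```python
"""Control coverage map: rows are assets, columns are controls (added example)."""
from datetime import datetime, timezone

DEPLOYED, EXCEPTION, GAP = "✓", "⚠", "✗"
# Which controls apply to which asset kinds (assumption for this example).
APPLIES = {"mfa": {"account"}, "edr": {"workstation", "server"}, "backup": {"server"}}
# The control requirement is phishing-resistant MFA, not "any MFA".
PHISHING_RESISTANT = {"fido2", "passkey"}
# When the evidence was collected; every answer below is relative to this.
COLLECTED_AT = datetime(2026, 1, 20, tzinfo=timezone.utc)

# Constructed inventory (not real assets).
ASSETS = [
    {"id": "u-alice", "kind": "account", "privileged": True, "mfa": "fido2"},
    {"id": "u-bob", "kind": "account", "privileged": False, "mfa": "totp"},
    {"id": "u-bg-01", "kind": "account", "privileged": True, "mfa": None},
    {"id": "ws-0001", "kind": "workstation", "edr": {"state": "active", "mode": "prevent"}},
    {"id": "ws-0002", "kind": "workstation", "edr": {"state": "active", "mode": "detect"}},
    {"id": "srv-db-01", "kind": "server", "edr": {"state": "active", "mode": "prevent"}, "backup": True},
    {"id": "srv-legacy", "kind": "server", "edr": None, "backup": True},
    {"id": "srv-dev-01", "kind": "server", "edr": {"state": "active", "mode": "prevent"}, "backup": False},
    {"id": "srv-dev-02", "kind": "server", "edr": {"state": "offline", "mode": "prevent"}, "backup": False},
]

# Exception register: (asset id, control) -> expiry (UTC). Constructed.
EXCEPTIONS = {
    ("u-bg-01", "mfa"): datetime(2026, 2, 1, tzinfo=timezone.utc),
    ("srv-legacy", "edr"): datetime(2026, 6, 30, tzinfo=timezone.utc),
    ("srv-dev-01", "backup"): datetime(2026, 12, 31, tzinfo=timezone.utc),
    ("srv-dev-02", "backup"): datetime(2026, 12, 31, tzinfo=timezone.utc),
}


def is_effective(asset, control):
    """Deployed *and* configured the way the requirement demands."""
    if control == "mfa":
        return asset.get("mfa") in PHISHING_RESISTANT
    if control == "edr":
        agent = asset.get("edr")
        # Installed but detect-only, or not reporting, does not count.
        return bool(agent) and agent["state"] == "active" and agent["mode"] == "prevent"
    return bool(asset.get("backup"))


def cell(asset, control, now):
    """One cell: deployed, documented unexpired exception, or gap."""
    if is_effective(asset, control):
        return DEPLOYED
    expiry = EXCEPTIONS.get((asset["id"], control))
    # An expired exception is a gap, however well it was documented once.
    if expiry is not None and now <= expiry:
        return EXCEPTION
    return GAP


def build_map(assets, now=COLLECTED_AT):
    """Rows: assets. Columns: only the controls that apply to that asset kind."""
    return {
        a["id"]: {c: cell(a, c, now) for c, kinds in APPLIES.items() if a["kind"] in kinds}
        for a in assets
    }


def coverage(cmap, assets, control, predicate=lambda a: True):
    """(deployed, in-scope) for one control over a subset of the assets."""
    scoped = [a for a in assets if control in cmap[a["id"]] and predicate(a)]
    deployed = sum(cmap[a["id"]][control] == DEPLOYED for a in scoped)
    return deployed, len(scoped)


def not_deployed(cmap, control):
    """Assets where the control is not effective, split into exceptions and gaps."""
    out = {EXCEPTION: [], GAP: []}
    for asset_id, row in cmap.items():
        if control in row and row[control] != DEPLOYED:
            out[row[control]].append(asset_id)
    return out


def render(cmap, now=COLLECTED_AT):
    """Text view of the map, timestamped, for the evidence package."""
    controls = list(APPLIES)
    lines = [f"Evidence collected: {now.isoformat()}",
             f"{'asset':<12} " + "  ".join(f"{c:>6}" for c in controls)]
    for asset_id, row in cmap.items():
        lines.append(f"{asset_id:<12} " + "  ".join(f"{row.get(c, '-'):>6}" for c in controls))
    return "\n".join(lines)


if __name__ == "__main__":
    cmap = build_map(ASSETS)
    print(render(cmap))
    d, n = coverage(cmap, ASSETS, "mfa", lambda a: a.get("privileged"))
    print(f"Privileged accounts with phishing-resistant MFA: {d}/{n}")
    print("Endpoints lacking effective EDR:", not_deployed(cmap, "edr"))
    print("Systems outside backup scope:", not_deployed(cmap, "backup"))
```

Two design points matter here. First, the cell rule scores on the control requirement, so u-bob's TOTP shows as a gap even though “MFA is enabled” for that account; that is the difference between “MFA” and “phishing-resistant MFA” in the Universal Elements list. Second, re-running build_map with a later collection date flips u-bg-01 from exception to gap once its documented exception expires, which is exactly the dispute the break-glass example is meant to avoid.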
From Reactive Scrambling to Proactive Readiness
The organizations succeeding with evidence-based insurability share one characteristic: they treat evidence collection as a continuous process, not an annual fire drill during renewal season.
When evidence is collected continuously—with clear asset scope, measured control coverage, and timestamped proof—three things happen:
- Renewals become faster because you're providing comprehensive evidence upfront, not responding to follow-up questions for weeks.
- Claim disputes decrease because there's a documented trail showing what was in place and when.
- Audit cycles shrink because you can produce evidence packages on demand rather than scrambling to reconstruct what was true six months ago.
The shift from “we have it” to “here's the proof” isn't just about satisfying insurers. It's about knowing, with confidence, that your controls are protecting your environment the way you think they are.