Cyber Insurance

When was the last time your clinic actually checked?

Most cyber insurance policies require a handful of security controls just to qualify for coverage. It would be a shame to find out, after a breach, that one was never applied from the start. Here is the plain-language checklist.

Why This Matters

The fine print becomes real after a breach.

When a clinic buys cyber insurance, the application asks whether certain security controls are in place. It is easy to tick the boxes and move on. The problem shows up later: if there is a breach and the insurer finds a required control was missing, or was never actually configured, the claim can be reduced or denied.

So these are not just best practices. They are the conditions your coverage depends on. The list below is the set we see most often, in plain terms, with how a clinic or its IT provider would actually meet each one.

Core controls: offline backups, multi-factor authentication, VPN for remote access, security training, patching and updates, email scanning, endpoint protection.

One missing control is the crack in the shield. After a breach, that is the gap the insurer looks for.
The Requirements

The four that qualify you for coverage.

Required · missing any of these can void a claim

1. Tested offline backups

Back up critical data regularly to a cold, offline, or immutable location that a problem with your live environment cannot reach, and test that the backups actually restore. Daily is the goal, and insurers increasingly want to see that restores are tested, not just that backups run. If you can recover quickly, ransomware loses its leverage. Many platforms have backup built in; otherwise use a cloud backup service or external drives kept disconnected and secured.
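One way to turn "backups run" into "restores are tested and documented", as an added example that is not Clinibyte's tooling or part of the original post: this Python script archives a constructed sample, restores it into scratch space, compares SHA-256 hashes, and returns a dated record you can keep as evidence. The file names, the tar format and the fields of the evidence record are assumptions made for the example.

```python
import datetime
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzipped tar of src and return the manifest captured at backup time."""
    expected = manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in expected:
            tar.add(src / rel, arcname=rel)
    return expected


def restore_test(archive: Path, expected: dict) -> dict:
    """Restore into scratch space, compare with the manifest, return an evidence record."""
    # On Python versions that have it, the "data" filter refuses members that escape the target.
    safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **safe)
        restored = manifest(Path(scratch))
    missing = sorted(set(expected) - set(restored))
    changed = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {"tested_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "archive": archive.name, "files_checked": len(expected),
            "missing": missing, "changed": changed, "ok": not (missing or changed)}


def demo() -> tuple:
    """Constructed sample: two small files, one clean restore test, then one
    run against a tampered manifest to show what a failed restore looks like."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "clinic-data")
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "visit-001.txt").write_text("constructed sample record\n")
        (src / "schedule.csv").write_text("date,patient_id\n2024-01-02,C001\n")
        archive = Path(work, "backup.tar.gz")
        expected = create_backup(src, archive)
        good = restore_test(archive, expected)
        tampered = dict(expected, **{"schedule.csv": "0" * 64, "ghost.txt": "0" * 64})
        return good, restore_test(archive, tampered)
```

Scheduling this against a real archive and filing each returned record is what lets you show an insurer that restores were tested on a given date, not merely that backup jobs ran.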

2. Multi-factor authentication (MFA)

Require MFA on cloud email and on all remote access to your network, and increasingly on admin accounts too. A password alone is no longer enough, especially for cloud services like Microsoft 365. MFA adds a second check at sign-in, so a stolen password is not enough on its own. Favour phishing-resistant methods (an authenticator app with number matching, or a hardware key) over text-message codes, which insurers now treat as the weak option. It is built into most cloud services and just needs enabling.

3. No remote access without a VPN

Do not expose remote-access services directly to the internet. Attackers constantly scan for open Remote Desktop (RDP) and probe it for weaknesses. Putting remote access behind a VPN hides it and adds a strong layer of protection. Many routers and firewalls already include VPN functionality that just needs to be turned on.

4. Annual security awareness training

At least once a year, provide cyber security awareness training, including anti-phishing, to everyone with access to your network or to confidential and personal data. Staff are the front line, and technical defences only go so far. Training helps people spot the risk before it becomes an incident.

The Requirements

The three that round it out.

Required · expected on any clinic we secure

5. Patch promptly, retire end-of-life software

Apply critical updates as soon as practical, and stop using software that is no longer supported. Patches fix the vulnerabilities attackers rely on, so keeping current is a core security task, not an optional chore. Many policies now exclude losses traced to an unpatched, known vulnerability, so this one protects both your systems and your claim. When a vendor announces a product is end of life, plan its replacement.

6. Scan incoming email for malicious content

Email is the top way attackers reach your staff. An email gateway filters spam, viruses, and phishing before it lands, quarantining or blocking malicious messages. Most email platforms offer basic filtering that should be enabled; specialist gateways do more.

7. Endpoint protection on every device

Protect every device with endpoint detection and response (EDR), not just legacy anti-virus. Insurers now ask for EDR by name, because it does more than block known malware: it logs activity so you can spot the patterns that signal an attacker is already inside, something a firewall or basic AV cannot do.

The Catch

Ticked is not the same as applied.

The gap that voids claims: a control marked "yes" on the application but never actually configured, MFA bought but not enforced, backups running but never test-restored, a VPN installed but RDP still open. After a breach, the insurer checks what was real, not what was promised.

This is why the controls need to be genuinely in place and documented from the start. The difference between a paid claim and a denied one is often whether you can show the control was working, not just that it was purchased.

Where The Bar Is Heading

The list keeps growing.

Underwriters tighten their requirements every renewal. Beyond the seven above, applications increasingly ask for a few more, and it is worth getting ahead of them:

+ A tested incident response plan

A short written plan for who does what in the first hour and the first week of a breach, reviewed or exercised within the last year. Insurers want to know you will not be improvising.

+ Email authentication (SPF, DKIM, DMARC)

Records that stop attackers from spoofing your clinic's domain and help your own mail land safely. Increasingly expected alongside the email scanning above.

+ Separated admin accounts

Day-to-day work does not happen on an account with admin rights. Keeping privileged access separate limits how far an attacker gets with one stolen login.
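An added example for the email authentication item above, not part of the original post or Clinibyte's tooling: a Python checker that reads a domain's SPF and DMARC record text and reports whether they actually stop spoofing, illustrated with constructed records for a made-up clinic.example domain. A DMARC record published with p=none is the "ticked but not enforced" case: it exists, but receivers are still told to deliver forged mail. DNS lookup is left out so the check runs offline on record text you have already fetched, and the finding wording is the example's own.

```python
ENFORCING_ALL = {"-all", "~all"}  # fail / softfail: unlisted senders are not trusted

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a lowercase-tag dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record) -> list:
    """Findings for the domain's SPF TXT record (None means none is published)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record; receivers have no list of your legitimate senders"]
    final = record.lower().split()[-1]
    if final in ("+all", "all", "?all"):
        return [f"SPF: ends in {final}, so forged senders are never failed"]
    if final not in ENFORCING_ALL:
        return ["SPF: no terminating all mechanism; end the record with ~all or -all"]
    return []

def check_dmarc(record) -> list:
    """Findings for the TXT record at _dmarc.<domain> (None means none is published)."""
    if not record:
        return ["DMARC: no record; receivers are never told to reject forged mail"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no reports of who sends as you")
    return findings

def assess(spf_record, dmarc_record) -> dict:
    """Spoofing is blocked only when SPF fails unknown senders AND DMARC enforces."""
    spf_findings = check_spf(spf_record)  # empty only when the record ends in ~all or -all
    policy = parse_tags(dmarc_record or "").get("p", "").lower()
    return {"findings": spf_findings + check_dmarc(dmarc_record),
            "blocks_spoofing": not spf_findings and policy in ("quarantine", "reject")}

# Constructed records for the made-up domain clinic.example (not real DNS data).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example"
```

Fetch the two TXT records (the domain's own and the one at _dmarc.<domain>) with whatever DNS tool you already use, then pass the text to assess(); DKIM keys live per selector and are not covered here.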

FAQ

Questions clinics ask us.

What does cyber insurance usually require to qualify?

Most policies list four critical controls: tested offline backups, MFA on cloud email and all remote access, no remote access without a VPN, and at least annual security awareness training for everyone with access to the network or personal data. If these are not in place, a claim can be reduced or denied.

What if our controls were not in place when the policy started?

On most applications you attest that these controls are in place. If a breach happens and the insurer finds a required control was missing or never actually configured, they can reduce or deny the claim. That is why it matters to have them genuinely implemented and documented from the start, not just ticked on a form.

We are a small clinic. Do these really apply to us?

Yes. The requirements do not scale with size, and small clinics are common targets precisely because controls are often missing. The good news is most of these are built into tools you already pay for, such as Microsoft 365, and just need to be turned on and configured correctly.

Can Clinibyte check our clinic against these requirements?

Yes. We review your clinic against each requirement, document what is actually in place versus what is assumed, and put together a short plan to close any gaps. The output is something you can hand to a cyber insurer, a privacy officer, or a regulator.

Find out before your insurer does.

We check your clinic against each requirement, document what is real, and give you a clear plan to close the gaps. Serving healthcare teams across Eastern Ontario.
