Cyber insurance compliance
Your cyber policy probably requires SAT. RiskSense satisfies it.
Since the ransomware wave of 2020–2022, almost every cyber insurer has made security awareness training a condition of coverage. Here's what they actually expect, what gets a claim denied, and how to become compliant in under an hour.
The shift
From 2020 to 2022, insurers paid out heavily on ransomware claims that came in through phishing. The market hardened quickly. Premiums went up 50–150% on average, sub-limits got tighter, and underwriting questionnaires grew teeth. Security awareness training moved from ‘nice to have’ to a hard condition of coverage on most policies written since.
What most cyber policies now require
Specific wording varies by insurer and policy, but the common baseline since 2023 looks like this:
Multi-factor authentication
On email, remote access, and admin accounts. Often hard-conditioned.
Endpoint detection & response (EDR)
Modern EDR on workstations and servers — not just signature antivirus.
Security awareness training
Ongoing programme with phishing simulations and per-employee records.
Verified backups
Backups isolated from production and tested for restore.
Incident response plan
Documented plan, with named contacts and an annual tabletop.
Patching cadence
Documented patch SLAs, especially for internet-facing systems.
What insurers actually verify
The questionnaire is one thing. What gets pulled at renewal or at claim time is usually:
- Evidence of a recurring SAT programme — not a one-off video at onboarding
- Per-employee training and phishing completion records, time-stamped
- Aggregate click and report rates over a rolling 12-month window
- Post-click remediation: did the staff who clicked get coached, and did the coaching complete
- Trend data showing the click-rate moving in the right direction
How RiskSense satisfies the requirement
From ‘no programme’ to ‘documented programme’ in an afternoon.
Connect in 60 seconds
OAuth into your Microsoft 365 or Google Workspace tenant. No agents, no DNS, no allow-listing.
Automated simulations + coaching
AI runs recurring phishing campaigns; Glitch, the in-product coach, walks anyone who clicks through what they missed. Every interaction is recorded.
Renewal-ready reports
Per-employee records, aggregate trend data, and post-click coaching completion — handed straight to your broker.
Cyber insurance & SAT — common questions
Do all cyber insurance policies require security awareness training?
Most major policies underwritten since 2022–2023 do. After the ransomware wave that started in 2020, insurers hardened their requirements significantly. The combination typically required is MFA, EDR, verified backups, an incident response plan, and ongoing security awareness training for staff. Without SAT in place, you'll usually see one of three outcomes at renewal: a higher premium, a tighter sub-limit, or an outright decline.
What does 'security awareness training' actually mean in a policy?
Most policies require that employees receive regular, documented training that covers phishing, social engineering, password hygiene, and safe handling of sensitive data. Insurers increasingly want evidence of ongoing simulated phishing campaigns — not just one-off compliance videos — and they want per-employee completion records they can audit at claim time.
What happens if I have a claim but didn't have SAT in place?
If the policy made SAT a condition precedent to coverage, the insurer can deny the claim in full. Even if it wasn't a hard condition, the absence of SAT will weigh heavily against you during the claim investigation, particularly if the initial access was via phishing, as it often is. Check the policy wording and your signed application: answers on the underwriting questionnaire are representations the insurer can rely on at claim time. Most insurers will also non-renew at the end of the term if the gap isn't fixed.
Does the SAT have to be recurring, or is once enough?
Recurring. The standard expectation now is at least quarterly — many policies specify monthly simulated phishing campaigns plus annual policy attestation. One-off training at onboarding doesn't satisfy the ongoing requirement.
How does RiskSense satisfy the requirement?
RiskSense generates recurring AI-driven phishing simulations on your tenant, tracks per-employee click rates and coaching completion, and produces renewal-ready reports for your insurer. Setup takes about 60 seconds via OAuth — no DNS changes, no allow-listing, no template curation. Most customers go from 'no SAT in place' to 'documented ongoing programme' inside an afternoon.
What evidence can I show my insurer at renewal?
RiskSense produces per-tenant reports with: ongoing campaign cadence, per-employee click and report rates, post-click coaching completion, and aggregate trend data. The reports are designed to be handed to a broker or underwriter at renewal time without further preparation.
Is the free training tier enough to satisfy my policy?
The free tier (training-only) gives your team access to the coaching content, but it does not run live phishing simulations on your tenant. If your policy specifies that simulated phishing must be part of the programme — most do — you'll want the paid tier, which adds the live simulations and the per-employee reporting insurers expect.
Already due for renewal?
Setting up RiskSense takes 60 seconds. Showing your insurer you've done it takes one report at renewal time.