Your cyber insurance broker probably ran you through five questions on the last renewal call. Acceptable Use Policy. MFA. Backups. Phishing training. Incident response plan. You said yes or “we’re working on it” to all five, and the policy bound.
What the broker did not tell you is that the underwriter who wrote that quote was looking at a list of 7 to 12 documents, not 5. The missing items did not stop binding this year. They will show up on the next major claim or the next hardening of the questionnaire.
This is not a knock on brokers. The good ones know exactly what underwriters want. Most operate at scale across many carriers and surface only the requirements that block binding. The additional policies underwriters look for during deeper review, particularly at higher limits and at claim time, often do not come up.
Here are the 5 to 8 policies typically missing from the short list, why each one matters, and what they cost to put in place.
The 7 that are usually missing
1. Information Security Policy (the parent document)
The Acceptable Use Policy governs employee behavior. The Information Security Policy governs the organization. It states the company’s posture on information confidentiality, integrity, and availability, names the person accountable (in a 5-person business, that is usually the owner), and references the supporting policies.
Underwriters care because the NAIC Insurance Data Security Model Law (MDL-668), which 25 states had adopted as of early 2026, obligates insurers to verify that their insureds maintain a written information security program. The Acceptable Use Policy alone does not satisfy that test. The parent policy does.
When this matters: at any policy renewal where the carrier has tightened its questionnaire (which most carriers have done in 2024-2026), the underwriter will ask for this by name. Brokers typically do not mention it because it does not appear on the binding checklist.
2. Password and MFA Policy (the written version)
Most underwriters now ask whether MFA is in place. Fewer ask whether the use of MFA is documented in a written policy. The control without the policy passes binding. The policy is what gets asked for at claim time, when the carrier is reconstructing what controls were in place when the breach happened. If your only evidence is “we always required MFA,” the adjuster has to take your word for it. A written policy that predates the incident and is referenced in your onboarding documentation is much stronger.
The standards to reference are NIST SP 800-63B and CIS Control 6.
3. Vendor and Third-Party Risk Policy
Supply chain is now a top-three source of cyber loss for small businesses. The steady run of MSP and software-supplier compromises since the 2020-2021 SolarWinds incident has made vendor oversight a standard underwriting topic.
Underwriters at higher coverage tiers ($2M and up) will ask how you vet vendors, what controls you require of them, and how you reassess annually. NIST SP 800-161 and CIS Control 15 are the standards to anchor to.
Small business owners often resist this one because they do not feel they have “vendors.” You do. Your accountant, your IT contractor, your cloud backup provider, your practice management system vendor, your payroll service. A 2-page policy that names who is responsible for vendor reviews and what the review covers is enough.
4. Data Retention and Destruction Policy
Breach notification cost is dominated by how much sensitive data sat in your environment when the breach happened. If you retain customer or employee records indefinitely because nobody set a retention schedule, your notification cost and litigation exposure are both larger than they need to be.
State privacy laws (CCPA, CPRA, Virginia’s CDPA, Texas DPDPA, the growing list) increasingly require data minimization. NIST SP 800-88 is the destruction standard for media sanitization. A 2-to-3-page policy specifying how long each data category lives and how it is destroyed is what underwriters want to see.
5. Remote Work or Telework Policy
If anyone in your company works from outside the office even part-time, you need this. The policy covers home-network minimums (WPA2 or better WiFi, default router credentials changed), VPN or zero-trust access, public WiFi rules, and basic physical workspace security. CISA’s telework guidance is the reference. For fully remote or hybrid businesses, this is non-optional at binding.
6. Mobile Device Management Policy (separate from BYOD)
This is the policy for company-owned devices, distinct from BYOD. If you issue company laptops, phones, or tablets, you need a written policy covering inventory, OS update enforcement, encryption, lost or stolen device reporting, and return at offboarding. NIST SP 800-124 and CIS Control 4 are the references. Underwriters at mid-market and above want both BYOD and MDM. Having one without the other is a visible gap.
7. Onboarding and Offboarding Policy
The single most-cited control failure in post-breach forensics: a terminated employee whose access was not revoked. Insurers know this. Most carriers ask whether you have a documented offboarding checklist.
The policy is short. It names what access (email, cloud accounts, VPN, shared passwords) gets revoked on the employee’s last day, who executes each revocation, and how asset return is documented. ISO 27001 A.6.5 and CIS Control 6 are the anchors. Smaller businesses skip this because turnover is rare. The first contested separation makes the absence very tangible.
What this means for your renewal
If you have the 5 your broker asked about plus the 7 above, you are at 12 documents. That is the upper end of what underwriters require for SMB cyber. With those 12, you can answer any standard questionnaire honestly with yes, and most carriers will quote you favorably.
If you have 5 of the 12, you are in the average position. Your policy will bind at most carriers, but you will be at the higher end of pricing for your risk class and you will have known gaps at claim time.
If you have 0 or 1 written documents, your carrier options are narrowing year over year. The hard cyber market has not fully reversed, and carriers are increasingly comfortable declining to quote uncontrolled risks.
What this costs to fix
A traditional consulting engagement to draft all 12 policies for a small business runs $5,000 to $15,000 and takes 6 to 10 weeks. Generic template kits are cheaper but will not survive underwriter review because they will not cite the regulatory anchors (NIST CSF, ISO 27001, CIS Controls) underwriters are trained to scan for.
We built Cyber Essentials specifically for this gap. The Full Pack covers all 12 policies on this list, custom-built for your business at intake, reviewed and signed, for $1,799. The Bundle of 5 is $999 if you only need to fill specific gaps. Individual policies are $299 each.
For SMB owners reading this: Browse the Cyber Essentials bundle at /shop/cyber-essentials/
If you are not sure which policies you are missing, email support@breachsecurity.io with a copy of your most recent cyber insurance application or questionnaire. We will tell you which of the 12 you have, which you are missing, and which tier (single policy, bundle of 5, or full pack) actually fits your gap. Sometimes it is just two policies. Sometimes it is the full set. We will say so honestly.
A note for cyber insurance brokers
If you are a commercial cyber broker reading this, you already know underwriters want 7 to 12 documents. The friction is that your clients usually do not have them, renewal timelines are too short to draft properly, and $5K-$15K consulting referrals are a hard ask for a 10-person business.
We run a referral partnership program: 15-20% commission on the first sale (tiered by package), Net 30, white-label option, and a co-branded one-pager you can drop into your renewal-prep emails. The Bundle of 5 at $999 or Full Pack at $1,799 is what most renewing clients can absorb in their compliance budget.
Email support@breachsecurity.io from your brokerage email and we will send the partner one-pager, referral agreement, and a calendar link.