Plain-English glossary
The cyber insurance words nobody explained to you
Every term you'll meet on a cyber insurance application — MFA, EDR, attestation, incident response plan — in one sentence, plus why the carrier is asking. No security degree required.
Access & identity
Access control
Access control covers how accounts are created, what each role can reach, and — critically — how access is revoked when someone leaves. Orphaned accounts from departed employees are a classic breach entry point.
On your application: Carriers ask how quickly access is removed at offboarding; a documented same-day process is the strong answer.
Related: Least privilege, Offboarding
Least privilege
The principle of least privilege means every user, app, and system gets the minimum access required to do its work. It limits the blast radius: if one account is breached, the attacker can only reach what that role could.
On your application: Reflected in application questions about access reviews and who can reach sensitive data.
Multi-factor authentication (MFA)
also: 2FA, two-factor authentication, two-step verification
MFA requires a second proof of identity when you log in: a tap on a phone app, a one-time code, or a physical security key. Because attackers usually have only your password (from a leak or a phishing page), that second factor stops the vast majority of account takeovers.
On your application: The single most-required control on cyber applications. Carriers ask whether MFA is enforced on email, remote access, and admin accounts — a 'no' is the most common reason a small business is declined.
Related: Phishing-resistant MFA, Credential stuffing, Privileged / administrator account
Offboarding
Offboarding is the documented process — email disabled, sessions revoked, SaaS accounts removed, devices collected, shared passwords rotated — run when someone leaves. Done same-day and on a checklist, it closes a common and cheap-to-fix gap.
On your application: A named application question; 'same day, on a checklist' is what underwriters want to hear.
Related: Access control
Phishing-resistant MFA
Ordinary MFA codes can still be phished — an attacker relays the code you type into a fake site. Phishing-resistant methods (FIDO2 security keys, passkeys) bind the login to the real website, so a fake page gets nothing usable.
On your application: Increasingly favored by carriers for administrator and high-risk accounts; recommended by CISA for privileged users.
Related: Multi-factor authentication (MFA), Phishing
Privileged / administrator account
also: admin account, domain admin
Administrator accounts can change security settings, add or remove users, and access all data. If an attacker captures one, a small intrusion becomes a total compromise, so these accounts deserve the strongest protection and shouldn't be used for daily email or browsing.
On your application: Applications ask specifically whether MFA protects privileged accounts and how many exist.
Related: Multi-factor authentication (MFA), Least privilege, Access control
Single sign-on (SSO)
SSO lets employees sign in once (usually through Microsoft 365 or Google) and reach many connected apps without separate passwords. It reduces password sprawl and gives you one place to enforce MFA and shut off access.
Devices & networks
Asset inventory
An asset inventory records every computer, server, network device, and key application, with details like operating system and support status. It's the foundation for patching, access control, and knowing your exposure.
Related: Patch management, End-of-life (EOL) system
Attack surface
Your attack surface is the sum of all entry points exposed to potential attackers. Reducing it — closing unused services, retiring old systems, limiting internet exposure — is a core defensive goal.
Related: Vulnerability, Remote Desktop Protocol (RDP)
End-of-life (EOL) system
also: unsupported system, legacy system
An end-of-life system (like an old Windows Server or an unsupported app) stops receiving security patches. It can't be made safe by patching, so it must be replaced or strictly isolated from the network and internet.
On your application: A named application question; disclosed and isolated is defensible, hidden on the main network triggers surcharges or declination.
Related: Patch management, Compensating control
Endpoint
An endpoint is a device where work happens and data lives or passes through. Each one is a potential entry point, which is why protecting and inventorying endpoints is foundational.
Related: Endpoint detection and response (EDR), Asset inventory
Endpoint detection and response (EDR)
also: endpoint protection, next-gen antivirus
EDR runs on your computers and servers ('endpoints'), watching for the suspicious activity that precedes ransomware — not just known virus signatures. It can isolate a compromised machine automatically and gives someone a console to see and respond to alerts.
On your application: Many 2026 applications ask for EDR by name and may list acceptable products. Unmanaged antivirus usually doesn't count.
Related: Endpoint, Ransomware, Managed detection and response (MDR)
Managed detection and response (MDR)
MDR pairs EDR-style tooling with a human team (a security operations center) that watches alerts 24/7 and acts on real threats — useful for small businesses with no in-house security staff.
On your application: A strong compensating control to mention when you lack internal monitoring.
Patch management
also: patching, updates
Patch management is the routine of applying security updates to operating systems, applications, and network gear on a known schedule. Unpatched, internet-facing software is now a leading way attackers get in.
On your application: Applications ask how fast you apply critical patches and whether you run any end-of-life systems.
Related: Vulnerability, End-of-life (EOL) system, Asset inventory
Remote Desktop Protocol (RDP)
RDP lets someone operate a Windows machine from elsewhere. Exposed directly to the internet without protection, it's one of the most common ransomware entry points; it should sit behind a VPN with MFA.
On your application: Applications ask whether RDP is exposed to the internet; 'no' or 'only behind VPN+MFA' is the safe answer.
Related: Virtual private network (VPN), Ransomware, Multi-factor authentication (MFA)
Virtual private network (VPN)
A VPN creates a protected connection between a remote device and your network, so traffic isn't exposed on public networks. Remote access should require MFA even through a VPN.
Related: Remote Desktop Protocol (RDP), Multi-factor authentication (MFA)
Vulnerability
A vulnerability is a flaw — a coding bug, a misconfiguration, a default password — that can be abused. Vulnerability management is the ongoing work of finding and fixing them, often via scanning and patching.
Related: Patch management, Vulnerability scanning
Vulnerability scanning
A vulnerability scanner probes your devices and internet-facing services for known weaknesses and reports what to fix. CISA offers free Cyber Hygiene vulnerability scanning to US organizations.
On your application: Recommending free CISA scanning is a no-cost remediation step that also builds trust.
Related: Vulnerability, Attack surface
Data & backups
3-2-1 backup rule
The 3-2-1 rule is a simple resilience recipe: three copies of your data, on two different types of storage, with at least one kept off-site (and ideally offline or immutable). It protects against hardware failure, disaster, and ransomware at once.
Related: Immutable / offline backup, Backup / restore testing
Backup / restore testing
A restore test means recovering real files or a system from backup and confirming they're usable. Backups fail silently, so an untested backup is treated as no backup by both experts and carriers.
On your application: Applications increasingly ask 'are backups tested?' — a dated restore-test note is your evidence.
Related: Immutable / offline backup, 3-2-1 backup rule, RTO / RPO
Data classification
Data classification labels information by how damaging its exposure would be, so you can apply stronger controls — access limits, encryption, retention rules — to the confidential material and not waste effort on the rest.
Related: Encryption, Personally identifiable information (PII)
Encryption
Encryption converts data into unreadable form unless you hold the key. 'At rest' protects stored data (like a laptop's disk); 'in transit' protects data moving across networks (like HTTPS). Full-disk encryption on laptops is a common baseline expectation.
On your application: Applications ask whether laptops and sensitive data are encrypted.
Related: Data classification
Immutable / offline backup
also: air-gapped backup, offline copy
Immutable backups can't be altered once written; offline (air-gapped) backups aren't reachable from your network. Either one survives a ransomware attack that deletes reachable backups first, which modern ransomware routinely attempts.
On your application: Better applications ask specifically whether you keep an offline or immutable copy — it's what makes refusing to pay a ransom possible.
Related: Ransomware, Backup / restore testing, 3-2-1 backup rule
Personally identifiable information (PII)
PII is information that can identify an individual, especially sensitive combinations like a name plus a Social Security number, bank details, or health data. Losing it can trigger legal breach-notification duties and is a major driver of breach cost.
On your application: Applications ask what sensitive data you hold and roughly how many records — this sets both premium and coverage.
Related: Data classification, Breach-notification law, Protected health information (PHI) / HIPAA
RTO / RPO
also: recovery time objective, recovery point objective
Recovery Time Objective is the acceptable downtime before systems must be restored; Recovery Point Objective is how much recent data loss is tolerable (which sets how often you back up). Together they shape your backup and continuity plans.
Related: Backup / restore testing, Business continuity / disaster recovery (BC/DR)
Email & fraud
Business email compromise (BEC)
In BEC, attackers impersonate an executive, vendor, or partner — often after quietly reading a compromised mailbox — to request a wire transfer, a change of bank details, or sensitive data. It relies on trust and urgency, not malware.
On your application: Business email compromise and funds-transfer fraud drive the majority of small-business cyber claims (58% per Coalition 2026).
Related: Funds-transfer / wire fraud, Phishing, Funds-transfer verification (call-back rule)
Funds-transfer / wire fraud
Funds-transfer fraud is the theft that follows a successful BEC: a bookkeeper pays a fraudulent 'updated' invoice or a fake urgent request. The money moves instantly and is rarely recovered, which is why a verification step matters so much.
On your application: Some carriers require a documented payment-verification procedure for full funds-transfer-fraud coverage.
Related: Business email compromise (BEC), Funds-transfer verification (call-back rule)
Funds-transfer verification (call-back rule)
This procedure requires verifying any new payee, bank-detail change, or unusual payment request by calling a previously known number — never one from the request itself. It's free, one page, and prevents the most common small-business loss outright.
On your application: A named question on crime/funds-transfer supplements; documenting it can be a coverage condition.
Related: Funds-transfer / wire fraud, Business email compromise (BEC)
Phishing
Phishing lures a person into handing over credentials or running malware by imitating a trusted sender. Variants include spear-phishing (targeted), smishing (text), and vishing (voice). Training and email filtering are the main defenses.
On your application: Applications ask about email filtering and whether you run phishing-awareness training and simulations.
Related: Business email compromise (BEC), Security awareness training, SPF / DKIM / DMARC
SPF / DKIM / DMARC
These three DNS records let receiving mail servers verify that email claiming to be from your domain is legitimate. Together they make it much harder for attackers to send convincing fakes 'from' your company to your customers.
On your application: Increasingly asked about under email-security questions; publishing them is a low-cost, visible improvement.
Related: Phishing, Business email compromise (BEC)
Incident response
Business continuity / disaster recovery (BC/DR)
Business continuity keeps critical operations going during a disruption; disaster recovery restores IT systems afterward. For a small business this can be lightweight, but knowing your recovery priorities and backup restore steps is the core.
On your application: Related to backup and IR questions; signals maturity to underwriters.
Related: Incident response plan (IRP), RTO / RPO, Backup / restore testing
Incident response plan (IRP)
also: IR plan
An incident response plan names roles, contains contact numbers (including your carrier's hotline), and lays out the first steps to isolate systems, preserve evidence, notify the right people, and restore from backups. In a real incident the first hours decide the cost.
On your application: A written AND tested IR plan is a hard requirement on most applications; untested plans are treated as shelfware.
Related: Tabletop exercise, Business continuity / disaster recovery (BC/DR), Ransomware
Tabletop exercise
A tabletop is a discussion-based drill where the team walks through a scenario (say, ransomware on a Monday morning) and finds the gaps — a dead phone number, an unclear decision-maker — before a real incident does. Dated notes from it are your proof of testing.
On your application: Satisfies the 'has the plan been tested?' application question when documented.
Related: Incident response plan (IRP)
People & training
Security awareness training
Security awareness training turns employees from the most-targeted layer into a defense. Effective programs are recurring (not just at onboarding), documented with attendance, and often include simulated phishing to measure improvement.
On your application: 'Documented training' is a standard application checkbox — the attendance log is the proof it happened.
Related: Phishing, Business email compromise (BEC)
Insurance & underwriting
Attestation
An attestation is your signature affirming the application's answers are accurate. It converts your answers into warranties: if a later claim reveals an answer was false — even an honest mistake — the carrier can dispute or deny coverage.
On your application: This is why Surable never coaches shading an answer: the honest path is the one that keeps your coverage real.
Related: Underwriting, Material misrepresentation, Claim denial
Claim denial
A denied claim leaves you paying for a loss the policy was supposed to cover. Common causes: the application misrepresented controls, an attested control lapsed before the incident, notice came too late or through non-approved vendors, or an exclusion applied.
Related: Attestation, Material misrepresentation, Exclusion
Compensating control
When a control isn't feasible (say, an old system that can't run modern security), a compensating control is a different safeguard that reduces the same risk — isolating that system, extra monitoring. Disclosed accurately, underwriters can price it; hidden, it becomes a misrepresentation.
On your application: The honest alternative to a false 'yes' — the close-or-disclose path.
Related: End-of-life (EOL) system, Attestation, Material misrepresentation
Cyber insurance
also: cyber liability insurance
Cyber insurance (or cyber liability insurance) covers costs from incidents like data breaches, ransomware, and funds-transfer fraud — including forensics, legal, notification, business interruption, and third-party claims. Coverage and requirements vary widely by carrier.
Related: Underwriting, Attestation, First-party vs. third-party coverage
Exclusion
Exclusions carve specific scenarios out of coverage — for example some funds-transfer fraud unless verification controls are in place, acts of war, or risks tied to a disclosed weakness. They're part of the deal; the time to understand them is before binding.
On your application: Ask your broker exactly what's excluded before you bind — especially funds-transfer terms.
Related: Claim denial, Cyber insurance
First-party vs. third-party coverage
First-party cyber coverage pays for your direct costs — forensics, restoration, business interruption, ransom. Third-party coverage responds to liabilities from others harmed by an incident (customers, partners), including legal defense and settlements.
Related: Cyber insurance
Material misrepresentation
If an application statement was false and 'material' (it would have changed the insurer's decision), the carrier may rescind coverage or deny a related claim. Optimistic answers about controls you don't actually have are the classic trap.
On your application: The core reason to answer accurately and keep evidence for every 'yes' you sign.
Related: Attestation, Claim denial
Supplemental application / questionnaire
Beyond the main application, carriers often send supplemental questionnaires focused on high-risk areas (ransomware readiness, backups, funds-transfer controls). They're detailed and specific, and they're exactly what our application-mapping guide is built around.
On your application: These forms are where under-prepared applicants stumble; mapping documents to each question is the fix.
Related: Underwriting, Attestation
Underwriting
Underwriting is the insurer's risk assessment. For cyber, it has become a security audit: the carrier reviews your controls (via the application and sometimes an external scan) and prices or declines the policy accordingly.
On your application: Your application answers ARE the underwriting inputs — which is why accuracy and documentation matter.
Related: Cyber insurance, Attestation, Supplemental application / questionnaire
Compliance & regulation
Breach-notification law
All 50 US states have breach-notification laws with deadlines that start when a breach is discovered. Depending on your data and location, you may have to notify affected individuals, state attorneys general, or regulators within a set window.
On your application: Why your IR plan must know who to call fast — notification clocks start at discovery.
Related: Personally identifiable information (PII), Incident response plan (IRP)
CIS Controls (IG1)
The CIS Critical Security Controls are a prioritized set of defensive actions. Implementation Group 1 (IG1) — 56 safeguards — is defined as essential cyber hygiene for small organizations with limited IT staff, making it the practical remediation menu.
Related: NIST Cybersecurity Framework (CSF)
NIST Cybersecurity Framework (CSF)
The NIST CSF (version 2.0, 2024) is a voluntary, free framework that structures cybersecurity into six functions. It's the common language many tools, consultants, and — in Surable's case — the readiness scorecard are built on.
Related: CIS Controls (IG1), NIST Cybersecurity Framework (CSF)
PCI DSS
The Payment Card Industry Data Security Standard applies to any organization that stores, processes, or transmits cardholder data. Even small merchants must meet a level of it (often via a self-assessment questionnaire), and it overlaps with general cyber hygiene.
On your application: Card-accepting SMBs may see PCI questions; the controls overlap heavily with cyber-application requirements.
Related: Data classification, Encryption
Protected health information (PHI) / HIPAA
PHI is individually identifiable health information. Businesses that handle it (providers, and their 'business associates') must meet the HIPAA Security Rule's safeguards. Cyber applications ask about HIPAA when your industry touches health data.
On your application: Healthcare-adjacent applicants get extra scrutiny; HIPAA documentation overlaps with cyber readiness.
Related: Personally identifiable information (PII), Breach-notification law
Threats & attacks
Credential stuffing
Because people reuse passwords, attackers take credentials leaked from one site and try them everywhere else automatically. Unique passwords (a password manager) plus MFA defeat it.
On your application: Part of why MFA and password hygiene are baseline application requirements.
Related: Multi-factor authentication (MFA), Phishing
Ransomware
Ransomware encrypts your files and systems and demands a ransom for the key; modern variants also steal data first and threaten to leak it ('double extortion'). Tested, offline backups plus a response plan are what let victims recover without paying.
On your application: The loss cyber policies are most associated with; a record 86% of victims refused to pay in 2026, backed by good backups (Coalition).
Related: Immutable / offline backup, Incident response plan (IRP), Endpoint detection and response (EDR)
Supply-chain / third-party attack
Attackers increasingly compromise a vendor, software update, or service provider to reach that vendor's customers. It's why carriers now ask how you vet third parties with access to your systems and data.
On your application: Third-party involvement appeared in ~48% of breaches in 2026 (Verizon DBIR); vendor questions are rising.
Related: Vendor / third-party risk management, Attack surface
Vendor / third-party risk management
Vendor risk management means keeping an inventory of third parties with access, doing proportionate diligence (do they enforce MFA? encrypt your data?), and putting breach-notification terms in contracts.
On your application: A named and growing application area; a one-page vendor inventory answers most of it at SMB scale.
Zero-day
A zero-day is a vulnerability unknown to the vendor (so there's 'zero days' of warning) being actively exploited. Defenses lean on layered controls — EDR, least privilege, monitoring — since patching isn't yet possible.
Related: Vulnerability, Patch management, Endpoint detection and response (EDR)
Now see which of these you'd pass
The free Readiness Check scores you across the ten control domains these terms describe — in five minutes, no email required.