Cyber Insurance for Critical Infrastructure and Utilities: What Carriers Require

Cyber insurance underwriting has tightened across every sector, and critical-infrastructure operators face the hardest scrutiny of all. Z Cyber acts as your cybersecurity operating partner, running an Insurance Readiness model on Glance that shows carriers what they need to see before a quote or renewal is on the line.
For a water utility, a regional power cooperative, or a pipeline operator, cyber insurance has stopped being a checkbox at renewal. Carriers now ask hard questions, demand evidence, and walk away from applicants who cannot show the controls in place. The questionnaire that used to take an afternoon now decides whether you get a quote at all, and at what price.
Z Cyber is a cybersecurity operating partner, not a software vendor. We embed a forward-deployed security team that implements and runs your program on Glance, our AI-native GRC platform. One of the things that program produces is a defensible, evidence-backed view of where you stand against what cyber insurers actually require. This post walks through what carriers look for from utilities and critical-infrastructure operators, why renewals have gotten harder, and how to be ready before the deadline lands on your desk.
Why cyber insurance got harder for critical infrastructure
The broad story is well documented. After a wave of ransomware losses, carriers tightened underwriting across the board. They raised the bar on the controls applicants must demonstrate, they shrank coverage where exposure was concentrated, and they moved from trust-based questionnaires to evidence-based review.
Critical infrastructure sits at the sharp end of that shift for reasons specific to the sector. These are high-consequence targets. A successful intrusion against a utility can threaten safety and service continuity, not just data. Operators often run a mix of modern IT and long-lived operational technology, where legacy systems cannot be patched on a normal cadence and were never designed for internet exposure. Regulatory attention is intense, and a single incident can trigger reporting obligations, public scrutiny, and follow-on liability. Underwriters price all of that in. They want proof that the foundational controls are present and that the boundary between corporate IT and operations is real.
What carriers commonly require before they will quote
There is no single universal checklist, and every carrier words its application differently. In practice, though, a consistent core of foundational controls shows up across underwriting questionnaires. If you cannot evidence these, expect higher premiums, narrower coverage, sub-limits on ransomware, or a declined application.
| Control area | What underwriters want to see |
|---|---|
| Multi-factor authentication | MFA on all remote access, email, and privileged or administrative accounts, not just a subset of users. |
| Endpoint detection and response | EDR deployed across endpoints and servers with active monitoring, not legacy antivirus alone. |
| Backups | Immutable or offline backups that are tested through actual restores, with documented recovery objectives. |
| Incident response plan | A written plan that has been tested through a tabletop or live exercise, with defined roles and contacts. |
| Email security | Filtering, anti-phishing controls, and protections against business email compromise. |
| Privileged access management | Control and monitoring of administrative credentials, with least-privilege enforcement. |
| Network segmentation | Separation that limits lateral movement, and a defensible boundary between IT and OT environments. |
| Security awareness training | Regular training with phishing simulation, evidenced by completion records. |
| Vulnerability management | A repeatable cycle of scanning, prioritization, and timely patching with documented timelines. |
The pattern matters as much as the list. Underwriters are not just asking whether a control exists. They are asking whether you can show it, consistently, with evidence. A claim that MFA is enabled "everywhere" carries little weight without proof of coverage. The applicants who secure favorable quotes are the ones who can attach the receipts.
Heading into a renewal without clear evidence?
Z Cyber maps your controls to what carriers ask and shows you the gaps before the deadline.
The OT question underwriters keep asking
For utilities and other infrastructure operators, the conversation does not stop at IT controls. Underwriters weigh your operational technology exposure directly, because that is where the catastrophic, hard-to-quantify loss lives. The questions tend to cluster around a few themes.
First, segmentation. Carriers want to know that a compromise of the corporate network cannot pivot into systems that run physical operations. They look for a real boundary, with monitored crossings, not a flat network with optimistic intentions. Second, business continuity for operations. If a cyber event hits, can you keep delivering service, and how quickly can you recover control systems to a known-good state? Third, the maturity of OT-specific monitoring and access control, since the tooling and patch cadence in that environment differ sharply from IT.
The operators who struggle in underwriting are often the ones treating IT and OT as a single undifferentiated estate. The ones who do well can describe the architecture, point to the segmentation, and show that operational resilience has been planned and tested. This is also why the broader security program for a utility and its insurability are tightly linked. The same controls that reduce real risk are the ones the carrier rewards.
The renewal scramble, and why it costs you
The recurring failure mode is timing. The questionnaire arrives, the deadline is weeks out, and the team scrambles to gather evidence under pressure. Screenshots get pulled, spreadsheets get assembled, and gaps get discovered far too late to fix before the carrier wants an answer. Worse, an honest "no" or a vague "we think so" on a key control can move a premium, trigger a sub-limit, or sink the application.
That scramble is avoidable. The information a carrier wants is the same information a well-run security program produces continuously. The problem is rarely that the controls are entirely absent. It is that the evidence is scattered, stale, or never assembled in a form a broker can present. Readiness is an ongoing posture, not a fire drill you run once a year.
How Z Cyber runs Insurance Readiness on Glance
Z Cyber operates an Insurance Readiness model on Glance, built around the controls carriers actually evaluate. Rather than handing you a questionnaire to fight through alone, our forward-deployed team maps your environment to those controls and maintains the evidence behind each one as part of running your program.
The output is concrete. Glance produces a readiness score across the core controls underwriters weigh, from MFA coverage and EDR deployment to backup testing, incident response readiness, segmentation, and vulnerability management. Each control carries an evidence-confidence rating, so you can tell the difference between a control that is fully substantiated and one that needs work before a carrier sees it. That distinction is the whole game. It tells you, ahead of any deadline, exactly where the soft spots are.
From that, Z Cyber produces a carrier-grade report your broker can take to market. Instead of a self-attested questionnaire, you present a structured, evidence-backed picture of your security posture. Brokers and underwriters move faster when an applicant arrives organized, and a credible, well-documented submission gives you a stronger position in the conversation about coverage and terms.
| The usual renewal | With Z Cyber Insurance Readiness |
|---|---|
| Evidence gathered in a deadline-driven scramble. | Evidence maintained continuously as part of the program. |
| Self-attested answers, hard to defend. | Each control carries an evidence-confidence rating. |
| Gaps discovered too late to fix. | A readiness score surfaces soft spots ahead of time. |
| A questionnaire your broker has to interpret. | A carrier-grade report your broker can present. |
Getting ready before the deadline
If a renewal is on the horizon, the work is straightforward in shape even when it is hard in detail. Inventory the foundational controls carriers expect and confirm coverage, not just existence. Pull the evidence for each one and judge honestly how defensible it is. Treat the IT-to-OT boundary as a first-class concern, because underwriters will. Fix the gaps that are fixable before the application goes out, and document the compensating controls and roadmap for the ones that are not.
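The "confirm coverage, not just existence" step is the one that most often turns a confident questionnaire answer into a soft spot. The script below is an added illustration, not Z Cyber's or Glance's code, of what that check looks like in practice for two of the controls in the table above: it takes a constructed account export and a constructed backup inventory, scopes the MFA check to the accounts underwriters care about (privileged and remote-access), reports the specific accounts that break the "MFA everywhere" claim, and flags backups that are not immutable or have never been proven by an actual restore. The rating thresholds and the 90-day restore-test window are assumptions chosen for the example, not carrier requirements.

```python
"""Evidence-based control check (added example; data and thresholds are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool      # administrative or operator role
    remote_access: bool   # VPN, jump host, or vendor remote access
    mfa_enrolled: bool    # taken from the identity provider export, not self-attested


@dataclass(frozen=True)
class BackupSet:
    name: str
    immutable: bool                     # immutable or offline copy exists
    last_restore_test: Optional[date]   # None = never tested by an actual restore


# Constructed sample data standing in for an IdP export and a backup inventory.
CONSTRUCTED_ACCOUNTS = [
    Account("it-admin-01", True, True, True),
    Account("ot-engineer-02", True, False, True),
    Account("svc-scada-admin", True, False, False),   # shared admin account, no MFA
    Account("field-tech-07", False, True, True),
    Account("vendor-remote", False, True, False),      # third-party VPN login, no MFA
    Account("clerk-12", False, False, False),          # neither privileged nor remote: out of scope here
]

CONSTRUCTED_BACKUPS = [
    BackupSet("corp-fileserver", True, date(2024, 3, 1)),
    BackupSet("scada-historian", True, None),          # immutable, but never restore-tested
    BackupSet("billing-db", False, date(2024, 1, 15)), # tested, but not immutable
]

CONSTRUCTED_AS_OF = date(2024, 4, 1)   # "today" for the backup-age check


def mfa_coverage(accounts):
    """Measure MFA coverage over the accounts an underwriter will ask about."""
    in_scope = [a for a in accounts if a.privileged or a.remote_access]
    gaps = sorted(a.name for a in in_scope if not a.mfa_enrolled)
    covered = len(in_scope) - len(gaps)
    coverage = covered / len(in_scope) if in_scope else 1.0
    return {"in_scope": len(in_scope), "covered": covered, "gaps": gaps, "coverage": coverage}


def backup_findings(backups, as_of, max_age_days=90):
    """List the reasons a backup set would not count as substantiated evidence."""
    findings = []
    for b in backups:
        if not b.immutable:
            findings.append(f"{b.name}: no immutable or offline copy")
        if b.last_restore_test is None:
            findings.append(f"{b.name}: never tested by actual restore")
        else:
            age = (as_of - b.last_restore_test).days
            if age > max_age_days:
                findings.append(f"{b.name}: last restore test is {age} days old")
    return findings


def evidence_rating(coverage):
    """Assumed thresholds: only full coverage counts as substantiated."""
    if coverage >= 1.0:
        return "substantiated"
    if coverage >= 0.9:
        return "partial"
    return "needs work"


def readiness_summary(accounts, backups, as_of):
    """Per-control view: a rating plus the evidence gaps behind it."""
    mfa = mfa_coverage(accounts)
    findings = backup_findings(backups, as_of)
    return {
        "mfa": {"rating": evidence_rating(mfa["coverage"]), **mfa},
        "backups": {"rating": "substantiated" if not findings else "needs work",
                    "findings": findings},
    }


if __name__ == "__main__":
    summary = readiness_summary(CONSTRUCTED_ACCOUNTS, CONSTRUCTED_BACKUPS, CONSTRUCTED_AS_OF)
    for control, result in summary.items():
        print(f"{control}: {result['rating']}")
        for gap in result.get("gaps", []) + result.get("findings", []):
            print(f"  - {gap}")
```

On the constructed data the MFA control rates "needs work" even though MFA is enabled for most staff, because two of the five in-scope accounts (a shared SCADA admin and a vendor remote login) are unenrolled; that is exactly the distinction between a control that exists and one whose coverage can be evidenced. Pointing the same logic at a real identity-provider export and backup job history is what turns "we think so" into an answer a broker can defend.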
This is exactly the work Z Cyber does as your operating partner, run on Glance and maintained year-round rather than reconstructed every renewal cycle. For a deeper walk-through of the controls and how to evidence each one, see our cyber insurance readiness guide. The goal is simple. When the questionnaire arrives, you already have the answers, and the proof behind them.
Get a readiness score before your next renewal.
Z Cyber runs your program on Glance and delivers a carrier-grade report your broker can present.
Frequently Asked Questions
What do cyber insurers require from utilities?
Carriers commonly require evidence of foundational controls before they will quote or renew: multi-factor authentication on remote access and privileged accounts, endpoint detection and response, immutable and tested backups, a tested incident response plan, email security, privileged access management, network segmentation, security awareness training, and vulnerability management. For utilities, underwriters also weigh operational technology exposure and the segmentation between IT and OT environments.
Why are cyber insurance renewals harder for critical infrastructure?
Underwriting has tightened across all sectors after a wave of ransomware losses, and critical infrastructure faces particular scrutiny because it is a high-consequence target. Operators often run legacy operational technology alongside modern IT, and a single incident can threaten safety and service continuity. Carriers now demand evidence of controls rather than self-attestation, so applicants who cannot prove their posture face higher premiums, narrower coverage, or declined applications.
What is a cyber insurance readiness score?
A cyber insurance readiness score measures how well your security controls map to what carriers evaluate during underwriting. Z Cyber produces one on the Glance platform across the core controls underwriters weigh, such as MFA coverage, EDR deployment, backup testing, incident response readiness, segmentation, and vulnerability management. Each control carries an evidence-confidence rating so you can see, ahead of any deadline, which controls are fully substantiated and which need work before a carrier sees them.
Does OT exposure affect cyber insurance underwriting?
Yes. For utilities and infrastructure operators, underwriters weigh operational technology exposure directly because that is where catastrophic loss can occur. They look for real segmentation between corporate IT and operational systems, business continuity planning for operations, and the maturity of OT-specific monitoring and access control. Operators who can describe the architecture and show that operational resilience has been tested are in a stronger underwriting position.