Cyber insurance requirements for Active Directory
If you’ve noticed that your organization’s cyber insurance premiums have increased over the last year, you’re not alone. With evolving cyber threats, the rise in ransomware attacks, and the ubiquity of hybrid and remote workforces, insurers are responding by raising prices, tightening eligibility requirements, and reworking the scope of their coverage. So what does this mean in terms of cyber insurance requirements for your Active Directory?
One area that insurance underwriters are heavily scrutinizing is Active Directory access controls, especially for organizations still using Microsoft’s on-premises identity and access management system for authentication and access permissions. Because identity and password compromise remains one of the top threats in cyberattacks, insurance companies want to understand more details about privileged account use and visibility, offboarding processes, and password policies.
We’ll run through what you need to know and offer some advice that might help you get hold of cyber insurance (or a better price).
The cyber insurance landscape in 2025
In 2025, organizations seeking cyber insurance should be aware of several key factors to ensure they are adequately protected and to avoid potential pitfalls. Here are some important considerations:
- Rising premiums and deductibles: Cyber insurance premiums have been on the rise due to the increasing frequency and severity of cyber attacks. Organizations should be prepared for higher costs and potentially higher deductibles.
- Stricter underwriting standards: Insurers are becoming more stringent in their underwriting processes. They may require detailed information about an organization’s cybersecurity measures, including risk assessments, incident response plans, and compliance with industry standards.
- Exclusions and coverage limits: Policies may include more exclusions and tighter coverage limits. For example, some policies might exclude coverage for certain types of attacks, such as ransomware, or limit the amount of coverage for data breaches.
- Mandatory security controls: Insurers may require organizations to implement specific security controls as a condition of coverage. These could include multi-factor authentication, regular security audits, and employee training programs.
- Regulatory compliance: Compliance with the data protection regulations relevant to your region (for example, the General Data Protection Regulation (GDPR) in Europe) is crucial. Non-compliance can result in higher premiums or even denial of coverage.
- Third-party risk management: Insurers are increasingly concerned about the security practices of third-party vendors and partners. Organizations should ensure that their third-party relationships are managed with robust security protocols.
- Incident response plans: Having a well-documented and tested incident response plan is essential. Insurers may require evidence of such plans to provide coverage.
- Cybersecurity maturity: Insurers may assess an organization’s cybersecurity maturity level, which can affect the terms and conditions of the policy. Higher maturity levels can lead to better coverage and lower premiums.
- Data breach notification requirements: Policies may include requirements for timely notification of data breaches. Failure to comply can result in coverage being denied.
- Vendor selection: Choosing the right cyber insurance provider is important. Organizations should consider the insurer’s reputation, financial stability, and the quality of their claims handling process.
As cybersecurity becomes more critical and complex, cyber insurance rates will continue to rise in order to provide maximum coverage. But there are certain policies and security measures your company can put into practice to reduce your insurance rate.
Eligibility requirements and Active Directory
Insurance providers favor companies that can demonstrate the reliability of their security controls over those that are more likely to incur massive financial losses. When applying for cyber insurance coverage, it’s standard to describe the current security measures your company has in place, typically in the form of a self-audit questionnaire. This helps the insurer assess the risks that may be involved when providing coverage.
Some of the security policies and practices insurers may look for include endpoint detection and response, multi-factor authentication, end-user training, vulnerability management, and more. Every cyber insurance policy might have different requirements to meet eligibility, or could assess different risks to determine the rate. In general, these are elements that most cybersecurity programs should have in place.
For organizations using Active Directory, here’s what you need to prepare if you’re considering cyber insurance, or updating your existing coverage.
Privileged access management and privileged accounts use
Cyber liability insurance companies are asking more pointed questions about how privileged access management is handled in the organization’s Active Directory infrastructure, including who has access to privileged accounts and the visibility of their use by IT. In addition, they want to see processes in place to audit these accounts. In some cases, you may be considered high-risk if you have more than five domain admin accounts.
- What is the number of user accounts in the Domain Administrators group, including service accounts?
- Do you require system administrators to have unique privileged credentials for administrative tasks, separate from their user credentials for everyday access?
- Do privileged accounts (including domain administrators) require multifactor authentication?
- Do you have stronger password policies for your domain admin accounts than regular users?
- Do you have stronger password policies for your service accounts than regular users?
Offboarding processes for terminated employees
Does the organization have an offboarding process in place for handling terminated employees? Stale accounts left in Active Directory pose a tremendous threat, and some insurance providers may consider your organization high-risk if offboarding doesn’t happen within 24 hours. In the now infamous Colonial Pipeline attack, attackers used stale VPN credentials to gain access to the internal network. Having the proper visibility and tools to discover stale Active Directory credentials is essential, along with the proper offboarding processes to ensure stale accounts are processed correctly.
- What is your target time to off-board users?
- Is the offboarding process automated?
Find stale accounts (and more) in your Active Directory
Specops Password Auditor is a read-only tool that provides visibility to admin accounts, stale accounts, delegable admins, and other dangers in Active Directory. Many of the capabilities provided by Specops Password Auditor allow organizations to meet the account auditing requirements of cyber insurance, while helping to strengthen the password posture of the environment. Download your free tool here.
Authentication requirements
Authentication and password security are critical when considering general Active Directory security and Active Directory specific attacks such as Kerberoasting. Suppose an attacker can infiltrate the network initially and compromise a low-level account. They can then use Kerberoasting and other attacks to compromise higher-level accounts, such as service accounts connected with a service principal name. Most service accounts are not secured with multi-factor authentication due to being tied to critical services running in the environment.
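The questionnaire items above (Domain Admins membership, stale accounts, and service accounts that carry a service principal name) can be answered with read-only directory queries. The following is an added example, not code from the original article or from Specops; it assumes the RSAT ActiveDirectory PowerShell module is installed, and the 90-day staleness window is an assumed threshold rather than a figure from this page.

```powershell
# Added example: read-only queries, nothing in the directory is modified.
# Requires the RSAT ActiveDirectory module and rights to read the directory.
Import-Module ActiveDirectory

$StaleDays = 90   # assumption: "stale" means no logon for 90 days
$MaxAdmins = 5    # the "more than five domain admin accounts" figure in the text

# Resolve Domain Admins by its well-known RID (512) so localized names still work.
$daSid = "$((Get-ADDomain).DomainSID.Value)-512"

# -Recursive expands nested groups. gMSAs and computers are other object
# classes and would need their own count.
$admins = @(Get-ADGroupMember -Identity $daSid -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ServicePrincipalName)

# Enabled users with no logon inside the window. lastLogonTimestamp replicates
# lazily (about 14 days by default), so very short windows are unreliable.
$stale = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleDays) -UsersOnly |
    Where-Object { $_.Enabled })

# Enabled user accounts that carry an SPN: the service accounts exposed to
# Kerberoasting, where password age and strength matter most.
$spnUsers = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet |
    Where-Object { $_.Enabled })

# Summary for the questionnaire.
[pscustomobject]@{
    DomainAdminUsers    = $admins.Count
    OverAdminThreshold  = $admins.Count -gt $MaxAdmins
    DomainAdminsWithSpn = @($admins | Where-Object { $_.ServicePrincipalName.Count -gt 0 }).Count
    StaleEnabledUsers   = $stale.Count
    EnabledUsersWithSpn = $spnUsers.Count
} | Format-List

# Detail for follow-up, oldest first.
$stale    | Sort-Object LastLogonDate   | Format-Table SamAccountName, LastLogonDate
$spnUsers | Sort-Object PasswordLastSet | Format-Table SamAccountName, PasswordLastSet
```

A Domain Admin that also appears under `DomainAdminsWithSpn` is the highest-priority finding, since it combines privileged membership with Kerberoasting exposure.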
Remote access
Authentication requirements for employees who are remotely accessing the corporate network are another consideration. It is important to note that Active Directory Domain Services does not have native multi-factor authentication built into the solution. As multi-factor authentication has become a requirement for a strong cybersecurity posture, organizations with on-premises Active Directory user accounts will need to consider how to implement multi-factor authentication effectively.
- Does your business require by policy multifactor authentication for all employee remote access to corporate resources?
- Does your business require by policy multifactor authentication for all remote access to corporate resources (vendors and contractors)?
Active Directory best practices
In addition to the above, insurance providers may also look for these best practices when evaluating your Active Directory security posture:
- Patching and OS updates for domain controllers: Is Active Directory kept up-to-date with the latest security patches and updates to address known vulnerabilities?
- Monitoring and auditing: Are monitoring and auditing mechanisms used to track user activity, detect unauthorized access attempts, or suspicious behavior?
- Encryption: Is encryption used to protect data transmitted between Active Directory components, and to protect sensitive data stored in Active Directory?
- Cyber awareness training: Does your business provide ongoing cyber awareness training to employees, and is the scope/frequency of the training adequate?
Do you need MFA to get cyber insurance?
Multi-Factor Authentication (MFA) is increasingly becoming a requirement for obtaining cyber insurance, especially as insurers look to mitigate risks and ensure that organizations have robust security measures in place. Here are a few reasons why MFA is becoming a critical factor. MFA significantly reduces the risk of unauthorized access to systems and data, making it a key defense against cyber threats. Insurers recognize this and may require MFA as part of their underwriting criteria.
Many regulatory frameworks and industry standards recommend or require MFA. Demonstrating compliance with these standards can improve your chances of obtaining cyber insurance and can also lead to more favorable terms. As insurers are becoming more stringent in their underwriting processes, it’s likely they’ll require evidence of MFA implementation to consider your organization for coverage. Need to add simple, effective MFA to your organization? Speak to us about Specops Secure Access.
Enhance your AD security to boost your chances of obtaining cyber insurance
Active Directory (AD) controls, such as enforcing strong password policies and checking for compromised passwords, are becoming increasingly important for organizations seeking cyber insurance. While not always a strict requirement, these controls are often highly recommended and can significantly influence the terms and conditions of your cyber insurance policy. Here’s why:
- Risk mitigation: Strong password policies and regular checks for compromised passwords help reduce the risk of unauthorized access and data breaches. Insurers view these measures as essential components of a robust cybersecurity strategy.
- Underwriting criteria: Many insurers are incorporating AD controls into their underwriting criteria. They may require evidence that your organization has implemented these controls to consider you for coverage.
- Compliance: Compliance with industry standards and regulations often includes strong password management practices. Demonstrating compliance can improve your chances of obtaining cyber insurance and may lead to more favorable terms.
- Incident Response: In the event of a cyber incident, having strong AD controls can demonstrate to insurers that you took proactive steps to protect your organization, which can be beneficial during claims processes.
- Third-Party Risk Management: Insurers may also consider the security practices of your third-party vendors and partners. Ensuring that your AD controls are robust can help manage third-party risks and improve your overall security posture.
To enhance your Active Directory controls, consider Specops Password Policy. You can automatically block the creation of weak passwords with user-friendly tools, plus continuously scan your Active Directory for over 4 billion compromised passwords. If you need help securing your Active Directory, feel free to reach out to us for support.
(Last updated on April 11, 2025)