
Identity resilience is critical for cyber insurance

Map how Cohesity Identity Resilience satisfies cyber insurance requirements 

With Active Directory involved in 95% of security incidents (and the majority of major incidents), it’s no wonder that insurers and regulators are placing far greater emphasis on identity posture when assessing cyber risk. In fact, 8 out of 8 major cyber insurers now ask about, and validate, identity-specific security and resilience when underwriting policies. Moreover, for organizations looking to decrease their premiums, demonstrating adequate identity system hardening and proven security and recovery capabilities directly correlates to lower premiums and higher coverage.

For insurers, strong identity controls reduce the likelihood that a single compromised account can lead to widespread disruption or data loss, supporting more sustainable underwriting decisions.

“Insurers increasingly expect organizations to demonstrate not only that identity controls exist, but that they are actively monitored and improved over time.”

— Hacker News, Identity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026

Cohesity Identity Resilience directly addresses every stage of an attack lifecycle and maps directly to cyber insurance asks: 

MFA & Privileged Access Management

Insurance category: MFA on all privileged accounts
Universal requirement—refusal criteria if absent

What insurers ask:
  • “Is MFA enforced on all admin, Domain Admin, and privileged accounts?”
  • “Are service accounts protected with MFA or equivalent controls?”

How Cohesity Identity Resilience addresses it:
  • Detects all admin accounts without MFA—generates exportable findings report
  • Identifies Tier 0 accounts (Domain Admins, Schema Admins, Enterprise Admins) with missing MFA
  • Surfaces service accounts with over-privileged access or no MFA equivalent
  • Continuous monitoring alerts on new privileged accounts created without MFA

Evidence you can provide:
  • Free identity security assessment report showing 0 unprotected admin accounts
  • Screenshot of privileged account audit dashboard
  • Exported policy report showing MFA enforcement status

Insurer coverage:
  • Coalition
  • Beazley
  • AIG
  • At-Bay
  • All others

Insurance category: Least privilege / PAM
Increasingly required for >$5M policies

What insurers ask:
  • “Do you have privileged access management (PAM) controls?”
  • “Are admin accounts separate from daily-use accounts?”
  • “Is just-in-time (JIT) access provisioning in place?”

How Cohesity Identity Resilience addresses it:
  • Identifies over-privileged accounts, excessive Domain Admin membership
  • Detects accounts with permanent privileged access vs. JIT patterns
  • Flags delegation abuse and overlapping admin permissions
  • Automated remediation workflows—remove delegation, disable stale accounts, addition of admin accounts

Evidence you can provide:
  • Privilege escalation risk report from identity security assessment (pre and post-remediation)
  • Domain Admin group membership audit export
  • Access remediation change log from Directory Services Protector (DSP)

Insurer coverage:
  • Beazley
  • Chubb
  • AIG
  • Travelers
  • Coalition (partial)

Active Directory Monitoring & Threat Detection

Insurance category: Continuous AD monitoring
Real-time change detection

What insurers ask:
  • “Do you continuously monitor Active Directory for unauthorized changes?”
  • “Can you detect privilege escalations in real time?”
  • “Do you monitor GPO, group membership, and Tier 0 asset changes?”

How Cohesity Identity Resilience addresses it:
  • Real-time monitoring of all AD changes: GPOs, group memberships, user attributes
  • Instant alerts on high-impact changes to Tier 0 assets
  • Automatic remediation as configured
  • Detects LDAP reconnaissance, DCSync, Golden/Silver Ticket attacks

Evidence you can provide:
  • Live monitoring dashboard screenshot showing alert history
  • Sample alert showing detection of simulated privilege escalation
  • SIEM integration log confirming AD event forwarding

Insurer coverage:
  • Coalition
  • Beazley
  • At-Bay
  • Cowbell

Insurance category: Audit trail & log retention
Min. 90 days required by most carriers

What insurers ask:
  • “Do you maintain audit logs for privileged account activity?”
  • “What is your log retention period?”
  • “Can you produce who changed what, when, and from where?”

How Cohesity Identity Resilience addresses it:
  • Complete audit trail of all AD changes: actor, timestamp, source, changed attribute
  • Immutable log store—tamper-resistant change history
  • Automated remediation of unwanted or malicious changes—no manual recovery point search
  • Exportable compliance reports for insurer submission

Evidence you can provide:
  • Exported change log showing 90+ days of AD audit history
  • Sample report showing full audit trail for sample privilege change event
  • Log retention policy documentation

Insurer coverage:
  • Travelers
  • Hartford
  • AIG
  • Chubb

Identity Vulnerability & Misconfiguration Management

Insurance category: AD misconfiguration detection
Risk scoring for underwriting

What insurers ask:
  • “Do you conduct regular assessments of Active Directory misconfigurations?”
  • “Are stale, orphaned, or dormant privileged accounts identified and removed?”
  • “Do you have a process to detect Kerberoastable accounts?”

How Cohesity Identity Resilience addresses it:
  • Continuous monitoring and scoring against CIS, MITRE ATT&CK, MITRE D3FEND, ANSSI, and Microsoft benchmarks
  • Identifies stale accounts, orphaned accounts, Kerberoastable SPNs, weak delegations
  • Risk-prioritized remediation queue with severity levels

Evidence you can provide:
  • Purple Knight/DSP assessment with risk score (before/after remediation)
  • Stale account remediation log
  • Quarterly trend showing posture improvement—premium negotiation evidence

Insurer coverage:
  • Coalition
  • At-Bay
  • Cowbell
  • Tokio Marine

Insurance category: Access reviews & certification
Quarterly minimum for most carriers

What insurers ask:
  • “Do you conduct regular access reviews for privileged accounts?”
  • “How often are admin group memberships reviewed and certified?”
  • “Is there a defined offboarding process that includes AD account revocation?”

How Cohesity Identity Resilience addresses it:
  • Continuous visibility into all user and privileged account permissions
  • Automated detection of access drift—accounts accumulating privileges over time
  • Dormant and orphaned account detection with automated alert and removal workflow
  • Access change timeline for every user—supports access certification workflows

Evidence you can provide:
  • Scheduled access review report (quarterly cadence documentation)
  • Orphaned account remediation log showing active governance
  • Policy showing AD account review SLA

Insurer coverage:
  • Chubb
  • AIG
  • Cowbell
  • Beazley (partial)

Incident Response & AD Recovery Readiness

Insurance category: AD forest recovery capability
Direct ransomware coverage requirement

What insurers ask:
  • “Do you have a tested (i.e., actual recovery) Active Directory forest recovery plan?”
  • “How long would AD recovery take after a ransomware attack?”
  • “Are AD backups stored offline / air-gapped and tested regularly?”
  • “What is your last clean backup validation date?”

How Cohesity Identity Resilience addresses it:
  • Automated AD forest recovery—reduces 22-step manual process to a few clicks
  • Recovery with post-breach security assessment
  • Air-gapped, immutable AD backups with configurable frequency
  • Tested recovery RTO: minutes to hours (not days)
  • Cleanroom recovery: restore AD onto new OS, eliminating malware reinjection risk
  • Hybrid recovery: on-prem AD + Entra ID in single recovery workflow

Evidence you can provide:
  • Documented recovery RTO from last recovery test (date + time result)
  • Backup schedule and air-gap configuration screenshot
  • Ransomware IR playbook section covering AD recovery steps
  • Cleanroom recovery test completion certificate

Insurer coverage:
  • All carriers

Insurance category: Ransomware IR playbook
Required by all carriers for ransomware coverage

What insurers ask:
  • “Do you have a documented ransomware incident response playbook?”
  • “Does your playbook include identity system recovery steps?”
  • “Has the playbook been tested via tabletop exercise?”

How Cohesity Identity Resilience addresses it:
  • Cohesity provides pre-built ransomware IR runbook template including AD recovery steps
  • Role-based response workflow: who does what, in what order, after an AD compromise
  • Detection -> containment -> recovery timeline documentation

Evidence you can provide:
  • Signed, dated ransomware IR playbook with AD recovery section

Insurer coverage:
  • All carriers
  • Beazley (specific ask)
  • Coalition (specific ask)

*Features that are bolded are unique to Cohesity’s Identity Resilience solution.

 

9100107-001
