
Cyber insurance requirements AI is driving up for Carolinas businesses

AI-generated attacks have pushed underwriters to tighten their requirements sharply. What North and South Carolina businesses need to demonstrate to get covered and keep premiums from spiraling.

By Devsoft Solutions

Cyber insurance used to be a checkbox. A business filed the application, answered questions about whether it had antivirus and a firewall, paid the premium, and moved on. That era is over for most North and South Carolina businesses, and the shift is not gradual. Underwriters who were approving broad coverage with minimal controls in 2021 are now declining applications, adding exclusions, or requiring evidence of specific technical controls before binding a policy.

The driver is not just the frequency of attacks. It is the economics. AI has made several categories of attack, especially phishing, credential theft, and ransomware delivery, dramatically cheaper to run and harder to defend against. When the claims experience for an underwriter looks like it does right now, the controls required to transfer risk shift accordingly.

If you are a business in North or South Carolina renewing a cyber policy or buying one for the first time in 2026, here is what the landscape looks like and what you need to have in place.

What AI has done to the threat economics

The insurance problem starts on the attack side. Underwriters price risk based on probability and severity of loss. Both numbers have moved in the wrong direction for the same reason: AI has reduced the cost and skill required to run attacks that used to require significant resources.

Phishing quality. Three years ago a targeted phishing email required a skilled attacker who understood the target organization, researched the right employee to impersonate, and wrote convincing prose. AI-assisted phishing does this at scale, at speed, and without a skilled human doing most of the work. A Greenville manufacturing company that received generic “Nigerian prince” style emails in 2020 is receiving highly targeted, contextually accurate messages impersonating its controller or CFO in 2026. The sophistication gap between large enterprises and mid-market businesses, which used to be a real protection, has collapsed.

Ransomware delivery. The ransomware-as-a-service ecosystem has used AI to lower the floor for operators, make initial access tooling more reliable, and compress the time between initial access and full encryption. Dwell times that used to be measured in weeks are now measured in hours for some attack groups. This compresses the window during which defensive controls can catch and stop an intrusion.

Credential stuffing. Automated testing of stolen credential lists against Microsoft 365 and Azure portals now happens at a speed and scale that makes it almost certain a reused password will be exploited within days of a breach list being published. Charlotte financial services firms with employees who reused a password from a retail or social media breach are seeing authentication logs that reflect this reality.

Underwriters know all of this. Their claims data tells them which controls, when absent, correlate with losses. The policy application has become an audit of your security posture. Providing wrong answers costs you at claim time.

The controls underwriters are requiring in 2026

The list of baseline requirements has converged across most major cyber insurance carriers. For a Carolinas business in the $5M to $500M revenue range, expect to be asked about, and expected to demonstrate, the following.

Multifactor authentication on email and remote access. This is no longer optional and is not satisfied by SMS text-based MFA for most underwriters. TOTP authenticator apps (Microsoft Authenticator, Google Authenticator) meet the requirement for most carriers. Phishing-resistant authentication (FIDO2 hardware keys, Microsoft’s passkey support in Entra ID) is becoming required for privileged users, finance roles, and executive accounts at carriers writing higher policy limits. If you are seeking limits above $5M, expect questions about how admin accounts are specifically protected.

Endpoint detection and response. Traditional antivirus is not sufficient. Underwriters want to see EDR with behavioral analysis, not just signature-based detection. Microsoft Defender for Endpoint, included in Microsoft 365 Business Premium and E5 plans, satisfies this requirement for most carriers. CrowdStrike Falcon, SentinelOne, and similar tools also satisfy it. The important word in EDR is “response”: the tool needs to be configured to act on detections, not just log them.

Privileged access controls. Application questions now ask whether privileged accounts (domain admins, global admins, finance system administrators) are protected with separate credentials, time-limited access, and monitored sessions. Microsoft Entra Privileged Identity Management, available in Entra ID P2 licensing which is included in Business Premium and E5, provides the time-limited elevation and audit trail that underwriters are looking for. Using a named global admin account as your daily work account for email and Teams is a material control gap at policy renewal.

Email security beyond the default. Microsoft 365 Defender, specifically the anti-phishing, anti-spoofing, and Safe Links configurations, must be actively configured and not left at defaults. Underwriters with technical questions now include specifics about DMARC, DKIM, and SPF records for your domain. All three should be published and enforced. A Raleigh-Durham tech company that acquired a smaller firm with legacy email infrastructure and never cleaned up the DNS records is a common example of an unnoticed gap that shows up on applications.
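The check below is an added example, not code from Devsoft or any carrier: it audits SPF and DMARC TXT records for the "published but not enforced" gaps described above. The record strings and domains are constructed samples; DKIM is left out because verifying it requires knowing each sender's selector.

```python
# Added example. TXT record strings and domains below are constructed samples.
def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record published"]
    if len(dmarc) > 1:
        return ["DMARC: multiple records, so receivers apply none of them"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={tags.get('p', 'missing')} is not an enforcing policy")
    if tags.get("pct", "100").isdigit() and int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} enforces on only part of the mail")
    if tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    return findings

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, so evaluation ends in permerror"]
    terms = spf[0].lower().split()[1:]
    catch_all = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not catch_all:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another domain's record
        return ["SPF: no 'all' term, so unlisted senders get a neutral result"]
    if catch_all[0] in ("all", "+all", "?all"):
        return [f"SPF: '{catch_all[0]}' does not fail unlisted senders"]
    return []

SAMPLE_ZONES = {  # constructed: a cleaned-up domain and an acquired legacy one
    "example.com": (["v=spf1 include:spf.protection.outlook.com -all"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "legacy.example.net": (["v=spf1 ip4:203.0.113.10 ?all"],
                           ["v=DMARC1; p=none; pct=50"]),
}

def audit_domain(name):
    apex_txt, dmarc_txt = SAMPLE_ZONES[name]
    return audit_spf(apex_txt) + audit_dmarc(dmarc_txt)
```

To audit a live domain, feed the functions the TXT answers for the domain and for `_dmarc.<domain>` from whatever DNS lookup tool you already use.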

Immutable backup with tested recovery. The backup question has evolved. Underwriters want to know three things: how frequently data is backed up, whether those backups are isolated from the primary environment (immutable, not accessible from a compromised admin account), and whether recovery has been tested. A backup that has never been restored is not a backup from an insurance perspective; it is an assumption. For Microsoft 365 environments, native retention policies are not sufficient as a backup answer. Third-party backup tools, Azure Backup for workloads, or Microsoft 365 Backup add-on coverage for SharePoint, OneDrive, and Exchange are the appropriate answers.

Incident response planning. Many carriers now require documented incident response procedures: not just a policy document, but an actionable playbook with named roles and tested procedures. For Eastern NC businesses that do not have a formal IR plan, this is increasingly a requirement for coverage above certain limits rather than a best-practice recommendation.

How Microsoft 365 Business Premium and E5 address most of these requirements

The good news for Carolinas businesses already in the Microsoft ecosystem: Microsoft 365 Business Premium and E5 cover most of the technical control requirements above, when properly configured. The bad news: having the license is not the same as having the control in place. Default configurations do not satisfy underwriter requirements.

Business Premium includes: Microsoft Defender for Endpoint (EDR), Entra ID P2 (Conditional Access, Identity Protection, Privileged Identity Management), Microsoft Defender for Office 365 Plan 1 (anti-phishing, Safe Links, Safe Attachments), Intune for device management, and Microsoft Purview Information Protection for data classification.

E3 plus E5 Security, or full E5, adds Defender for Office 365 Plan 2, Microsoft Sentinel integration, and Defender XDR correlation across the full stack.

What this means in practice: a Charlotte financial services firm with 75 users on Business Premium that has properly configured Conditional Access, enabled Identity Protection, deployed Defender for Endpoint on all managed devices, hardened its email authentication, and documented its incident response plan can walk into a cyber insurance renewal and answer the control questions accurately. The configuration work, not the license purchase, is what produces an insurable posture.

The configuration gap is where we see most Carolinas businesses stumble. The licenses have been purchased. The admin portal exists. The controls have not been turned on, or they are in audit-only mode, or MFA was deployed for most users but not finance and not the IT admin accounts.
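An added example, not Devsoft's or Microsoft's code, that surfaces the gaps just described: MFA policies left in report-only mode and exclusions that carve groups out of coverage. It assumes policies in the JSON shape Microsoft Graph returns for Conditional Access; the policy names, placeholder IDs and states are constructed.

```python
# Added example. Policy names, IDs and states below are constructed samples in the
# shape Microsoft Graph returns for Conditional Access policies.
POLICIES = [
    {"displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["<finance-group-id-placeholder>"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admin roles",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": [],
                              "includeRoles": ["<role-template-id-placeholder>"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]

def requires_mfa(policy):
    """True if the policy grants access only with MFA or an authentication strength."""
    grant = policy.get("grantControls") or {}
    return ("mfa" in (grant.get("builtInControls") or [])
            or bool(grant.get("authenticationStrength")))

def review_policies(policies):
    """Return (policy, finding) pairs for MFA policies that are not fully enforced."""
    findings, enforced_for_all = [], False
    for policy in policies:
        if not requires_mfa(policy):
            continue
        name, state = policy["displayName"], policy.get("state")
        users = policy["conditions"]["users"]
        if state == "enabledForReportingButNotEnforced":
            findings.append((name, "report-only: results are logged, MFA is not required"))
        elif state != "enabled":
            findings.append((name, f"state={state}: policy is not applied"))
        for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
            if users.get(key):
                findings.append((name, f"{key}: {len(users[key])} exclusion(s) to justify"))
        if state == "enabled" and "All" in (users.get("includeUsers") or []):
            enforced_for_all = True
    if not enforced_for_all:
        findings.append(("tenant", "no enforced MFA policy includes all users"))
    return findings
```

Exclusions are reported for review rather than as failures, since an emergency-access account is a legitimate exclusion that still has to be documented.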

What the application process looks like now

Cyber insurance applications have lengthened considerably. For limits above $1M, expect a questionnaire that asks specifically about:

  • Number of employees with privileged access and how those accounts are protected
  • Whether MFA is in place for all users or only some, and for which applications
  • Whether you use an EDR solution and which one
  • The backup frequency, isolation method, and last recovery test date
  • Whether you have a ransomware-specific incident response plan
  • Whether you have cyber security awareness training and how frequently it runs

Some carriers at higher limits now require either an attestation from your IT provider or a third-party security assessment. For Research Triangle life sciences companies subject to HIPAA, the overlap between HIPAA security rule requirements and cyber insurance requirements has become significant: demonstrating HIPAA security rule compliance provides substantial evidence for many underwriter questions.

Completing the application with accurate answers requires knowing what you have and what you do not. Answering inaccurately, either overstating controls or genuinely not knowing the state of your environment, creates coverage risk. A claim denial based on material misrepresentation on the application is a real outcome that happens when control gaps are discovered during the investigation of a loss.

The AI angle on the assessment side

It is worth noting that underwriters are also using AI on their side of this equation. Several major carriers now run automated pre-binding assessments that scan publicly visible indicators of your security posture: open ports, certificate status, email authentication records, dark web credential exposure for your domain, and technology stack signals from public sources. These scans happen before underwriting conversations in many cases, and the results influence whether the application proceeds and at what price.

For Upstate South Carolina manufacturing businesses with externally exposed management interfaces (RDP, VPN concentrators on default ports, unpatched public-facing applications), these pre-binding scans surface findings that either delay coverage or add specific exclusions. The scan results are the starting point for the underwriter, not a separate process.

A practical readiness checklist for Carolinas businesses

Before your next renewal or a first-time application:

Identity and access controls:

  • MFA enforced for all users, not just some
  • Authenticator app or hardware key, not SMS alone, for high-privilege accounts
  • Conditional Access policies in enforce mode (not report-only)
  • Named privileged admin accounts separate from daily work accounts
  • Entra ID Privileged Identity Management enabled for Global Admin and other high-privilege roles

Endpoint and email protection:

  • Defender for Endpoint or equivalent EDR deployed and actively monitored on all managed endpoints
  • Safe Links, Safe Attachments, and anti-phishing policies in Defender for Office 365 configured beyond defaults
  • DMARC with reject or quarantine policy published and enforced
  • DKIM and SPF configured for all sending domains

Backup and recovery:

  • Daily or continuous backup of Microsoft 365 data (Exchange, SharePoint, OneDrive, Teams) using a third-party backup solution or Microsoft 365 Backup
  • Backup storage isolated from primary Microsoft 365 admin access
  • Documented and tested restore procedure with a record of the last test date

Governance and documentation:

  • Incident response plan with named roles and contact list
  • Security awareness training program with documented completion rates
  • Asset inventory of managed devices and privileged accounts

What to do before the next renewal

For most Carolinas businesses, the gap between current state and the state required to answer a cyber insurance application accurately is a configuration and documentation project, not a major technology procurement. The tools are usually already in the Microsoft 365 subscription. The question is whether they are turned on and correctly configured.

Addressing the gaps before the renewal conversation, rather than during it, produces better outcomes: fewer exclusions, lower premiums, and a coverage position that actually transfers the risk it is supposed to transfer. The policy that costs the most and covers the least is the one purchased without understanding what the controls questions are actually asking.


Devsoft Solutions works with businesses across North and South Carolina on Microsoft 365 security configuration, Entra ID hardening, and cyber insurance readiness. If you are preparing for a renewal or want to assess your current control posture, get in touch.