Cyber insurance is no longer a nice-to-have for nonprofits. It is a necessary financial protection, and it is becoming harder to qualify for.
Insurers have tightened requirements significantly over the past two years. What got an organization approved in 2021 will not necessarily get it approved today. Nonprofits in Prince George’s County that have not reviewed their security posture recently may be carrying risk they cannot cover, or paying for coverage that will not pay out when they need it.
This post covers what cyber insurers look for, what gets nonprofit applications denied, and how to get ready in 30 days.
What Cyber Insurers Look For
Insurers evaluate nonprofit applicants the same way they evaluate any small organization: they want to see that you take basic security seriously and that you have documented it.
Multi-Factor Authentication
MFA on email and remote access is now a baseline requirement for most cyber insurance carriers. If you cannot answer yes to “Is MFA enforced on all email accounts and remote access?” you will likely be denied, offered a smaller policy, or charged significantly higher premiums.
Documented Security Policies
Insurers want to see that your organization has written policies for how sensitive data is handled. This includes an acceptable use policy, a data handling policy, and some form of incident response procedure. These do not need to be complex, but they need to exist and be current.
Endpoint Protection
You need antivirus or endpoint detection software on all devices used for organizational work. Insurers ask about this specifically. “We use Windows Defender” is an acceptable answer, but you need to know what you have and be able to say it clearly.
Backup Procedures
Regular, tested backups of critical data are a requirement. The key word is tested. Many organizations back up data but have never confirmed the backups actually restore. If something goes wrong, an untested backup is not a backup — it is a hope.
Vendor and Third-Party Access Management
If you give vendors, contractors, or volunteers access to your systems, insurers want to know how you manage that access. Do you revoke access when someone leaves? Do you know who has access to what?
What Gets Nonprofit Applications Denied
The most common reasons PG County nonprofits get denied or see applications stall:
No MFA on Microsoft 365 email. This is the single most common disqualifier. If your staff are logging into email with just a password, most insurers will not write your policy.
No documented incident response plan. Insurers see this as a signal that the organization would not handle a breach well, which increases their expected payout. Many carriers now require a basic incident response procedure as part of the application.
Outdated or unpatched systems. Running Windows systems that are not receiving regular updates is a red flag. Insurers ask about patch management practices. “We update when we remember to” is not a good answer.
No formal security awareness training. Phishing is the number one delivery mechanism for ransomware and credential theft. Insurers want to know that staff have received at least basic training on recognizing and handling phishing attempts.
Poor Microsoft 365 configuration. Beyond MFA, insurers are increasingly asking about broader M365 security settings. Legacy authentication protocols, shared admin accounts, and open external sharing settings all signal elevated risk.
How to Get Ready in 30 Days
Thirty days is enough time to address the most critical gaps for most nonprofits. Here is a realistic sequence.
Week 1 — MFA and Account Security
Turn on and enforce multi-factor authentication across all Microsoft 365 accounts. This includes staff, volunteers, and any shared accounts. Remove shared passwords where possible. Disable legacy authentication protocols in the M365 admin center.
Week 2 — Endpoint and Backup Review
Audit which devices access organizational systems. Confirm endpoint protection is installed and active on all of them. Test your backups by restoring a sample of files. Document the backup schedule and retention period.
Week 3 — Policies and Documentation
Write or update your acceptable use policy and data handling policy. Draft a one-page incident response procedure that covers who to call, who makes decisions, and how the organization communicates during a breach. These do not need to be lengthy — they need to exist.
Week 4 — Security Awareness and Application Prep
Deliver a basic phishing awareness session to staff and volunteers. It can be a 30-minute walkthrough. Document that it happened and who attended. Then pull your cyber insurance application, review every question against what you have documented, and address any remaining gaps before submitting.
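One way to run the Week 2 restore test and keep a record of it, as an added example that is not part of the original post: record a SHA-256 manifest when the backup is taken, then check a random sample of restored files against it, so files edited after the backup do not cause false failures. The function names, folder layout and sample files are assumptions made for illustration.

```python
import hashlib
import random
import tempfile
from datetime import date
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Run at backup time: map each file's relative path to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root, sample_size=25, seed=None):
    """Check a random sample of restored files against the backup-time manifest."""
    sample = random.Random(seed).sample(sorted(manifest), min(sample_size, len(manifest)))
    report = {"date": date.today().isoformat(), "checked": len(sample),
              "ok": [], "missing": [], "corrupt": []}
    for name in sample:
        restored = Path(restored_root) / name
        if not restored.is_file():
            report["missing"].append(name)      # file never came back
        elif sha256_file(restored) != manifest[name]:
            report["corrupt"].append(name)      # came back, but contents differ
        else:
            report["ok"].append(name)
    report["passed"] = not report["missing"] and not report["corrupt"]
    return report

def demo():
    """Constructed sample data: one file restores cleanly, one is damaged, one is lost."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        for name in ("donors.csv", "grants.txt", "board-minutes.txt"):
            (src / name).write_text("constructed sample: " + name)
        manifest = build_manifest(src)
        (dst / "donors.csv").write_text("constructed sample: donors.csv")
        (dst / "grants.txt").write_text("truncated")
        return verify_restore(manifest, dst, sample_size=3, seed=1)

if __name__ == "__main__":
    print(demo())
```

The returned report carries the test date and the pass or fail result, so it can be saved alongside the documented backup schedule and retention period.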
Why Microsoft 365 Hardening Matters for Qualification
Most Prince George’s County nonprofits run their operations on Microsoft 365. That makes M365 security the single highest-leverage area for cyber insurance readiness.
An M365 environment with enforced MFA, conditional access policies, properly configured email authentication, and appropriate admin controls checks multiple boxes on a typical cyber insurance application at once. It addresses credential risk, account takeover risk, and email-based attack risk in a single set of changes.
Conversely, an M365 environment with default settings and no security hardening is one of the fastest ways to get an application denied or receive a policy with significant carve-outs.
Hardening M365 before a cyber insurance application is one of the most practical and high-return investments a nonprofit can make. It improves your security and your insurability at the same time.
NexSecure Works With PG County Nonprofits
NexSecure Solutions LLC is a Bowie, Maryland cybersecurity firm that helps nonprofits across Prince George’s County get cyber insurance-ready. We conduct gap assessments, harden Microsoft 365 environments, help write the policies insurers want to see, and build the documentation that supports a strong application.
We understand nonprofit budget constraints. We build engagements at a scope and price that makes sense for mission-driven organizations.
If your nonprofit is preparing for a cyber insurance application or renewal, start with a free discovery call.
Nigel Roberts, CISSP
Founder, NexSecure Solutions LLC
Bowie, Maryland
