The Cyber Insurance Crackdown on Shadow IT
- Martin Snyder
- 5 days ago
- 4 min read

If you’ve noticed tougher questionnaires, “must-have” controls, and underwriters asking for proof—not promises—you’re seeing the cyber insurance crackdown on Shadow IT. The fastest path to compliance (and lower premiums) is visibility: Waldo Security discovers every SaaS app and account in minutes (including shadow and AI tools), flags SSO/MFA gaps, governs risky OAuth scopes, automates offboarding, and exports audit-ready evidence. Start with Instant SaaS Discovery, then keep your artifacts clean with our SaaS Compliance Overview.
Why carriers are tightening the screws
After years of heavy losses, insurers are rewarding organizations that can prove strong controls and penalizing those that can’t. Marsh’s 2025 market update links stable rates to better controls and underwriting confidence—translation: evidence moves the needle on price and capacity. (Marsh)
Underwriters aren’t just reading PDFs anymore. They’re verifying MFA, EDR/MDR/XDR, and 24/7 monitoring—often through telemetry or external validation rather than self-attestations. RPS’s 2025 update explicitly calls out verifying MFA and endpoint protections and the industry’s shift away from “trust us” questionnaires. (RPSIns)
And core control expectations (MFA, backups, training) are now table stakes; several carriers publish public checklists reflecting what they’ll expect at binding and claim time. (Coalition)
Shadow IT is the deal-breaker
Shadow apps, duplicate tenants, and unmanaged OAuth connections don’t just increase breach risk—they break your insurance story. If your policy requires MFA/SSO “across the environment,” those unknown tools can become grounds for coverage disputes.
That’s not hypothetical. In July 2025, the City of Hamilton (Ontario) disclosed its insurer denied a multi-million-dollar claim after a 2024 ransomware incident, citing lack of fully implemented MFA—an explicit policy condition. Local reporting and the city’s own release confirm the denial and cost. (Global News, Yahoo News, City of Hamilton)
Lesson: if you can’t prove control coverage across all services—not just the big suites—you’re betting your balance sheet on exceptions.
Yes, underwriters can already see your shadow estate
Insurers and reinsurers increasingly use external attack surface data during underwriting to spot exposed services, outdated software, and shadow assets. Coalition publicly describes “public web scanning” as part of its Active Risk Platform; Bitsight markets underwriting data to carriers; Gallagher Re has published analyses correlating external scan data with claims outcomes. (Coalition, Bitsight)
In plain English: assume your carrier has a partial map of your internet-facing footprint before you even apply. Your job is to make sure your map is better—and matches reality inside the firewall, where SaaS and identities live.
What carriers are really checking (and how Shadow IT undermines each)
MFA/SSO coverage
Expectation: MFA everywhere that matters—email, VPN, admin, privileged, remote access, and high-risk SaaS.
Shadow risk: personal accounts, unmanaged tenants, and OAuth “Sign in with…” consents with offline_access bypass front-door MFA. (RPSIns)
Endpoint & detection
Expectation: EDR/MDR/XDR with 24/7 response.
Shadow risk: unregistered devices accessing unsanctioned apps produce blind spots that negate those investments. (RPSIns)
Backups & recovery
Expectation: tested, segmented, quick-restore backups.
Shadow risk: data created in unsanctioned apps may be outside retention and recovery plans. (Coalition)
Third-party hygiene
Expectation: vendor oversight and hard requirements in contracts.
Shadow risk: “micro-vendors” and AI plug-ins slip through vendor risk management entirely—until a breach or a claim.
A simple playbook to pass underwriting—and sleep at night
1) Get a living SaaS inventory (non-negotiable)
Aggregate IdP sign-ins, email/collab logs, DNS/proxy, browser extensions, and expense data. Tag each app with owner, department, SSO/MFA status, admin count, OAuth scopes (*.ReadWrite.All, offline_access), and data sensitivity. This gives you the only answer underwriters truly trust: what exists, who uses it, and how it’s secured.
Waldo builds this inventory in minutes and highlights the gaps that underwriters will question.
2) Close SSO/MFA bypass paths
Require SSO for high-risk apps; disable local passwords.
Restrict user consent to verified publishers and low-risk scopes; require admin approval for tenant-wide or write scopes.
Revoke unused persistent tokens; time-box admin elevation.
These are the exact failure modes that derail claims (see Hamilton). (Global News, City of Hamilton)
3) Align to what carriers validate
Mirror the control sets carriers already check: MFA everywhere it counts, EDR/MDR/XDR visibility, tested backups, and continuous monitoring—with exportable proof. RPS’s guidance on verification is a good proxy for what you’ll be asked to show. (RPSIns)
4) Prepare for outside-in scans
Review external attack surface findings and fix easy exposures (stale subdomains, open services, weak crypto). If an insurer can see it, an attacker (and an underwriter) can too. (Coalition, Bitsight)
5) Operationalize evidence
Pipe SaaS audit logs to your SIEM; generate monthly packets: SSO/MFA coverage, admin changes, OAuth diffs, offboarding timestamps, and exceptions. When pricing or renewal time comes, you won’t be scrambling for screenshots. Marsh notes controls + evidence are translating to more favorable outcomes. (Marsh)
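The following is an added illustration of steps 1, 2 and 5 together, not code from Waldo or from this post: it builds a minimal SaaS inventory from constructed IdP sign-in and OAuth consent records, flags the persistence-plus-privilege grants (write or tenant-wide scopes combined with offline_access) and the high-risk apps that lack SSO/MFA, and emits the coverage numbers an evidence packet would carry. App names, users and the high-risk tagging are hypothetical sample data.

```python
"""Constructed SaaS inventory, OAuth gap check and evidence KPIs (sample data, not real telemetry)."""
from collections import defaultdict

# Constructed records shaped like an IdP sign-in export and an OAuth consent export.
SIGNINS = [
    {"app": "crm.example", "user": "ann", "sso": True, "mfa": True},
    {"app": "crm.example", "user": "bob", "sso": True, "mfa": True},
    {"app": "notes-ai.example", "user": "bob", "sso": False, "mfa": False},  # shadow AI tool, local login
    {"app": "notes-ai.example", "user": "cat", "sso": False, "mfa": False},
    {"app": "vpn.example", "user": "ann", "sso": True, "mfa": False},  # SSO without MFA enforced
]
GRANTS = [
    {"app": "notes-ai.example", "scopes": ["Files.ReadWrite.All", "offline_access"]},
    {"app": "crm.example", "scopes": ["User.Read"]},
    {"app": "calendar-bot.example", "scopes": ["Calendars.ReadWrite", "offline_access"]},
]
HIGH_RISK = {"crm.example", "vpn.example", "notes-ai.example"}  # hypothetical data-sensitivity tags

def is_high_privilege(scopes):
    """Write or tenant-wide scopes (e.g. *.ReadWrite.All) that should need admin approval."""
    return any(".All" in s or "ReadWrite" in s for s in scopes)

def persistence_plus_privilege(grant):
    """offline_access yields a refresh token that outlives the MFA prompt; with a write scope it is the risky combo."""
    scopes = set(grant["scopes"])
    return "offline_access" in scopes and is_high_privilege(scopes)

def build_inventory(signins, grants):
    """App -> users, SSO/MFA status, risky grant count. One local login breaks an app's coverage."""
    inv = defaultdict(lambda: {"users": set(), "sso": True, "mfa": True, "risky_grants": 0})
    for s in signins:
        a = inv[s["app"]]
        a["users"].add(s["user"])
        a["sso"] &= s["sso"]
        a["mfa"] &= s["mfa"]
    for g in grants:
        inv[g["app"]]["risky_grants"] += 1 if persistence_plus_privilege(g) else 0  # OAuth-only apps still get listed
    return dict(inv)

def kpis(inv, high_risk):
    """Evidence-packet numbers: SSO/MFA coverage over high-risk apps, risky grants, and the gap list."""
    def covered(a):  # an app with no observed sign-ins is unknown, so it does not count as covered
        return bool(a["users"]) and a["sso"] and a["mfa"]
    hr = [inv[a] for a in high_risk if a in inv]
    return {
        "sso_mfa_coverage_pct": round(100 * sum(covered(a) for a in hr) / len(hr), 1) if hr else 0.0,
        "risky_grants": sum(a["risky_grants"] for a in inv.values()),
        "gaps": sorted(n for n in high_risk if n in inv and not covered(inv[n])),
    }
```

Feed the same two exports in monthly and diff the returned dict to get the OAuth and coverage trend lines the KPIs below ask for.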
KPIs underwriters (and boards) actually respect
Unknown → Known: % of traffic/spend tied to inventoried apps
SSO/MFA coverage: across high-risk SaaS and privileged users
OAuth health: # of high-privilege grants with offline_access; % reduced MoM
External exposure: # of critical outside-in findings open >30 days
Evidence freshness: % of artifacts updated in last 30 days
Hit these, and you’ll feel the “crackdown” less as friction and more as leverage.
Where Waldo fits
Discovery that finishes: See sanctioned and shadow SaaS (including AI tools) fast.
Guardrails, not gates: Enforce SSO/MFA, right-size roles, and set consent policies without slowing teams.
OAuth governance: Spot and kill the persistence-plus-privilege combos that derail claims.
Long-tail offboarding: Remove access and tokens everywhere, not just in the big suites.
Audit-ready proof: One-click, framework-aligned exports via the SaaS Compliance Overview.
Bottom line: Carriers are done taking your word for it. Shadow IT turns “we have MFA” into “we almost had MFA”—and that’s now the difference between a paid claim and a painful headline. Get the map, close the gaps, and keep the receipts. Waldo makes that routine instead of heroic. Start with Instant SaaS Discovery.