California Regulatory Requirements
Updated California privacy regulations are raising the bar for qualifying businesses. New requirements around documented security controls, risk assessments, and cybersecurity audits are being phased in through 2030.
- Documented security controls proportional to data sensitivity
- Regular risk assessments for businesses handling personal information
- Phased audit requirements for qualifying organizations
- Written incident response procedures
- Evidence of reasonable security measures
Cyber Insurance Requirements
Carriers have significantly tightened underwriting requirements. 41% of first-time applications are denied, most commonly for missing baseline controls that insurers now consider non-negotiable.
- Multi-factor authentication (MFA) on all remote access and admin accounts
- Endpoint detection and response (EDR) on all devices
- Immutable or offline backups with tested recovery
- Written and tested incident response plan
- Annual security awareness training for all employees
- Patch management within 30 days of release
- Documented access controls and least-privilege policies
Both regulators and insurers are converging on the same baseline controls. The quiz below checks your organization against both.
Check Your Readiness
Answer 7 yes-or-no questions to see how your organization compares to what insurers and regulators commonly look for.
- 17% of SMBs have cyber insurance
- $100K average cyber claim
- 41% of first applications denied
Sources: TransUnion/Aviva (2025), Coalition Cyber Claims Report (2024), industry surveys.