Security awareness training for cyber insurance: an MSP evidence guide
Security awareness training for cyber insurance should give MSP clients cleaner evidence, not another last-minute questionnaire scramble.

DefendWise
DefendWise
TL;DR
Security awareness training for cyber insurance is not about promising a cheaper premium. It is about helping MSP clients answer risk questions with dated, client-ready evidence instead of screenshots, memory, and rushed spreadsheets.
The MSP job is to make the evidence boring: who was in scope, what training ran, who completed it, what phishing education happened, what exceptions remain, and what the client should do next.
A good evidence pack does not claim that awareness training proves compliance or stops every attack. It shows that the client has a repeatable training program, that users know how to spot and report suspicious activity, and that the MSP can explain the record before the renewal deadline.
What is security awareness training for cyber insurance?
Security awareness training for cyber insurance is the training, phishing education, reporting, and evidence record a client may need when an insurer, broker, auditor, or board asks how the organisation educates users about cyber risk.
For MSPs, the phrase matters because the client often does not ask for “a security awareness program.” They ask for help with a cyber insurance questionnaire.
That questionnaire may ask whether employees receive cybersecurity training, whether phishing is covered, whether users know how to report suspicious messages, and whether the organisation can show current records. The exact wording changes by carrier and policy. The operating problem is steady: the client needs clean answers, and the MSP needs to avoid overclaiming.
Security awareness training is one part of that answer. It sits alongside MFA, backup, endpoint protection, email security, access control, logging, incident response, and recovery planning. The National Cyber Security Centre’s cyber insurance guidance frames insurance as one part of cyber-risk management, not a replacement for security work NCSC cyber insurance guidance.
Training also maps to mainstream security guidance. NIST CSF 2.0 includes awareness and training under Protect, PR.AT: personnel are provided with cybersecurity awareness and training so they can perform tasks with cyber risks in mind NIST CSF PR.AT. CIS Control 14 is dedicated to security awareness and skills training CIS Control 14. CISA tells small and medium-sized businesses to teach employees how to avoid phishing CISA phishing guidance.
Those sources do not say “training guarantees insurance.” They say training is a normal, expected part of managing human risk. That is the safer and more useful position for MSPs.
Why this matters for MSPs
Cyber insurance work often lands on the MSP at the worst possible time.
A client renewal is due. The broker sends a questionnaire. The client forwards it to the account manager or vCISO. The MSP now has to answer questions about controls that may sit across several systems, several service owners, and several months of work.
Security awareness is one of the easier areas to document if the MSP has a repeatable process. It is one of the messiest areas if the MSP only has partial user lists, one-off training exports, and no clear review rhythm.
The commercial risk is not only the questionnaire. It is the relationship damage when the client discovers gaps late.
Common MSP pain points look like this:
- The client asks whether “all employees” received training, but the MSP only trained a purchased seat count.
- The insurer asks about phishing education, but the MSP cannot show whether users were told how to report suspicious messages.
- The account manager has a completion CSV, but it does not explain scope, exceptions, dates, or follow-up.
- The client wants a confident answer, but the MSP can only say “we think so.”
- A renewal deadline turns a simple evidence question into a service-desk scramble.
This is where security awareness training becomes an operations problem, not a content problem.
The MSP needs a service model that can answer the same basic questions for every client:
| Insurance evidence question | What the MSP should keep | Why it matters |
|---|---|---|
| Who was covered? | Client, user group, role, and date-based scope | Prevents vague “all staff” claims when the scope was narrower |
| What did users receive? | Training topics, phishing education, reminders, and campaign dates | Shows the program is real, not a checkbox |
| Who completed it? | Completion status, overdue users, exemptions, and follow-up notes | Turns training into an auditable record |
| How do users report suspicious activity? | Reporting instructions, mailbox/button/process notes, and client comms | Supports CISA-style phishing reporting expectations |
| What changed after review? | Client summary, risks, next steps, and exceptions | Makes the evidence useful for QBRs and renewals |
The best MSPs make that table routine. They do not rebuild it during renewal week.
What MSPs actually need in the evidence file
A cyber insurance evidence file does not need to be theatrical. It needs to be clear.
Start with scope. Scope is where many insurance answers go bad. If the client has 200 users but only 120 were trained, the record should say that. If contractors, shared mailboxes, break-glass accounts, or dormant users were excluded, note the reason. If executives or finance users received extra phishing education, record that too.
Then capture the training record. A useful record shows the topic, audience, launch date, due date, reminders, completion status, and follow-up. For phishing education, include whether users were taught how to report suspicious messages. CISA’s phishing guidance for small and medium-sized businesses focuses on teaching employees to avoid phishing and making reporting easier CISA teach employees to avoid phishing. NIST’s small-business phishing page also treats phishing as a practical risk that users need to recognise NIST phishing guidance.
Add client-ready interpretation. A raw export is not a client report. The client needs to know what the record means: which groups are complete, which exceptions remain, what risk the MSP sees, and what the client should approve next.
Keep the evidence dated. Cyber insurance questions often care whether controls are current. A 14-month-old training export may not support the answer the client wants to give. Even when the questionnaire does not specify a window, an MSP should be ready to show a recent cadence.
Separate training evidence from broader control evidence. Training can support a cyber insurance answer, but it does not prove that MFA is enforced, backups are tested, or incident response is ready. The CISA #StopRansomware Guide covers broader ransomware prevention and response practices beyond user education CISA #StopRansomware Guide. Keep those evidence tracks separate so the MSP does not accidentally turn an awareness report into a claim about the whole security program.
A clean awareness evidence file should include:
- Client name and evidence period.
- In-scope user population and exclusions.
- Training topics and campaign dates.
- Phishing education and reporting instructions.
- Completion summary and overdue users.
- Reminder and follow-up record.
- Exceptions, approvals, and client-owned decisions.
- MSP notes for the next QBR, renewal, or risk review.
That is enough to support a professional answer without making promises the MSP cannot defend.
Step-by-step: building the MSP evidence workflow
1. Start with the questionnaire language
Do not begin with the platform export. Begin with the client’s actual question.
If the questionnaire asks whether employees receive annual training, the evidence pack needs dates, audience, and completion. If it asks about phishing, the pack needs phishing education and reporting workflow notes. If it asks about policies, technical controls, or incident response, do not answer from the awareness report alone.
Copy the exact questionnaire wording into the client file. Then map each answer to evidence, owner, and confidence.
2. Define scope before training launches
Scope is easier to document before the campaign starts.
Decide which users, groups, locations, and client entities are included. Note which accounts are excluded and why. For MSP clients, this often includes new starters, leavers, seasonal staff, shared accounts, executive roles, service accounts, and contractors.
Do not let seat pricing decide security scope by accident. If the commercial model pressures the MSP to train only some users, the evidence file should not later imply that every user was covered.
3. Use recurring training, not a renewal-week rush
A once-a-year panic creates weak evidence.
A monthly or quarterly rhythm gives the MSP better records and better client conversations. The rhythm can be simple: assign a short module, remind overdue users, capture completion, review exceptions, and write a client note.
The point is not constant noise. The point is that the MSP can show current training activity when the insurance question arrives.
4. Tie phishing education to reporting behavior
Phishing training should not only teach users to spot bad messages. It should teach them what to do next.
CISA’s social-engineering guidance explains how attackers use trust, urgency, and familiar-looking messages to manipulate people CISA social engineering and phishing. The NCSC’s phishing guidance also focuses on spotting and reporting suspicious messages NCSC phishing scams guidance.
For MSPs, the evidence record should include the client’s reporting path. That may be an Outlook report button, a shared mailbox, a ticket route, a helpdesk procedure, or an internal escalation path. If the client has no clear reporting path, record that as a gap instead of hiding it.
5. Keep tenant-separated records
MSPs must be able to show one client’s evidence without exposing another client’s data.
That means the evidence workflow needs tenant separation, client-specific exports, and clear naming. A spreadsheet full of mixed client users is not a professional insurance pack. It is a data-handling risk.
Keep the client report narrow: this client, this period, this scope, this result, this next action.
6. Review exceptions with the client
Overdue users are not only an MSP admin problem. They are often a client management decision.
If the client has executives who skipped training, seasonal workers who left, or departments that need a second reminder, note the exception and decide who owns it. The MSP should not silently carry client-owned exceptions until renewal week.
Use a simple status model: complete, overdue, exempt, out of scope, needs client decision.
7. Write the client summary before it is needed
The final evidence pack should include a short client summary.
Keep it plain:
- what ran,
- who was covered,
- what the completion picture looks like,
- what exceptions remain,
- what the MSP recommends next.
That summary is what the account manager, vCISO, client executive, or broker-facing contact can use. It should be understandable without opening the training platform.
What good looks like
Good cyber insurance evidence has 4 traits: it is current, scoped, tenant-specific, and humble.
Current means it reflects recent activity. A client can still keep older records, but the MSP should be able to show a live program, not only a stale annual export.
Scoped means the record says who was included. “Employees trained” is too vague if only some groups were in scope.
Tenant-specific means the MSP can provide one client’s record without leaking another client’s users or reports.
Humble means the evidence does not overclaim. It says what happened. It does not say training prevents all phishing, guarantees insurance coverage, or proves compliance.
A mature MSP evidence pack might look like this:
| Evidence item | Minimum usable version | Better version |
|---|---|---|
| Scope | User count and client name | User groups, roles, exclusions, source system, and date |
| Training record | Completion percentage | User-level status, topic list, reminders, and overdue follow-up |
| Phishing education | A training module was assigned | Training plus reporting path, client comms, and follow-up actions |
| Client report | CSV export | Branded summary with scope, exceptions, next steps, and source links |
| Renewal support | Answer from memory | Dated evidence pack mapped to the questionnaire wording |
That is the difference between “we have training somewhere” and “here is the record.”
Mistakes to avoid
Saying training guarantees insurance outcomes
Do not promise coverage, acceptance, lower premiums, or easier renewal unless the carrier says it in writing.
Security awareness training can support the evidence file. It does not control underwriting.
Treating a completion percentage as the whole story
Completion matters, but it is not enough.
A 94% completion rate is less useful if no one can explain who was in scope, which users were excluded, what phishing education ran, or what happened to the 6% who did not complete.
Mixing client records
MSPs should never have to clean multi-client evidence in a hurry.
If the evidence pack needs manual filtering, the risk of wrong-client data goes up. Tenant separation and client-specific reporting are not nice extras here. They are basic hygiene.
Letting the insurer’s wording drive unsafe claims
Questionnaires can be blunt. That does not mean the MSP should answer broadly.
If a question asks whether all employees receive training, and the honest answer is “all in-scope active users except approved exclusions,” say that. A precise answer is safer than a confident but weak one.
Waiting until renewal month
Renewal month should be packaging time, not discovery time.
If the MSP only reviews training records when the broker asks, every missing user, stale list, and unclear exemption becomes urgent. Build the review into the normal service rhythm.
Framework and control mapping
Security awareness evidence is easier to defend when it maps to known frameworks without pretending to replace them.
NIST CSF PR.AT is the cleanest general map: personnel receive cybersecurity awareness and training so they can perform tasks with cyber risks in mind NIST CSF PR.AT.
CIS Control 14 gives a more direct awareness-training anchor for organisations using CIS Controls CIS Control 14.
CISA’s small-business and phishing resources give MSPs plain-language support for teaching users to spot phishing and report suspicious activity CISA phishing guidance. NIST’s Small Business Cybersecurity Corner is also useful for client education because it treats cybersecurity as a continuous process, not a one-time questionnaire NIST Cybersecurity Basics.
Use those maps carefully. The MSP can say training evidence supports awareness-training conversations under these references. The MSP should not say the training record proves the client meets every related control unless that has been separately assessed.
How a flat-rate MSP SAT platform helps
For MSPs, cyber insurance evidence gets harder when user coverage is rationed by seat cost.
DefendWise gives MSPs a flat-fee, multi-tenant, white-label security awareness training platform with unlimited users, unlimited client organisations, automated onboarding, AI-native training content, Microsoft 365 sync, Zapier integration, and branded reporting. That makes it easier to train broadly, keep client records separated, and create a clearer evidence pack without a per-user bill driving the scope decision.
If cyber insurance questionnaires are becoming part of your client service rhythm, start by fixing the evidence workflow. Cover the right users, document the exceptions, and make the report useful before renewal week.
For the operating pieces behind that workflow, see the related DefendWise guides to security awareness training for MSPs, phishing simulation for MSPs, and recurring security reporting decks for clients.
Start a free 7-day trial and test whether your next client evidence pack can be built without seat-count cleanup.
Frequently asked questions
Does cyber insurance require security awareness training?
Cyber insurance requirements vary by carrier, policy, client size, industry, and risk profile. MSPs should not promise that training will secure coverage, but they should help clients keep clear awareness-training evidence when questionnaires ask about user education, phishing, and security controls.
What security awareness evidence helps with cyber insurance questionnaires?
Useful evidence includes training scope, completion records, campaign dates, reminder history, phishing education, reporting instructions, exception notes, and a dated client summary. The strongest evidence explains what happened and what remains open.
Can phishing simulation lower cyber insurance premiums?
Do not promise premium reductions unless the carrier says so in writing. Phishing simulation can support a stronger evidence file, but premiums and underwriting decisions depend on the insurer and the client’s broader control set.
How often should MSPs review awareness evidence for insurance?
Review it at least before renewal and after any major client change. A monthly or quarterly evidence rhythm is better because the MSP can fix gaps before the renewal questionnaire arrives.
Should MSPs include every user in security awareness training?
The best default is broad coverage with clear exceptions. If some users are excluded, the evidence pack should show why rather than implying that every employee was trained.
What should MSPs avoid saying about cyber insurance and training?
Avoid saying that training guarantees coverage, proves compliance, prevents incidents, or replaces MFA, backup, endpoint, email security, or incident response controls. Treat training as one evidence layer inside a broader risk program.
How does DefendWise help MSPs with cyber insurance evidence?
DefendWise helps MSPs run white-label, multi-tenant security awareness training with unlimited users, automated onboarding, and branded reporting under a flat monthly fee. That supports cleaner evidence packs, but the MSP and client still own the full insurance answer.
Sources
- CISA — Teach Employees to Avoid Phishing: https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/teach-employees-avoid-phishing
- CISA — Avoiding Social Engineering and Phishing Attacks: https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
- CISA — #StopRansomware Guide: https://www.cisa.gov/stopransomware/ransomware-guide
- CIS — Control 14: Security Awareness and Skills Training: https://www.cisecurity.org/controls/security-awareness-and-skills-training
- NIST CSF 2.0 — PR.AT Awareness and Training: https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-at/
- NIST — Phishing: https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/phishing
- NIST — Cybersecurity Basics: https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics
- NCSC — Cyber insurance guidance: https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance
- NCSC — How to spot and report phishing scams: https://www.ncsc.gov.uk/collection/phishing-scams
- Verizon — Data Breach Investigations Report landing page: https://www.verizon.com/business/resources/reports/dbir/