
Cyber Insurance in 2026: What Underwriters Actually Look For

Getting cyber insurance used to be a formality. Now it's a technical audit. Here's what carriers are requiring, what gets applications denied, and how to position your business for better coverage and lower premiums.

Updated January 2026

Cyber Insurance Isn't What It Used to Be

Five years ago, getting cyber insurance was straightforward. Fill out a short questionnaire, check a few boxes, and you'd have a policy. Premiums were low, underwriting was light, and carriers were eager to write policies.

Then the claims started rolling in. Ransomware alone drove billions in payouts. Business email compromise, data breaches, and system outages pushed loss ratios past 70% for many carriers. The industry responded by getting significantly more selective about who they insure and what they require.

In 2026, a cyber insurance application looks more like a security audit than a simple form. Underwriters are asking specific technical questions, requiring evidence of controls, and denying applications that don't meet their minimum standards. Renewals aren't automatic either — carriers are re-evaluating existing policyholders and dropping those who haven't improved.

The Controls Underwriters Require

While every carrier has its own questionnaire, the core requirements have converged around a set of controls that underwriters consider non-negotiable. If you're missing any of these, expect higher premiums, coverage exclusions, or outright denial.

Multi-Factor Authentication (MFA)

Required on all remote access, email, privileged accounts, and cloud services. This is the #1 control carriers ask about. No MFA = no policy for most carriers in 2026.

Endpoint Detection and Response (EDR)

Traditional antivirus isn't sufficient. Carriers want EDR or XDR with active monitoring on all endpoints, and some ask specifically which vendor you use and whether every endpoint actually has the agent installed.

Backup and Recovery

Immutable, tested backups with offline or air-gapped copies. Carriers want to know your backup frequency, retention, and when you last tested a full restore.

Patch Management

A documented patching process with defined timelines. Applying critical patches within 14 days is the common expectation. Automated patching with reporting is strongly preferred.

Security Awareness Training

Regular employee training with phishing simulations. Annual training is the minimum; quarterly is preferred. Carriers want completion rates and program documentation. AI-generated phishing makes effective training more critical than ever.

Incident Response Plan

A documented plan that's been tested. Carriers ask who your IR retainer is, when the plan was last updated, and whether you've conducted tabletop exercises.

What Gets Applications Denied

Carriers have gotten comfortable saying no. Here are the most common reasons we see businesses get denied coverage or face significant premium increases:

No MFA on email or remote access — this alone disqualifies most applicants
Using end-of-life operating systems without ESU or a documented migration plan
No EDR solution deployed (basic antivirus only)
No tested backup and recovery process
Previous breach with no documented remediation
Flat network with no segmentation between IT and OT environments
No security awareness training program
Incomplete or inaccurate application responses

What Gets You Better Rates

Carriers reward businesses that demonstrate a mature security posture. These aren't just "nice to have" — they directly translate to lower premiums and better coverage terms:

Managed Detection and Response (MDR) through a qualified MSSP
Phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys); where that isn't feasible, authenticator apps rather than SMS codes, keeping in mind that app-based codes and push prompts can still be phished by adversary-in-the-middle kits
Documented and tested incident response plan
Regular penetration testing with remediated findings
Compliance certifications (SOC 2, ISO 27001)
Privileged access management and just-in-time admin access
Email security beyond native Microsoft/Google protections
Employee security training with measured improvement over time

The Claims Process: What Actually Happens

It's worth understanding what happens when you file a claim, because it directly affects how you should prepare. When a covered incident occurs:

First, the carrier assigns a breach coach — usually an attorney — who coordinates the response. They'll bring in a forensics firm to investigate the incident, determine the scope, and identify how the attacker got in.

Here's where it gets critical: if the forensics investigation reveals that you misrepresented your security controls on the application, the carrier can deny the claim. If you said you had MFA on all accounts and the attacker got in through a non-MFA account, that's a material misrepresentation. We've seen claims denied for exactly this reason.

This is why accuracy on your application matters more than checking every box. It's better to honestly disclose a gap and pay a slightly higher premium than to claim a control you don't actually have and risk a denied claim when you need it most.

How to Prepare for Your Next Renewal

1. Audit your current controls

Review your MFA deployment, EDR coverage, backup status, and patch compliance. Identify gaps before your carrier does.

2. Fix the dealbreakers first

If MFA isn't on every account, start there. Then address EDR gaps, backup testing, and patching cadence.

3. Document everything

Carriers want evidence, not promises. Screenshot your MFA policies, export your EDR deployment report, and save your backup test results.

4. Be honest on the application

Misrepresenting controls is worse than disclosing gaps. A denied claim due to misrepresentation costs far more than a higher premium.

5. Work with your MSSP

Your security provider should be able to generate the reports and documentation your carrier needs. If they can't, that's a sign they're not managing your security effectively.
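Steps 1 and 3 above (audit your controls, then produce evidence) are easier if the audit is a script you can re-run before every renewal rather than a one-off spreadsheet. The following is an added example, not code from the original article or from Vigil Cyber: it reads a directory export and an endpoint export, applies the thresholds the article describes (MFA on remote and privileged accounts, EDR on every endpoint, no end-of-life OS without ESU, critical patches inside 14 days, a recently tested restore), and separates the dealbreakers from the gaps that merely cost you premium. The CSV layouts, the EOL list, the 90-day restore-test window and every sample row are assumptions or constructed data; substitute your own Entra ID/Okta, EDR console and patch-report exports and your carrier's questionnaire values.

```python
"""
Pre-renewal control audit (added example, not the article's or Vigil Cyber's code).
Scores identity and endpoint exports against the controls underwriters ask about
and splits "dealbreaker" findings (the article's denial list) from lesser gaps.
All CSV layouts, thresholds, the EOL list and sample rows are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Thresholds (assumptions drawn from the expectations the article describes).
CRITICAL_PATCH_SLA_DAYS = 14
BACKUP_RESTORE_TEST_MAX_DAYS = 90          # assumed quarterly full-restore test
# Assumed set of OS versions a carrier would treat as end-of-life.
EOL_OS = {"Windows 7", "Windows Server 2008 R2", "Windows Server 2012 R2", "Windows 10"}

# Constructed sample exports (not real accounts or hosts).
USERS_CSV = """\
user,privileged,remote_access,mfa_method
alice@example.com,yes,yes,fido2
bob@example.com,no,yes,totp
carol@example.com,no,no,none
svc-backup@example.com,yes,no,none
dave@example.com,no,yes,sms
"""
HOSTS_CSV = """\
hostname,os,esu,edr_agent,days_since_critical_patch
fs01,Windows Server 2019,no,yes,3
hr-laptop-07,Windows 10,no,yes,21
legacy-hmi,Windows 7,no,no,400
db02,Ubuntu 22.04,no,yes,9
"""
BACKUP_LAST_RESTORE_TEST = date(2025, 9, 1)   # constructed
AS_OF = date(2026, 1, 15)                      # constructed "today"


@dataclass
class Finding:
    control: str
    severity: str   # "dealbreaker" (article's denial list) or "gap" (premium impact)
    detail: str


def load(csv_text: str) -> list:
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_mfa(users: list) -> list:
    """No MFA on a remote/privileged account is a dealbreaker; SMS there is a gap, not a pass."""
    findings = []
    for u in users:
        method = u["mfa_method"].lower()
        in_scope = u["privileged"] == "yes" or u["remote_access"] == "yes"
        if method == "none":
            findings.append(Finding("MFA", "dealbreaker" if in_scope else "gap",
                                    f"{u['user']} has no MFA"))
        elif method == "sms" and in_scope:
            findings.append(Finding("MFA", "gap", f"{u['user']} relies on SMS codes (phishable)"))
    return findings


def audit_hosts(hosts: list) -> list:
    """Flag EOL OS without ESU, missing EDR agents, and critical patches past the SLA."""
    findings = []
    for h in hosts:
        name, age = h["hostname"], int(h["days_since_critical_patch"])
        if h["os"] in EOL_OS and h["esu"] != "yes":
            findings.append(Finding("EOL OS", "dealbreaker", f"{name} runs {h['os']} without ESU"))
        if h["edr_agent"] != "yes":
            findings.append(Finding("EDR", "dealbreaker", f"{name} has no EDR agent"))
        if age > CRITICAL_PATCH_SLA_DAYS:
            findings.append(Finding("Patching", "gap",
                                    f"{name} critical patch age {age}d > {CRITICAL_PATCH_SLA_DAYS}d"))
    return findings


def audit_backups(last_restore_test: date, as_of: date) -> list:
    """A backup you have not restored from recently counts as an untested backup."""
    age = (as_of - last_restore_test).days
    if age > BACKUP_RESTORE_TEST_MAX_DAYS:
        return [Finding("Backups", "dealbreaker", f"last full restore test was {age} days ago")]
    return []


def run_audit(users_csv=USERS_CSV, hosts_csv=HOSTS_CSV,
              last_restore_test=BACKUP_LAST_RESTORE_TEST, as_of=AS_OF) -> dict:
    """Combine all checks; any dealbreaker means the application would likely be denied."""
    findings = (audit_mfa(load(users_csv)) + audit_hosts(load(hosts_csv))
                + audit_backups(last_restore_test, as_of))
    dealbreakers = [f for f in findings if f.severity == "dealbreaker"]
    return {"pass": not dealbreakers, "dealbreakers": len(dealbreakers), "findings": findings}


def report(result: dict) -> str:
    """Render the evidence-style summary you would hand to your broker or carrier."""
    lines = ["PASS" if result["pass"] else "FAIL: fix dealbreakers before renewal"]
    lines += [f"[{f.severity:11}] {f.control}: {f.detail}" for f in result["findings"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_audit()))
```

On the constructed data the run fails with five dealbreakers: a privileged service account with no MFA, two machines on end-of-life Windows without ESU, one of them with no EDR agent, and a restore test older than the window. Keep the script's output alongside the raw exports it was generated from; that pairing is the evidence the application asks for, and it is also what a forensics firm would compare against your answers after a claim.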

Frequently Asked Questions

Do we really need cyber insurance if we have good security?

Yes. No security is perfect, and the cost of a breach extends beyond what security tools can prevent — legal fees, notification costs, business interruption, regulatory fines, and reputational damage. Insurance is a financial safety net for the scenarios where prevention fails.

What does cyber insurance typically cover?

Most policies cover incident response costs (forensics, legal, notification), business interruption losses, ransomware payments (though this is becoming more restricted), data recovery, regulatory fines and penalties (to the extent they are insurable under applicable law), and third-party liability claims.

Can our MSSP help us get better rates?

Absolutely. Working with a qualified MSSP demonstrates to carriers that your security is professionally managed. We provide documentation, reports, and evidence packages that directly support your insurance application.

What happens if we get breached and our claim is denied?

You're responsible for all costs out of pocket — forensics, legal, notification, regulatory fines, lawsuits, and business losses. For a small business, this can easily reach six or seven figures. That's why accuracy on your application and maintaining the controls you claim to have is critical.


Vantz Stockwell

Co-Founder & CFO

Vigil Cyber provides 24/7 managed security operations for small and mid-sized businesses across the Southeast. Our team combines rigorous operational discipline with enterprise security expertise.
