Cybersecurity Insurance Requirements in 2026: The IT Controls Your Business Must Have


In 2021, you could get a cyber insurance policy by filling out a 10-question application and writing a check. In 2026, carriers want proof. Not promises — proof. Documented evidence that you've implemented specific security controls before they'll issue coverage, and ongoing verification that those controls remain in place when you file a claim.
The shift happened because carriers lost money. Ransomware claims exploded in 2020-2022, loss ratios exceeded 70% for many carriers, and the industry responded by tightening underwriting requirements dramatically. The result: businesses that can't demonstrate a baseline security posture either can't get coverage at all, or they're paying 2-3x market rates with significant coverage exclusions.
This guide covers exactly what cyber insurance carriers require in 2026, how to document compliance, and the specific technical controls that either qualify you for coverage or disqualify you.
The Mandatory Controls: What Every Carrier Now Requires
These controls appear on virtually every cyber insurance application in 2026. If you answer "no" to any of these, expect either a declination, a sublimit, or an exclusion.
1. Multi-Factor Authentication (MFA)
Requirement: MFA enabled on all remote access (VPN, RDP), all email accounts, all admin/privileged accounts, and all cloud services.
This is the single most common reason for application denial. Carriers have seen too many claims where a single compromised password led to a six-figure loss. They're done accepting "we're planning to implement MFA" — they want it active, now, on every account type.
What carriers verify:
- MFA on Microsoft 365 / Google Workspace for all users (not just admins)
- MFA on VPN and any remote access solution
- MFA on admin portals (Azure, AWS, firewall management, backup console)
- Legacy authentication protocols blocked (protocols that bypass MFA)
What carriers reject: SMS-based MFA is increasingly viewed as insufficient due to SIM-swapping attacks. Leading carriers now prefer app-based MFA (Microsoft Authenticator, Google Authenticator) or phishing-resistant MFA (FIDO2 security keys). Some carriers won't penalize SMS MFA yet, but the trend is clear — upgrade to app-based MFA now.
2. Endpoint Detection and Response (EDR)
Requirement: EDR deployed on all endpoints (workstations and servers) with active monitoring.
Traditional antivirus is no longer sufficient for underwriting purposes. Carriers specifically ask for EDR — platforms like SentinelOne, CrowdStrike, Microsoft Defender for Endpoint, or Bitdefender GravityZone — that provide behavioral detection, automated response, and forensic telemetry.
Why carriers care: EDR dramatically reduces the severity of ransomware incidents. If the EDR catches and isolates the ransomware before full encryption, the claim goes from $500,000 to $5,000. That's a 99% reduction in the carrier's payout. They want EDR because it directly reduces their risk.
If your managed IT provider runs consumer antivirus (Norton, McAfee, basic Windows Defender without the Defender for Endpoint license), you may not qualify for coverage.
3. Backup with Offline/Immutable Copies
Requirement: Regular automated backups with at least one copy that's offline, air-gapped, or immutable (cannot be modified or deleted by ransomware even with admin credentials).
Carriers learned from ransomware claims that attackers routinely destroy online backups before deploying encryption. If your backup server is domain-joined and accessible from the same network as your production servers, ransomware will encrypt your backups too. Then you're left with no recovery option except paying the ransom.
What carriers verify:
- Automated backup schedule (daily minimum)
- Offsite or cloud backup copy
- Immutable storage (WORM — Write Once, Read Many) or air-gapped copies
- Regular restore testing (some carriers ask for documented test results)
- Defined RPO (Recovery Point Objective) and RTO (Recovery Time Objective)
Don't forget SaaS backup. Microsoft's native M365 retention policies are not backup — and carriers know this. You need third-party backup for Microsoft 365 data (mailboxes, SharePoint, OneDrive, Teams).
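To show what "documented evidence" for this section looks like in practice, here is an added example (not code from the original article or from any backup vendor) that parses a constructed backup job log and checks it against the three things carriers ask about: a successful backup inside the RPO, a successful copy to an immutable or offline target, and a restore test within a set window. The log format, the field names (`job`, `status`, `target`, `immutable`) and the job names are all assumptions made for this example; adapt the parser to whatever your backup product actually exports.

```python
"""Check backup evidence against a carrier-style bar: a daily successful backup,
an immutable/offline copy, and a recent restore test.
Added example, not from the page; the log format and field names are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample log: one line per job run, key=value fields after a UTC timestamp.
SAMPLE_BACKUP_LOG = """\
2026-01-15T10:00:00Z job=restore-test status=success target=cloud-vault immutable=yes
2026-02-26T23:10:04Z job=nightly-files status=success target=local-nas immutable=no
2026-02-26T23:42:51Z job=nightly-files status=success target=cloud-vault immutable=yes
2026-02-27T23:10:09Z job=nightly-files status=success target=local-nas immutable=no
2026-02-27T23:41:30Z job=nightly-files status=failed target=cloud-vault immutable=yes
2026-02-28T23:10:02Z job=nightly-files status=success target=local-nas immutable=no
2026-02-28T23:40:18Z job=nightly-files status=success target=cloud-vault immutable=yes
"""


def _parse_time(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_backup_log(text: str) -> list:
    """Turn each non-empty log line into a dict with a 'time' key plus its key=value fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, *fields = line.split()
        event = {"time": _parse_time(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def assess_backups(events, as_of, rpo_hours=24, restore_test_max_days=90) -> dict:
    """Return {'compliant': bool, 'findings': [...]} for the events as seen at 'as_of'."""
    findings = []
    rpo = timedelta(hours=rpo_hours)
    successes = [e for e in events
                 if e.get("job") != "restore-test" and e.get("status") == "success"]

    # 1. Daily schedule: the newest successful run must be inside the RPO window.
    if not successes:
        findings.append("no successful backup in the log")
    else:
        age = as_of - max(e["time"] for e in successes)
        if age > rpo:
            findings.append(f"last successful backup is {age} old; exceeds the {rpo_hours}h RPO")

    # 2. Immutable/offline copy: a successful run to an immutable target, also inside the RPO.
    immutable = [e for e in successes if e.get("immutable") == "yes"]
    if not immutable:
        findings.append("no successful backup to an immutable/offline target")
    elif as_of - max(e["time"] for e in immutable) > rpo:
        findings.append("most recent immutable copy is older than the RPO window")

    # 3. Restore testing: carriers may ask for the date and result of the last test.
    tests = [e for e in events if e.get("job") == "restore-test" and e.get("status") == "success"]
    if not tests or as_of - max(e["time"] for e in tests) > timedelta(days=restore_test_max_days):
        findings.append(f"no successful restore test in the last {restore_test_max_days} days")

    return {"compliant": not findings, "findings": findings}


def run_check(log_text: str, as_of_iso: str) -> dict:
    """Convenience wrapper: parse the log and assess it as of an ISO-8601 UTC timestamp."""
    return assess_backups(parse_backup_log(log_text), _parse_time(as_of_iso))


if __name__ == "__main__":
    for stamp in ("2026-03-01T09:00:00Z", "2026-03-03T09:00:00Z"):
        print(stamp, run_check(SAMPLE_BACKUP_LOG, stamp))
```

Run as of 1 March the sample passes; run two days later the same log fails on both the RPO and the immutable-copy check, which is exactly the gap a forensic reviewer would find if backups had silently stopped before an incident. Note that the check treats a failed run to the immutable target as simply absent: a successful local-only backup never satisfies the immutable requirement.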
4. Patch Management
Requirement: Critical security patches applied within 30 days of release, with a documented patch management process.
Some carriers are tightening this to 14 days for critical/high-severity vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The logic: if a vulnerability is actively being exploited in the wild and you don't patch it within a reasonable window, the resulting breach is preventable — and the carrier may deny the claim.
What carriers verify:
- Automated patch management system (through RMM platform or WSUS/Intune)
- Patch compliance reports showing current patch levels
- Process for emergency out-of-cycle patching for critical vulnerabilities
- End-of-life software tracking — running unsupported Exchange Server or Windows Server 2012 is an automatic red flag
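As an added example (not from the article or from any RMM vendor), the following Python turns the two deadlines above into a check you can run over exported patch data: a 30-day baseline for critical/high fixes and a 14-day window for anything in CISA's KEV catalog, plus a simple end-of-life flag for the inventory. The vulnerability ids, dates and inventory are constructed placeholders; the EOL dates in `SAMPLE_EOL_DATES` are illustrative and should be confirmed against the vendor's lifecycle pages before being used for an application.

```python
"""Evaluate patch records against a 30-day baseline and a 14-day KEV window,
and flag end-of-life software in an inventory.
Added example, not from the page; ids, dates and inventory are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BASELINE_WINDOW_DAYS = 30   # critical/high fixes: the common carrier baseline
KEV_WINDOW_DAYS = 14        # tighter window some carriers apply to CISA KEV entries


@dataclass
class PatchRecord:
    vuln_id: str              # constructed placeholder ids, not real CVE numbers
    severity: str             # vendor severity: critical / high / medium / low
    released: str             # ISO date the vendor fix became available
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalog
    installed: Optional[str]  # ISO date the fix was applied, or None if still missing


# Constructed sample export, as an RMM might produce it for one server.
SAMPLE_RECORDS = [
    PatchRecord("SAMPLE-1", "critical", "2026-01-05", True, "2026-01-12"),
    PatchRecord("SAMPLE-2", "high", "2026-01-05", False, "2026-02-10"),
    PatchRecord("SAMPLE-3", "critical", "2026-02-20", True, None),
    PatchRecord("SAMPLE-4", "critical", "2026-01-20", False, None),
    PatchRecord("SAMPLE-5", "low", "2026-01-02", False, None),
]

# Illustrative end-of-support dates (assumption for this example; verify with the vendor).
SAMPLE_EOL_DATES = {
    "Windows Server 2012 R2": "2023-10-10",
    "Exchange Server 2016": "2025-10-14",
    "Windows Server 2022": "2031-10-14",
}


def deadline_for(rec: PatchRecord) -> date:
    """KEV entries get the short window; everything else gets the baseline."""
    window = KEV_WINDOW_DAYS if rec.in_kev else BASELINE_WINDOW_DAYS
    return date.fromisoformat(rec.released) + timedelta(days=window)


def evaluate_patches(records, as_of_iso: str) -> dict:
    """Classify in-scope (critical/high) records as compliant, pending or overdue.

    'pending' means not yet installed but still inside the window, so it does not
    count against the compliance percentage; 'overdue' lists (id, days late)."""
    as_of = date.fromisoformat(as_of_iso)
    compliant = pending = 0
    overdue = []
    for rec in records:
        if rec.severity.lower() not in ("critical", "high"):
            continue
        deadline = deadline_for(rec)
        if rec.installed is None:
            if as_of <= deadline:
                pending += 1
            else:
                overdue.append((rec.vuln_id, (as_of - deadline).days))
        elif date.fromisoformat(rec.installed) <= deadline:
            compliant += 1
        else:
            overdue.append((rec.vuln_id, (date.fromisoformat(rec.installed) - deadline).days))
    judged = compliant + len(overdue)
    pct = 100.0 if judged == 0 else 100.0 * compliant / judged
    return {"compliant": compliant, "pending": pending, "overdue": overdue, "compliance_pct": pct}


def eol_findings(inventory, eol_dates, as_of_iso: str) -> list:
    """Return the inventory entries whose end-of-support date is already in the past."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(name for name in inventory
                  if name in eol_dates and date.fromisoformat(eol_dates[name]) < as_of)


if __name__ == "__main__":
    print(evaluate_patches(SAMPLE_RECORDS, "2026-03-01"))
    print(eol_findings(["Windows Server 2012 R2", "Windows Server 2022"], SAMPLE_EOL_DATES, "2026-03-01"))
```

On the sample data one fix was applied inside its KEV window, one was applied six days past the baseline, one is missing and ten days overdue, and one KEV item is still open but within its 14-day window; the low-severity entry is outside the SLA scope. The report distinguishes "pending" from "overdue" deliberately, since a carrier's "failure to maintain" argument rests on fixes that were available and ignored past the window, not on fixes released last week.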
5. Security Awareness Training
Requirement: Regular security awareness training for all employees, including phishing simulations.
Carriers want evidence that you're training your staff to recognize phishing — the #1 initial access vector. Annual compliance video training isn't enough anymore. Carriers look for:
- Monthly or quarterly phishing simulations (KnowBe4, Proofpoint, Cofense)
- Just-in-time training for employees who fail simulations
- Documented training completion rates
- Special training for high-risk roles (finance, executive assistants, IT helpdesk)
6. Email Security
Requirement: Advanced email filtering beyond native protection, including anti-phishing, anti-spoofing, and attachment sandboxing.
Basic spam filtering doesn't satisfy this requirement. Carriers want to see dedicated email security — either Microsoft Defender for Office 365 Plan 2, Proofpoint, Mimecast, or equivalent — that specifically addresses phishing, BEC (business email compromise), and malicious attachments.
They also verify email authentication: SPF, DKIM, and DMARC configuration on your domain. A DMARC policy of p=none (monitoring only) is insufficient — carriers want to see p=quarantine or p=reject to prevent domain spoofing.
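The DMARC bar above is easy to check mechanically. The following added example (not from the article) parses a DMARC TXT record and reports whether it meets the p=quarantine/p=reject bar, and it goes slightly beyond the text by also flagging two settings that quietly weaken an otherwise strict policy: `pct=` below 100, which applies the policy to only that share of failing mail, and an explicit `sp=none`, which leaves subdomains unprotected. The record strings are constructed; look up your own domain's `_dmarc.<domain>` TXT record and pass it in.

```python
"""Assess a DMARC TXT record against the 'quarantine or reject' bar carriers look for.
Added example, not from the page; the sample records below are constructed."""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ('v=DMARC1; p=reject; rua=...') into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple:
    """Return ('pass' | 'fail', findings).

    'pass' requires p=quarantine or p=reject applied to 100% of failing mail and
    no explicit sp=none on subdomains; every weakness found is listed in findings."""
    findings = []
    tags = parse_dmarc(record)

    if tags.get("v", "").upper() != "DMARC1":
        return "fail", ["record does not start with v=DMARC1 (no valid DMARC policy published)"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail", [f"missing or invalid p= tag ({policy!r})"]
    if policy == "none":
        findings.append("p=none is monitoring only; carriers expect quarantine or reject")

    # pct= defaults to 100; a lower value applies the policy to only that share of failing mail.
    pct = tags.get("pct", "100")
    try:
        pct_val = int(pct)
    except ValueError:
        pct_val = -1
    if not 0 <= pct_val <= 100:
        findings.append(f"pct={pct} is not a valid percentage")
    elif pct_val < 100 and policy != "none":
        findings.append(f"pct={pct_val} applies {policy} to only {pct_val}% of failing mail")

    # sp= is the subdomain policy and defaults to p=, so only an explicit weaker value matters.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected against spoofing")

    # Not required for the bar, but without reports you cannot see who is spoofing the domain.
    if "rua" not in tags:
        findings.append("no rua= aggregate report address configured")

    strict = policy != "none" and sub_policy != "none" and pct_val == 100
    return ("pass" if strict else "fail"), findings


# Constructed sample records, from weakest to strongest.
SAMPLE_RECORDS = {
    "monitoring only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial reject": "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@example.com",
    "weak subdomains": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com",
    "strict": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        verdict, notes = assess_dmarc(record)
        print(f"{label:16} {verdict:5} {notes}")
```

Only the last sample record passes. The `pct=10` case is worth remembering: screenshots of a record that says `p=reject` can look compliant to a reviewer while 90% of spoofed mail is still delivered, so the evidence you keep for the application should show the whole record, not just the policy tag.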
7. Incident Response Plan
Requirement: A written incident response plan that's been tested within the past 12 months.
The plan doesn't need to be 100 pages. It needs to answer: who do you call, what do they do, how do you contain the incident, and how do you communicate with affected parties. Carriers want evidence that you've rehearsed it — a tabletop exercise where leadership walks through a simulated incident scenario.
Your incident response plan should include your SOC/security monitoring provider's escalation procedures, legal counsel contact information, and breach notification requirements for your jurisdiction.
Common Carrier-Specific Requirements
Beyond the universal requirements above, individual carriers have additional controls they evaluate. Here's what we see across major cyber insurance carriers in 2026:
| Control | Coalition | Travelers | Chubb | Hartford |
|---|---|---|---|---|
| MFA on all remote access | Required | Required | Required | Required |
| MFA on email | Required | Required | Required | Required |
| EDR on all endpoints | Required | Required | Preferred | Required |
| Immutable/offline backups | Required | Required | Required | Preferred |
| Patch management process | Required | Required | Required | Required |
| Security awareness training | Required | Preferred | Required | Preferred |
| Incident response plan | Required | Preferred | Required | Preferred |
| Network segmentation | Preferred | Preferred | Required | Preferred |
| Privileged Access Management | Preferred | Required | Required | Preferred |
| 24/7 security monitoring | Preferred | Preferred | Required | Preferred |
"Required" = must have for coverage. "Preferred" = impacts premium and coverage limits.
What Happens When You File a Claim Without These Controls
This is where businesses get burned. They buy a policy, skip the implementation, and assume the insurance will pay out regardless. It won't.
Material Misrepresentation
If you stated on your application that MFA was enabled on all accounts, and the forensic investigation after a breach reveals that MFA wasn't actually enabled on the compromised account, the carrier can deny the claim based on material misrepresentation. You misrepresented your security posture on the application. The carrier relied on that misrepresentation when pricing your policy. The claim is denied.
This isn't theoretical. It happens regularly. Carriers now hire forensic firms (CrowdStrike, Mandiant, Kroll) who, as part of the incident investigation, verify whether the controls stated on the application were actually in place at the time of the breach.
Exclusion Triggers
Many policies include exclusions for:
- Known vulnerabilities: If the breach exploited a vulnerability with a patch available for more than 30 days, the carrier may invoke the "failure to maintain" exclusion
- War/nation-state attacks: Some policies exclude attacks attributed to nation-state actors (this exclusion was tested extensively after NotPetya)
- Social engineering: Wire fraud from BEC attacks may require a separate endorsement — it's not automatically covered under the base cyber policy
- End-of-life software: Running unsupported operating systems or applications (Windows Server 2012, Exchange Server 2016 past its EOL) may void coverage for incidents related to those systems
Pricing: What Cyber Insurance Costs in 2026
| Business Size | Revenue Range | $1M Coverage Premium | $5M Coverage Premium |
|---|---|---|---|
| Small (10-50 employees) | $1M-$10M | $1,500-$4,000/yr | $5,000-$12,000/yr |
| Mid-size (50-200 employees) | $10M-$100M | $3,000-$10,000/yr | $10,000-$35,000/yr |
| Upper mid-market (200-500) | $100M-$500M | $8,000-$25,000/yr | $25,000-$75,000/yr |
These ranges assume you meet all mandatory controls. Businesses with deficiencies pay 50-200% more — if they can get coverage at all. Healthcare organizations and financial services firms pay higher premiums due to regulatory exposure and data sensitivity.
What Reduces Your Premium
- 24/7 SOC monitoring: 10-15% premium reduction. Having a managed SOC demonstrates proactive threat detection.
- Phishing-resistant MFA (FIDO2): 5-10% reduction over standard app-based MFA.
- Annual penetration testing: 5-10% reduction with documented results and remediation.
- SOC 2 Type II certification: 10-20% reduction for businesses or their MSP. Proves audited security controls.
- Zero claims history: 5-15% reduction for 3+ years without a claim.
- Working with a managed IT services provider: Some carriers offer better rates when a qualified MSP manages the client's security, because MSP-managed environments statistically have fewer and less severe incidents.
The Application Checklist: Documenting Your Controls
When you apply for cyber insurance (or renew), you'll need to provide evidence for each control. Here's what to prepare:
| Control | Documentation to Prepare |
|---|---|
| MFA | Screenshot of Entra ID/M365 Conditional Access policies showing MFA enforcement; percentage of users enrolled |
| EDR | Dashboard showing EDR deployment coverage (% of endpoints); product name and vendor |
| Backup | Backup schedule, last successful backup timestamp, last restore test results, confirmation of immutable/offline copy |
| Patching | Patch compliance report from RMM showing current patch level across all endpoints and servers |
| Email security | Product name, DMARC record (p=reject), phishing simulation results |
| Training | Training platform, completion rates, phishing simulation click rates over time |
| Incident response | Written IR plan, date of last tabletop exercise, participants |
| Network segmentation | Network diagram showing VLANs, firewall rules between segments |
| Privileged access | Number of Global Admin accounts, use of PIM/JIT access, separate admin accounts policy |
If your MSP can produce these reports on demand, your renewal process becomes trivial. If they can't, that's a conversation worth having.
Industries Under the Microscope
Healthcare
Healthcare organizations face the most scrutiny because they hold PHI (Protected Health Information), which carries regulatory penalties under HIPAA in addition to breach costs. Carriers typically require HIPAA-compliant hosting, a documented HIPAA risk assessment (updated annually), and a Business Associate Agreement (BAA) with every vendor that touches PHI — including your MSP, your cloud provider, and your backup vendor.
Financial Services
SEC, FINRA, and state regulations impose data retention and security requirements. Carriers evaluate the firm's compliance with applicable financial regulations as part of underwriting. PCI-DSS compliance for payment processing adds another layer of required controls.
Legal
Law firms hold privileged attorney-client communications. A breach exposes the firm to malpractice claims in addition to data breach costs. Carriers evaluate encryption practices, access controls, and data handling procedures for client information.
MSPs and IT Providers
MSPs face elevated scrutiny because they're supply chain risk multipliers — a compromise of one MSP can impact hundreds of clients. Carriers require MSPs to demonstrate SOC 2 compliance, segregated client environments, privileged access management, and security monitoring of their own infrastructure. White-label MSP providers must also maintain these standards.
The ROI of Compliance: Insurance Savings vs. Control Implementation Costs
Here's the math for a 75-person company:
| Control | Annual Cost | Insurance Impact |
|---|---|---|
| MFA (M365 Conditional Access) | $0 (included in Business Premium) | Mandatory for coverage |
| EDR (SentinelOne/Huntress) | $4,500-$7,200 | Mandatory for coverage |
| Immutable backup (Veeam/Axcient) | $6,000-$12,000 | Mandatory for coverage |
| Email security (Defender P2) | $4,500 (or included in E5) | Mandatory for coverage |
| Security training (KnowBe4) | $2,000-$4,000 | 5-10% premium reduction |
| Managed SOC monitoring | $18,000-$36,000 | 10-15% premium reduction |
| Total Control Investment | $35,000-$63,000/yr | Coverage eligibility + 20-30% savings |
Without these controls, a 75-person company either can't get coverage or pays $15,000-$25,000/year for a policy with significant sublimits and exclusions. With these controls, they pay $5,000-$10,000/year for comprehensive coverage with fewer exclusions. The control investment pays for itself through insurance savings alone — before you factor in the breach prevention value.
Action Plan: Getting Insurance-Ready
- Audit your current controls against the mandatory list above. Your IT consultant or MSP should be able to produce a gap analysis in one day.
- Remediate gaps before your renewal. The biggest wins: enable MFA (zero cost, massive impact), deploy EDR (weeks to implement), and configure immutable backups (days to implement).
- Document everything. Screenshots, reports, logs. Carriers want evidence, and your MSP should be able to produce it.
- Work with a cyber-savvy insurance broker who understands the technical requirements and can match you with carriers that fit your risk profile and industry.
- Review annually. Carrier requirements evolve. What was "preferred" last year may be "required" this year. Keep your controls current.
If you need help implementing the controls carriers require, our managed IT team handles MFA deployment, EDR management, backup configuration, and security compliance as part of our standard service. We can also coordinate with your insurance broker to provide the documentation they need for your application or renewal.

Sreenivasa Reddy G
Founder & CEO • 15+ years
Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.

