Cyber Insurance in 2026: What Insurers Actually Demand and How to Lower Your Premium
Cyber insurance underwriting has fundamentally changed in the last three years. The market that existed before 2022 — where carriers issued coverage based on a short questionnaire and a modest premium increase over last year’s — is gone. In its place is a technical underwriting regime where carriers verify controls, run external scans, demand documented evidence, and deny 41% of applications on first submission, according to Marsh McLennan’s 2025 market data.
This is good news and bad news. The bad news is that cyber insurance is no longer a commodity purchase. The good news is that organisations with the right controls and the right documentation can genuinely lower their premiums — 15 to 30 percent is a realistic range — and get coverage that actually pays out when a claim is filed.
The catch is that the bar has risen, the questions are more specific, and the tolerance for vague answers has collapsed. This guide is a direct read of what carriers demand in 2026, how controls map to premium outcomes, and where the common application failures happen.
The market in 2026: what’s different
Three structural shifts define the 2026 cyber insurance market.
Underwriting is technical, not actuarial. Carriers no longer rely on industry loss ratios and broad risk-category multipliers. They evaluate your specific controls, often by independent scanning, and they ask for evidence. Coalition’s 2024 Cyber Claims Report found that 82% of denied claims involved organisations that lacked properly implemented MFA — a number carriers internalised into their underwriting models. Marsh McLennan’s 2025 market report notes that 99% of cyber insurance applications now include specific MFA questions, a shift from the more generic security attestations of pre-2022 forms.
The controls list is longer, and more prescriptive. Eight controls are now effectively universal requirements across all major carriers: MFA, EDR, email security, tested immutable backups, a tested incident response plan, security awareness training with phishing simulations, privileged access management, and patch management with defined SLAs. Missing any one of these is a material underwriting problem.
Claim denials are being upheld in court. Two cases — International Control Services v. Travelers and Cottage Health v. Columbia Casualty — have established that carriers can void coverage or deny claims when the attested controls are either inaccurate on the application or allowed to lapse after binding. The application is not just a marketing document; it is a contractual attestation that must match reality and must be maintained for the life of the policy.
The combined effect: cyber insurance in 2026 is more rigorous, more expensive for under-prepared firms, and substantially more valuable for well-prepared ones. The gap between the two groups is the biggest it has ever been.
The eight controls that define premium outcomes
Carriers do not weight controls equally. Some are binary — without them, you cannot get coverage at all. Others influence pricing but are not gating. The table below reflects how the major carriers (Coalition, At-Bay, Cowbell, Beazley, Chubb, Travelers, AIG, Hartford) currently treat each control area, synthesised from publicly available application forms and broker intelligence as of early 2026.
| Control | Premium impact | Coverage gating | What carriers actually verify |
|---|---|---|---|
| MFA (phishing-resistant for high-value) | High — largest single factor | Yes: no MFA = no coverage at most carriers | Scope (remote access, email, admin, cloud consoles), method (TOTP/app vs SMS vs FIDO2), enforcement logs, service-account handling |
| EDR with active monitoring | High | Yes at most carriers | Vendor name, coverage percentage, 24/7 monitoring arrangement, alert-to-action timeline evidence |
| Immutable backups with tested restore | High | Yes for ransomware coverage specifically | Most recent test-restore date, restore outcome documentation, immutability configuration, air-gap or offline storage |
| Tested incident response plan | Moderate–high | Partial — required for higher limits | Date of last tabletop exercise, participant list, lessons-learned, remediation tracking |
| Email security (DMARC, anti-phishing) | Moderate | Not gating, but BEC coverage may be reduced | DMARC policy level (p=reject, p=quarantine, p=none), filtering vendor, attachment sandboxing |
| Privileged access management | Moderate | Not gating | PAM deployment, individual accounts vs shared admin, just-in-time access, session recording for privileged actions |
| Patch management within defined SLAs | Moderate | Partial — required for higher limits | 30-day SLA on critical patches, CISA KEV response time (typically 72 hours), end-of-life software inventory |
| Security awareness training + phishing simulations | Low–moderate | Not gating | Training completion rates, simulation frequency and failure rates, executive/finance-team specific modules |
The asymmetry is important. MFA, EDR, and backups are coverage-gating at most major carriers — if you fail on any of these, you are not getting coverage at all, or you are paying a premium multiplier that makes the coverage uneconomic. The other controls influence price, but a strong posture on the first three will get you to the quoting table. A weak posture on any of the first three keeps you off it.
MFA: the single most consequential control
No control has had more impact on 2026 cyber insurance outcomes than MFA. The Coalition statistic — 82% of denied claims involved organisations without properly implemented MFA — is the number that reshaped the market. It is also the number that most clearly distinguishes properly implemented MFA from the pattern carriers now treat as non-compliant.
“Properly implemented” in 2026 means:
- Universal scope. MFA enforced on all remote access (VPN, RDP, SSH), all email accounts including SaaS (Microsoft 365, Google Workspace), all privileged and administrative accounts, and all cloud service consoles (AWS, Azure, GCP, plus major SaaS platforms).
- Enforcement, not availability. The application question is not “do you offer MFA?” but “is MFA required for every user on every system in scope?” Organisations that deployed MFA three years ago but allowed opt-outs, service-account exemptions, or legacy protocol fallback are now flagged as non-compliant.
- Phishing-resistant for high-value policies. For policies of $5 million or more, carriers increasingly require FIDO2/WebAuthn hardware keys or equivalent. App-based TOTP (Microsoft Authenticator, Duo, Google Authenticator) is still acceptable for mid-market limits but is increasingly disfavoured for privileged access at any coverage level.
- Documented enforcement. Logs, policy exports, or configuration evidence that demonstrates enforcement is the new standard. A yes/no attestation on an application form is not enough if the carrier runs an external scan and finds exposed RDP or a non-MFA-protected SaaS login.
The International Control Services v. Travelers case made this final point legally consequential. The organisation had attested to MFA on remote access. A forensic investigation after the breach revealed that while MFA was enforced on the firewall, it was not enforced on the remote access system the attackers used. Travelers denied the claim. The court upheld the denial.
The practical implication: before you apply or renew, do a coverage audit. List every system with remote access. List every SaaS platform. List every administrative account. Verify enforcement — not availability — for each. If you find gaps, document them to the carrier accurately. Underwriters consistently prefer honest disclosure with a remediation plan over inaccurate attestation.
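The coverage audit described above can be run as a script over an exported account inventory. The following is an added example, not code from the article or from any carrier: the inventory rows, the system and field names, and the rule that privileged accounts must use a phishing-resistant method are all assumptions chosen to mirror the audit steps (list every remote-access system, SaaS platform and admin account, then verify enforcement rather than availability).

```python
"""MFA enforcement audit over a constructed account inventory.

Added example (not from the article). The inventory, system names and
field names are assumptions; a real audit would export these rows from
the identity provider and from each in-scope system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scope categories the article lists as universal: remote access,
# email/SaaS, privileged accounts, cloud consoles.
IN_SCOPE = {"remote_access", "email", "admin", "cloud_console"}
# Methods treated here as phishing-resistant for privileged access.
PHISHING_RESISTANT = {"fido2", "webauthn"}


@dataclass(frozen=True)
class Account:
    system: str          # e.g. "vpn", "m365" (assumed names)
    scope: str           # one of IN_SCOPE, or "other" (out of scope)
    user: str
    privileged: bool
    service_account: bool
    mfa_enforced: bool   # enforced by policy, not merely available
    method: str          # "fido2", "totp", "sms", "none"


def audit(inventory):
    """Return (gap findings, per-system enforcement percentage).

    A finding is (system, user, description). Only in-scope accounts count.
    """
    findings = []
    per_system = defaultdict(lambda: [0, 0])  # system -> [enforced, total]
    for a in inventory:
        if a.scope not in IN_SCOPE:
            continue
        per_system[a.system][1] += 1
        if not a.mfa_enforced:
            kind = ("service-account exemption" if a.service_account
                    else "MFA not enforced")
            findings.append((a.system, a.user, kind))
            continue
        per_system[a.system][0] += 1
        if a.privileged and a.method not in PHISHING_RESISTANT:
            findings.append((a.system, a.user,
                             f"privileged account on {a.method}, not phishing-resistant"))
        elif a.method == "sms":
            findings.append((a.system, a.user, "SMS-only MFA"))
    coverage = {s: round(100 * e / t, 1) for s, (e, t) in per_system.items()}
    return findings, coverage


def can_attest_all_enforced(coverage):
    """True only if every in-scope system is at 100% enforcement."""
    return bool(coverage) and all(v == 100.0 for v in coverage.values())


# Constructed sample inventory: one legacy VPN exemption, one SMS user,
# one global admin on TOTP, one out-of-scope system.
SAMPLE = [
    Account("vpn", "remote_access", "alice", False, False, True, "totp"),
    Account("vpn", "remote_access", "legacy-concentrator", False, True, False, "none"),
    Account("m365", "email", "bob", False, False, True, "sms"),
    Account("m365", "admin", "globaladmin", True, False, True, "totp"),
    Account("aws", "cloud_console", "root", True, False, True, "fido2"),
    Account("printer-portal", "other", "svc", False, True, False, "none"),
]

if __name__ == "__main__":
    gaps, cov = audit(SAMPLE)
    for g in gaps:
        print(*g)
    print(cov, "attest all enforced:", can_attest_all_enforced(cov))
```

On the sample data the VPN sits at 50% enforcement because of the service-account exemption, so the honest application answer is the percentage plus a remediation plan, not "yes".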
The other coverage-gating controls: EDR and backups
EDR has moved from preferred to required, with a specific qualifier that trips up many applicants: active response, not just alerting. A tool that logs events and emails alerts does not meet what carriers are looking for. They want automated containment — isolated endpoints, blocked processes, automatic remediation of known indicators — with human analysts supporting the automation.
MDR services (managed detection and response) satisfy the requirement if they include defined response SLAs and 24/7 coverage. Self-managed EDR with business-hours alerting is considered a gap that needs to be addressed either by moving to MDR or by documenting a robust after-hours response process. The specific vendors carriers recognise — CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, VMware Carbon Black, Palo Alto Cortex XDR — all appear by name on major application forms. Our guide to comparing enterprise SIEM and detection platforms covers the detection stack in more depth.
Immutable backups with tested restore are the ransomware-specific gate. Every major carrier now asks, with different levels of specificity, whether backups are immutable or air-gapped, how often they are tested, and when the last successful restore was performed. The answer “we have backups” fails the bar; the answer “we have immutable backups with quarterly test restores and documented results” passes.
The 3-2-1-1-0 rule (three copies, two media, one offsite, one immutable, zero errors on last restore test) has become the practical standard. Carriers are not universally demanding this specific formulation, but they are demanding its substance. Organisations that cannot produce a test-restore log from the last 90 days are flagged as ransomware risks — which most often results in ransomware-specific coverage exclusions or sub-limits rather than outright denial, but the outcome is the same: your ransomware event is not fully covered.
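A check of the 3-2-1-1-0 rule and the 90-day test-restore window can be scripted against backup job metadata. This is an added example, not part of the article: the record layout (per-copy media, offsite and immutability flags, a restore-test log) is an assumption standing in for what a backup platform would export, and the sample values are constructed. It treats a copy that a domain-admin-level account can delete as not immutable, matching the carrier's definition given later in the FAQ.

```python
"""3-2-1-1-0 backup posture check over constructed backup metadata.

Added example, not from the article. The copy records and restore-test
log are assumptions for what a backup platform would export.
"""
from datetime import date, timedelta


def check_3_2_1_1_0(copies, restore_tests, today, window_days=90):
    """Evaluate each element of the rule plus the recent-test window.

    copies: list of dicts with keys media, offsite, immutable,
            deletable_by_domain_admin
    restore_tests: list of (date, error_count) for structured test restores
    Returns (result dict with a boolean per element and "passes", reasons).
    """
    reasons = []
    result = {}

    result["three_copies"] = len(copies) >= 3
    if not result["three_copies"]:
        reasons.append(f"only {len(copies)} copies")

    media = {c["media"] for c in copies}
    result["two_media"] = len(media) >= 2
    if not result["two_media"]:
        reasons.append(f"single media type: {sorted(media)}")

    result["one_offsite"] = any(c["offsite"] for c in copies)
    if not result["one_offsite"]:
        reasons.append("no offsite copy")

    # A copy an admin-level account can delete is not immutable in the
    # sense carriers use, whatever the platform calls the flag.
    immutable = [c for c in copies
                 if c["immutable"] and not c["deletable_by_domain_admin"]]
    result["one_immutable"] = bool(immutable)
    if not immutable:
        reasons.append("no copy is immutable against an admin-level account")

    recent = [(d, e) for d, e in restore_tests
              if today - d <= timedelta(days=window_days)]
    last = max(recent, default=None, key=lambda t: t[0])
    result["zero_errors_recent_test"] = last is not None and last[1] == 0
    if last is None:
        reasons.append(f"no test restore in last {window_days} days")
    elif last[1]:
        reasons.append(f"last test restore on {last[0]} had {last[1]} errors")

    result["passes"] = all(result.values())
    return result, reasons


# Constructed sample: two local disk copies (one with an "immutable" flag
# an admin can still override) and one object-storage copy under a lock.
TODAY = date(2026, 3, 1)
SAMPLE_COPIES = [
    {"media": "disk", "offsite": False, "immutable": False,
     "deletable_by_domain_admin": True},
    {"media": "disk", "offsite": False, "immutable": True,
     "deletable_by_domain_admin": True},
    {"media": "object_storage", "offsite": True, "immutable": True,
     "deletable_by_domain_admin": False},
]
SAMPLE_TESTS = [(date(2025, 11, 20), 0), (date(2026, 2, 10), 0)]
# Same copies, but the only structured restore test is 101 days old.
STALE_TESTS = [(date(2025, 11, 20), 0)]

if __name__ == "__main__":
    for log in (SAMPLE_TESTS, STALE_TESTS):
        res, why = check_3_2_1_1_0(SAMPLE_COPIES, log, TODAY)
        print(res["passes"], why)
```

The second run fails only on the test-restore element, which is the flag the paragraph describes: backups that exist but cannot show a restore test from the last 90 days.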
The controls that influence price without being gating
Once the three gating controls are in place, five further controls influence premium level within a relatively predictable range.
Privileged access management (PAM) is increasingly called out by name on application forms. Carriers ask whether administrative accounts are individual (not shared), whether elevation is time-limited or standing, and whether privileged sessions are recorded. Organisations with CyberArk, BeyondTrust, Delinea, or similar platforms in place signal strong identity posture; organisations where IT staff share an admin account signal the opposite.
Email security configuration has tightened in response to BEC and funds-transfer fraud accounting for approximately 58–60% of filed cyber claims in Coalition’s 2026 data. DMARC policy is now routinely verified via external scan — p=reject is the target, p=quarantine is acceptable, p=none is a flag. Attachment sandboxing, advanced anti-phishing with behavioural analysis, and out-of-band payment verification processes all feed into the BEC sub-limit and pricing.
Patch management with defined SLAs matters particularly for vulnerabilities in the CISA Known Exploited Vulnerabilities catalogue. Carriers are increasingly willing to exclude coverage for breaches that exploit a CISA KEV vulnerability with an available patch older than a threshold window (commonly 30 days for standard critical patches, 72 hours for KEV). End-of-life software in production is flagged directly.
Incident response plan with tabletop evidence means a written plan, tested within the past 12 months, with documented participant lists and remediation tracking. Marsh McLennan research has found that IR planning is one of the controls most strongly associated with lower breach-claim probability — carriers know this and price accordingly.
Security awareness training with phishing simulations is expected quarterly, not annually, at most carriers. Organisations that run quarterly simulations with targeted follow-up training for frequent clickers demonstrate a stronger signal than annual click-through training.
Pricing: what the 2026 market actually looks like
Pricing varies more by control posture than by any other factor, but some baseline ranges are useful.
- Small business ($1M coverage): $1,000–$7,500 annual premium, with professional services firms with strong controls at the lower end ($1,500–$3,000), retailers with PCI-DSS obligations at mid-range ($2,000–$5,000), and healthcare practices with HIPAA requirements at the higher end ($3,000–$7,500).
- Mid-market ($5M coverage): $8,000–$35,000 annual premium, with control posture driving most of the variance.
- Enterprise ($10M+ coverage): increasingly bespoke pricing, typically 3–6% of policy limits, heavily influenced by the technical underwriting outcome.
Failing to meet 2026 requirements can increase premiums by 30–50% or trigger outright denial. Strong control posture can reduce premiums by 15–30% relative to the baseline rate for your industry.
The wider market context: Munich Re projected the global cyber insurance market at approximately $16.3 billion in 2025, with continued capacity expansion favouring well-prepared applicants. This is a growing market, but it is growing selectively.
The application: where most failures happen
The 41% first-submission denial rate is driven by a small number of recurring failures. In order of frequency:
Partial MFA coverage. Organisations attest to MFA without realising they have gaps — a legacy VPN concentrator, an administrative SaaS account, a privileged service account, email protocols with auth fallback. The application says yes to “is MFA enforced for all remote access”; the reality says no. Carriers increasingly verify externally.
Stated EDR that isn’t fully deployed. Procurement records say every endpoint has CrowdStrike; the agent health check shows 78% coverage. The application should say “deployed to 78% of endpoints with remediation plan to 100%” — that answer gets a quoted renewal with a condition. “Yes, deployed everywhere” gets a claim denial when forensics reveals the gap.
IR plan that exists but hasn’t been tested. The plan is a PDF in SharePoint. No tabletop has been run in the last 18 months. The application question is not “do you have an IR plan?” but “when was it last tested?” The empty answer is a flag.
Backup test restores that have never happened. Backups run nightly; the last successful restore was for a 2023 file recovery request; no structured test-restore has been conducted. The application question “when was your last restore test?” cannot be answered, which is itself the answer.
DMARC not at reject. The application says yes to email security. External scan shows DMARC at p=none or missing entirely. This is visible externally, and carriers check.
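The DMARC check in this failure and in the email-security discussion above is the same external lookup: read the `_dmarc` TXT record and grade its `p=` tag. The following added example, not code from the article or any carrier, parses constructed records and grades them on the article's scale (reject is the target, quarantine acceptable, none or missing is a flag), while also surfacing the `pct=` and `sp=` tags that quietly weaken an otherwise good policy. The domains and records are constructed; a live check would fetch the TXT record for `_dmarc.<domain>` via DNS.

```python
"""Grade DMARC posture from a TXT record, as an external scan would.

Added example, not from the article. Sample records are constructed;
a live scan would resolve _dmarc.<domain> TXT over DNS.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if not a DMARC record."""
    if txt is None or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags


def classify_dmarc(txt):
    """Return (grade, notes) where grade is reject/quarantine/none/missing."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", "no valid DMARC record published"
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        return "missing", "record present but p= tag invalid or absent"
    notes = []
    # pct defaults to 100 and only applies to quarantine/reject (RFC 7489).
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        notes.append(f"policy applied to only pct={pct} of mail")
    # sp defaults to p; a weaker sp leaves subdomains open to spoofing.
    sp = tags.get("sp", policy).lower()
    if sp != policy and sp != "reject":
        notes.append(f"subdomain policy sp={sp} weaker than p={policy}")
    if "rua" not in tags:
        notes.append("no rua= aggregate reporting address")
    return policy, "; ".join(notes)


# Constructed records for five hypothetical domains.
SAMPLES = {
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "nodmarc.example": None,             # no record published
    "malformed.example": "v=spf1 -all",  # SPF record where DMARC should be
}


def scan(samples):
    """Grade every (domain, record) pair."""
    return {domain: classify_dmarc(rec) for domain, rec in samples.items()}


if __name__ == "__main__":
    for domain, (grade, notes) in scan(SAMPLES).items():
        print(f"{domain:20} {grade:10} {notes}")
```

Only `strong.example` would pass the external scan cleanly; `partial.example` grades as quarantine but the notes show it enforces on a quarter of mail and leaves subdomains at none, which is the kind of detail that turns an "acceptable" answer into a follow-up question.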
Shared admin credentials. The office manager and the IT person share the domain admin password, the Microsoft 365 global admin, or the AWS root account. The application question on individual privileged credentials gets a yes that forensics will contradict.
The fix is the same in every case: audit before you apply. Produce a proof pack that mirrors the carrier’s questionnaire, validates actual telemetry (MFA coverage reports, EDR agent-health dashboards, backup-restore logs, IR exercise records, vendor attestations), and presents it as evidence at submission. Brokers increasingly expect this, and submissions that include a proof pack receive faster underwriting and fewer follow-up requests.
The 90-day renewal playbook
For renewals or new applications, the most common successful pattern runs on a 90-day horizon.
Days 0–30 — assessment. Inventory privileged access paths. Measure MFA coverage across every system in scope. Confirm EDR agent health and coverage. Collect the last IR tabletop output. List critical vendors and current security attestations. Identify gaps against the eight-control baseline and begin remediation on any “must-have” gaps.
Days 31–60 — execution. Run a tabletop exercise if the last one was more than 12 months ago. Finalise vendor security evidence. Close high-risk vulnerabilities, particularly anything on the CISA KEV list. Validate monitoring and alerting flows end-to-end: alert → triage → action → documented outcome. Draft the underwriting proof pack.
Days 61–90 — submission. Freeze configurations where possible to avoid mid-renewal drift. Package evidence. Align with the broker on carrier-specific questions. Submit the application with the proof pack attached. Expect underwriting to take two to four weeks for well-prepared submissions; four to eight weeks for submissions that trigger follow-up questions.
The premium difference between a well-prepared submission and an ill-prepared one can be 30 percent. The coverage-availability difference can be total — some organisations that submit unprepared simply cannot get bound at all.
Maintaining controls post-binding: the Cottage Health problem
Cottage Health v. Columbia Casualty established the principle that cyber insurance coverage requires ongoing maintenance of the controls attested to at binding. The organisation had controls in place when it applied, let them lapse, suffered a breach during the lapse, and had its claim denied. Courts upheld the denial.
This means your policy assumes you maintain the security controls you attested to. If you disable your EDR for a troubleshooting window and get breached during that window, the carrier can argue you failed to maintain a material condition of coverage. If you attest to quarterly phishing simulations and then skip two quarters, the attestation is no longer accurate.
The practical response: attestation drift is a continuous governance problem, not an annual compliance task. Organisations that have survived claim disputes have typically implemented:
- Quarterly control attestation with documented evidence, signed off by the named security leader.
- Automated coverage monitoring for MFA enforcement, EDR agent health, backup success rates — anything that can drift.
- Change-control visibility for any temporary suspensions of attested controls, with compensating controls documented during the suspension window.
- Notification to broker/carrier for any material change in control posture during the policy term.
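The automated coverage-monitoring item above amounts to comparing a current control snapshot against what was attested at binding and flagging material drift, including any temporary suspension that lacks change-control evidence. The following is an added example, not code from the article: the snapshot layout, the attested values, the 2-percentage-point tolerance and the date are all constructed assumptions, chosen to cover the MFA, EDR, backup, phishing-simulation and DMARC attestations discussed on this page.

```python
"""Attestation drift check: current control snapshot vs. what was attested.

Added example, not from the article. Snapshot shape, thresholds and all
values are constructed assumptions.
"""
from datetime import date

# What was attested at binding (constructed).
ATTESTED = {
    "mfa_enforced_pct": 100.0,
    "edr_agent_healthy_pct": 100.0,
    "backup_success_pct_30d": 99.0,
    "phishing_sim_interval_days": 90,   # "quarterly"
    "dmarc_policy": "reject",
}
TOLERANCE_PCT = 2.0  # drift beyond this is treated as material (assumption)
PCT_CONTROLS = ("mfa_enforced_pct", "edr_agent_healthy_pct",
                "backup_success_pct_30d")


def drift_report(attested, snapshot, today):
    """Return findings as (control, attested, observed, material) tuples."""
    findings = []
    for key in PCT_CONTROLS:
        observed = snapshot[key]
        if observed < attested[key]:
            material = attested[key] - observed > TOLERANCE_PCT
            findings.append((key, attested[key], observed, material))
    # Quarterly simulations: anything older than the attested interval is drift.
    days_since_sim = (today - snapshot["last_phishing_sim"]).days
    if days_since_sim > attested["phishing_sim_interval_days"]:
        findings.append(("phishing_sim_interval_days",
                         attested["phishing_sim_interval_days"],
                         days_since_sim, True))
    if snapshot["dmarc_policy"] != attested["dmarc_policy"]:
        findings.append(("dmarc_policy", attested["dmarc_policy"],
                         snapshot["dmarc_policy"], True))
    # A suspended attested control is acceptable only with a change ticket
    # and a documented compensating control for the window.
    for s in snapshot.get("suspensions", []):
        if not s.get("change_ticket") or not s.get("compensating_control"):
            findings.append(("suspension:" + s["control"],
                             "change-controlled", "undocumented", True))
    return findings


def material_findings(findings):
    """Subset that should go to the broker/carrier as a material change."""
    return [f for f in findings if f[3]]


# Constructed snapshot: slight MFA dip, EDR agents at 78%, phishing
# simulation skipped for two quarters, one undocumented EDR suspension.
TODAY = date(2026, 3, 1)
SNAPSHOT = {
    "mfa_enforced_pct": 99.5,
    "edr_agent_healthy_pct": 78.0,
    "backup_success_pct_30d": 99.2,
    "last_phishing_sim": date(2025, 10, 1),
    "dmarc_policy": "reject",
    "suspensions": [{"control": "edr", "change_ticket": None,
                     "compensating_control": None}],
}

if __name__ == "__main__":
    for f in drift_report(ATTESTED, SNAPSHOT, TODAY):
        print(f)
```

The MFA dip is recorded but falls within tolerance; the EDR coverage, the 151-day gap since the last simulation and the undocumented suspension are the three items that would need to go to the broker under the notification item.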
Carriers do not expect perfection. They expect honesty and active maintenance. The gap between “we have controls” and “we maintain controls with documented evidence” is the gap between coverage that pays and coverage that doesn’t.
Frequently asked questions
How much can I realistically save on premium by improving my controls? Fifteen to thirty percent relative to the baseline for your industry is the realistic range for moving from standard posture to strong posture. Moving from non-compliant (missing gating controls) to standard can be the difference between being denied coverage entirely and being quoted, so the effective “saving” is infinite.
Is SMS-based MFA still acceptable? For standard policies below $5 million, app-based TOTP (Microsoft Authenticator, Duo, Google Authenticator) is acceptable at most carriers. SMS-based MFA is increasingly disfavoured even at this level and is being phased out as an acceptable option for privileged access. For higher-limit policies, phishing-resistant MFA (FIDO2/WebAuthn hardware keys) is increasingly required.
What does “immutable backup” actually mean to a carrier? Backups that cannot be altered or deleted during a retention window by any account — including the backup administrator. This typically means cloud-provider immutability flags (AWS S3 Object Lock, Azure immutable blob storage), storage-native immutability (Veeam Hardened Repository, Rubrik’s architecture), or offline/air-gapped storage. A backup that a ransomware operator with domain admin can delete is not considered immutable.
Does having SOC 2 or ISO 27001 help with cyber insurance pricing? Indirectly, yes — the controls required for SOC 2 Type II or ISO 27001:2022 substantially overlap with the technical controls carriers require, so certified organisations typically arrive at underwriting well-prepared. However, carriers do not treat certification alone as sufficient. They want to see the specific controls, not just the attestation. The SOC 2 Type II process builds much of the control foundation you need for cyber insurance.
Do cyber insurance carriers require NIS2 or DORA compliance? Not directly, but many of the controls demanded by both regulatory regimes overlap with what carriers require. Organisations implementing NIS2 Article 21 measures or DORA’s ICT risk management framework will find that the same controls satisfy most cyber insurance requirements. Our NIS2 checklist and DORA 2026 guide cover the regulatory side.
What coverage should I prioritise if budget is constrained? First, first-party ransomware and business-interruption coverage, if your operational profile makes them relevant. Second, BEC / funds-transfer fraud coverage, given that it accounts for the majority of filed claims. Third-party liability and regulatory defence are also important but are easier to budget around if the first-party coverage is adequate. Discuss your specific risk profile with a specialist cyber broker — the major brokerage networks (Marsh, Aon, WTW, Gallagher) and specialist firms like Woodruff Sawyer all run cyber-specific practices that can structure coverage around actual exposure rather than template policies.
What happens if I have a breach during the policy period? The carrier’s incident response panel typically engages immediately — forensics, legal counsel, breach coaches, PR if needed, ransomware negotiators if applicable. Coalition’s active-response model recovered $31 million for policyholders in 2024; similar active-response functions are now standard across major carriers. The quality of the carrier’s response panel is itself a differentiator worth evaluating before binding coverage. Our 72-hour ransomware response playbook covers the operational side of the first three days.
The bottom line
Cyber insurance in 2026 is a technical underwriting market that rewards documented control posture and punishes ambiguity. The 41% first-submission denial rate is not a carrier ploy — it is an accurate signal that many organisations still attest to controls they have not fully implemented, or have allowed to drift.
The path to favourable outcomes is not complicated, but it is specific. Phishing-resistant MFA across all privileged and remote-access paths. Actively monitored EDR on every endpoint. Tested immutable backups with documented restore evidence. Tabletop-tested IR plan. DMARC at reject. Individual privileged credentials. Patch SLAs actually met. Quarterly phishing simulations. None of this is exotic; all of it is verifiable; together it is the difference between coverage that pays out and coverage that denies.
The best time to prepare for your renewal was 90 days ago. The second-best time is now.