If your cyber insurance renews this summer, the questionnaire your broker sends back in 60 days is going to ask a different set of questions than it did last year. Carriers used to ask eight or nine questions about your IT posture; in 2026 most are asking fourteen, and a growing share are running an external scan against your firewall, DNS, and exposed services before they bind the renewal. The gap between the firms that get a clean renewal and the firms that get hit with a 15–25% premium loading is no longer “did you have a breach” — it’s “did you check the underwriters’ boxes.”

TL;DR
Cyber insurance carriers now score SMB renewals against 14 specific controls, run external scans before binding, and load 15–25% premium on flagged firms. Five of the controls have free DIY fixes. The other nine are where most SMBs need help. Run this self-audit 60 days before renewal.
Quick stats: 14 controls scored · 5 DIY fixes · 60-day prep window · 22% premium swing · 50% ransomware sublimit risk if backups not documented
This post is the practical self-audit U.S. SMBs and mid-market firms can run themselves, 60 days before renewal, against the 14 controls carriers actually score on in 2026. Five of those controls have free or low-cost DIY fixes that close most of the gap with a few hours of focused work. The rest are where ACS clients typically get help — but you’ll get more out of that conversation if you show up already knowing where you stand. Pair this with our deeper Cyber Insurance Requirements: IT Controls Your Business Needs to Qualify for the long-form context behind each control.
What’s in this article
- Why 2026 underwriting is different
- The 14 controls underwriters score in 2026
- The 5 most-failed controls and how to DIY-fix them
- When to call in help
- Common mistakes
- Frequently asked questions
- Bottom line and free audit through May 31
Why 2026 Underwriting Is Different

Three shifts are reshaping how carriers evaluate SMB cyber risk this year, and you should know about all three before you fill out the questionnaire.
External scans before binding. Most major carriers and an increasing number of MGAs now scan your public-facing IP space, DNS records, exposed services, and SSL configuration before they bind a renewal. If your firewall has an unpatched CVE that’s 90 days old, they see it before you’ve finished the application. If your domain has no DMARC record at all, that’s a flag visible from anywhere on the internet.
BEC has overtaken ransomware as the #1 claim type. Business email compromise — the wire-fraud-via-spoofed-email pattern — now produces more SMB cyber claims than ransomware. Carriers have responded by loading premium for firms without DMARC at quarantine or stricter, MFA on email and admin accounts, and finance-process controls for wire approvals.
Restore tests are now mandatory, not optional. “We have backups” used to be enough. In 2026, carriers want documented evidence that backups actually restore — typically a quarterly restore test with a written report. Firms that can’t produce a restore-test log are increasingly seeing exclusions on ransomware coverage.
The renewal questionnaire isn’t just paperwork. It’s the evidence package that determines what your premium and coverage actually look like for the next 12 months.
The 14 Controls Underwriters Score in 2026
Here is the consolidated list ACS sees across major carriers’ 2026 questionnaires. Treat each as a yes/no — if you can’t answer “yes” with documented evidence, you have a gap.
| # | Control | What Underwriters Look For |
|---|---|---|
| 1 | DMARC at p=quarantine or p=reject | Public DNS record visible to their external scan |
| 2 | MFA on email | All users, including admins; no exceptions |
| 3 | MFA on admin and privileged accounts | Phishing-resistant where possible (FIDO2, passkeys) |
| 4 | MFA on remote access (VPN, RDP, BYOD portals) | Coverage of every external entry point |
| 5 | EDR on all endpoints | Modern endpoint detection, not just signature AV |
| 6 | Backups with off-site copy | 3-2-1 model or equivalent, immutable preferred |
| 7 | Documented quarterly restore test | Written log with date, scope, and result |
| 8 | Patching cadence under 30 days for critical CVEs | Evidence of cadence, not just intention |
| 9 | Email security gateway / phishing filter | Above and beyond M365 / Workspace defaults |
| 10 | Security awareness training program | Quarterly phishing simulation + completion log |
| 11 | Written incident response plan | Tested annually; named contacts; comms templates |
| 12 | IR retainer or named provider | Pre-arranged so you’re not shopping mid-incident |
| 13 | Privileged access management / separate admin accounts | Day-to-day accounts not used for admin actions |
| 14 | Vendor / fourth-party risk inventory | At minimum, knowing who your critical SaaS vendors are |

Every one of those should sit in a folder somewhere with a screenshot, a configuration export, or a written log. That’s the evidence package — and “we have a folder we can send you” is the answer underwriters are looking for.
The 5 Most-Commonly-Failed Controls — and How to DIY-Fix Them
Across hundreds of SMB pre-renewal audits ACS has run in the last 18 months, the same five controls show up as gaps over and over again. Each of these has a DIY fix that costs little or nothing and closes most of the gap. Run these before you call a broker — you’ll get a better quote.
1. DMARC at p=quarantine or stricter
Roughly 60% of SMBs we audit have either no DMARC record at all or a record set to p=none. This is the biggest single underwriting flag and one of the cheapest to close. Carriers now scan for it externally and load premium against firms without it.
The DIY fix (about 2 hours): Inventory your sending domains. Publish SPF and DKIM records for each. Then publish a DMARC record starting at p=none for two weeks of monitoring, and once you’ve confirmed legitimate email is aligning correctly, raise it to p=quarantine. After another two weeks of monitoring, raise to p=reject if your environment supports it.
Cost: Free if you do it yourself. The hardest part is auditing every legitimate sender (your CRM, your marketing platform, your invoicing app) so you don’t accidentally quarantine your own legitimate mail. Tools like Valimail, Dmarcian, and EasyDMARC have free tiers that help. See our deeper Email Security Guide and Phishing Protection for the full walkthrough.
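As an added example (not part of the original post), here is a small Python checker that scores a DMARC TXT record the way a carrier's external scan classifies it: missing, monitor-only (p=none), partially enforced (pct below 100), weak on subdomains (sp=none), or clean at p=quarantine or stricter. The sample records are constructed strings under a reserved .invalid domain; a real check would read the TXT record published at _dmarc.<yourdomain>.

```python
# Added example, not from the original post: scores a DMARC TXT record the way a carrier's
# external scan would. SAMPLES are constructed (.invalid domain); real scans read _dmarc.<domain>.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING = ("quarantine", "reject")  # what "p=quarantine or stricter" means

@dataclass
class DmarcResult:
    policy: Optional[str]            # p= tag (None when no record or no p=)
    subdomain_policy: Optional[str]  # sp= tag; inherits p= when absent
    pct: int                         # share of failing mail the policy applies to
    passes: bool                     # meets the underwriter's yes/no check
    findings: List[str] = field(default_factory=list)

def parse_tags(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip the empty segment a trailing ';' produces
            tags[key.strip().lower()] = value.strip()
    return tags

def score_dmarc(record: Optional[str]) -> DmarcResult:
    """Classify one record; findings list every reason a scan would flag it."""
    if not record:
        return DmarcResult(None, None, 0, False, ["no DMARC record published"])
    tags = parse_tags(record)
    policy = tags.get("p", "").lower() or None          # None when p= is missing
    sub_policy = tags.get("sp", "").lower() or policy   # sp= defaults to p=
    pct_raw = tags.get("pct", "100")                    # pct= defaults to 100
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    checks = [  # (condition that must hold, finding reported when it does not)
        (tags.get("v", "").upper() == "DMARC1", "record must begin with v=DMARC1"),
        (policy in ENFORCING, f"p={policy} is monitor-only or missing; spoofing is not blocked"),
        (sub_policy in ENFORCING, f"subdomains fall back to sp={sub_policy}"),
        (pct == 100, f"pct={pct} leaves {100 - pct}% of failing mail unenforced"),
    ]
    findings = [msg for ok, msg in checks if not ok]
    return DmarcResult(policy, sub_policy, pct, not findings, findings)

# Constructed sample records covering the cases the post describes.
SAMPLES = {
    "none-published": None,
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.invalid",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.invalid",
    "clean": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
}
```

Run `score_dmarc()` over each sending domain's published record during the p=none monitoring window; the `findings` list is the gap statement to close before raising the policy.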
2. MFA on email and admin accounts
The second-most-common gap. Many SMBs have MFA on email enabled in name only — meaning the policy exists, but exception users (the CEO, the bookkeeper, the senior partner) are exempted. Carriers increasingly ask whether MFA is enforced with no exceptions.
The DIY fix (about 4 hours): In Microsoft 365, enable Security Defaults or build a Conditional Access policy that requires MFA for all users with no exemption. In Google Workspace, enable 2-Step Verification with the “Enforcement on” setting. For admin accounts, require phishing-resistant MFA (FIDO2 hardware key or passkey) rather than SMS or app-based codes — see our Multi-Factor Authentication Guide for Businesses in 2026 for the why.
Cost: Free in most cases. Hardware keys for admin accounts run $25–$50 each.
3. Documented quarterly restore test
This is the gap that catches firms by surprise. Backups are running, the dashboard is green, the IT person says “we have backups.” But when the underwriter asks for the most recent documented restore test, there isn’t one. Carriers now treat this as equivalent to having no backup.
The DIY fix (about 1 day every quarter): Pick a non-trivial dataset — a file share, a database, an email mailbox — and actually restore it to a test environment. Document the date, the scope, the time it took, what worked, what didn’t. Save it as a PDF in a folder labeled “Restore Tests.” Repeat quarterly.
Cost: Free. The cost is the time discipline of doing it on a schedule.
4. Separate admin accounts
Most SMB IT users do everything from a single account that has both email/calendar/Teams and domain-admin or Microsoft 365 global-admin rights. That single account compromised through a phishing email gives the attacker the keys to the entire environment.
The DIY fix (about 2 hours): For every user with privileged rights, create a second, admin-only account and move the privileged rights to it, so the daily account that reads email no longer holds them. Use the admin account only for admin actions and never for email, browsing, or daily work. Sign out of admin sessions when finished. Apply MFA to both.
Cost: Free in most cases — the licensing for a second admin-only account is usually included or minimal.
5. Off-site backup copy
The 3-2-1 backup pattern (three copies, two media types, one off-site) is decades old, and yet most SMBs we audit either have everything on a single NAS, or have “cloud backup” that’s actually just file sync to the same Microsoft 365 tenant that’s already at risk. Underwriters now ask explicitly whether your backup is in a separate failure domain.
The DIY fix (varies — $50 to $200/month): Add a second backup destination in a different cloud or geographic location. Backblaze, Wasabi, AWS S3 with Object Lock, and Azure Backup with immutability are common patterns. The key requirement: an attacker who compromises your primary tenant cannot also delete the backup.
Cost: $50–$200/month for an SMB-sized environment. The cheapest control on this list with the highest carrier weighting against ransomware claims.

When to Call in Help
Five of the fourteen controls are realistically DIY for most SMBs. The other nine usually aren’t — they require either deeper technical work or operational discipline that’s hard to maintain without dedicated staff. Here’s the honest list of where ACS clients usually want help:
- MFA on legacy auth systems (older EHRs, accounting platforms, line-of-business apps that don’t natively support modern auth)
- Patching cadence — staying under 30 days for critical CVEs across endpoints, servers, network gear, and SaaS plugins requires either a tool or a rhythm most SMBs don’t have in-house
- EDR deployment and tuning — the technology is straightforward; the alert triage is what trips most SMBs up
- Email security gateway above M365 / Workspace defaults — Mimecast, Proofpoint, Abnormal, or similar
- Quarterly phishing simulation + awareness training — the program design and the run-rate
- Written incident response plan with annual tabletop — the doc plus the drill
- IR retainer with a named provider — the contract pre-positioning
- Privileged access management beyond simply having separate admin accounts
- Vendor risk inventory — knowing your critical fourth parties and their security posture
If you ran the self-audit above and got stuck on more than three of the fourteen controls, that’s the conversation to have with your IT partner before your renewal lands. For sizing what an outside engagement looks like, see our breakdown of Cybersecurity Risk Assessment Cost: What SMBs Actually Pay.
Common Mistakes
- Filling out the questionnaire from memory instead of from documented evidence
- Treating “we have backups” as equivalent to “we have a documented restore test”
- Assuming the broker is going to fight for you on questions you couldn’t answer
- Waiting until 30 days before renewal — most fixes need 60+ days to land cleanly in the carrier’s evidence window
- Ignoring DMARC because “we don’t really get spoofing problems” (the carrier’s external scan sees the gap regardless)
- MFA with carve-outs for the executive team — this is the single most-flagged gap on resubmission
- Single-account admin rights for the IT person who also reads email
- Backup that all lives in the same Microsoft 365 tenant being protected
- No written incident response plan, or a plan that’s been written but never tested
- Not saving the questionnaire response as a baseline you can compare to next year
Frequently Asked Questions
How early should I start the self-audit?
Sixty days before your renewal date is the sweet spot. Most fixes — especially DMARC progression, restore-test documentation, and IR retainer contracting — take 30 to 60 days to land cleanly. Starting earlier gives you flexibility; starting later forces compromises.
What if I can’t answer “yes” to all 14 controls — should I lie?
No. Carriers run external scans now and many cross-reference questionnaire answers against scan results. A questionnaire answer that doesn’t match the scan is a red flag that triggers either a higher load, a coverage exclusion, or — in some cases — a denial at first claim. The defensible path is to be honest about the gap and show the remediation plan. Most carriers reward “we know we don’t have it; here’s our plan and timeline” with better terms than “yes” answers that don’t survive a scan.
Does my broker do this for me?
Brokers help you complete the questionnaire and shop the market. They generally aren’t your IT remediation partner — they don’t write your DMARC record or document your restore tests. The defensible posture is to do the technical work yourself or with an IT partner before you hand the questionnaire back.
What’s the typical premium swing between a clean renewal and a flagged one?
Across SMB clients we see in the Bay Area, Texas, and New England, the difference between a clean renewal (all 14 controls evidenced) and a flagged one (3+ gaps with no remediation plan) is usually a 15–25% loading on premium and sometimes a 50% reduction in ransomware sublimit. On a $4,500/year policy that’s $700–$1,100 a year of avoidable cost.
Does this apply to healthcare practices and HIPAA-regulated firms?
Yes — and harder. HIPAA-regulated firms get an extra layer of underwriter scrutiny on PHI handling, EHR access controls, and BAA inventory. See our 2026 HIPAA Security Rule Changes for the regulated-industry overlay on top of the 14 controls above.
Is there a downloadable version of this self-audit?
A printable version of the 14-control checklist is included with our free Cyber & Network Audit — the deliverable underwriters actually want to see at renewal.
Bottom Line
The cyber insurance renewal questionnaire your broker sends in 60 days is the single highest-leverage IT document in your business this year. Run the 14-control self-audit yourself, fix the five common gaps that have free DIY fixes, and document everything in a folder you can send your broker on day one of the renewal cycle. The firms that do this consistently get clean renewals, lower premiums, and broader coverage. The firms that don’t get loaded, sub-limited, and surprised. The choice is which of those two stories you want to be telling your CFO this summer.
Free Cyber & Network Audit — through May 31, 2026
ACS runs free 60-day pre-renewal audits for SMBs through May 31, 2026. The deliverable is the exact 14-control questionnaire pre-fill your broker will ask for, plus identity audit, backup posture review, and documented restore-test setup. LinkedIn-network only.
Related reading: Cyber Insurance Requirements: IT Controls Your Business Needs to Qualify · Multi-Factor Authentication Guide for Businesses in 2026 · Email Security Guide and Phishing Protection · 2026 HIPAA Security Rule Changes · Cybersecurity Risk Assessment Cost: What SMBs Actually Pay