The cyber insurance market in 2026 is dramatically harder than it was three years ago. Premiums for SMBs have roughly doubled since 2022. Coverage has narrowed — many policies now exclude ransomware payouts above certain thresholds, and most carriers reserve the right to deny claims if the insured can’t prove specific controls were in place at the time of the incident.
What this means for your business: getting cyber insurance is now an underwriting process, not a checkbox. Most carriers will require you to attest to — and increasingly, demonstrate evidence of — a specific list of IT controls before they’ll issue a quote. Miss any of them and you either get denied, get a restrictive policy, or get a quote 2–3× the market rate.
This article covers the 14 controls cyber insurance carriers are routinely demanding in 2026, what each typically costs, how to demonstrate it, and how to use the underwriting process as a forcing function for your security program.
Why underwriting got harder
Three structural shifts in the cyber insurance market over the last three years:
- Loss ratios spiked. 2020–2022 saw major ransomware incidents that bled the carriers. They tightened underwriting to restore margins.
- Carriers built actual cyber expertise. Twelve years ago, a cyber policy was sold by a generalist agent against a single-page questionnaire. Today, most carriers have technical underwriters who know what good looks like.
- Threats got more expensive. A ransomware payout of $50K in 2018 is a $500K event in 2026 (or $5M for mid-market firms). Carriers are pricing for the reality.
The practical effect: your application gets read by someone who knows that “we have antivirus” without specifying EDR is no longer an answer.
The 14 controls almost every carrier asks about
I’ve grouped these by what they map to in a typical cyber liability application. All 14 are common across major carriers (Travelers, Chubb, AIG, Beazley, Coalition, At-Bay, etc.) as of early 2026.
1. Multi-factor authentication on all email, VPN, and admin accounts
The single most common condition for any cyber policy. MFA on email is non-negotiable. MFA on remote access (VPN, RDP) is increasingly required. MFA on every privileged / admin account is now standard.
Typical cost: $0–$5 per user/month if using built-in (Entra ID MFA, Google Workspace 2-Step). $3–$10 per user/month for third-party (Duo, Cisco Secure Access).
2. Endpoint Detection and Response (EDR)
Plain antivirus is no longer accepted as adequate. Carriers want EDR on every endpoint, with active monitoring.
Typical cost: $4–$12 per endpoint/month (Defender for Business, CrowdStrike, SentinelOne, Sophos).
3. 24/7 monitoring (SOC or MDR)
If you have EDR but no one watching the alerts at 2am, you fail this question. Carriers want either an internal 24/7 SOC or an MDR (managed detection & response) service.
Typical cost: $15–$35 per user/month for outsourced MDR.
4. Email security beyond default spam filtering
Anti-phishing, impersonation protection, link rewriting, attachment sandboxing. Defender for Office 365 P1/P2, Mimecast, Proofpoint, Avanan.
Typical cost: $4–$15 per user/month.
5. Backup with offline / immutable copy
The single biggest defense against ransomware demands. Carriers want backups that ransomware can’t encrypt. That means: backup copy stored offline / immutable / in a different cloud / air-gapped; tested recovery within the last 12 months; 30+ days of retention minimum, ideally 90+.
Typical cost: $4–$10 per user/month for cloud SaaS backup with immutability.
6. Privileged access management (PAM)
Domain admin and global admin accounts must be: separate from daily-use accounts; used only when needed (not for everyday work); time-limited / Just-in-Time access if possible; monitored.
Typical cost: Free with Entra ID P2 or paid PAM solutions ($10–$30 per privileged user/month).
7. Email DMARC at “quarantine” or “reject”
DMARC at “p=none” no longer counts. Carriers want enforcement-level DMARC.
Typical cost: Configuration only; if managed by an outside service (Valimail, dmarcian) typically $1,000–$5,000/year.
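A quick way to verify what an underwriter will check here is to parse the DMARC TXT record and test it against the enforcement bar. The script below is an added example (not from this article or any vendor): it parses a record, applies the RFC 7489 defaults for sp= and pct=, and reports whether the organisational policy is actually enforcing. The sample records are constructed, not real domains’ records.

```python
"""Check whether a DMARC TXT record is at enforcement level (p=quarantine or p=reject).

Added example, not from the article. The sample records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    valid: bool                      # parsed as a DMARC1 record with a 'p' tag
    policy: Optional[str]            # organisational-domain policy (p=)
    subdomain_policy: Optional[str]  # effective subdomain policy (sp=, defaults to p=)
    pct: int                         # percentage of failing mail the policy applies to
    enforced: bool                   # True only if p is quarantine/reject and pct == 100
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # ignore empty segments and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    findings: List[str] = []

    # RFC 7489 requires the record to start with v=DMARC1 (value is case-insensitive)
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record does not start with v=DMARC1; not a DMARC record")
        return DmarcAssessment(False, None, None, 0, False, findings)
    if "p" not in tags:
        findings.append("required 'p' tag is missing")
        return DmarcAssessment(False, None, None, 0, False, findings)

    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent

    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 0
        findings.append(f"pct={tags['pct']!r} is not an integer")
    if not 0 <= pct <= 100:
        findings.append(f"pct={pct} is outside 0-100")
        pct = 0

    if policy not in ENFORCING:
        findings.append(f"p={policy} is monitoring only; carriers expect quarantine or reject")
    elif pct < 100:
        findings.append(f"p={policy} is applied to only {pct}% of failing mail")
    if sub_policy not in ENFORCING:
        findings.append(f"subdomain policy sp={sub_policy} lets spoofed subdomains through")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not being collected")

    enforced = policy in ENFORCING and pct == 100
    return DmarcAssessment(True, policy, sub_policy, pct, enforced, findings)


if __name__ == "__main__":
    # Constructed sample records, not real domains' records
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ):
        a = assess_dmarc(rec)
        print(f"{'ENFORCED' if a.enforced else 'NOT ENFORCED':13} {rec}")
        for f in a.findings:
            print("   -", f)
```

Two of the findings matter more than they look: a pct= below 100 means the policy is only sampled, and an sp=none on an otherwise enforcing record leaves every subdomain spoofable, which is the gap external scanners tend to flag. To check a live domain, feed the script the TXT record at _dmarc.yourdomain (for example from dig TXT _dmarc.yourdomain).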
8. Regular vulnerability scanning
External and internal scans, with remediation of critical findings within an SLA (typically 30 days for Critical, 90 days for High).
Typical cost: $5K–$15K/year for a typical SMB scope (internal Qualys/Tenable + external).
9. Annual penetration test or “ethical hack”
Increasingly required for businesses over ~50 staff or in regulated industries.
Typical cost: $10K–$40K depending on scope.
10. Annual security awareness training for all staff
KnowBe4, Proofpoint, Hoxhunt, etc. Phishing simulations + structured training. Carriers ask about completion rates and click rates.
Typical cost: $20–$60 per user/year.
11. Documented incident response (IR) plan
Written, tested at least annually (tabletop exercise), names a specific IR team, includes vendor contacts (forensics, legal, comms), and is accessible without your network if your network is down.
Typical cost: $5K–$20K to develop initially; ongoing maintenance is internal time.
12. Patch management with documented SLAs
Critical patches deployed within 7–14 days, High within 30. Documented and reportable. “We do it manually” is not enough anymore.
Typical cost: Included in most managed IT contracts.
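Controls 8 and 12 both come down to the same question an underwriter will ask: can you show, from your own records, which findings are past their remediation SLA? The script below is an added example, not from the article or any scanner vendor. It takes a list of findings with severity, discovery date and (optional) closure date and reports the overdue items and the compliance rate against a configurable SLA table; the two tables encode the windows the article quotes (30/90 days for scan findings, 14/30 days for patches, taking the upper end of the 7–14 day range). The findings and the reporting date are constructed sample data.

```python
"""Remediation-SLA report for vulnerability findings and patches.

Added example, not from the article. SLA windows are the article's figures;
findings and AS_OF date are constructed sample data.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

VULN_SLA_DAYS: Dict[str, int] = {"Critical": 30, "High": 90}   # control 8
PATCH_SLA_DAYS: Dict[str, int] = {"Critical": 14, "High": 30}  # control 12

AS_OF = date(2026, 3, 1)  # constructed reporting date

# Constructed sample findings; "closed" is None while the item is still open
SAMPLE_FINDINGS: List[dict] = [
    {"id": "F-1", "severity": "Critical", "discovered": date(2026, 1, 15), "closed": None},
    {"id": "F-2", "severity": "High",     "discovered": date(2025, 11, 20), "closed": None},
    {"id": "F-3", "severity": "Critical", "discovered": date(2026, 2, 10), "closed": None},
    {"id": "F-4", "severity": "High",     "discovered": date(2025, 10, 1),
     "closed": date(2025, 10, 20)},
    {"id": "F-5", "severity": "Medium",   "discovered": date(2025, 6, 1),  "closed": None},
]


def days_to_resolve(finding: dict, today: date) -> int:
    """Days from discovery to closure, or to today if still open."""
    end: date = finding["closed"] or today
    return (end - finding["discovered"]).days


def overdue_findings(findings: List[dict], sla_days: Dict[str, int], today: date) -> List[dict]:
    """Open findings whose SLA deadline has passed, worst first."""
    result = []
    for f in findings:
        limit: Optional[int] = sla_days.get(f["severity"])
        if limit is None or f["closed"] is not None:
            continue  # no SLA for this severity, or already remediated
        due = f["discovered"] + timedelta(days=limit)
        if today > due:
            result.append({"id": f["id"], "severity": f["severity"],
                           "due": due, "days_overdue": (today - due).days})
    return sorted(result, key=lambda r: r["days_overdue"], reverse=True)


def sla_compliance_rate(findings: List[dict], sla_days: Dict[str, int], today: date) -> float:
    """Share of SLA-scoped findings (open or closed) resolved within their window."""
    in_scope = [f for f in findings if f["severity"] in sla_days]
    if not in_scope:
        return 1.0
    compliant = sum(1 for f in in_scope
                    if days_to_resolve(f, today) <= sla_days[f["severity"]])
    return compliant / len(in_scope)


if __name__ == "__main__":
    for label, table in (("Scan findings", VULN_SLA_DAYS), ("Patches", PATCH_SLA_DAYS)):
        rate = sla_compliance_rate(SAMPLE_FINDINGS, table, AS_OF)
        print(f"{label}: {rate:.0%} within SLA as of {AS_OF}")
        for r in overdue_findings(SAMPLE_FINDINGS, table, AS_OF):
            print(f"  {r['id']} {r['severity']:8} due {r['due']}  {r['days_overdue']} days overdue")
```

The same finding list scores differently against the two tables, which is the point: a Critical item discovered 19 days ago is within the scan SLA but already past the patch SLA. Export the scanner or RMM data into this shape and the output is the evidence the questionnaire asks for, rather than “we do it manually”.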
13. Network segmentation
Even small businesses are now expected to segment their network — production servers separated from user devices, IoT/guest WiFi separated from corporate, payment systems separated from everything (PCI scope).
Typical cost: Network engineering time; typically $2K–$10K one-time for a small office.
14. Vendor / third-party risk management
A list of your critical vendors, the data each handles, and evidence (SOC 2 / pen test attestation) of their security posture.
Typical cost: Internal time; for larger firms, vendor risk platforms (Vanta, Drata, OneTrust) cost $10K–$50K/year.
What each of these costs in aggregate
For a 50-person business in 2026, hitting all 14 controls typically costs:
| Category | Annual cost |
|---|---|
| MFA, EDR, MDR, email security, backup | $50K–$80K |
| Vulnerability scanning + annual pen test | $15K–$50K |
| Security awareness training | $1K–$3K |
| IR plan + tabletop | $5K–$10K |
| Network segmentation (one-time amortized) | $2K–$5K |
| Vendor risk + tooling | $0–$20K |
| Total annual cybersecurity spend | ~$73K–$168K |
That’s the floor for “insurable” in 2026. Many businesses think they’re spending less; the reality is they’re often paying the same money but at a fraction of the coverage (e.g., antivirus instead of EDR, or no MDR coverage).
How underwriting actually goes
The application process for a 50-person firm typically looks like:
Week 1: Broker walks you through the application (8–25 page questionnaire).
Week 2–3: You answer it honestly (with your IT partner). Each answer maps to one or more of the 14 controls.
Week 4: Underwriter reviews. Three possible outcomes:
- Quote at standard rate. All controls are in place; coverage is offered at market rate.
- Quote with conditions / exclusions. A specific control is missing. Some carriers will offer a higher-priced policy with specific exclusions (e.g., “no ransomware coverage until you implement EDR”).
- Decline. Multiple controls missing or known incidents in past 24 months without remediation.
Week 5–6: Negotiation. Some declines can be reversed by quickly implementing the missing control and re-applying.
The honest application is the right strategy. Some businesses are tempted to soft-pedal answers. Carriers are increasingly cross-checking with external scans (BitSight, SecurityScorecard) and post-incident forensics. Misrepresentation can void coverage. Don’t.
How to use underwriting as a security forcing function
The smartest move I see SMBs make: schedule the cyber insurance application for the 30 days BEFORE the renewal. Use the application as a structured walk-through of your security posture. Whatever you can’t honestly answer “yes” to becomes the next 12 months’ security roadmap.
The 14 controls map to a clear sequence:
- MFA, EDR, email security, backup — Quarter 1
- MDR, DMARC, vulnerability scanning — Quarter 2
- Pen test, IR plan + tabletop, awareness training — Quarter 3
- PAM, network segmentation, vendor risk — Quarter 4
By the time renewal comes around, you’ve gone from “barely insurable” to “premium-grade applicant” — and the premium savings often offset the security investment.
Frequently asked questions
Do all carriers require all 14 controls?
No, but most major carriers require 10+ of them, and the others are increasingly expected.
What if we have one missing control?
Most carriers will quote with an exclusion or a condition (e.g., “must implement within 60 days”). Document that, get the control in place, and the next renewal usually drops the exclusion.
How much does cyber insurance cost in 2026?
For a 50-person professional services business with all 14 controls: typically $8K–$25K/year for $1M–$3M coverage limits. With gaps, easily $20K–$50K/year for narrower coverage.
Should we self-insure?
Almost never for SMBs. Even with all 14 controls, ransomware events and class-action lawsuits can run $1M–$10M.