Cyber insurance has gone from a nice-to-have to a non-negotiable line item — but qualifying for a policy is no longer as simple as filling out a one-page application. Underwriters now require businesses to demonstrate specific, verifiable security controls before they will issue or renew coverage. Fail to meet them and your application gets denied, your premium triples, or your claim gets rejected when you actually need it.
This guide walks through every IT control U.S. cyber insurance carriers ask about in 2026, what each one really means in practice, what it costs to implement, and how to assemble the documentation underwriters want to see. It is written for SMBs and mid-market firms — particularly in regulated verticals like healthcare, legal, finance, and accounting — where a denied claim or a coverage gap can be fatal.

Why Cyber Insurance Requirements Tightened
Between 2020 and 2024, ransomware claims forced carriers to pay out tens of billions of dollars. Loss ratios in the cyber line spiked above 70% at multiple major insurers — meaning carriers were paying out more than 70 cents on every dollar of premium they collected, before even accounting for overhead. The market responded by dramatically tightening underwriting:
- Detailed security questionnaires replaced one-page applications. Some run 60+ questions covering MFA coverage, backup architecture, EDR deployment, and patching cadence.
- External attack-surface scans are now standard. Carriers run their own reconnaissance against your public-facing infrastructure before quoting.
- Sub-limits and co-insurance for ransomware became the norm. Many policies cap ransomware payouts at 50% of the policy limit unless you can prove specific controls.
- Verification shifted from honor-system to evidence-required. Carriers ask for screenshots, console exports, or attestation letters from your MSP.
The bottom line: the days of checking boxes on a self-attested form are over. If you say you have endpoint detection and response (EDR) deployed across all endpoints, your carrier may ask for a coverage report. If you claim 100% MFA on email, they may run a test login attempt against a generic admin account.
The 14 Controls Underwriters Care About in 2026
Different carriers weight these differently, but the following 14 controls show up on virtually every U.S. cyber insurance application in 2026. We have grouped them by category and flagged which ones are typically mandatory for any meaningful coverage versus preferred (you can still get a policy without them, but expect a 20–60% premium loading).
| Category | Control | Status | Typical Evidence Required |
|---|---|---|---|
| Identity | MFA on email, VPN, RDP, all admin accounts | Mandatory | Microsoft 365 / Okta MFA coverage report |
| Identity | Privileged access management (PAM) | Preferred | PAM tool config or LAPS deployment proof |
| Identity | Conditional access policies | Preferred | Entra ID Conditional Access policy export |
| Endpoint & Network | EDR/MDR on every endpoint and server | Mandatory | EDR console screenshot showing full coverage |
| Endpoint & Network | Email security gateway with sandboxing | Mandatory | Defender for Office 365, Proofpoint, or Mimecast |
| Endpoint & Network | Network segmentation between OT/IT or guest/corp | Preferred | Network diagram or firewall rule export |
| Backup & Recovery | Immutable, offsite, tested backups (3-2-1-1-0) | Mandatory | Backup architecture diagram + recent restore test log |
| Backup & Recovery | Documented and tested incident response plan | Mandatory | IR plan PDF + most recent tabletop minutes |
| Vulnerability Mgmt | Patching SLAs (critical <14 days, high <30) | Mandatory | RMM patch report or vuln scan trend |
| Vulnerability Mgmt | External vulnerability scanning quarterly | Preferred | Recent scan report from Qualys, Tenable, or similar |
| Vulnerability Mgmt | Web application firewall on customer-facing apps | Preferred | WAF configuration evidence |
| Governance | Annual security awareness training + phishing simulation | Mandatory | Training completion report + phish-fail-rate trend |
| Governance | Written information security policy (WISP) | Mandatory | Signed WISP / ISMS document |
| Governance | Vendor risk management program | Preferred | Vendor inventory + due-diligence questionnaire samples |
1. MFA Coverage — The Single Biggest Question
If you take only one thing away from this guide: comprehensive multi-factor authentication is the control underwriters scrutinize most. A single MFA gap on a privileged account is enough to trigger denial or a major premium loading. Carriers want MFA on:
- All email accounts — including service accounts, distribution groups, and mailbox-only delegated access
- Remote access — VPN, RDP gateways, jump boxes, and any browser-based remote access tools
- Privileged accounts — domain admins, global admins, root accounts, and any accounts with delegated administrative permissions
- SaaS applications — particularly anything tied to financial systems, file storage, or customer data
- Backup admin consoles — Veeam, Datto, Rubrik, and the cloud admin portals that control them
| MFA Method | Carrier Acceptance | Phishing-Resistant? | User Friction |
|---|---|---|---|
| FIDO2 / WebAuthn (hardware keys, passkeys) | Strongly preferred | Yes | Low after enrollment |
| App-based push (Authenticator, Duo) | Accepted | Partial — vulnerable to MFA fatigue | Low |
| TOTP codes (Google Authenticator) | Accepted | No — phishable | Medium |
| SMS / voice codes | Acceptable as fallback only | No — SIM-swap risk | Low |
| Email OTP | Often rejected | No | Low |
If you are still using SMS-only MFA, expect at least a 15–25% premium loading. Several carriers will outright decline coverage for privileged accounts protected by SMS only. The fastest upgrade path for most SMBs is enabling Microsoft Authenticator with number matching, then layering FIDO2 keys on the top tier of admin accounts.
2. EDR / MDR — Antivirus Is Not Enough
Traditional antivirus is now insufficient for cyber insurance qualification at most carriers. Underwriters specifically ask whether you have endpoint detection and response (EDR) — and increasingly, whether that EDR is supplemented by 24×7 managed detection and response (MDR) services. Acceptable platforms in 2026 include CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint (Plan 2), Palo Alto Cortex XDR, and Sophos Intercept X. Free or built-in antivirus rarely satisfies underwriters without supplemental controls.

Coverage matters. If you have EDR on 80% of endpoints but the remaining 20% are unmanaged contractor laptops or legacy point-of-sale systems, that is the gap an underwriter will flag. The expectation is that EDR is deployed on every Windows, macOS, and Linux endpoint plus every server (including domain controllers, file servers, and hypervisor hosts).
3. Immutable, Tested Backups
Ransomware is the loss driver behind cyber insurance, and recoverable backups are the single biggest factor in getting back online without paying a ransom. The classic 3-2-1 rule — three copies, two media, one offsite — has evolved into 3-2-1-1-0:
- 3 copies of your data
- 2 different media types (disk, tape, cloud object storage)
- 1 copy offsite
- 1 immutable copy — written once, cannot be altered or deleted within the retention window even by an admin with stolen credentials
- 0 errors on the most recent restore test
The 1 immutable and 0 errors are the parts most often missing. Immutability means using object lock on AWS S3, Azure Blob immutability, or vendor-native features like Veeam Hardened Repository or Datto’s immutable cloud storage. Carriers want to see written restore-test procedures and dated logs of completed restores — not just "backups are running."
4. Patching and Vulnerability Management SLAs
Carriers expect documented SLAs for how quickly you patch critical and high-severity vulnerabilities. Common 2026 underwriter expectations:
| Severity | Time to Patch (Carrier Expectation) | Examples |
|---|---|---|
| Critical / actively exploited | 14 days from disclosure (often 7 if on CISA KEV list) | Zero-days in Exchange, VPN appliances, MOVEit-class file-transfer software |
| High | 30 days | Most patch-Tuesday remote code execution issues |
| Medium | 90 days | Privilege escalation requiring local access |
| Low | Best effort, included in regular maintenance windows | Information disclosure with low impact |
The mechanism matters as much as the SLA. Underwriters want evidence of an automated patching tool (Microsoft Intune, Action1, NinjaOne, ConnectWise Automate, or similar) plus a documented exception process for systems that cannot be patched on schedule.
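To turn the SLA table above into something an RMM or scan export can be checked against, here is an added example (not from the original article or any vendor tool) that computes each finding's patch deadline, applies the shorter 7-day window for critical issues on the CISA KEV list, and buckets findings into on-time, late, overdue, and best-effort. The finding rows, IDs, and dates are constructed.

```python
"""Patch-SLA compliance check built from the severity table above.
Added example; SAMPLE_FINDINGS is constructed data with placeholder IDs."""
from datetime import date, timedelta

# Days allowed per severity; None means best effort (no hard deadline).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": None}
KEV_DAYS = 7  # tighter window when the CVE is on the CISA KEV list


def patch_deadline(severity, disclosed, on_kev=False):
    """Return the date by which a finding must be patched, or None."""
    days = SLA_DAYS[severity.lower()]
    if severity.lower() == "critical" and on_kev:
        days = KEV_DAYS
    return None if days is None else disclosed + timedelta(days=days)


def sla_status(finding, as_of):
    """Classify one finding relative to its deadline as of a given date."""
    deadline = patch_deadline(finding["severity"], finding["disclosed"],
                              finding.get("kev", False))
    patched = finding.get("patched")
    if deadline is None:
        return "best-effort"
    if patched is not None:
        return "patched-on-time" if patched <= deadline else "patched-late"
    return "open-within-sla" if as_of <= deadline else "overdue"


def sla_report(findings, as_of):
    """Group finding IDs by SLA status; 'overdue' is what an underwriter flags."""
    report = {k: [] for k in ("overdue", "patched-late", "open-within-sla",
                              "patched-on-time", "best-effort")}
    for f in findings:
        report[sla_status(f, as_of)].append(f["id"])
    return report


# Constructed sample rows (placeholder IDs, not real CVEs or hosts).
SAMPLE_FINDINGS = [
    {"id": "VULN-001", "severity": "critical", "disclosed": date(2026, 1, 5),
     "kev": True, "patched": date(2026, 1, 10)},
    {"id": "VULN-002", "severity": "critical", "disclosed": date(2026, 1, 5)},
    {"id": "VULN-003", "severity": "high", "disclosed": date(2026, 1, 1),
     "patched": date(2026, 2, 15)},
    {"id": "VULN-004", "severity": "medium", "disclosed": date(2025, 12, 1)},
    {"id": "VULN-005", "severity": "low", "disclosed": date(2025, 6, 1)},
]

if __name__ == "__main__":
    print(sla_report(SAMPLE_FINDINGS, as_of=date(2026, 1, 25)))
```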
5. Email Security and DMARC
Business email compromise (BEC) is the single largest source of cyber insurance claims by frequency. Carriers expect:
- An email security gateway with attachment sandboxing and URL rewriting (Defender for Office 365 P2, Proofpoint, Mimecast, or equivalent)
- SPF, DKIM, and DMARC published for every domain you own — DMARC at minimum at p=quarantine, ideally p=reject
- External-sender warning banners on inbound email
- Wire-transfer and vendor-banking-change procedures that require out-of-band verification
DMARC adoption is a free, fast win that visibly improves your underwriting profile. If you are not at p=quarantine or p=reject on your primary email domain, that is the easiest 30-day improvement you can make before your next renewal.
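The following is an added example (not part of the original article) that parses a domain's DMARC TXT record and scores it against the expectation stated above: p=quarantine is the minimum, p=reject the preferred state. It also flags the cases that quietly weaken an otherwise enforcing record, a pct below 100, a looser sp= subdomain policy, and a missing rua= reporting address. The sample records are constructed; to check a real domain you would fetch the TXT record at _dmarc.<domain> and pass it in.

```python
"""Assess a DMARC record against the underwriting expectation above.
Added example; SAMPLES are constructed records, not real domains' DNS."""
from dataclasses import dataclass, field

ENFORCING = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    policy: str
    meets_minimum: bool           # p=quarantine or p=reject at pct=100
    preferred: bool               # p=reject, subdomains covered too
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment("none", False, False, ["not a DMARC1 record"])
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()   # sp= defaults to p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not numeric; treating as unenforced")
    if policy not in ENFORCING:
        findings.append("p=none only monitors; carriers expect quarantine or reject")
    if pct < 100:
        findings.append(f"pct={pct} enforces the policy on only {pct}% of mail")
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy} leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    meets_minimum = policy in ENFORCING and pct == 100
    preferred = meets_minimum and policy == "reject" and sub_policy == "reject"
    return DmarcAssessment(policy, meets_minimum, preferred, findings)


SAMPLES = {  # constructed records for demonstration only
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "reject": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}
```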
6. Privileged Access Management
Privileged access management (PAM) is increasingly a make-or-break for mid-market quotes. The underwriter view is simple: if every IT admin shares a single domain admin password, a single phished credential becomes a domain-wide ransomware event. Acceptable PAM evidence includes:
- A PAM tool (CyberArk, BeyondTrust, Delinea, or similar) for credential vaulting and just-in-time elevation
- Microsoft LAPS (Local Administrator Password Solution) for randomizing local admin passwords across endpoints
- Tiered admin model in Active Directory / Entra ID separating workstation admins, server admins, and domain admins
- Privileged Identity Management (PIM) with time-bound elevation in Microsoft 365 / Entra ID
7. Incident Response Plan and Tabletop
An incident response plan is mandatory. A tested incident response plan is what differentiates an average premium from a preferred one. Carriers ask for the date of your most recent tabletop exercise and the issues that surfaced. A plan written three years ago that no one has rehearsed is treated almost the same as no plan at all.
At minimum, your IR plan should specify: who has authority to declare an incident, who notifies the carrier and within what window, who handles legal notifications under state breach laws, who manages communications with employees and customers, and what the predetermined triage steps are for ransomware, BEC, and data exfiltration scenarios. Run a tabletop at least once a year, document the lessons learned, and update the plan accordingly.
8. Security Awareness Training
Annual training plus quarterly phishing simulations is the floor. Carriers want:
- Documented training completion for 100% of employees (typically tracked through KnowBe4, Hoxhunt, Arctic Wolf, or similar)
- Phishing simulation cadence at minimum quarterly, ideally monthly
- Trending data showing fail rates declining over time
- Targeted retraining for repeat clickers

What Cyber Insurance Costs in 2026
Premiums depend heavily on industry, revenue, and security posture. The numbers below are typical 2026 ranges for $1 million in coverage with a $10–25k retention:
| Business Profile | Annual Premium Range | Common Loadings |
|---|---|---|
| SMB < $5M revenue, basic controls | $2,500 – $6,000 | +30% if no EDR; +20% if SMS-only MFA |
| SMB $5–25M revenue, full control set | $5,000 – $15,000 | Discount available with MDR + tabletop evidence |
| Mid-market $25–100M revenue | $15,000 – $60,000 | Underwriter wants annual pen test report |
| Healthcare or financial services (any size) | +25–40% over baseline | Industry loading on top of underwriting |
| Prior claim history within 5 years | +50–200% over baseline | Some carriers will decline outright |
Pre-Renewal Checklist (60 Days Before Expiration)
Cyber insurance renewals get harder, not easier. Start preparing 60 days before expiration:
- Pull MFA coverage reports from your identity provider — verify 100% on email, admin accounts, VPN, RDP
- Pull EDR coverage report — every endpoint and server enrolled and reporting
- Run a test restore from immutable backup; capture the log
- Update your information security policy with a 2026 review date and an executive signature
- Run a tabletop exercise (even a 90-minute one) and document outcomes
- Confirm DMARC is at p=quarantine or p=reject on every owned domain
- Pull patch compliance trend report from your RMM
- Pull security awareness training completion report and phishing fail-rate trend
- Run an external vulnerability scan and remediate any criticals before submitting the renewal app
- Gather a vendor inventory and confirm that any vendor with access to regulated data has signed a current data-protection addendum
How a Managed IT Provider Helps
The 14 controls above are not impossible to assemble, but they are time-consuming to operate and document — and the documentation is what wins favorable premiums. A managed IT provider with a security focus can:
- Implement and maintain every mandatory control as a packaged service
- Generate the evidence and screenshots underwriters want, on a defined schedule
- Run quarterly or annual tabletops and produce the minutes
- Co-author the application with you, anticipating which questions will trigger loadings and pre-emptively answering them
- Coordinate with your broker and the carrier during a claim, which is when gaps in coverage and evidence become painfully visible
At ACS, we work with insurance brokers across the U.S. on behalf of mid-market clients in healthcare, legal, finance, and professional services. The goal is not just to qualify for coverage — it is to qualify at the preferred-tier rates that reward demonstrably mature security programs.
Frequently Asked Questions
What happens if I misrepresent my controls on the application?
If you claim controls you do not actually have and later file a claim, the carrier can deny the claim for material misrepresentation and rescind the policy retroactively — leaving you exposed to the full cost of the breach. This is the largest preventable failure mode in cyber insurance and the reason brokers strongly recommend involving your IT provider in completing the application.
Can my company self-insure instead?
For most SMBs and mid-market firms, no. The ransomware payment is rarely the largest cost — forensics, legal, breach notification, regulatory fines, and class-action defense routinely run into hundreds of thousands of dollars per incident. Self-insurance is generally only viable above $500M revenue with a captive insurance entity.
Does my general liability or BOP policy cover cyber events?
Almost never to a meaningful degree. Most general liability and business owner’s policies explicitly exclude cyber events or include only minimal cyber coverage as an endorsement. Standalone cyber policies remain the only way to get adequate first-party (your own losses) and third-party (lawsuits from affected parties) coverage.
How long does the underwriting process take?
For SMBs with clean controls and clean claim history, 5–10 business days is typical. For mid-market firms or businesses with prior incidents, 3–6 weeks including external scans and follow-up questionnaires. Renewals usually move faster but still take 2–3 weeks.
What is the most common reason for a denial?
Inconsistent or unverifiable MFA coverage, followed by lack of EDR, followed by no documented incident response plan. The first two are the leading reasons; the third is the leading reason for premium loadings rather than outright denials.
Can a managed IT provider help me with cyber insurance compliance?
Yes — and an MSP that has done it before is dramatically faster than self-assembling. A good MSP will implement and maintain every control, generate the evidence on a recurring schedule, and walk through the questionnaire with you so the answers reflect what is actually deployed.
Bottom Line
Cyber insurance in 2026 rewards businesses that can demonstrate a mature security program — not just claim one. The 14 controls above are now table stakes for any meaningful coverage. The good news: implementing them tightens your real-world security posture too, so the work done to qualify for insurance is the same work that prevents you from needing to use it.
Need help getting renewal-ready? ACS works with U.S.-based SMBs and mid-market firms to assemble the controls, evidence, and documentation that drive favorable cyber insurance premiums. Contact us for a no-cost gap assessment against the 14 controls above.