Cyber Insurance Requirements in 2026: What You Need to Qualify
Cyber insurance has fundamentally changed since 2020. Underwriters that previously accepted basic questionnaire answers now require documented evidence of specific technical controls. Companies that had policies cancelled or saw premiums triple between 2021 and 2023 found out the hard way that the market shifted while they were not paying attention. In 2026, qualifying for meaningful coverage at reasonable rates requires a baseline of security controls that would have seemed ambitious for a mid-market company five years ago.
This guide covers what underwriters actually look for, how compliance frameworks affect your premiums, what coverage costs by company size, why claims get denied, and a practical pre-application checklist.
What Underwriters Look for in 2026
Underwriters have moved from trusting self-reported answers to requiring evidence. The controls they focus on most heavily reflect the loss patterns they have paid out on: ransomware, business email compromise, and data breaches via credential theft.
Multi-factor authentication (MFA). This is the single most scrutinized control. Underwriters want MFA enforced on email (the most common business email compromise vector), remote access (VPN, RDP, remote desktop tools), privileged accounts, and cloud infrastructure consoles (AWS, GCP, Azure). Some underwriters now require phishing-resistant MFA (FIDO2/WebAuthn hardware keys) specifically for administrative and privileged access.
A company that cannot demonstrate MFA enforcement across these systems will either be declined or face a significant premium surcharge. Marsh & McLennan's 2024 cyber insurance survey found that MFA gaps were cited in 64% of declined applications.
Endpoint detection and response (EDR). Standard antivirus is no longer sufficient. Underwriters require EDR solutions that provide behavioral detection, threat hunting capabilities, and centralized visibility. Acceptable solutions include CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos Intercept X, and similar enterprise-grade tools. Consumer antivirus (Windows Defender default, Norton, McAfee consumer) is explicitly excluded by several underwriters.
Offline and immutable backups. Ransomware operators have become sophisticated about destroying or encrypting backup systems. Underwriters require backups that are: stored offline or air-gapped from the primary environment, protected from modification (immutable), tested for restoration at least quarterly, and capable of recovering critical systems within a defined recovery time objective. The 3-2-1-1 backup strategy (3 copies, 2 media types, 1 offsite, 1 offline) is now standard underwriting language.
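Added example, not code from the article: a small Python self-check that scores a backup inventory against the 3-2-1-1 rule above, the quarterly restoration-test expectation, and a per-system recovery time objective. The inventory, test dates and RTO values are constructed for a hypothetical environment.

```python
from datetime import date

# Constructed inventory for a hypothetical environment: one entry per backup copy.
BACKUP_COPIES = [
    {"name": "prod-db nightly snapshot", "media": "disk", "offsite": False,
     "offline": False, "immutable": False},
    {"name": "object-store replica", "media": "object-storage", "offsite": True,
     "offline": False, "immutable": True},  # object-lock / WORM bucket
    {"name": "weekly tape set", "media": "tape", "offsite": True,
     "offline": True, "immutable": True},
]
# Constructed restore-test results: hours taken to recover vs. the system's RTO.
RESTORE_TESTS = [
    {"system": "erp", "tested_on": date(2026, 1, 15), "rto_hours": 8, "actual_hours": 6},
    {"system": "file-share", "tested_on": date(2025, 9, 1), "rto_hours": 24, "actual_hours": 30},
]
RESTORE_TEST_MAX_DAYS = 90  # checklist: restoration tested within the last 90 days


def assess_backups(copies, tests, today):
    """Return {requirement: passed} for 3-2-1-1 plus the restore-test checks."""
    result = {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c["media"] for c in copies}) >= 2,
        "1 offsite copy": any(c["offsite"] for c in copies),
        # The final '1' is a copy ransomware cannot reach or alter: air-gapped or immutable
        "1 offline or immutable copy": any(c["offline"] or c["immutable"] for c in copies),
    }
    for t in tests:
        recent = (today - t["tested_on"]).days <= RESTORE_TEST_MAX_DAYS
        result[f"{t['system']}: restore tested in last {RESTORE_TEST_MAX_DAYS} days"] = recent
        result[f"{t['system']}: recovered within RTO"] = t["actual_hours"] <= t["rto_hours"]
    return result


def gaps(result):
    """Requirements that failed; each one is a line the underwriter will ask about."""
    return [name for name, ok in result.items() if not ok]


if __name__ == "__main__":
    for gap in gaps(assess_backups(BACKUP_COPIES, RESTORE_TESTS, date(2026, 3, 1))):
        print("GAP:", gap)
```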
Incident response plan (IRP). A documented IRP that is tested at least annually. Underwriters look for: named roles and responsibilities, escalation procedures, communication templates for customer notification, regulatory reporting timelines (GDPR 72 hours, SEC 4 business days for material incidents), and relationships with external incident response retainers. Companies that have an IR retainer with a firm like Mandiant, CrowdStrike Services, or Palo Alto Unit 42 on contract often receive premium credits.
Email security controls. SPF, DKIM, and DMARC records properly configured on your email domain, with DMARC set to enforcement (p=quarantine or p=reject, not p=none). Email filtering with attachment sandboxing. Anti-phishing training with documented completion rates.
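Added example, not part of the article: a Python checker for the DMARC and SPF items above (the same items reappear in the pre-application checklist), run offline over constructed sample TXT records for made-up domains. It flags a missing record, p=none, a weaker explicit subdomain policy, partial rollout via pct, a missing reporting address, and an SPF record without an enforcing terminal qualifier; DKIM is selector-specific and is not checked here.

```python
# Constructed sample TXT records for hypothetical domains (no live DNS lookups).
SAMPLE_DNS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 include:_spf.mailprovider.example ?all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
    "strong.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
}
ENFORCING = ("quarantine", "reject")
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_dmarc(record):
    """Return findings for a DMARC TXT record; an empty list means enforcement-grade."""
    if not record:
        return ["no DMARC record published"]
    # DMARC records are 'tag=value' pairs separated by semicolons
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    findings = []
    policy = tags.get("p", "none")
    if policy not in ENFORCING:
        findings.append(f"p={policy}; underwriters expect p=quarantine or p=reject")
    sub_policy = tags.get("sp")  # optional; inherits p when absent
    if sub_policy and sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy} leaves subdomains unenforced")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: only part of the mail flow is under policy")
    if "rua" not in tags:
        findings.append("no rua= address, so enforcement cannot be monitored")
    return findings


def check_spf(record):
    """Return findings for an SPF record: terminal qualifier and the 10-lookup limit."""
    if not record or not record.startswith("v=spf1"):
        return ["no valid SPF record (must start with v=spf1)"]
    terms = record.split()
    findings = []
    if terms[-1] not in ("-all", "~all"):
        findings.append(f"ends with '{terms[-1]}'; expected -all (fail) or ~all (softfail)")
    # Strip the qualifier and any argument to get the bare mechanism name
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_MECHANISMS)
    if lookups > 10:  # RFC 7208 caps DNS-querying terms at 10
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10")
    return findings


def assess_domain(domain, dns=SAMPLE_DNS):
    """Run both checks for one domain; 'passes' is what the checklist item asks for."""
    report = {"dmarc": check_dmarc(dns.get(f"_dmarc.{domain}")), "spf": check_spf(dns.get(domain))}
    report["passes"] = not (report["dmarc"] or report["spf"])
    return report
```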
Vulnerability management. A documented process for identifying and remediating vulnerabilities, with evidence of quarterly scans and critical vulnerability patch timelines (typically 30 days for critical, 90 days for high). Some underwriters are beginning to ask specifically about whether you patch known exploited vulnerabilities (KEVs) from the CISA KEV catalog within specified windows.
Privileged access management (PAM). Separation between standard user accounts and administrative accounts. Privileged accounts should require MFA, have their activity logged, and not be used for routine tasks. Just-in-time (JIT) access provisioning for the most sensitive systems is a positive indicator.
How Compliance Frameworks Affect Your Premiums
Holding a SOC 2 Type 2 report, ISO 27001 certification, or demonstrable alignment with NIST CSF 2.0 or CIS Controls is not just a compliance achievement. It is a premium reduction mechanism.
The mechanism works because these certifications provide independent evidence of controls. Rather than trusting your questionnaire answers, the underwriter can review your SOC 2 report (which documents your controls, any exceptions, and the auditor's conclusions) and make a more confident risk assessment. Confidence reduces uncertainty, and reduced uncertainty translates to lower premiums.
Documented premium reductions by framework:
SOC 2 Type 2: Premium reductions of 10 to 25% compared to equivalent organizations without SOC 2 have been reported by insurance brokers including Gallagher, Aon, and Marsh. The reduction is more significant for SaaS companies and technology service providers where SOC 2 is the expected standard.
ISO 27001: Similar reductions to SOC 2, with some underwriters treating ISO 27001 as equivalent or superior to SOC 2 due to the broader scope of the standard (ISO covers organizational risk management more explicitly).
HIPAA compliance (healthcare companies): Healthcare organizations with documented HIPAA compliance programs, including completed Security Risk Analyses and training records, receive preferential treatment. Those without are often declined outright.
PCI DSS (for companies handling cardholder data): Current PCI DSS Level 1 ROC or valid SAQ reduces premiums and is sometimes required by underwriters as a condition of coverage for organizations with significant payment card data exposure.
CIS Controls v8 Level 2 or higher: Some underwriters are beginning to ask directly about CIS Controls implementation. Level 2 implementation (at least 100 employees) reduces premiums by an estimated 5 to 15%.
Average Cyber Insurance Costs by Company Size in 2026
Pricing stabilized after the rapid increases of 2021 to 2022. Underwriters have better loss data, more mature underwriting models, and the market has more capacity than it did three years ago. However, pricing remains significantly higher than pre-2020 levels.
Small companies (under 50 employees, under $10M revenue):
$500,000 coverage limit: $3,000 to $8,000 per year with standard controls. Without MFA or EDR: $8,000 to $15,000 or declined.
$1,000,000 coverage limit: $6,000 to $15,000 per year with strong controls and SOC 2. Without key controls: $15,000 to $30,000 or declined.
Mid-size companies (50 to 500 employees, $10M to $100M revenue):
$2,000,000 coverage limit: $15,000 to $40,000 per year with documented controls and compliance certifications.
$5,000,000 coverage limit: $35,000 to $90,000 per year. Companies with SOC 2, documented IR plan, and EDR sit at the lower end of this range.
$10,000,000 coverage limit: $70,000 to $180,000 per year. Pricing at this level depends heavily on your industry, prior claims history, and whether you have a formal risk management program.
Enterprise companies (500+ employees, $100M+ revenue):
Coverage at this level is typically placed as a tower structure (primary layer plus excess layers from multiple carriers). Total premiums for $25M to $50M in coverage commonly run $300,000 to $1,200,000 per year depending on industry and risk profile.
Industry surcharges: Healthcare, financial services, education, and government contractors face surcharges of 20 to 100% above baseline rates due to elevated attack frequency and regulatory exposure.
Why Cyber Insurance Claims Get Denied
Denied claims are more common than the industry publicly acknowledges. The most frequent denial grounds:
Misrepresentation on the application. If you answered "yes" to having MFA enforced on all remote access and the forensic investigation reveals that was not true, the insurer can deny coverage under the misrepresentation clause. This is the most consequential denial scenario because it occurs precisely when you need the coverage most. Ensure every person who completes your insurance application understands the specific technical meaning of the questions.
Breach predating the policy. If the forensic investigation reveals the attacker had access to your environment before your policy inception date (called a "prior acts" exclusion), the claim may be partially or fully denied. This is why underwriters ask about known or suspected incidents during the application process.
Failure to maintain required controls post-binding. Many policies require you to maintain the controls you represented during underwriting. If you implemented EDR to qualify for coverage and then let the license lapse, you may be in breach of policy conditions.
War exclusion disputes. Several high-profile claim disputes have involved insurers attempting to invoke war exclusions for nation-state cyber attacks. Merck's $1.4 billion NotPetya dispute with Zurich is the most prominent example (ultimately settled). Review your policy language around war exclusions carefully, particularly if you operate in sectors targeted by nation-state actors.
Policyholder failure to take reasonable steps during the incident. Delaying breach notification beyond statutory deadlines, failing to preserve evidence, or making unauthorized payments to ransomware operators without notifying your insurer can trigger coverage disputes.
Pre-Application Checklist
Before submitting a cyber insurance application, confirm you can document evidence for each of the following:
Identity and Access:
- MFA enforced on email (not just "offered" or "optional")
- MFA enforced on VPN and remote access
- MFA enforced on cloud infrastructure consoles
- Privileged accounts separated from standard user accounts
- Shared credentials eliminated or inventoried with justification
Endpoints:
- EDR deployed on 100% of endpoints (not just some)
- MDM enforcing full-disk encryption on all company devices
- Software inventory process for tracking installed applications
- Patch management process with documented timelines
Data Protection:
- Backup strategy with offline copy
- Backup restoration tested within the last 90 days
- Sensitive data inventory completed
- Data retention and deletion policy documented
Network:
- External vulnerability scan completed within the last 90 days
- Critical and high vulnerabilities from last scan remediated
- Network segmentation between production and corporate environments
- Remote access via VPN only (no direct RDP exposure to the internet)
Email Security:
- DMARC record set to enforcement (p=quarantine or p=reject)
- DKIM and SPF records configured and validated
- Email gateway with anti-phishing protection deployed
Incident Response:
- Written IRP exists and is less than 12 months old
- IR plan tested via tabletop exercise within the last 12 months
- External IR retainer in place, or budget allocated for emergency IR engagement
Training:
- Security awareness training completed by all employees within the last 12 months
- Phishing simulation conducted within the last 12 months with results documented
Governance:
- Cyber insurance contact (broker and carrier) identified and known to IT/security team
- Vendor agreements reviewed for cybersecurity obligations
- Board or executive-level awareness of cyber risk program
Working with a Cyber Insurance Broker
Do not shop cyber insurance directly with carriers. Use a broker who specializes in cyber, not a generalist commercial insurance broker who added cyber to their portfolio. The specialty cyber brokers (Woodruff Sawyer, Cowbell Cyber, Coalition, Corvus, At-Bay, and the cyber practices at Aon, Marsh, and Gallagher) have relationships with underwriters that give them better market access and the expertise to present your risk favorably.
Coalition and At-Bay are worth particular attention: they are both cyber-specialist MGAs (Managing General Agents) that underwrite their own policies and provide active risk monitoring as part of coverage. Their pricing algorithms pull real-time external scan data, which means maintaining good external security hygiene directly affects your renewal pricing.
Frequently Asked Questions
What is the minimum cyber insurance coverage a small business should carry?
Most insurance professionals recommend at least $1,000,000 in coverage for small businesses handling any customer data. Companies with significant data assets, payment card data, or healthcare information should carry $2,000,000 to $5,000,000. The real floor is set by your largest customer contract requirements: many enterprise customers require their vendors to carry $5,000,000 or more in cyber liability.
Can I get cyber insurance without SOC 2 or any compliance certification?
Yes, but your options narrow and your premium increases as you grow. Sub-$5M revenue companies with strong basic controls (MFA, EDR, backups, IR plan) can typically qualify for $1M to $2M coverage without any formal certification. Above $10M in revenue or above $5M in coverage limits, underwriters increasingly want third-party validation of controls, which means SOC 2, ISO 27001, or at minimum a recent penetration test report.
How often do cyber insurance premiums change at renewal?
Premium changes at renewal depend on your claims history, the broader market, and whether your control environment changed. Companies with no claims and documented control improvements typically see flat or slightly lower renewals in the current market. A single claim can trigger premium increases of 50 to 300% at renewal, or non-renewal from your current carrier.
Does cyber insurance cover ransomware payments?
Most cyber policies cover ransomware extortion payments, but coverage is conditional. Your policy typically requires you to notify the insurer before making a payment, obtain insurer approval for the payment, use the insurer's approved negotiation firm, and comply with OFAC (Office of Foreign Assets Control) sanctions requirements. Payments to sanctioned entities are not covered and may create legal liability. Review your specific policy language before assuming coverage.