Cyber Insurance
What Cyber Insurers Are Actually Looking For in 2026
If you are renewing a cyber liability policy this year, you have probably noticed that the application looks different. The questionnaire is longer. The questions are more specific. And your broker may be telling you that controls you did not need last year are now mandatory. This is not a temporary trend. The underwriting bar has permanently shifted, and businesses that cannot demonstrate the right controls are facing real consequences: higher premiums, reduced coverage, or outright denials.
This article breaks down exactly what underwriters are looking for, why the requirements have changed, and what you can do about it before your next renewal.
Why Underwriters Have Gotten Stricter
The cyber insurance market has been through a painful correction. Between 2023 and 2025, carriers paid out billions in ransomware claims, many of them from small and midsize businesses that lacked basic security hygiene. The average ransomware payout for an SMB exceeded $250,000 by mid-2025, and breach frequency across organizations with fewer than 500 employees climbed 38% year over year. Carriers responded the only way they could: by tightening requirements and raising rates for policyholders who could not demonstrate adequate controls.
The result is a market that now functions more like commercial property insurance. Just as a building inspector checks for fire suppression and structural integrity before binding a policy, cyber underwriters now verify that specific technical controls are in place before they will offer coverage. If you cannot check those boxes, you either pay significantly more or you do not get a policy at all.
The Seven Controls Underwriters Now Require
While every carrier has its own questionnaire, the industry has converged on a common set of requirements. Here are the seven controls that appear on virtually every cyber insurance application in 2026, along with what each one means in practice.
1. Endpoint Detection and Response (EDR) on All Endpoints
Traditional antivirus is no longer sufficient. Underwriters want to see an EDR solution deployed on every workstation, laptop, and server in your environment. EDR goes beyond signature-based detection by monitoring endpoint behavior in real time, identifying suspicious activity patterns, and enabling rapid containment when a threat is detected. The key word in most questionnaires is "all": partial deployments that cover only some devices will not satisfy the requirement. Deployment alone is not the whole answer either; the alerts the tool raises have to be triaged and acted on, so expect questionnaires to ask who monitors it and how quickly a detection is contained.
2. Multi-Factor Authentication (MFA) Everywhere
MFA on remote access and email is table stakes. In 2026, underwriters expect MFA on every user account, every admin console, and every cloud application. This includes VPN connections, remote desktop sessions, Microsoft 365 and Google Workspace logins, and any SaaS tools that handle sensitive data. The question is whether MFA is enforced by policy, not merely offered: a user who registered a method but can still sign in without it does not count, and neither does an exemption for legacy authentication protocols, service accounts, or unregistered break-glass accounts. If an attacker can reach a critical system with just a stolen password, that is a gap your insurer will flag.
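The honest way to answer the MFA question is to pull a user export from your identity provider and count, rather than estimate. The script below is an added example written for this article, not tooling from MVTS or from any insurer; the export format (a CSV with `user`, `role`, `mfa_state` and `last_sign_in` columns) and the sample rows are constructed assumptions, and real exports from Microsoft Entra ID or Google Workspace use different column names. It treats only an "enforced" state as satisfying the requirement, reports coverage per role, and turns the result into the answer the questionnaire actually asks for.

```python
"""Audit MFA coverage from an identity-provider user export.

Added example for this article; not part of MVTS tooling or any carrier's
questionnaire. The CSV layout below is an assumed format: adapt the column
names to your identity provider's real export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real users).
SAMPLE_EXPORT = """\
user,role,mfa_state,last_sign_in
alice@example.com,admin,enforced,2026-01-12
bob@example.com,user,enforced,2026-01-10
carol@example.com,user,enabled,2026-01-11
dave@example.com,admin,disabled,2025-12-30
svc-backup@example.com,service,disabled,2026-01-12
erin@example.com,user,disabled,2025-07-02
"""

# "enabled" means a method is registered but no policy requires it at sign-in.
# Underwriters ask whether MFA is enforced, so only "enforced" counts.
SATISFYING_STATES = {"enforced"}


def audit_mfa(export_text):
    """Return (coverage per role as a fraction, list of (user, role, state) gaps)."""
    rows = csv.DictReader(io.StringIO(export_text))
    totals = defaultdict(int)
    covered = defaultdict(int)
    gaps = []
    for row in rows:
        role = row["role"]
        totals[role] += 1
        if row["mfa_state"] in SATISFYING_STATES:
            covered[role] += 1
        else:
            gaps.append((row["user"], role, row["mfa_state"]))
    coverage = {role: covered[role] / totals[role] for role in totals}
    return coverage, gaps


def questionnaire_answer(gaps):
    """The application asks about *all* accounts, so any gap makes the honest answer 'No'.

    Admin gaps are counted separately because those are the ones underwriters weigh most.
    """
    if not gaps:
        return "Yes"
    admin_gaps = [g for g in gaps if g[1] == "admin"]
    return "No (%d accounts without enforced MFA, %d of them admin)" % (
        len(gaps), len(admin_gaps))


if __name__ == "__main__":
    coverage, gaps = audit_mfa(SAMPLE_EXPORT)
    for role, frac in sorted(coverage.items()):
        print("%-8s %5.1f%% enforced" % (role, frac * 100))
    for user, role, state in gaps:
        print("GAP  %-25s %-8s %s" % (user, role, state))
    print("Questionnaire answer:", questionnaire_answer(gaps))
```

The gap list is the evidence an underwriter will ask for if coverage is disputed, and the service account in the sample is the kind of entry that is easy to forget: it cannot use interactive MFA, so it needs a documented compensating control (restricted source, vaulted secret, no interactive logon) rather than a silent exemption.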
3. Immutable Backups
Ransomware operators routinely target backup systems before encrypting production data. Underwriters now require that your backups be immutable, meaning they cannot be altered, encrypted, or deleted by any account that also has access to your production environment. This typically means air-gapped or write-once storage with retention policies that prevent modification for a defined period. A backup that lives on the same network as your servers, accessible with the same credentials, does not count, and neither does write-once storage whose retention a sufficiently privileged account can still shorten. Prove it the way an attacker would test it: restore from the immutable copy using an account that holds no production privileges, and keep the restore log as evidence.
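The three conditions above (separate credentials, write-once retention, a retention period that cannot be cut short) can be checked mechanically against an inventory of backup targets. The following is an added example written for this article, not MVTS code or any vendor's tooling. Its attribute names and the `COMPLIANCE` versus `GOVERNANCE` distinction are modelled on S3 Object Lock, where governance-mode retention can be bypassed by a principal holding the bypass permission while compliance-mode retention cannot be shortened by anyone, including the account root user; the sample targets and the list of production admin identities are constructed.

```python
"""Decide whether each backup target qualifies as immutable for a questionnaire.

Added example for this article, not MVTS code. Field names follow S3 Object
Lock semantics as an assumption; other vendors' WORM storage needs its own
mapping onto these checks.
"""
from dataclasses import dataclass, field


@dataclass
class BackupTarget:
    name: str
    # "write_once": object-lock / WORM retention; "air_gapped": offline media;
    # "online_share": an ordinary network share or mounted volume.
    storage_kind: str
    retention_days: int = 0
    # For write_once targets. COMPLIANCE cannot be shortened by any principal;
    # GOVERNANCE can be bypassed by principals holding the bypass permission,
    # so it fails "cannot be deleted by any account".
    lock_mode: str = ""
    # Identities that can write to or administer the target.
    admin_principals: frozenset = field(default_factory=frozenset)


# Constructed: the identities that administer production.
PROD_ADMINS = frozenset({"domain-admins", "backup-svc"})
REQUIRED_RETENTION_DAYS = 30


def evaluate(target, prod_admins=PROD_ADMINS, required_days=REQUIRED_RETENTION_DAYS):
    """Return the reasons a target fails; an empty list means it qualifies."""
    reasons = []
    if target.storage_kind == "online_share":
        reasons.append("storage is a rewritable network share")
    elif target.storage_kind == "write_once":
        if target.lock_mode != "COMPLIANCE":
            reasons.append("lock mode %r can be bypassed by privileged accounts"
                           % target.lock_mode)
        if target.retention_days < required_days:
            reasons.append("retention %d days is below the required %d"
                           % (target.retention_days, required_days))
    elif target.storage_kind != "air_gapped":
        reasons.append("unknown storage kind %r" % target.storage_kind)
    # Any overlap with production administrators means a compromised
    # production admin can reach the backups too.
    shared = target.admin_principals & prod_admins
    if shared:
        reasons.append("administered by production identities: %s"
                       % ", ".join(sorted(shared)))
    return reasons


# Constructed sample inventory.
TARGETS = [
    BackupTarget("nas-share", "online_share",
                 admin_principals=frozenset({"domain-admins"})),
    BackupTarget("s3-governance", "write_once", 30, "GOVERNANCE",
                 frozenset({"backup-vault-admins"})),
    BackupTarget("s3-compliance", "write_once", 35, "COMPLIANCE",
                 frozenset({"backup-vault-admins"})),
    BackupTarget("tape-offsite", "air_gapped",
                 admin_principals=frozenset({"backup-svc"})),
]

if __name__ == "__main__":
    for t in TARGETS:
        reasons = evaluate(t)
        print(t.name, "OK" if not reasons else "FAIL: " + "; ".join(reasons))
```

Only `s3-compliance` passes in the sample. The tape target fails not because of the medium but because the same service identity that administers production can also reach it, which is exactly the shared-credential case the questionnaire is trying to exclude.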
4. Privileged Access Management (PAM)
Admin accounts are the keys to the kingdom, and underwriters know it. PAM controls ensure that privileged credentials are vaulted, rotated on a regular schedule, and accessed only through approved workflows. This also includes eliminating shared admin accounts, enforcing the principle of least privilege, and logging all privileged activity for audit purposes. If your domain admin password is the same one someone set three years ago and six people know it, that is exactly the kind of risk underwriters are trying to eliminate.
5. Incident Response Plan (IRP)
Having a plan on paper is the minimum. Underwriters increasingly want evidence that your incident response plan has been tested within the past twelve months, ideally through a tabletop exercise that involved key stakeholders. The plan should cover roles and responsibilities, communication procedures, containment steps, and recovery timelines. It should also identify your external resources: legal counsel, forensics provider, and insurance carrier notification procedures.
6. Security Awareness Training
Phishing remains the most common initial attack vector for SMBs. Carriers want to see that all employees complete security awareness training at least annually, with regular phishing simulations throughout the year. The training should cover credential theft, social engineering, business email compromise, and safe data handling. Simply sending a compliance email once a year will not satisfy a thorough underwriter; they want to see completion records, simulation results, and evidence of follow-up for employees who fail tests.
7. Vulnerability Scanning
Regular vulnerability scanning of both internal and external assets is now a standard requirement. Underwriters want to see that you are identifying known vulnerabilities on a recurring schedule (monthly at minimum for external scans) and that critical findings are remediated within a defined SLA. This is not a penetration test; it is a systematic process for finding and fixing known weaknesses before attackers exploit them.
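Scanning on a schedule is only half of this control; the other half is showing that findings were closed inside the SLA. The script below is an added example for this article, not MVTS code or a scanner feature. The findings export format, the sample rows, and the SLA days per severity are constructed assumptions; substitute your scanner's real export and your own policy. Open findings are aged to the reporting date, closed ones to their fix date, so the same logic produces both the current breach list and the historical evidence of SLA performance.

```python
"""Check scan findings against a remediation SLA.

Added example for this article, not MVTS tooling. The export columns and
SLA_DAYS values are assumptions to be replaced with your scanner's format
and your written remediation policy.
"""
import csv
import io
from datetime import date

# Assumed policy: days allowed from first detection to fix, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scan export: ISO dates; "fixed" is empty while the finding is open.
SAMPLE_FINDINGS = """\
asset,scope,severity,first_seen,fixed
vpn.example.com,external,critical,2026-01-02,2026-01-06
mail.example.com,external,high,2025-12-01,
fileserver01,internal,critical,2026-01-05,
app01,internal,medium,2025-11-20,2026-01-10
web.example.com,external,low,2025-09-01,
"""


def parse_findings(text):
    return list(csv.DictReader(io.StringIO(text)))


def sla_status(finding, today):
    """Return (age_days, breached). Open findings age to today, fixed ones to their fix date."""
    first = date.fromisoformat(finding["first_seen"])
    end = date.fromisoformat(finding["fixed"]) if finding["fixed"] else today
    age = (end - first).days
    return age, age > SLA_DAYS[finding["severity"]]


def sla_report(findings, today):
    """Per-scope open/breached counts plus a list of (asset, severity, age) breaches."""
    summary = {}
    breaches = []
    for f in findings:
        scope = summary.setdefault(f["scope"], {"open": 0, "breached": 0})
        age, breached = sla_status(f, today)
        if not f["fixed"]:
            scope["open"] += 1
        if breached:
            scope["breached"] += 1
            breaches.append((f["asset"], f["severity"], age))
    return summary, breaches


if __name__ == "__main__":
    report_date = date(2026, 1, 20)  # constructed reporting date
    summary, breaches = sla_report(parse_findings(SAMPLE_FINDINGS), report_date)
    for scope, counts in sorted(summary.items()):
        print("%-9s open=%d breached=%d" % (scope, counts["open"], counts["breached"]))
    for asset, severity, age in breaches:
        print("BREACH %-18s %-8s %3d days (SLA %d)" % (asset, severity, age, SLA_DAYS[severity]))
```

Note that a fixed finding can still count as a breach if it was closed late; the questionnaire asks whether you meet the SLA, not whether things eventually got patched, so keep the late closures in the report rather than filtering them out.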
How MVTS Professional Covers These Requirements
Each of these seven controls maps directly to capabilities included in our Professional managed service tier. EDR deployment and monitoring across all endpoints is a core deliverable. MFA enforcement and identity monitoring are configured and maintained as part of onboarding. Immutable backup infrastructure is architected and tested quarterly. Privileged access management is implemented with vaulted credentials, automated rotation, and audit logging. Your incident response plan is built collaboratively with your team, tested annually through tabletop exercises, and updated as your environment changes. Security awareness training and phishing simulations run continuously with monthly reporting. And vulnerability scanning covers your full attack surface with defined remediation timelines.
The practical benefit at renewal time is straightforward: when your broker sends you the underwriting questionnaire, you can answer "yes" to every control question and provide documentation to back it up. MVTS clients walk into renewal conversations with evidence packages that demonstrate compliance across all seven areas.
What Happens If You Cannot Check Those Boxes
The consequences of gaps are not hypothetical. Businesses that cannot demonstrate these controls are seeing premium increases of 30% to 100% at renewal. Some carriers are adding exclusions for specific attack types (ransomware exclusions have become increasingly common for higher-risk applicants). In the worst case, carriers decline to renew entirely, leaving businesses to find coverage in a surplus lines market with significantly higher costs and lower limits.
There is also the claims side to consider. If you experience a breach and your insurer discovers that you misrepresented your security posture on the application, they can deny the claim. This is not a theoretical risk: claim denials based on material misrepresentation of security controls increased substantially in 2025. Answering "yes" to a question about MFA enforcement when half your accounts lack it is exactly the kind of misrepresentation that voids coverage when you need it most.
Your Next Step: Find Out Where You Stand
If your renewal is coming up in the next six months, the single most valuable thing you can do right now is assess your current posture against these seven requirements. Not a vague sense of "we probably have most of this" but a concrete, documented evaluation of what is in place, what is partially deployed, and what is missing entirely.
We built our security assessment specifically for this purpose. It is a complimentary review that maps your current controls to the requirements underwriters are asking about. You will walk away with a clear picture of your gaps and a prioritized plan for closing them before renewal, whether you work with MVTS or not.
Cyber insurance is not getting simpler, and the controls bar is not coming back down. The businesses that prepare now will renew with better terms, lower premiums, and the confidence that their coverage will actually hold up when they need it.
Not sure where your gaps are?
Book a complimentary security assessment. We will review your current controls against these requirements and give you a clear picture of where you stand.
Schedule Your Security Assessment