
Cybersecurity Insurance: What Underwriters Check in 2026

Posted: March 4, 2026 to Compliance.

The State of Cybersecurity Insurance in 2026

Cybersecurity insurance has transformed from a nice-to-have policy add-on into a critical business requirement. The global cyber insurance market surpassed $16 billion in premiums in 2025 and is projected to reach $28 billion by 2028, according to Munich Re. But obtaining coverage has become dramatically more difficult. Premiums have increased by 50% to 100% over the past three years, deductibles have risen, coverage limits have dropped, and the application process has shifted from a simple questionnaire to a rigorous technical audit.

Underwriters are no longer taking organizations at their word. They are scanning your external attack surface, reviewing your security controls, and in many cases, requiring proof of specific technical implementations before they will issue or renew a policy. Organizations that fail to meet minimum security standards face denial of coverage, exclusions on key risk categories, or premiums that make the insurance economically unviable.

This guide explains exactly what cyber insurance underwriters evaluate, the specific controls they require, and how to position your organization for the best coverage at the most competitive rates.

Why Underwriting Standards Have Tightened

The tightening of cyber insurance requirements is a direct response to the claims experience of the past several years. The ransomware epidemic that peaked between 2020 and 2023 devastated insurer loss ratios. Some carriers reported loss ratios exceeding 70%, meaning that more than 70 cents of every premium dollar went straight back out in claims, before any operating expenses were counted. Major incidents like the Colonial Pipeline attack ($4.4 million ransom), the JBS Foods breach ($11 million ransom), and countless mid-market ransomware events forced carriers to fundamentally reassess their risk models.

The result is a market where underwriters have become de facto cybersecurity auditors. They have learned which controls actually prevent or limit claims, and they now require those controls as conditions of coverage. This is not arbitrary gatekeeping. The data shows that organizations with these controls in place experience fewer incidents, smaller losses, and faster recovery when incidents do occur.

The Security Controls Underwriters Require

1. Multi-Factor Authentication (MFA)

MFA is now a non-negotiable requirement for virtually every cyber insurance policy. Underwriters want to see MFA enforced on:

  • Email access (especially Microsoft 365 and Google Workspace)
  • Remote access solutions (VPN, RDP, remote desktop gateways)
  • Administrative consoles for cloud services, security tools, and IT management platforms
  • Privileged accounts (domain admins, database admins, network equipment access)
  • Backup administration consoles

Simply having MFA available is not sufficient. Underwriters ask whether MFA is enforced, meaning users cannot opt out or bypass it, and whether legacy authentication protocols that skip MFA entirely (for example basic-auth IMAP, POP3 and SMTP in Microsoft 365) have been disabled. Many policies now explicitly exclude coverage for breaches that result from compromised credentials where MFA was not enabled.

2. Endpoint Detection and Response (EDR)

Traditional antivirus is no longer accepted by most underwriters. They require endpoint detection and response (EDR) solutions that provide behavioral detection, automated response, and forensic investigation capabilities. EDR must be deployed on all endpoints, including servers, workstations, and laptops. Unmanaged or unprotected endpoints are a red flag that can result in higher premiums or coverage denials.

Specific capabilities underwriters look for include:

  • Real-time threat detection using behavioral analysis, not just signature matching
  • Automated or one-click endpoint isolation to contain active threats
  • 24/7 monitoring by trained analysts (either in-house or through an MDR service)
  • Rollback capabilities that restore files from pre-encryption snapshots or shadow copies after a ransomware event (this recovers data, it does not decrypt it)
  • Integration with SIEM or SOC for centralized visibility

3. Email Security and Phishing Protection

Phishing remains the primary initial access vector for ransomware and business email compromise (BEC) attacks. Underwriters expect to see:

  • Advanced email filtering that goes beyond basic spam filtering to detect sophisticated phishing, spoofing, and malware attachments
  • SPF and DKIM configured for every legitimate sending service, with a DMARC policy at enforcement level (p=quarantine or p=reject rather than p=none) so that mail spoofing your domain is actually quarantined or rejected
  • Employee security awareness training conducted at least quarterly, with simulated phishing exercises
  • Protection against business email compromise, including policies for verifying wire transfer requests and changes to payment information
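As an added illustration, not part of the original post, the Python script below checks SPF and DMARC TXT records for the enforcement level underwriters ask about. It runs offline against two constructed sample records (one weak, one strong, on placeholder domains); in practice you would paste in the live records returned by `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. It goes one step beyond the bullet above: a DMARC record that says p=reject but also carries pct=50 or sp=none still lets spoofed mail through, and the script flags both cases.

```python
"""Check SPF and DMARC TXT records for the enforcement level underwriters ask about.

Added example. In practice, fetch the live records first, e.g.
  dig +short TXT example.com
  dig +short TXT _dmarc.example.com
and feed them to evaluate_domain(). The records below are constructed
for this example; the domain names are placeholders.
"""

# Constructed sample records (placeholder domains, not real data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@strong.example",
    },
}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC-style record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(spf_txt):
    """Return (is_enforced, finding).

    'Enforced' means the record ends in -all (hard fail). ~all (softfail),
    ?all (neutral) and a missing 'all' mechanism let spoofed mail through.
    """
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return False, "no SPF record"
    all_mech = next(
        (m for m in spf_txt.split() if m.lower().lstrip("+-~?") == "all"), None
    )
    if all_mech is None:
        return False, "SPF record has no 'all' mechanism (implicit neutral)"
    if all_mech.startswith("-"):
        return True, "SPF ends in -all (hard fail)"
    return False, f"SPF ends in {all_mech}; underwriters expect -all"


def check_dmarc(dmarc_txt):
    """Return (is_enforced, finding).

    Enforced means p=quarantine or p=reject, applied to 100% of mail (pct),
    with the subdomain policy (sp, which defaults to p) not silently weaker.
    """
    if not dmarc_txt or not dmarc_txt.upper().startswith("V=DMARC1"):
        return False, "no DMARC record"
    tags = parse_tags(dmarc_txt)
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparseable pct: treat as not enforced
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC p={policy}: monitoring only, spoofed mail is still delivered"
    if pct < 100:
        return False, f"DMARC p={policy} but pct={pct}: only {pct}% of failing mail is acted on"
    if sub_policy not in ("quarantine", "reject"):
        return False, f"DMARC p={policy} but sp={sub_policy}: subdomains can still be spoofed"
    return True, f"DMARC p={policy}, sp={sub_policy}, pct=100"


def evaluate_domain(spf_txt, dmarc_txt):
    """Summarise one domain's email-authentication posture as a dict."""
    spf_ok, spf_note = check_spf(spf_txt)
    dmarc_ok, dmarc_note = check_dmarc(dmarc_txt)
    return {
        "spf_enforced": spf_ok,
        "dmarc_enforced": dmarc_ok,
        "passes": spf_ok and dmarc_ok,
        "notes": [spf_note, dmarc_note],
    }


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        result = evaluate_domain(recs["spf"], recs["dmarc"])
        status = "PASS" if result["passes"] else "FAIL"
        print(f"{domain}: {status} - " + "; ".join(result["notes"]))
```

Run it against your own records before the underwriter's scanner does; the weak sample fails on both counts (softfail SPF and a monitoring-only DMARC policy), which is exactly the configuration that external rating services score down.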

4. Backup and Recovery Controls

Backup quality directly correlates with ransomware claim severity. Organizations with tested, air-gapped backups can recover without paying ransoms. Those without them face catastrophic losses. Underwriters now ask detailed questions about:

  • Backup frequency (daily minimum for critical data)
  • Offline, air-gapped or immutable backup copies that cannot be encrypted or deleted by ransomware traversing the network, or by a compromised administrator account
  • Backup encryption and access controls (admin credentials for backup systems must be separate from domain admin accounts)
  • Regular recovery testing (at least quarterly) with documented results
  • Backup of cloud and SaaS data (Microsoft 365, Google Workspace), which many organizations incorrectly assume is automatically backed up by the provider

5. Patch Management and Vulnerability Remediation

Unpatched vulnerabilities are among the most common attack vectors exploited in cyber insurance claims. Underwriters expect a documented patch management program that includes:

  • Critical and high-severity patches applied within 14 to 30 days of release
  • Emergency patching procedures for actively exploited zero-day vulnerabilities
  • Regular vulnerability scanning (at least monthly) with documented remediation tracking
  • Coverage of all systems: operating systems, applications, firmware, and network devices
  • End-of-life system identification and remediation plans
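The following Python script is an added example, not from the original post or any scanner vendor, that turns a vulnerability scan export into the remediation-tracking evidence described above. It reads a constructed CSV with placeholder hosts and finding IDs (not real CVEs), applies the 14-day window to critical findings and the 30-day window to high findings, uses an assumed 2-day emergency window for anything flagged as known-exploited, and reports what was fixed on time, fixed late, still open, or overdue as of a given date.

```python
"""Patch-SLA tracker: turn a vulnerability scan export into the remediation
evidence underwriters ask for.

Added example. The CSV below is constructed for this example; hosts and
finding IDs are placeholders, not real CVEs. A real export would come from
your scanner and would normally carry a CVE column instead.
"""
import csv
import io
from datetime import date

# Days allowed from first detection to fix, by severity: the 14-30 day
# window from the text, split as an assumed policy (adjust to yours).
SLA_DAYS = {"critical": 14, "high": 30}
# Assumed emergency window for findings flagged as actively exploited.
KEV_SLA_DAYS = 2

# Constructed sample export.
SAMPLE_EXPORT = """\
host,finding_id,severity,first_seen,fixed_on,known_exploited
web-01,F-001,critical,2026-02-01,2026-02-10,no
web-01,F-002,high,2026-01-20,,no
db-01,F-003,critical,2026-02-20,,yes
fs-02,F-004,medium,2025-12-01,,no
fs-02,F-005,high,2026-02-25,,no
"""


def parse_export(text):
    """Parse the scanner CSV into a list of finding dicts with real dates."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "id": row["finding_id"],
            "severity": row["severity"].strip().lower(),
            "first_seen": date.fromisoformat(row["first_seen"]),
            "fixed_on": date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None,
            "known_exploited": row["known_exploited"].strip().lower() == "yes",
        })
    return findings


def sla_for(finding):
    """Applicable SLA in days, or None if this severity is not SLA-tracked."""
    if finding["known_exploited"]:
        return KEV_SLA_DAYS  # emergency patching overrides the severity window
    return SLA_DAYS.get(finding["severity"])


def assess(findings, as_of):
    """Bucket every finding as fixed_in_sla, fixed_late, open_in_sla,
    overdue or untracked, measuring open findings up to the as_of date."""
    report = {k: [] for k in ("fixed_in_sla", "fixed_late", "open_in_sla", "overdue", "untracked")}
    for f in findings:
        sla = sla_for(f)
        if sla is None:
            report["untracked"].append(f)
            continue
        end = f["fixed_on"] or as_of
        age = (end - f["first_seen"]).days
        f["age_days"], f["sla_days"] = age, sla
        if f["fixed_on"]:
            bucket = "fixed_in_sla" if age <= sla else "fixed_late"
        else:
            bucket = "open_in_sla" if age <= sla else "overdue"
        report[bucket].append(f)
    return report


def sla_compliance_rate(report):
    """Share of SLA-tracked findings that are fixed on time or still inside
    their window; this is the number to put on the renewal application."""
    tracked = sum(len(v) for k, v in report.items() if k != "untracked")
    if tracked == 0:
        return 1.0
    return (len(report["fixed_in_sla"]) + len(report["open_in_sla"])) / tracked


if __name__ == "__main__":
    report = assess(parse_export(SAMPLE_EXPORT), as_of=date(2026, 3, 4))
    for f in report["overdue"]:
        print(f"OVERDUE {f['host']} {f['id']} {f['severity']} "
              f"age={f['age_days']}d sla={f['sla_days']}d exploited={f['known_exploited']}")
    print(f"SLA compliance: {sla_compliance_rate(report):.0%}")
```

Running it monthly over your real export, and keeping the output, gives you the "documented remediation tracking" an underwriter asks for, and the overdue list is the one to clear before the renewal questionnaire arrives. Note how the known-exploited critical on db-01 is overdue after 12 days even though it is still inside the normal 14-day window.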

6. Privileged Access Management (PAM)

Compromised privileged accounts are the keys to the kingdom in a cyberattack. Underwriters increasingly ask about:

  • Separation of administrative and standard user accounts (admins should not use their privileged accounts for email and web browsing)
  • Just-in-time (JIT) privileged access that grants elevated permissions only when needed and automatically revokes them
  • Monitoring and logging of all privileged account activity
  • Password vaulting for service accounts and shared credentials
  • Regular access reviews to ensure privileges remain appropriate

7. Incident Response Plan

Underwriters want to know you have a plan before a crisis hits. They look for:

  • A written incident response plan that documents roles, responsibilities, communication procedures, and escalation paths
  • Evidence that the plan has been tested through tabletop exercises or simulations within the past 12 months
  • Pre-established relationships with incident response partners, forensic investigators, and legal counsel experienced in cyber incidents
  • Business continuity and disaster recovery plans that address prolonged outages
  • A communications plan that addresses notification requirements for customers, regulators, and law enforcement

8. Network Security Controls

Foundational network security remains a baseline expectation:

  • Next-generation firewalls with intrusion detection and prevention
  • Network segmentation that isolates critical systems and limits lateral movement
  • Secure remote access (VPN with MFA, or zero trust network access)
  • DNS filtering and web content filtering
  • Disabling of unnecessary protocols and services (especially RDP exposed to the internet, which is a dealbreaker for many underwriters)

The Application Process: What to Expect

Modern cyber insurance applications are extensive. Depending on the carrier and coverage level, you can expect:

Pre-Application Scanning

Many carriers now perform external attack surface scans before you even apply. They use services like SecurityScorecard, BitSight, or their own scanning tools to identify exposed services, known vulnerabilities, compromised credentials, and misconfigured DNS records. A poor score can result in an automatic decline or significantly higher premiums.

Detailed Questionnaires

Applications typically include 50 to 200+ questions covering your security controls, governance practices, incident history, and business operations. Answer honestly. Material misrepresentations on the application can be grounds for claim denial or policy rescission.

Technical Verification

Carriers increasingly require evidence beyond self-attestation. You may be asked to provide screenshots of MFA configurations, EDR deployment reports, backup test results, or vulnerability scan summaries. Some carriers conduct interviews with your IT or security leadership.

Supplemental Applications

If your organization has had a prior claim, operates in a high-risk industry (healthcare, financial services, education), or seeks higher coverage limits, expect supplemental questionnaires that dive deeper into specific areas.

How to Get Better Coverage at Lower Premiums

Your security posture directly affects your premiums. Organizations that demonstrate strong controls and mature security programs consistently receive better rates. Here are strategies to optimize your coverage:

  • Implement the controls underwriters prioritize: MFA, EDR, backup testing, and incident response planning have the largest impact on premiums.
  • Document everything: Underwriters reward evidence. Keep records of security awareness training completion, patch management activities, vulnerability scan results, backup recovery tests, and incident response exercises.
  • Work with a specialized broker: Cyber insurance is a specialized product. A broker who focuses on cyber risk can match you with carriers that are the best fit for your industry, size, and risk profile.
  • Consider higher deductibles strategically: A higher deductible can significantly reduce premiums. If you have strong security controls and incident response capability, the tradeoff may make sense.
  • Address findings proactively: If your renewal application identifies gaps, remediate them before the next renewal cycle. Demonstrating improvement year over year signals maturity.

Common Reasons for Claim Denial

Understanding why claims get denied helps you avoid the same pitfalls:

  • Material misrepresentation: Stating that MFA is enforced when it is not, or claiming all endpoints have EDR when some are unprotected. This is the most common basis for denial.
  • Failure to meet minimum controls: If the policy requires specific controls and you fail to maintain them, the carrier may deny the claim or reduce the payout.
  • Late notification: Most policies require notification within 24 to 72 hours of discovering an incident. Delayed notification can jeopardize coverage.
  • Excluded attack vectors: Some policies exclude specific attack types (nation-state attacks, social engineering, acts of war). Review exclusions carefully.
  • Using unauthorized vendors: Many policies require you to use the carrier's panel of approved incident response firms, forensic investigators, and legal counsel. Using unauthorized vendors can void coverage.

Prepare Your Organization With Expert Help

The intersection of cybersecurity and insurance requirements demands expertise in both domains. Petronella Technology Group helps businesses implement the specific security controls that underwriters require, document their security posture for insurance applications, and maintain continuous compliance with policy requirements. With over 23 years of experience navigating compliance frameworks including CMMC, HIPAA, and NIST 800-171, PTG understands what underwriters are looking for and how to get there efficiently.

Facing a cyber insurance renewal or applying for the first time? Contact Petronella Technology Group to schedule a pre-insurance security assessment. We will identify gaps, help you remediate them, and position your organization for the best possible coverage and rates.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
