
Cyber Liability Insurance: What Underwriters Require in 2026

Posted: December 31, 1969 to Cybersecurity.

The Evolving Landscape of Cyber Liability Insurance

Cyber liability insurance has transformed from a niche product into a business necessity. As cyber attacks grow more frequent, more damaging, and more costly, organizations of every size are seeking insurance coverage to transfer some of the financial risk associated with data breaches, ransomware attacks, and other cyber incidents. But obtaining coverage in 2026 is not as simple as filling out an application and writing a check. Underwriters have become increasingly sophisticated in evaluating cybersecurity posture, and organizations that cannot demonstrate adequate security controls face higher premiums, restrictive coverage terms, or outright denial.

At Petronella Technology Group, we have spent more than 23 years helping businesses in Raleigh, NC and throughout the region build cybersecurity programs that protect their operations and satisfy the requirements of cyber insurance carriers. This guide explains what cyber liability insurance covers, what underwriters require, and how your organization can position itself for the best possible coverage and premiums.

What Cyber Liability Insurance Covers

Cyber liability insurance policies vary significantly between carriers, but most cover two broad categories of costs: first-party costs incurred by the insured organization and third-party costs arising from claims by others.

First-party coverage typically includes incident response costs such as forensic investigation, legal counsel, and crisis management. It covers notification costs required by data breach notification laws, including printing, mailing, and call center operations. Business interruption losses resulting from cyber incidents are covered, including lost revenue and extra expenses incurred to maintain operations. Data recovery and system restoration costs are included, as are ransom payments in some policies, though this coverage is becoming more restrictive and may require prior approval from the carrier. Reputational harm and public relations costs to manage the fallout from an incident may also be covered.

Third-party coverage includes defense costs and settlements arising from lawsuits by affected individuals, customers, or business partners. Regulatory defense and fines resulting from investigations by regulators such as the FTC, HHS (for HIPAA violations), or state attorneys general are typically covered. Payment card industry fines and assessments resulting from a breach involving credit card data may also be included. Media liability coverage for claims arising from website content, social media, or digital advertising is sometimes included as well.

Understanding the scope and limitations of your policy is critical. Exclusions vary by carrier but commonly include losses resulting from known but unpatched vulnerabilities, acts of war or state-sponsored attacks (though this exclusion is evolving), failure to maintain minimum security standards as specified in the application, and incidents that occurred before the policy inception date. Read your policy carefully and work with a broker who specializes in cyber insurance to ensure you understand what is and is not covered.

The Underwriting Questionnaire: What Carriers Want to Know

The cyber insurance application process has become significantly more rigorous in recent years. Where applications once consisted of a few general questions, today's underwriting questionnaires are detailed technical assessments that probe every aspect of an organization's cybersecurity program. Carriers want to understand not just what technologies you have deployed, but how they are configured, managed, and monitored.

Answering these questionnaires accurately is essential. Misrepresentations on an insurance application can void coverage when you need it most. If you claim to have multi-factor authentication deployed across all remote access and an investigation reveals that MFA was not enabled on a VPN that was used in the attack, the carrier may deny the claim.

The following sections cover the specific security controls that underwriters consistently evaluate.

Multi-Factor Authentication: The Non-Negotiable Requirement

If there is one security control that every cyber insurance carrier requires in 2026, it is multi-factor authentication (MFA). Most carriers will not issue a policy without confirmation that MFA is deployed on all remote access points (VPN, RDP, cloud applications), all email accounts, all privileged and administrative accounts, and all access to backup systems and management consoles.

The type of MFA matters. Carriers are increasingly distinguishing between strong MFA methods such as hardware security keys, authenticator apps, and push notifications, and weaker methods such as SMS-based verification codes, which are vulnerable to SIM swapping attacks. Some carriers now specifically ask whether SMS-based MFA is used and may require a plan to migrate to stronger methods.

MFA is not just an insurance requirement. It is the single most effective control for preventing unauthorized access. Microsoft has reported that MFA blocks more than 99 percent of credential-based attacks. Implementing MFA across all access points should be the top priority for any organization seeking cyber insurance coverage.

Endpoint Detection and Response Requirements

Traditional antivirus software is no longer sufficient to satisfy underwriting requirements. Carriers now expect organizations to deploy endpoint detection and response (EDR) solutions that provide real-time monitoring, behavioral analysis, and automated response capabilities on all endpoints, including workstations, laptops, and servers.

Underwriters want to know which EDR solution is deployed, whether it covers all endpoints (including servers), whether it is monitored 24/7, and who is responsible for investigating and responding to alerts. Organizations that rely on unmonitored EDR, where alerts are generated but no one reviews them in real time, may face scrutiny from underwriters.

Many carriers now ask specifically about managed detection and response (MDR) services, which combine EDR technology with a dedicated team of analysts who monitor alerts, investigate suspicious activity, and respond to threats around the clock. Organizations that use MDR services typically receive more favorable underwriting treatment because the monitoring eliminates the gap between detection and response that characterizes many breaches.

Backup Requirements: The Ransomware Safety Net

Backup and recovery capabilities are scrutinized heavily because they directly determine whether an organization can recover from a ransomware attack without paying the ransom. Underwriters evaluate several aspects of your backup strategy.

Backup isolation is critical. Carriers want confirmation that backups are stored in a location that is not accessible from the production network. If ransomware can encrypt both your production systems and your backups, the backups provide no protection. Air-gapped backups (physically disconnected from the network) and immutable backups (which cannot be modified or deleted, even by administrators) receive the most favorable treatment.

Backup testing frequency is another key factor. Carriers ask how often backup restorations are tested and whether full system restorations have been successfully completed. A backup that has never been tested provides false confidence. Organizations should conduct full restoration tests at least quarterly, documenting the results and the time required to complete the restoration.

Recovery time objectives (RTOs) and recovery point objectives (RPOs) demonstrate that the organization has thought critically about its recovery capabilities. How long would it take to restore critical systems from backup? How much data could be lost between the last backup and an incident? Carriers want to see that these questions have been answered and that the answers align with business requirements.

Employee Security Awareness Training

Underwriters recognize that technology alone cannot prevent cyber attacks. Human error remains a factor in the majority of breaches, and carriers expect organizations to invest in security awareness training for all employees.

The specific aspects of training that underwriters evaluate include training frequency (annual training is the minimum; quarterly or monthly training is preferred), phishing simulation programs that test employees' ability to recognize and report phishing attempts, role-specific training for high-risk employees such as executives and finance staff who are targeted by business email compromise attacks, new employee training that covers security policies and expectations from day one, and documentation of training completion and assessment results.

Organizations with robust training programs that include regular phishing simulations and measurable improvement in employee performance typically receive better underwriting outcomes. Training is one of the most cost-effective security investments an organization can make, and its impact on both insurance and actual security posture is significant.

Incident Response Plan Requirements

Every cyber insurance carrier expects the insured to have a documented incident response plan. But having a plan is not sufficient. Underwriters want to know that the plan has been tested through tabletop exercises, that it defines roles and responsibilities clearly, that it includes contact information for key responders (internal and external), and that it is reviewed and updated regularly.

The incident response plan should address specific scenarios that are most relevant to your organization, such as ransomware attacks, data breaches involving customer data, business email compromise, and insider threats. Each scenario should include specific steps for detection, containment, eradication, recovery, and post-incident review.

Many carriers ask whether the organization has pre-negotiated retainer agreements with incident response firms, forensic investigators, and legal counsel. Having these relationships in place before an incident occurs ensures faster response times and eliminates the need to negotiate contracts under crisis conditions. Our incident response planning guide provides a comprehensive framework for building and testing your plan.

How Compliance Frameworks Affect Premiums

Organizations that can demonstrate compliance with recognized cybersecurity frameworks often receive more favorable insurance terms. Compliance serves as evidence that the organization has implemented a structured, comprehensive approach to cybersecurity rather than deploying controls in an ad hoc manner.

CMMC compliance is increasingly relevant for defense contractors and their subcontractors. The Cybersecurity Maturity Model Certification provides a structured framework for implementing cybersecurity controls based on the sensitivity of the information being protected. Organizations that have achieved CMMC certification can demonstrate to underwriters that they meet a rigorous, independently verified standard for cybersecurity.

HIPAA compliance is relevant for healthcare organizations and their business associates. The HIPAA Security Rule requires specific administrative, physical, and technical safeguards for protecting electronic protected health information. Organizations that can demonstrate HIPAA compliance through risk assessments, policies, and technical controls are better positioned in the underwriting process.

SOC 2 attestation demonstrates that an organization has implemented controls for security, availability, processing integrity, confidentiality, and privacy. While SOC 2 is most commonly associated with technology service providers, any organization that undergoes a SOC 2 audit can leverage the results in the insurance underwriting process.

The relationship between compliance and insurance is not just about checking boxes. Compliance frameworks require organizations to implement comprehensive security programs that address risk assessment, access control, incident response, and continuous monitoring, which are exactly the capabilities that underwriters want to see. Investing in compliance pays dividends in both security and insurability.

Cost Factors and How to Reduce Premiums

Cyber insurance premiums are influenced by several factors, many of which organizations can control through proactive security investments.

Industry and revenue are primary factors. Healthcare, financial services, and retail organizations face higher premiums because they handle large volumes of sensitive data and are frequently targeted by attackers. Revenue determines the scale of potential losses and influences coverage limits and premiums accordingly.

Claims history affects premiums just as it does with other types of insurance. Organizations that have filed previous cyber insurance claims will face higher premiums and may have difficulty finding coverage. This creates a strong financial incentive for preventing incidents, not just insuring against them.

Security posture is the factor organizations have the most control over. Every security control you implement, from MFA and EDR to backup isolation and employee training, can positively influence your premium. Some carriers offer explicit premium reductions for specific controls, while others factor security posture into their overall risk assessment.

Coverage limits and deductibles allow organizations to adjust premiums by accepting more or less risk. Higher deductibles reduce premiums but increase out-of-pocket costs in the event of a claim. Lower coverage limits reduce premiums but may leave the organization underinsured for a catastrophic incident. Work with a knowledgeable broker to find the right balance for your organization's risk tolerance and budget.

To reduce premiums, focus on implementing the controls that underwriters value most: MFA everywhere, 24/7 monitored EDR, isolated and tested backups, regular employee training with phishing simulations, and a tested incident response plan. These investments pay for themselves through reduced premiums, reduced likelihood of a successful attack, and reduced impact when incidents do occur.

Preparing for Your Cyber Insurance Application

Before completing a cyber insurance application, conduct an honest internal assessment of your security controls. Gather documentation of your MFA deployment, EDR coverage, backup architecture, training program, and incident response plan. Identify any gaps between your current posture and what underwriters expect, and develop a plan to address those gaps before applying.

Working with a managed IT services provider can help you implement the controls that underwriters require, document your security posture accurately, and respond to underwriter questions with confidence. An experienced provider can also help you avoid the common pitfall of overstating your security capabilities on an application, which can lead to coverage disputes after an incident.

Cyber insurance is not a substitute for cybersecurity. It is a complement to a strong security program. The organizations that get the best coverage at the best prices are those that invest in prevention first and use insurance to cover the residual risk that no security program can eliminate entirely.

If your organization needs help preparing for a cyber insurance application, implementing the controls that underwriters require, or building a comprehensive security program that reduces both risk and premiums, contact Petronella Technology Group. Our team has more than 23 years of experience helping businesses build the security foundations that insurers demand and that your business deserves.

Craig Petronella hosts the Encrypted Ambition podcast, where he discusses cybersecurity trends, compliance challenges, and technology strategy with industry leaders. With over 90 episodes, the podcast reflects PTG's ongoing commitment to educating businesses about the threats they face and the practical steps they can take to protect themselves.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
