Cyber Insurance Renewal Checklist 2026: What Insurers Want Before They Write Your Policy

Cyber insurance carriers in 2026 require MFA on all accounts, EDR on every endpoint, a documented incident response plan, annual penetration testing, tabletop exercises, tested backups and privileged access management. Missing any one of these controls can result in claim denial or coverage exclusion at renewal.

What Insurers Require in 2026

The cyber insurance market has shifted from a questionnaire-based underwriting model to an evidence-based one. In 2024 you could check a box that said "we have MFA" and move on. In 2026 the underwriter wants proof. Screenshots. Configuration exports. Dated reports with your company name on them.

This shift happened because carriers lost money. They paid out billions in ransomware claims between 2020 and 2024 and discovered that many policyholders had overstated their security posture on their applications. The response was predictable: tighter requirements and harder enforcement.

Here is what nearly every carrier now mandates before they will write or renew a cyber liability policy:

Multi-Factor Authentication (MFA)
Required on all user accounts, all admin accounts, all remote access points and all cloud services. SMS-based MFA is increasingly rejected. Carriers want authenticator apps or hardware tokens.
Endpoint Detection and Response (EDR)
Antivirus alone is no longer sufficient. Carriers require EDR with 24/7 monitoring on every endpoint that connects to the corporate network. This includes servers, not just workstations.
Documented Incident Response Plan
A written IR plan that names specific roles, communication procedures, containment steps and recovery procedures. The plan must be reviewed and updated at least annually.
Annual Penetration Test
A third-party penetration test conducted within the last 12 months. Internal vulnerability scans do not satisfy this requirement. The test must cover external and internal attack surfaces.
Tabletop Exercise
At least one tabletop exercise per year where leadership walks through a simulated incident scenario. The exercise must produce an after-action report documenting lessons learned and remediation steps.
Backup and Recovery Testing
Backups must exist, be tested and be stored offline or in an immutable format. Carriers want evidence that you have restored from backup within the last 12 months. Untested backups are treated as nonexistent.
Privileged Access Management (PAM)
Admin accounts must be separated from daily-use accounts. Privileged access must be logged and time-limited. Standing admin privileges for IT staff are a red flag on every underwriting questionnaire.

The Checklist

Print this. Hand it to your IT team. Work through it line by line before your renewal date.

Requirement | Why Insurers Care | How to Document It
MFA on all accounts | Credential theft is the entry point in 80%+ of breaches. MFA stops it. | Export MFA enrollment report from your identity provider. Screenshot the conditional access policy. Date everything.
EDR on all endpoints | Ransomware moves laterally through endpoints without EDR coverage. | Export device inventory from your EDR console showing agent status on every machine. Include servers.
Documented IR plan | Organizations without a plan take 2-3x longer to contain a breach, multiplying the insured loss. | PDF of your IR plan with a revision date within the last 12 months. Include the distribution list showing who received it.
Annual penetration test | Validates that your controls actually work against real attack techniques. | Executive summary from a third-party pentest firm. Must include scope, methodology, findings and remediation status.
Tabletop exercise | Tests whether leadership can execute the IR plan under pressure. | After-action report (AAR) with date, participants, scenario description, decisions made and improvement items.
Backup testing | Ransomware victims with untested backups pay ransoms. Carriers pay for those ransoms. | Restore test log showing date, data set restored, time to recovery and success/failure status.
Privileged access management | Compromised admin accounts cause the largest losses because they have unrestricted access. | PAM tool report showing admin account inventory, session logging status and time-limited access policies.
Security awareness training | Human error remains the most frequent initial attack vector. | Training completion report with dates and percentage of staff who completed it. Include phishing simulation results.
Email filtering and DMARC | Business email compromise is the highest-dollar claim category. | DMARC record at enforcement (p=reject or p=quarantine). Email gateway configuration showing attachment and URL scanning.
Encryption at rest and in transit | Reduces regulatory exposure and breach notification costs when data is exfiltrated. | BitLocker/FileVault deployment report for endpoints. TLS configuration for email and web services.

What Happens When You Don't Have These

This is not theoretical. These outcomes are happening right now in 2026.

Claim denial. A mid-market manufacturer suffered a ransomware attack in late 2025. The attacker gained access through a VPN account that did not have MFA enabled. The carrier denied the $2.3 million claim citing a material misrepresentation on the application. The insured had attested that MFA was enforced on all remote access. One account was missed. One was enough.

Premium increases. Organizations that cannot demonstrate compliance with baseline controls at renewal are seeing premium increases of 40-100%. Some are losing coverage entirely and being forced into surplus lines markets where premiums are triple the standard market rate.

Coverage exclusions. Even when carriers renew the policy, they are adding specific exclusions for controls that are not in place. If you cannot prove EDR deployment on servers, the carrier may exclude server-related incidents from coverage. You are paying for a policy that will not pay when you need it.

Retroactive rescission. In extreme cases carriers are rescinding policies retroactively when post-breach forensics reveal that the insured's security posture did not match their application. This means the policy is treated as if it never existed. Every dollar spent on premiums is wasted.

How to Document Compliance for Your Broker

Your broker is your advocate, but they can only work with what you give them. The stronger your documentation package, the better your terms will be. Here is what to assemble before your renewal meeting.

Penetration test report. The executive summary is what the underwriter reads. Make sure it includes the scope (external, internal or both), the methodology (PTES, OWASP or similar), a risk-rated findings list and the remediation status for each finding. If critical findings are remediated, include the retest results.

Tabletop exercise after-action report. This document proves that your leadership team has practiced responding to an incident. Include the date, the scenario (ransomware, BEC, data exfiltration), the participants by title, the key decisions made during the exercise and the improvement actions identified afterward. A two-page AAR is sufficient.

MFA enrollment evidence. Export a report from Azure AD, Okta, Duo or whatever identity provider you use. The report should show total accounts, accounts with MFA enrolled and accounts exempted. If any accounts are exempted, document the business justification and compensating controls.

EDR deployment records. Pull a device inventory from your EDR console. It should show every endpoint in your environment with the agent version and last check-in time. If you have 500 endpoints in Active Directory, the EDR console should show 500 agents. Gaps will be questioned.
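One way to produce the "500 in AD, 500 in EDR" reconciliation above before the underwriter does it for you. This is an added example, not code from the original article: the AD list, the EDR export fields (hostname, last_checkin) and the seven-day staleness threshold are constructed assumptions, so map them onto whatever your own consoles actually export.

```python
# Added example (not from the article): reconcile an AD computer list against an
# EDR agent export to find the coverage gaps an underwriter will question.
# Inventories, field names and the staleness threshold are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=7)  # assumption: no check-in for 7 days counts as a gap

@dataclass
class Gap:
    hostname: str
    reason: str  # "no_agent" or "stale_checkin"

def normalize(name: str) -> str:
    # Consoles disagree on case and FQDN suffix; compare short lowercase names.
    return name.split(".")[0].strip().lower()

def find_gaps(ad_hosts, edr_agents, now):
    """ad_hosts: hostnames from AD (the authoritative device count).
    edr_agents: dicts with 'hostname' and 'last_checkin' (ISO 8601 string)."""
    last_seen = {}
    for agent in edr_agents:
        host = normalize(agent["hostname"])
        seen = datetime.fromisoformat(agent["last_checkin"])
        # keep the latest check-in if a host appears twice (reimaged machines)
        if host not in last_seen or seen > last_seen[host]:
            last_seen[host] = seen
    hosts = sorted({normalize(h) for h in ad_hosts})
    gaps = []
    for host in hosts:
        if host not in last_seen:
            gaps.append(Gap(host, "no_agent"))
        elif now - last_seen[host] > STALE_AFTER:
            gaps.append(Gap(host, "stale_checkin"))
    summary = {"ad_devices": len(hosts), "covered": len(hosts) - len(gaps), "gaps": len(gaps)}
    return gaps, summary

# Constructed sample exports: four AD devices, three EDR agents, one of them stale.
AD_HOSTS = ["WS-001.corp.example", "WS-002.corp.example",
            "SRV-FILE01.corp.example", "SRV-SQL01.corp.example"]
EDR_AGENTS = [
    {"hostname": "ws-001", "last_checkin": "2026-03-01T08:00:00"},
    {"hostname": "ws-002", "last_checkin": "2026-02-01T08:00:00"},
    {"hostname": "srv-file01", "last_checkin": "2026-03-01T09:30:00"},
]  # SRV-SQL01 has no agent at all: the server gap the article says gets questioned

if __name__ == "__main__":
    gaps, summary = find_gaps(AD_HOSTS, EDR_AGENTS, datetime(2026, 3, 2))
    print(summary, *[f"{g.hostname}: {g.reason}" for g in gaps], sep="\n")
```

The summary line is the number to put in the evidence package; the gap list is the remediation work to finish before the renewal meeting.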

Backup restore test log. Document your most recent restore test: what data was restored, from what date, to what target and how long it took. If you test restores quarterly, provide the last four logs.

IR plan revision history. Show that the plan has been reviewed within the last 12 months. A simple version history table at the front of the document is sufficient.

Most Pentests Are Covered by Insurance

This is the part most IT directors miss. Many cyber insurance policies include a risk improvement or loss prevention benefit that reimburses proactive security assessments. Penetration testing is almost always an eligible expense under these provisions.

The process is straightforward:

  1. Review your policy for language about "risk mitigation," "loss prevention" or "security improvement" benefits. These are often buried in the endorsements section.
  2. Contact your broker and ask specifically about pentest reimbursement. Get confirmation in writing.
  3. Submit a pentest proposal before the engagement starts. Most carriers require pre-approval for reimbursement.
  4. After the test is complete, submit the invoice along with the executive summary to your broker for reimbursement processing.

Reimbursement amounts vary by carrier. Some cover the full cost up to $10,000 or $25,000. Others cover a percentage. Either way it is money that reduces your out-of-pocket cost for a test that you need anyway for renewal.

If your current policy does not include this benefit, ask your broker to negotiate it into the next renewal. Carriers are generally willing to add it because pentests reduce the likelihood of a claim.

Start Now

Do not wait until 60 days before renewal to start gathering evidence. A penetration test takes 2-4 weeks to schedule and execute. A tabletop exercise needs at least 3 weeks of lead time for planning and participant coordination. Remediation of pentest findings can take months depending on the severity. Run a free security scorecard today to identify your most visible gaps before the underwriter does.

Start 120 days before your renewal date. That gives you time to test, fix, retest and document everything without scrambling.
