The cyber insurance market has undergone a dramatic transformation. Five years ago, obtaining a cyber insurance policy was relatively straightforward: fill out a basic application, answer some general questions about your security practices, and receive a quote. Today, insurers have significantly tightened their underwriting criteria, and many organizations are finding that their existing security controls no longer meet the minimum requirements for coverage.
This shift was driven by a surge in ransomware claims that devastated insurer profitability between 2019 and 2022. Insurers responded by raising premiums, reducing coverage limits, adding exclusions, and most importantly, demanding that policyholders implement specific security controls before coverage is offered. In 2026, your ability to obtain affordable cyber insurance depends directly on the maturity of your cybersecurity program.
This guide covers the security controls that cyber insurers now require, how to prepare for the application process, and what to expect from the underwriting evaluation.
Why Cyber Insurance Requirements Have Tightened
The hardening of the cyber insurance market is a direct response to financial losses. Ransomware attacks increased in frequency and severity, business email compromise claims grew steadily, and insurers paid out more in claims than they collected in premiums across several consecutive years.
In response, the insurance industry professionalized its approach to cyber risk. Underwriters now employ cybersecurity experts, use automated scanning tools to evaluate applicants’ external security posture, and require detailed evidence of specific security controls. Policies that once covered almost any cyber incident now include explicit exclusions for events that could have been prevented by basic security hygiene.
The result is that cyber insurance applications have become security assessments in their own right. Organizations that cannot demonstrate adequate controls face higher premiums, reduced coverage, or outright denial.
Essential Security Controls Insurers Require
While requirements vary by insurer and policy type, the following controls have become near-universal prerequisites for cyber insurance coverage in 2026.
Multi-Factor Authentication
MFA is the single most frequently required control across all cyber insurers. You must implement MFA for:
- Remote access to your network (VPN, remote desktop)
- Email access (particularly cloud-based email like Microsoft 365 and Google Workspace)
- Privileged and administrative accounts
- Access to backup systems and management consoles
- Cloud management portals (AWS, Azure, GCP)
Many insurers will not offer a quote if MFA is not implemented across all of these areas. Some have added MFA requirements for all users accessing any corporate system, not just privileged accounts. If your organization has any access points where MFA is not enforced, address this before applying for coverage.
Endpoint Detection and Response
Traditional antivirus is no longer sufficient. Insurers now require endpoint detection and response (EDR) solutions that provide real-time monitoring, behavioral analysis, and automated response capabilities on all endpoints. EDR tools like CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, or Carbon Black are expected.
Key requirements include deployment across all endpoints (workstations, servers, and laptops), 24/7 monitoring (either in-house or through a managed detection and response provider), and automated isolation capabilities for compromised endpoints.
Backup and Recovery
Insurers have learned from ransomware claims that backup practices directly determine whether an incident results in a minor disruption or a catastrophic loss. Required backup controls typically include:
- Offline or immutable backups: At least one copy of critical data must be stored in a manner that prevents ransomware from encrypting or deleting it. Air-gapped backups or immutable cloud storage satisfy this requirement.
- Regular backup testing: Backups must be tested regularly to verify that restoration works. Untested backups are equivalent to no backups when a ransomware attack occurs.
- Defined recovery objectives: Organizations should have documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems.
Patch Management
Insurers expect organizations to maintain a documented patch management program that addresses critical vulnerabilities promptly. Requirements typically include:
- Critical and high-severity patches applied within 14 to 30 days of release
- Internet-facing systems patched on an accelerated timeline
- A documented process for evaluating and prioritizing patches
- Regular vulnerability scanning to identify unpatched systems
Organizations with a history of unpatched critical vulnerabilities face higher premiums or coverage denials.
Email Security
Business email compromise and phishing attacks account for a significant portion of cyber insurance claims. Insurers require robust email security measures including:
- Email filtering and anti-phishing technology
- DMARC, DKIM, and SPF implementation
- Security awareness training for all employees, with specific focus on phishing recognition
- Policies for verifying fund transfer requests through out-of-band communication
Privileged Access Management
The compromise of privileged accounts is a common pathway in ransomware attacks. Insurers look for:
- Principle of least privilege implementation
- Separation of administrative and standard user accounts
- Privileged account monitoring and logging
- Regular review of administrative access
- Dedicated privileged access management solutions for large environments
Incident Response Planning
Insurers want to know that you can respond effectively when an incident occurs. Requirements include:
- A documented incident response plan that is reviewed and updated at least annually
- Regular tabletop exercises to test the plan
- Identified incident response team with defined roles
- Pre-established relationships with incident response firms, legal counsel, and forensics providers
- Communication plans for notifying affected parties, regulators, and the insurer
Network Segmentation
Flat networks allow attackers to move laterally without restriction. Insurers increasingly require network segmentation that isolates critical systems and limits the blast radius of a compromise. This includes segmenting the operational technology environment from the IT network, isolating backup systems, and restricting lateral movement paths between network zones.
Security Awareness Training
Regular security awareness training for all employees is a standard requirement. Insurers typically expect training to be conducted at least annually, with additional phishing simulation exercises throughout the year. Some insurers ask for evidence of training completion rates and simulation results.
The Application Process
Cyber insurance applications have become significantly more detailed. Expect the following during the application process.
Detailed Questionnaires
Applications now include multi-page questionnaires covering your security controls, incident history, data handling practices, and business operations. Answer honestly. Misrepresentations on insurance applications can void coverage when you need it most.
External Scanning
Many insurers conduct automated external scans of your internet-facing infrastructure during the underwriting process. They use tools similar to SecurityScorecard or BitSight to evaluate your external security posture. Open ports, expired certificates, unpatched services, and misconfigured DNS can all negatively affect your underwriting outcome.
Supplemental Documentation
Insurers may request additional documentation such as your incident response plan, recent penetration test reports, SOC 2 or ISO 27001 certifications, and evidence of MFA deployment. Having these documents readily available accelerates the application process and demonstrates security maturity.
Reducing Your Premiums
Beyond meeting minimum requirements, several factors can help you negotiate better coverage terms and lower premiums.
Demonstrate compliance certifications: SOC 2, ISO 27001, and other recognized certifications provide third-party validation of your security program. Insurers view certified organizations as lower risk.
Show continuous improvement: Document year-over-year improvements in your security posture. Trend data from vulnerability scans, penetration tests, and incident metrics demonstrates a maturing program.
Implement advanced controls: Going beyond minimum requirements with capabilities like zero trust architecture, 24/7 SOC monitoring, or continuous penetration testing positions you favorably during underwriting.
Maintain a clean claims history: Organizations with no prior cyber insurance claims typically receive more favorable pricing. Even organizations that have experienced incidents can benefit by demonstrating that they remediated root causes and improved their defenses.
How eShield Consulting Helps with Cyber Insurance Readiness
eShield Consulting provides cyber insurance readiness assessments that evaluate your security controls against insurer requirements, identify gaps, and develop remediation plans. We help organizations implement the controls that insurers demand, prepare documentation for applications, and improve their security posture to qualify for better coverage terms. Our assessments are particularly valuable for organizations that have been denied coverage or quoted excessive premiums due to security deficiencies.
Frequently Asked Questions
Can I get cyber insurance without MFA?
It is increasingly difficult. Most insurers now consider MFA a mandatory requirement, and applications without MFA across key access points are likely to be declined or quoted at significantly higher premiums. Implementing MFA should be your first priority if you are seeking cyber insurance.
What does cyber insurance typically cover?
Standard policies cover incident response costs, data breach notification expenses, business interruption losses, ransomware payments (though this coverage is narrowing), legal defense costs, and regulatory fines and penalties. Coverage varies by policy, so review the specific terms of any policy you are considering.
How much does cyber insurance cost?
Premiums vary widely based on organization size, industry, revenue, security posture, claims history, and coverage limits. Small businesses may pay USD 1,000 to USD 5,000 annually. Mid-market companies typically pay USD 10,000 to USD 50,000. Large enterprises can pay USD 100,000 or more. Organizations with strong security programs receive better pricing.
What is a retention or deductible in cyber insurance?
The retention, also called the deductible, is the amount your organization must pay before insurance coverage begins. Retentions for cyber policies typically range from USD 10,000 for small businesses to USD 250,000 or more for large enterprises. Higher retentions reduce premiums but increase your out-of-pocket costs during an incident.
Does having cyber insurance mean we can relax our security controls?
Absolutely not. Cyber insurance is designed to transfer residual risk after you have implemented appropriate security controls. Insurers explicitly expect policyholders to maintain and improve their security posture throughout the policy period. Failing to maintain required controls can result in claim denials.
What are common cyber insurance exclusions?
Common exclusions include acts of war and nation-state attacks (though definitions are evolving), known but unpatched vulnerabilities, incidents resulting from failure to maintain minimum security standards, social engineering losses above a sub-limit, and previously disclosed incidents. Always read the exclusion language carefully before purchasing a policy.