Cyber Insurance Requirements in 2026: What Your Business Needs to Qualify for Coverage


A few years ago, buying cyber insurance was relatively simple. You filled out a short application, answered a handful of questions about your business, and received a quote. Premiums were affordable, coverage was broad, and most businesses qualified without much scrutiny. Those days are gone. The cyber insurance market has transformed dramatically, and businesses applying for new policies or renewing existing coverage in 2026 are discovering that the rules have changed completely. Carriers are asking detailed, technical questions. Applications now require evidence of specific security controls. And businesses that cannot demonstrate those controls are facing premium hikes, reduced coverage limits, exclusions, or outright denial.

If you have recently tried to renew your cyber policy and been caught off guard by the questions being asked, or worse, received a non-renewal notice, you are experiencing the new reality of cyber insurance underwriting. The insurance industry has absorbed massive losses from ransomware claims over the past several years, and carriers have responded by tightening requirements to manage their exposure. That tightening is not going to reverse. If anything, requirements will keep getting stricter as attacks grow more sophisticated. This guide explains what cyber insurers are actually asking for, why each requirement matters, and how to build the security posture you need to qualify for coverage at reasonable rates. More importantly, it explains why having these controls in place is about more than checking insurance boxes. It is about actually protecting your business from the incidents your policy is supposed to cover.

Why Cyber Insurance Requirements Changed So Dramatically

Understanding the shift in cyber insurance starts with understanding what happened to the industry between 2019 and 2023. Ransomware attacks exploded during that period, with attackers targeting businesses of every size and demanding increasingly large ransoms. Insurance carriers were paying out claims faster than premiums could keep up, and many carriers experienced loss ratios that made cyber coverage unprofitable. Some carriers exited the market entirely. Others raised premiums dramatically and tightened their underwriting standards.

The result is a market where coverage is still available, but only for businesses that can demonstrate they are doing the work to prevent and recover from incidents. Carriers are no longer willing to assume risk on businesses that have not implemented baseline security controls. From their perspective, insuring a business without multi-factor authentication or tested backups is like insuring a building without smoke detectors or a sprinkler system. It is a bet they are not willing to take.

This shift has significant implications for businesses in every industry. Banking institutions, healthcare practices, insurance agencies, and manufacturing companies all face pressure to demonstrate security maturity as a condition of coverage. Businesses that have treated cybersecurity as something they will get to eventually are discovering that eventually has arrived, and the consequences of being unprepared now include being uninsurable.

The Core Security Controls Cyber Insurers Require

Every carrier has its own application and underwriting process, but there is significant overlap in what they are looking for. Over the past two years, a consistent set of required controls has emerged across the cyber insurance market. If your business can demonstrate these controls are in place and operating effectively, you are in a strong position to qualify for coverage at reasonable rates. If you cannot, you need to address the gaps before your next renewal conversation.

Multi-Factor Authentication Across All Critical Systems

This is the single most important control in cyber insurance underwriting right now. Carriers have concluded, with significant statistical backing, that multi-factor authentication dramatically reduces the likelihood of successful account compromise, and they are treating it as table stakes for coverage. Applications no longer ask whether you have MFA. They ask where MFA is enforced, how it is configured, and what authentication methods are accepted.

At minimum, carriers expect MFA on:

Carriers are increasingly specific about what counts. SMS-based MFA is losing acceptance because SIM-swapping attacks can intercept the codes, and authenticator apps and hardware tokens are becoming the preferred standard. If your current MFA deployment is partial or relies on less secure methods, expect underwriting pushback.

Endpoint Detection and Response

Traditional antivirus is no longer sufficient to meet insurance requirements. Carriers now expect businesses to deploy managed endpoint detection and response (EDR) across all servers and workstations. EDR platforms go beyond signature-based detection by monitoring device behavior, identifying anomalies, and enabling rapid response to active threats.

The distinction matters because ransomware attacks almost always involve an initial compromise that sits undetected for hours, days, or weeks before the encryption phase begins. EDR is designed to detect attacker activity during that dwell-time window and stop the attack before it reaches the destructive stage. Insurers know this, and they are requiring it because they have seen the difference it makes in claim outcomes.

For small and mid-sized businesses, the "managed" component is often essential. An EDR tool that generates alerts nobody is watching does not satisfy the intent of the requirement. Carriers increasingly want evidence that a qualified team, whether in-house or through a managed security services provider, is actively monitoring and responding to EDR telemetry.

Tested, Offsite, Immutable Backups

Backup requirements have become significantly more technical. Carriers no longer accept "we have backups" as a satisfactory answer. They want to know:

The immutability requirement reflects hard experience. Attackers who successfully deploy ransomware now routinely target backup systems as part of the attack, encrypting or deleting backups to eliminate the victim's ability to recover without paying. Immutable backups, often implemented through cloud-based object lock or air-gapped systems, prevent this attack pattern.

Business continuity and disaster recovery planning that addresses all of these requirements is now a baseline expectation for cyber coverage, not an advanced capability.

Email Security and Anti-Phishing Controls

Email remains the primary attack vector for ransomware, business email compromise, and credential theft, and insurers have responded by requiring more sophisticated email security than basic spam filtering. Applications frequently ask whether you have deployed advanced email security that includes behavioral analysis, URL scanning, attachment sandboxing, and sender authentication protocols like SPF, DKIM, and DMARC.
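The distinction underwriters care about is whether SPF and DMARC are merely published or actually enforced. The following script is an added example, not code from the original article or from Harbour Technology Consulting: it parses SPF and DMARC policy strings and flags the configurations that typically draw follow-up questions (SPF ending in `~all`, `?all` or `+all`, DMARC `p=none`, partial `pct=`, no `rua=` reporting address). The domains and TXT records are constructed placeholders, so it runs offline; in practice you would feed it the TXT records you fetched for your own domains.

```python
"""Grade SPF and DMARC records the way an underwriting questionnaire reads them:
published is not the same as enforcing. Added example; sample data is constructed."""

from dataclasses import dataclass, field

# Constructed sample TXT records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "strict.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100",
    },
    "lax.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@lax.example",
    },
    "broken.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no DMARC record published at all
    },
}


@dataclass
class Finding:
    domain: str
    spf_enforcing: bool          # True only for a hard fail (-all)
    dmarc_policy: str            # "reject", "quarantine", "none" or "missing"
    issues: list = field(default_factory=list)


def parse_spf(record):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?'), or None."""
    if record is None:
        return None
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        # Match only the bare 'all' mechanism, not e.g. 'a:mail.all'
        if t.lstrip("+-~?") == "all":
            return t[0] if t[0] in "+-~?" else "+"  # no qualifier means pass
    return None  # no 'all' mechanism: implicit neutral result


def parse_dmarc(record):
    """Return DMARC tags as a dict, or {} if the record is absent or malformed."""
    if record is None:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def evaluate(domain, spf, dmarc):
    """Produce a Finding with the gaps an underwriter would ask about."""
    issues = []
    qualifier = parse_spf(spf)
    if qualifier is None:
        issues.append("SPF missing or has no 'all' mechanism")
    elif qualifier == "+":
        issues.append("SPF '+all' authorizes any sender on the internet")
    elif qualifier in "~?":
        issues.append(f"SPF '{qualifier}all' is softfail/neutral, not enforcing")

    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "missing").lower() if tags else "missing"
    if policy == "missing":
        issues.append("DMARC record missing or invalid")
    elif policy == "none":
        issues.append("DMARC p=none only monitors; nothing is quarantined or rejected")
    if tags and policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        issues.append(f"DMARC pct={tags['pct']} applies the policy to only part of the mail")
    if tags and "rua" not in tags:
        issues.append("No rua= address, so no aggregate reports are being collected")

    return Finding(domain, qualifier == "-", policy, issues)


def evaluate_all(records):
    """Evaluate every domain in a {domain: {"spf": ..., "dmarc": ...}} mapping."""
    return {d: evaluate(d, r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_RECORDS).values():
        status = "OK" if not finding.issues else "REVIEW"
        print(f"{finding.domain}: SPF enforcing={finding.spf_enforcing} "
              f"DMARC p={finding.dmarc_policy} -> {status}")
        for issue in finding.issues:
            print("   -", issue)
```

DKIM is deliberately not graded here: its public key lives under a selector name (`<selector>._domainkey.<domain>`) that the script cannot discover from the domain alone, so verifying DKIM means checking the selectors your mail platform actually signs with. The output for each domain is the kind of evidence an application reviewer expects: not "we have SPF and DMARC", but which policy is enforced and at what percentage.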

Many carriers also ask about security awareness training for employees. The reasoning is straightforward: technology alone cannot stop every phishing attempt, so a trained workforce is part of the defense in depth that insurers expect to see. If your business has never conducted formal phishing awareness training, that gap will show up in underwriting.

Privileged Access Management

Administrative accounts are the keys to your kingdom, and insurers have started asking detailed questions about how those keys are managed. The concerns center on whether administrative access is properly scoped, monitored, and protected from compromise.

At a minimum, carriers want to see:

Some carriers go further and ask about privileged access management (PAM) solutions that provide just-in-time access, session recording, and approval workflows for sensitive operations. These are becoming more common as requirements move up the maturity curve.

Patching and Vulnerability Management

Unpatched systems are a favorite entry point for attackers, and carriers expect businesses to have a defined process for keeping systems current. Applications typically ask how quickly critical patches are applied after release, whether vulnerability scanning is performed regularly, and what the process is for remediating identified issues.

The answer carriers want to see is "within days, not months." 24/7 monitoring and patch management provided by a qualified MSP or internal team is the practical way most small and mid-sized businesses meet this requirement without dedicating full-time staff to the work.

Network Segmentation and Firewall Management

Flat networks, where every system can reach every other system, make it easy for attackers to move laterally after an initial compromise. Carriers increasingly expect evidence of network segmentation that limits the blast radius of a successful attack. This is particularly important for manufacturing operations where operational technology is connected to corporate IT, and for businesses handling regulated data that needs to be isolated from general-purpose systems.

Paired with active firewall monitoring and management, network segmentation demonstrates to underwriters that your environment is designed to contain incidents rather than amplify them.

Incident Response Planning

Carriers want to know that if an incident occurs, your business has a plan for responding to it. This means a documented incident response process, defined roles and responsibilities, tested communication protocols, and a relationship with an incident response partner who can help during a crisis. Businesses that cannot describe their incident response process during an application are at an underwriting disadvantage regardless of their other controls.

A comprehensive cybersecurity risk assessment should produce not just a list of vulnerabilities but also the incident response documentation carriers expect to see.

What Happens When You Cannot Meet the Requirements

The consequences of failing to meet cyber insurance requirements vary depending on where you are in the policy lifecycle, but none of them are good.

At application for new coverage, the most common outcome is either denial or a quote with terms so restrictive and expensive that the coverage is not practical. Some carriers will offer coverage with specific exclusions, meaning certain types of incidents simply are not covered under your policy. Others will offer full coverage but only at premiums several times higher than market rates.

At renewal, businesses are discovering that policies they have held for years are suddenly not being renewed. The carrier has tightened requirements, your business has not kept pace, and the relationship ends. Finding a replacement policy under time pressure is significantly harder than renewing an existing one, and the replacement is almost always more expensive.

At claim time, the worst scenario, businesses are learning that their policies contain conditions they did not fully understand. A claim is filed after a ransomware attack, and the carrier investigates to determine whether the required controls were actually in place at the time of the incident. If the investigation reveals that MFA was not enforced where required, that backups were not tested, or that EDR was not deployed, the claim can be denied. The business bears the full cost of the incident despite paying for what it thought was coverage.

This is the scenario that gets businesses' attention faster than any other. Cyber insurance only works when the claim gets paid, and claims are only paid when the policy conditions have been met.

The Application Process Is Becoming a Security Audit

Cyber insurance applications used to be a page or two of basic questions. Current applications can run 20 pages or more, and they often include technical questionnaires that go into significant depth about your environment. Some carriers are now conducting external scans of your network as part of underwriting, essentially performing a lightweight vulnerability assessment before they decide whether to offer coverage.

This shift has practical implications for how you prepare for renewal. The application is no longer something you can fill out in an hour with your IT lead. It requires documentation, evidence, and in many cases, input from your managed services provider. Businesses that treat the application as a compliance exercise get caught off guard when carriers come back with follow-up questions or request verification of specific controls.

Working with a managed security services provider who understands cyber insurance underwriting can significantly streamline the process. A good MSP has been through the application process with many clients and knows what carriers are asking, what answers satisfy underwriting, and where businesses commonly trip up.

Industry-Specific Considerations

Different industries face different cyber insurance pressures based on their regulatory environment and threat exposure.

Healthcare organizations face particular scrutiny because of HIPAA requirements and the high value of protected health information on the dark web. Carriers writing healthcare policies often ask specifically about HIPAA security rule compliance, breach notification processes, and business associate agreements. Failing to demonstrate HIPAA IT compliance creates underwriting friction on top of the regulatory exposure.

Banking and financial services firms are held to the expectations of FFIEC, GLBA, and PCI-DSS frameworks, and insurers writing financial services coverage often want to see evidence of compliance with these frameworks. Banking cybersecurity compliance is increasingly a condition of coverage, not just a regulatory requirement.

Insurance agencies, perhaps ironically, face some of the strictest requirements when purchasing their own coverage. Carriers know agencies handle high volumes of personally identifiable information and are attractive targets for business email compromise and wire fraud schemes. Expect detailed questions about email security, wire transfer verification procedures, and insurance data security practices.

Manufacturing companies face growing questions about operational technology security as production environments become more connected. Carriers are asking about segmentation between IT and OT networks, monitoring of industrial control systems, and the business continuity impact of a potential OT-affecting incident.

How to Prepare for Your Next Renewal

If your cyber insurance renewal is coming up in the next six to twelve months, now is the time to start preparing. Waiting until the renewal paperwork arrives is too late to make meaningful changes.

Start with an honest assessment of your current security posture against the requirements outlined above. Be specific about what you have, where it is deployed, and whether you can produce documentation. Gaps you identify now can be addressed before they become underwriting problems. Gaps you discover during the application process become immediate crises.

Review your current policy terms carefully. Understand exactly what is covered, what is excluded, what conditions apply to coverage, and what your carrier expects you to maintain during the policy period. If you do not fully understand your policy, talk to your broker or an attorney who specializes in cyber coverage. The time to understand your policy is before a claim, not during one.

Have a conversation with your IT or managed services provider about what they are doing to help you meet insurance requirements. If your provider is not actively aware of cyber insurance underwriting standards, that is a sign they are not operating at the level modern businesses need. A qualified provider should be helping you build toward insurability as part of their ongoing service, not scrambling to meet requirements at renewal time.

Document everything. Carriers want evidence, not assurances. Configuration records, test results, training logs, incident response plans, and assessment reports are all valuable during underwriting. If you have the controls but cannot prove it, you are still at risk of unfavorable terms.

How Harbour Technology Consulting Helps Businesses Qualify for Cyber Coverage

Harbour Technology Consulting works with businesses throughout Dayton, Cincinnati, Columbus, and Indianapolis to build and maintain the security controls cyber insurance carriers require. Since 2000, we have helped clients navigate the shift from loose cyber coverage to the rigorous underwriting standards that define the current market, and we structure our services to keep clients insurable without surprises at renewal time.

Our managed security services include the specific controls carriers are asking about: managed endpoint detection and response, multi-factor authentication, firewall management, tested backups and business continuity planning, patching and vulnerability management, and 24/7 monitoring backed by a qualified team. We also help clients prepare for cyber insurance applications by producing the documentation carriers want to see and walking through application questionnaires together before you submit them.

If you are approaching a renewal and feeling uncertain about whether your current environment will meet what your carrier is asking for, or if you have already received difficult feedback from an underwriter, contact our team for a straightforward conversation. We will assess where you stand, identify the gaps that matter most, and help you build a plan to close them before your next application. Cyber insurance is a safety net, but the net only works when the conditions are met. We make sure the conditions are met.
