
Cyber Insurance 2026: 5 Controls Insurers Demand

Cyber insurance premiums spiked 30 to 60 percent during 2024 and 2025 renewals, then plateaued in early 2026. Underwriters now ask for proof of five specific controls before binding policies, and the answer to each one moves your premium meaningfully. Here is what they actually verify, what their questionnaire is really asking, and how to negotiate the renewal without surprises.

Why premiums went up so fast

Three factors compounded:

  1. Ransomware payouts: average ransomware claim cost crossed $1.5M in 2023, then $2M+ in 2024. Insurers stopped pricing for occasional events and started pricing for regular events.
  2. Business interruption claims: cyber events increasingly take businesses offline for weeks. The MGM Resorts attack of 2023 (~$100M loss), Change Healthcare 2024 (~$2.5B parent loss), and others reset expectations of severity.
  3. Supply chain attacks: SolarWinds, MOVEit, Snowflake breaches. Single attacks now produce hundreds of correlated claims, breaking the diversification model insurers rely on.

The result: premiums went up dramatically and questionnaires tripled in length. The five controls below are the ones that consistently move underwriting decisions in 2026.

Control 1: MFA on everything that matters

The deal-breaker. Without MFA on email, VPN, RDP and privileged access, you will not get coverage from most carriers in 2026. Period.

What underwriters actually ask:

  • "What percentage of users have MFA enabled?" (target answer: 100%)
  • "What MFA factor types do you allow?" (preferred: hardware keys, authenticator apps; SMS is increasingly excluded)
  • "Is MFA required for remote access (VPN, SaaS)?" (yes)
  • "Is MFA required for privileged accounts (admin, root, DBAs)?" (yes, with hardware key requirement at most carriers)
  • "Is MFA required for email access?" (yes)

Common premium impact: enabling 100% MFA versus partial coverage drops premium 15 to 25 percent at renewal.

The trap: "We have MFA enabled" is true for users, but service accounts and shared mailboxes do not have it. Underwriters now ask for evidence at the SaaS provider level. Our 2FA implementation guide covers the architecture.
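The questionnaire answers above are easy to get wrong because most teams count only human users. The script below is an added example, not code from the original post: it scores a constructed identity inventory the way an underwriter would, separating "any MFA enrolled" from "an acceptable factor enrolled", and it surfaces exactly the service-account and shared-mailbox gaps described above. The inventory fields and factor names are assumptions about what you would export from your IdP and SaaS admin consoles, not any vendor's API.

```python
"""MFA coverage audit, scored the way underwriters score it.

Added example, not code from the original post. It assumes you have exported
your identity inventory (users, service accounts, shared mailboxes) from the
IdP and SaaS admin consoles into the constructed list below; the field names
are assumptions, not any vendor's API.
"""
from dataclasses import dataclass

# Factor ranking as carriers increasingly apply it: phishing-resistant factors
# satisfy the privileged-account requirement, SMS and voice are treated as weak.
STRONG_FACTORS = {"fido2", "hardware_key", "passkey"}
ACCEPTABLE_FACTORS = STRONG_FACTORS | {"totp", "push"}
WEAK_FACTORS = {"sms", "voice"}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "user", "service" or "shared_mailbox"
    privileged: bool     # admin, root, DBA
    factors: tuple       # enrolled MFA factor types; empty tuple = no MFA


# Constructed sample inventory: the "we have MFA enabled" trap is the last two rows.
INVENTORY = [
    Account("alice", "user", True, ("fido2",)),
    Account("bob", "user", False, ("totp",)),
    Account("carol", "user", False, ("sms",)),
    Account("dave", "user", True, ("push",)),
    Account("svc-backup", "service", True, ()),
    Account("billing@", "shared_mailbox", False, ()),
]


def audit_mfa(accounts):
    """Return the percentages and exception lists the questionnaire asks for."""
    total = len(accounts)
    any_mfa = [a for a in accounts if a.factors]
    acceptable = [a for a in accounts if set(a.factors) & ACCEPTABLE_FACTORS]
    weak_only = [a for a in any_mfa if set(a.factors) <= WEAK_FACTORS]
    no_mfa = [a for a in accounts if not a.factors]
    priv_no_hw = [a for a in accounts
                  if a.privileged and not set(a.factors) & STRONG_FACTORS]

    def pct(group):
        return round(100.0 * len(group) / total, 1) if total else 0.0

    return {
        "any_mfa_pct": pct(any_mfa),                # what most teams report
        "acceptable_factor_pct": pct(acceptable),   # what the underwriter counts
        "no_mfa": sorted(a.name for a in no_mfa),
        "weak_factor_only": sorted(a.name for a in weak_only),
        "privileged_without_hardware_key": sorted(a.name for a in priv_no_hw),
        # Non-human accounts with no MFA are the usual gap behind "100% enabled".
        "non_user_gaps": sorted(a.name for a in no_mfa if a.kind != "user"),
    }


if __name__ == "__main__":
    for key, value in audit_mfa(INVENTORY).items():
        print(f"{key}: {value}")
```

Run it against a real export before filling in the application: the `acceptable_factor_pct` figure, not `any_mfa_pct`, is the number you can safely write down, and the `non_user_gaps` list is what to fix first.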

Control 2: EDR on every endpoint

Insurers want endpoint detection and response (EDR), not legacy antivirus. The list of acceptable products is short and specific:

  • CrowdStrike Falcon
  • SentinelOne Singularity
  • Microsoft Defender for Endpoint Plan 2 (Plan 1 is increasingly not accepted)
  • Sophos Intercept X
  • Trend Micro Vision One
  • Palo Alto Cortex XDR

What they ask:

  • "What EDR product do you run?" (one of the above, or be prepared to justify)
  • "What percentage of endpoints have EDR installed?" (target: 100%, including servers)
  • "Is the EDR managed in-house or via MDR/MSSP?" (managed gets a discount because 24/7 coverage is verified)
  • "Do you have rollback or quarantine response enabled?" (yes preferred)

Premium impact: EDR with MDR coverage versus self-managed antivirus is typically 10 to 15 percent of premium.

Our EDR vendor comparison covers which to pick for which environment.

Control 3: backup architecture that survives the attack

The 2025 trend: ransomware actors specifically target backup infrastructure first. If your backups are accessible from the same domain credentials that get compromised, your backups are encrypted along with everything else.

What underwriters require:

  • Immutable backups: backups that cannot be deleted or modified within a retention window, even by an admin. AWS S3 Object Lock, Azure Immutable Blob Storage, Wasabi compliance mode, on-prem WORM tape.
  • Air-gapped backups: at least one backup copy that is not network-accessible from production. Tape, separate cloud account, or write-once cloud storage.
  • Tested restoration: documented restore tests at least quarterly with metrics (time to restore, integrity verification).
  • Backup retention: at least 30 days, ideally longer.

Premium impact: documented immutable + air-gapped backups versus standard backup infrastructure is 10 to 20 percent of premium.

The questionnaire trick: insurers ask "have you tested restoration in the past 12 months?" Many teams say yes based on a single test in January. Underwriters increasingly ask for evidence of multiple tests across the year.
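The four requirements above, and the "single test in January" trap, are simple to check mechanically once the evidence is in a structured form. The following is an added example, not code from the original post: it evaluates a constructed backup inventory and restore-test log for an immutable compliance-mode copy, an air-gapped copy, the retention floor, and one restore test in each of the last four quarters. Field names such as `lock_mode` and `reachable_from_prod` are assumptions about what your backup tooling exports, not any vendor's schema.

```python
"""Backup posture check against the four underwriter requirements.

Added example, not code from the original post. BACKUP_COPIES and the restore
test logs are constructed sample data; the field names are assumptions about
what your backup tooling exports, not any vendor's schema.
"""
from datetime import date, timedelta

MIN_RETENTION_DAYS = 30
QUARTERS_REQUIRED = 4            # one restore test in each of the last four quarters
REFERENCE_DATE = date(2026, 3, 1)  # constructed "today" for the sample run

# Constructed: one record per backup copy. "reachable_from_prod" means the copy
# can be reached with production-domain credentials, i.e. it is not air-gapped.
BACKUP_COPIES = [
    {"name": "prod-nightly", "immutable": True, "lock_mode": "COMPLIANCE",
     "retention_days": 35, "reachable_from_prod": True},
    {"name": "offsite-weekly", "immutable": True, "lock_mode": "COMPLIANCE",
     "retention_days": 90, "reachable_from_prod": False},
]

# Constructed: restore-test log carrying the metrics underwriters ask for.
RESTORE_TESTS = [
    {"date": date(2025, 4, 12), "restore_minutes": 95, "integrity_verified": True},
    {"date": date(2025, 7, 3), "restore_minutes": 80, "integrity_verified": True},
    {"date": date(2025, 10, 20), "restore_minutes": 110, "integrity_verified": True},
    {"date": date(2026, 1, 14), "restore_minutes": 70, "integrity_verified": True},
]

# Constructed: the "single test in January" pattern the questionnaire trick catches.
SINGLE_JANUARY_TEST = [
    {"date": date(2026, 1, 14), "restore_minutes": 70, "integrity_verified": True},
]


def quarter_of(d):
    """Calendar quarter of a date as (year, quarter_number)."""
    return (d.year, (d.month - 1) // 3 + 1)


def last_quarters(today, n=QUARTERS_REQUIRED):
    """Quarters (year, q) from today's quarter backwards, most recent first."""
    year, q = quarter_of(today)
    out = []
    for _ in range(n):
        out.append((year, q))
        q -= 1
        if q == 0:
            year, q = year - 1, 4
    return out


def assess_backups(copies, tests, today):
    """Return the gaps an underwriter would raise; an empty findings list means all four are met."""
    findings = []
    if not any(c["immutable"] and c["lock_mode"] == "COMPLIANCE" for c in copies):
        findings.append("no immutable copy in compliance (admin-proof) mode")
    if not any(not c["reachable_from_prod"] for c in copies):
        findings.append("no air-gapped copy")
    short = [c["name"] for c in copies if c["retention_days"] < MIN_RETENTION_DAYS]
    if short:
        findings.append(f"retention under {MIN_RETENTION_DAYS} days: {short}")

    # Restore cadence: count only tests inside the trailing 12 months, then
    # require one in each of the last four calendar quarters.
    window_start = today - timedelta(days=365)
    recent = [t for t in tests if window_start <= t["date"] <= today]
    tested_quarters = {quarter_of(t["date"]) for t in recent}
    missing = [q for q in last_quarters(today) if q not in tested_quarters]
    if missing:
        findings.append(f"no restore test in quarters {missing}")
    if any(not t["integrity_verified"] for t in recent):
        findings.append("restore test without integrity verification")

    return {
        "findings": findings,
        "tests_last_12_months": len(recent),
        "missing_quarters": missing,
        "worst_restore_minutes": max((t["restore_minutes"] for t in recent), default=None),
    }


if __name__ == "__main__":
    print(assess_backups(BACKUP_COPIES, RESTORE_TESTS, REFERENCE_DATE))
    print(assess_backups(BACKUP_COPIES, SINGLE_JANUARY_TEST, REFERENCE_DATE))
```

The second run is the one to pay attention to: a single January test answers "yes" to "tested in the past 12 months" while leaving three quarters uncovered, which is exactly the gap underwriters now probe for.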

Control 4: privileged access management

Once an attacker has a foothold, the incident only becomes damaging if they can escalate privileges. Insurers want evidence that you make escalation hard.

What they ask:

  • "Do you use a privileged access management (PAM) solution?" (preferred answer involves a specific vendor: CyberArk, BeyondTrust, Delinea, HashiCorp Boundary, Teleport, AWS IAM Identity Center, etc.)
  • "Are admin sessions time-bounded with just-in-time access?" (yes preferred)
  • "Are admin actions recorded for audit?" (yes preferred)
  • "Are domain admin accounts limited to a small number of named individuals?" (target: under 10 named individuals, with named alternates)
  • "Do you separate workstations used by admins from regular workstations?" (yes preferred, called PAW or Tier 0)

Premium impact: documented PAM + JIT access versus shared admin credentials is 10 to 20 percent of premium.

The simple version even for small teams: use AWS IAM Identity Center (or equivalent for your cloud) with time-bounded role assumption. JIT access does not require a $500K vendor.
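Whichever PAM product or cloud identity service you use, the questionnaire answers above reduce to a few checks over the current set of privileged grants. The script below is an added example, not code from the original post or from any PAM vendor: it audits a constructed export of privileged assignments for standing (non-expiring) access, shared accounts, elevation windows longer than a chosen cap, unrecorded sessions, and the number of named domain admins. The field names (`expires_at`, `shared`, `session_recorded`) and the eight-hour session cap are assumptions, not the schema or defaults of any product, including AWS IAM Identity Center.

```python
"""Privileged-access audit for the PAM questionnaire items.

Added example, not code from the original post. ASSIGNMENTS is a constructed
export of privileged grants; the field names (expires_at, shared,
session_recorded) and the session cap are assumptions, not the schema or
defaults of any PAM product or of AWS IAM Identity Center.
"""
from datetime import datetime, timedelta, timezone

MAX_NAMED_DOMAIN_ADMINS = 10      # underwriter target from the questionnaire
MAX_SESSION = timedelta(hours=8)  # assumed upper bound for one JIT elevation

NOW = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time

ASSIGNMENTS = [
    # A proper JIT grant: named person, expires, session recorded.
    {"principal": "alice", "role": "DomainAdmin", "shared": False,
     "expires_at": NOW + timedelta(hours=2), "session_recorded": True},
    # Standing admin: never expires.
    {"principal": "bob", "role": "DomainAdmin", "shared": False,
     "expires_at": None, "session_recorded": True},
    # Shared credential with standing admin rights and no session recording.
    {"principal": "ops-shared", "role": "DomainAdmin", "shared": True,
     "expires_at": None, "session_recorded": False},
    # Named DBA, but the elevation window is too long and not recorded.
    {"principal": "carol", "role": "DBA", "shared": False,
     "expires_at": NOW + timedelta(hours=12), "session_recorded": False},
    # Already expired grant; must not count as active.
    {"principal": "dave", "role": "DomainAdmin", "shared": False,
     "expires_at": NOW - timedelta(hours=1), "session_recorded": True},
]


def assess_privileged_access(assignments, now):
    """Summarise active privileged grants the way the PAM questions are framed."""
    active = [a for a in assignments
              if a["expires_at"] is None or a["expires_at"] > now]
    named_admins = {a["principal"] for a in active
                    if a["role"] == "DomainAdmin" and not a["shared"]}
    standing = sorted(a["principal"] for a in active if a["expires_at"] is None)
    shared = sorted(a["principal"] for a in active if a["shared"])
    # Remaining window longer than the cap means the grant was issued longer than the cap.
    overlong = sorted(a["principal"] for a in active
                      if a["expires_at"] is not None and a["expires_at"] - now > MAX_SESSION)
    unrecorded = sorted(a["principal"] for a in active if not a["session_recorded"])
    return {
        "active_grants": len(active),
        "named_domain_admins": len(named_admins),
        "within_admin_cap": len(named_admins) <= MAX_NAMED_DOMAIN_ADMINS,
        "standing_access": standing,
        "shared_accounts": shared,
        "over_max_session": overlong,
        "unrecorded_sessions": unrecorded,
    }


if __name__ == "__main__":
    for key, value in assess_privileged_access(ASSIGNMENTS, NOW).items():
        print(f"{key}: {value}")
```

A clean result is an empty `standing_access` list, an empty `shared_accounts` list and a `named_domain_admins` count under the cap; that is the state the "JIT access without a $500K vendor" advice above gets you to.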

Control 5: incident response plan and 24/7 detection

Underwriters increasingly want evidence of detection capability beyond endpoint, and an actual IR plan that has been tested.

What they ask:

  • "Do you have a Security Operations Center (in-house or outsourced)?" (yes preferred, 24/7)
  • "Do you have a SIEM with alerting rules?" (yes; Splunk, Sentinel, Elastic, Datadog Security)
  • "Do you have an incident response retainer with a forensic firm?" (yes preferred; Mandiant, CrowdStrike Services, Kroll, Palo Alto Unit 42)
  • "Have you tested your IR plan in the past 12 months?" (yes, with documented tabletop or live drill)
  • "What is your typical MTTD (mean time to detect)?" (target: hours, not days)

Premium impact: documented 24/7 detection + IR retainer versus business-hours-only response is 10 to 15 percent of premium.

The retainer is increasingly required by underwriters as a condition of binding. Even if you never use it, having an IR firm contracted to respond within hours is what insurers want to see. Cost is typically $5K to $30K per year for the retainer.
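"What is your typical MTTD?" is answered with a number, and the number is only credible if it comes from an incident register rather than a guess. The following is an added example, not code from the original post: it computes mean time to detect from a constructed register, broken down by what detected each incident, so that a slow channel (a third-party notification, say) stands out from the hours-scale EDR and SIEM detections. The record fields and source labels are assumptions about what your ticketing or SIEM system exports.

```python
"""MTTD evidence from an incident register, broken down by detection source.

Added example, not code from the original post. INCIDENTS is a constructed
register; the fields and source labels are assumptions about what your
ticketing or SIEM system exports.
"""
from datetime import datetime, timezone
from statistics import mean

HOURS_PER_DAY = 24


def ts(text):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed: first_evidence is the earliest attacker activity found in the
# investigation, detected_at is when an alert or report first reached the team.
INCIDENTS = [
    {"id": "inc-1", "first_evidence": ts("2026-01-10T02:00"),
     "detected_at": ts("2026-01-10T05:00"), "source": "edr"},
    {"id": "inc-2", "first_evidence": ts("2026-01-22T14:00"),
     "detected_at": ts("2026-01-22T15:00"), "source": "siem"},
    {"id": "inc-3", "first_evidence": ts("2026-02-03T08:00"),
     "detected_at": ts("2026-02-06T08:00"), "source": "third_party"},
    {"id": "inc-4", "first_evidence": ts("2026-02-15T20:00"),
     "detected_at": ts("2026-02-16T02:00"), "source": "siem"},
]


def detection_hours(incident):
    """Hours between first attacker evidence and detection."""
    return (incident["detected_at"] - incident["first_evidence"]).total_seconds() / 3600


def mttd_report(incidents):
    """Overall and per-source MTTD plus the incidents that took days, not hours."""
    hours = {i["id"]: detection_hours(i) for i in incidents}
    by_source = {}
    for i in incidents:
        by_source.setdefault(i["source"], []).append(hours[i["id"]])
    return {
        "mttd_hours": round(mean(hours.values()), 2),
        "max_hours": max(hours.values()),
        "mttd_by_source_hours": {s: round(mean(v), 2) for s, v in sorted(by_source.items())},
        "detected_in_days_not_hours": sorted(k for k, h in hours.items() if h >= HOURS_PER_DAY),
    }


if __name__ == "__main__":
    for key, value in mttd_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

The per-source breakdown is the useful part for the application: an overall MTTD of "under a day" hides a third-party-notified incident that sat undetected for three days, and that is the case an underwriter will ask about.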

The five-control summary

Control                              | Premium impact   | Operational cost
-------------------------------------|------------------|-------------------------------------
MFA on email, VPN, privileged access | 15-25% reduction | Low (Okta/Entra ID config)
EDR on all endpoints                 | 10-15% reduction | $5-15 per endpoint per month
Immutable + air-gapped backups       | 10-20% reduction | Backup vendor change, often free
PAM + JIT access                     | 10-20% reduction | AWS IAM Identity Center is free
24/7 detection + IR retainer         | 10-15% reduction | $5K-30K per year retainer + SOC cost

Implementing all five drops your premium 50 to 80 percent compared to having none. The operational cost is often less than the premium reduction.

How to negotiate your renewal

  1. Start the renewal process 90 days early. Underwriting takes longer in 2026 than it used to. If you wait, you get rushed quotes.
  2. Get quotes from 3+ carriers. The underwriting variance between carriers is now substantial. Coalition, At-Bay, Resilience, Beazley, AIG, Chubb each have different appetites for different industries and sizes.
  3. Provide evidence proactively. Do not let the underwriter discover your gaps; describe your controls in the application with attachments. Saves negotiation time and signals maturity.
  4. Negotiate sublimits. Standard $1M policy limits often have $500K sublimits for ransomware, business interruption, or social engineering. Negotiate these explicitly.
  5. Watch the war exclusion clauses. Post-NotPetya, insurers added war exclusions that can void coverage for state-sponsored attacks. Read the language; some carriers exclude broadly, others narrowly.
  6. Document the controls in writing. If you say "we have MFA on 100% of accounts" in the application, the carrier can deny coverage for any breach where MFA was not present. Be precise.

What to do if you cannot meet the controls yet

Some smaller teams cannot get to all five controls in the renewal cycle. Realistic options:

  • Accept higher premium and lower coverage. Buy what you can afford, with the understanding that ransomware sublimits may be very low.
  • Outsource the gaps. MDR services from CrowdStrike, Arctic Wolf, Sophos, or eSentire give you 24/7 detection and IR retainer in one package, often within budget.
  • Use a captive or risk pool. Some industry groups (especially MSPs and healthcare) have group risk pools that price differently than commercial carriers.
  • Self-insure with reserves. For very small companies, the math sometimes works to maintain a cash reserve for cyber response instead of paying premium. This is high-risk and not for the faint of heart.


The bottom line

Cyber insurance underwriters in 2026 want proof of five specific controls before they bind. Implementing all five typically drops your premium 50 to 80 percent and costs less than the premium reduction. Renewal is harder than it used to be; start 90 days early, get multiple quotes, and document everything in writing. The expensive choice is treating cyber insurance as a transaction rather than a risk-management exercise.

Related reading: Cyber Insurance Requirements 2026, Cyber Liability Insurance for Small Business, What Cyber Insurance Actually Covers, Cyber Insurance Claims Process, and Ransomware Prevention Guide.