
Cyber Insurance Requirements 2026: What Insurers Want

Cyber insurance premiums have tripled since 2020, and insurers are no longer just checking boxes. In 2026, getting covered — and staying covered — requires demonstrable security controls. Here is exactly what underwriters look for, and how to position your organization for the best coverage at the lowest premium.

The cyber insurance market has undergone a fundamental transformation. In 2019, you could get a policy by answering a 10-question form. In 2026, underwriters are deploying their own security scanners against your external attack surface, requiring evidence of specific technical controls, and writing coverage exclusions that invalidate claims if you misrepresented your security posture. This is not a compliance exercise — it is a technical audit with financial consequences.

The 12 Controls Every Cyber Insurer Now Requires

Based on analysis of application forms from the top 20 cyber insurers (Coalition, Corvus, At-Bay, Beazley, Chubb, AIG, Hartford, Travelers, and others), these are the controls that are now effectively universal requirements:

1. Multi-Factor Authentication (MFA)

Required by: 100% of insurers

MFA must be enforced on all remote access points (VPN, RDP, SSH), all email accounts, all privileged/admin accounts, and all cloud service consoles (AWS, Azure, GCP). SMS-based MFA is increasingly disfavored — insurers prefer authenticator apps or hardware tokens. If you do not have MFA, you will not get coverage. Full stop.

2. Endpoint Detection and Response (EDR)

Required by: 95% of insurers

Traditional antivirus is no longer sufficient. Insurers require EDR solutions (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black) deployed on all endpoints, including servers. The EDR must have active monitoring — installed but unmonitored does not count. Many insurers specifically ask which EDR vendor you use.

3. Email Security and Anti-Phishing

Required by: 90% of insurers

Email filtering with advanced threat protection, including attachment sandboxing and URL rewriting. SPF, DKIM, and DMARC must be configured for your domains. Some insurers specifically ask about DMARC enforcement policy (reject vs. quarantine vs. none).
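Before attesting to this requirement, it is worth checking what your published records actually say, because the underwriter's scanner will. The following is an added example, not code from the article or from SecureBin: it parses SPF and DMARC TXT records and grades them on the axis insurers ask about (p=none vs. quarantine vs. reject, and whether SPF hard-fails unlisted senders). The domains and records in `SAMPLE_DNS` are constructed sample data, not live lookups; a real check would fetch the apex TXT record and the `_dmarc.<domain>` TXT record via DNS first.

```python
"""Grade SPF and DMARC records the way an insurer's questionnaire does.

Added example (not code from the article or from SecureBin). Records in
SAMPLE_DNS are constructed; a real check would query DNS first.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

DMARC_POLICIES = ("none", "quarantine", "reject")
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class MailAuthReport:
    domain: str
    dmarc_policy: Optional[str]   # none | quarantine | reject, or None if absent/invalid
    dmarc_pct: int                # share of failing mail the policy is applied to
    spf_all: Optional[str]        # pass | fail | softfail | neutral | redirect, or None
    findings: list[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when DMARC quarantines or rejects 100% of failing mail."""
        return self.dmarc_policy in ("quarantine", "reject") and self.dmarc_pct == 100


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a lowercase tag -> value map."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """How the SPF record treats senders that match no mechanism.

    An explicit 'all' term wins; a record with only redirect= defers to another
    domain (reported as 'redirect'); with neither, RFC 7208 yields 'neutral'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    has_redirect = False
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in SPF_QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return SPF_QUALIFIERS[qualifier]
        if mech.lower().startswith("redirect="):
            has_redirect = True
    return "redirect" if has_redirect else "neutral"


def assess_domain(domain: str, spf: Optional[str], dmarc: Optional[str]) -> MailAuthReport:
    findings: list[str] = []
    policy, pct = None, 100
    if dmarc is None:
        findings.append("no DMARC record published")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("v", "").upper() != "DMARC1" or tags.get("p", "").lower() not in DMARC_POLICIES:
            findings.append("DMARC record malformed (needs v=DMARC1 and a valid p= tag)")
        else:
            policy = tags["p"].lower()
            pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
            if policy == "none":
                findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
            elif pct < 100:
                findings.append(f"DMARC pct={pct}: policy applied to only part of failing mail")
            if "rua" not in tags:
                findings.append("no rua= address, so no aggregate reports to prove enforcement")
            if tags.get("sp", policy).lower() == "none" and policy != "none":
                findings.append("subdomain policy sp=none is weaker than the organizational policy")
    spf_all = None if spf is None else spf_all_qualifier(spf)
    if spf_all is None:
        findings.append("no valid SPF record published")
    elif spf_all == "pass":
        findings.append("SPF +all: any host on the internet may send as this domain")
    elif spf_all in ("softfail", "neutral"):
        findings.append(f"SPF ends in {spf_all}: unlisted senders are not rejected")
    return MailAuthReport(domain, policy, pct, spf_all, findings)


# Constructed sample records, not live DNS data.
SAMPLE_DNS = {
    "example.com": ("v=spf1 include:_spf.example.net -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "example.org": ("v=spf1 ip4:192.0.2.0/24 ~all",
                    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org"),
    "example.net": ("v=spf1 include:_spf.example.net ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc@example.net"),
    "test.example": (None, None),
}


def assess_all(dns=SAMPLE_DNS) -> dict[str, MailAuthReport]:
    return {d: assess_domain(d, spf, dmarc) for d, (spf, dmarc) in dns.items()}


if __name__ == "__main__":
    for r in assess_all().values():
        state = "ENFORCING" if r.enforcing else "NOT ENFORCING"
        print(f"{r.domain}: DMARC p={r.dmarc_policy} pct={r.dmarc_pct}, SPF all={r.spf_all} -> {state}")
        for f in r.findings:
            print("   -", f)
```

`enforcing` is deliberately strict: a `p=quarantine` record with `pct=25` applies to a quarter of failing mail and is reported as not enforcing, which is the conclusion an underwriter reviewing the same record will reach.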

4. Backup and Recovery

Required by: 95% of insurers

Encrypted backups stored either offline or in an immutable storage system. The 3-2-1 backup rule (3 copies, 2 media types, 1 offsite) is the minimum. Insurers want to know: how frequently you back up, whether backups are tested, whether backup credentials are separated from production credentials, and your recovery time objective (RTO).

5. Patch Management

Required by: 90% of insurers

Critical and high-severity vulnerabilities must be patched within 30 days of release. Some insurers require 14 days for actively exploited vulnerabilities (per CISA KEV). You need a documented patch management policy and evidence of compliance. Running end-of-life software (Windows Server 2012, PHP 7.x, etc.) is a red flag that can result in coverage exclusions.

6. Incident Response Plan

Required by: 85% of insurers

A documented, tested incident response plan that covers: identification, containment, eradication, recovery, and post-incident review. The plan must identify key personnel, external resources (forensics firm, legal counsel, PR), and communication procedures. Many insurers require the plan to be tested via tabletop exercise within the last 12 months.

7. Network Segmentation

Required by: 75% of insurers

Critical systems must be segmented from the general network. At minimum: separate IT and OT networks, isolated backup infrastructure, segmented privileged access workstations, and network-level access controls between segments.

8. Privileged Access Management (PAM)

Required by: 80% of insurers

Administrative and root accounts must have additional protections: separate admin accounts from daily-use accounts, just-in-time (JIT) access provisioning, session recording for privileged access, and regular access reviews. Shared admin passwords are a finding that can increase premiums significantly.

9. Encryption

Required by: 85% of insurers

Data must be encrypted both at rest and in transit. Insurers specifically ask about: full-disk encryption on laptops and mobile devices, TLS for all web traffic, encrypted email for sensitive communications, and encrypted file sharing. Using SecureBin's zero-knowledge encryption for credential and sensitive data sharing directly addresses this requirement.

10. Security Awareness Training

Required by: 80% of insurers

Regular security awareness training for all employees, including phishing simulations. Training must be conducted at least annually, with new hire training within 30 days. Insurers may ask for completion rates and phishing simulation click rates.

11. Access Control and Identity Management

Required by: 75% of insurers

Role-based access control (RBAC) with the principle of least privilege. Regular access reviews (quarterly for privileged accounts). Immediate revocation upon termination. Single sign-on (SSO) for critical applications.

12. Logging and Monitoring

Required by: 70% of insurers

Centralized log collection and monitoring with a minimum 90-day retention period. Security event monitoring through a SIEM or managed detection and response (MDR) service. Audit trails for access to sensitive data and systems.

Meet Encryption Requirements With Zero-Knowledge Sharing

SecureBin provides AES-256-GCM encrypted data sharing with audit trails, access controls, and self-destructing links. Demonstrate encryption compliance to your insurer.

What Cyber Insurance Costs in 2026

| Company Size (Revenue) | Coverage Limit | Annual Premium Range |
|------------------------|----------------|----------------------|
| Under $1M              | $500K – $1M    | $800 – $3,000        |
| $1M – $5M              | $1M            | $1,500 – $7,500      |
| $5M – $25M             | $1M – $5M      | $5,000 – $25,000     |
| $25M – $100M           | $5M – $10M     | $10,000 – $75,000    |
| $100M+                 | $10M+          | $50,000 – $500,000+  |

Premiums vary significantly by industry. Healthcare, financial services, and legal firms pay the highest premiums due to the sensitivity of data they handle and regulatory exposure. Technology companies and retailers with strong security programs can negotiate below-average rates.

How to Reduce Your Cyber Insurance Premium

Insurers use a risk-based pricing model. Every security control you implement reduces your perceived risk and directly impacts your premium. Here are the controls with the largest premium impact:

High-Impact Premium Reducers

  • MFA everywhere: 15–25% premium reduction
  • EDR with 24/7 monitoring: 10–20% reduction
  • Immutable backups: 10–15% reduction
  • SOC 2 or ISO 27001 certification: 10–20% reduction
  • Incident response plan (tested): 5–10% reduction
  • Security awareness training: 5–10% reduction
  • Zero-trust architecture: 10–15% reduction

Actions That Increase Premiums

  • Prior breach history (can double premiums for 3–5 years)
  • End-of-life software in production
  • No dedicated security personnel
  • Handling PII, PHI, or payment card data without corresponding controls
  • RDP exposed to the internet (instant decline from many insurers)
  • Shared admin credentials without PAM

What Voids a Cyber Insurance Claim

Getting a policy is only half the battle. Understanding what can void a claim is equally important:

Misrepresentation on the Application

This is the number one reason claims are denied. If you stated on your application that you have MFA on all remote access and a forensic investigation reveals that RDP was accessible without MFA, the insurer can void the entire policy — not just deny the specific claim. Be accurate on your application. If you are unsure whether a control is fully implemented, say so. Underwriters prefer honesty with a remediation plan over false attestations.

Failure to Maintain Attested Controls

Your policy assumes you maintain the security controls you attested to at application time. If you disable your EDR to troubleshoot a performance issue and get breached during that window, the insurer can argue you failed to maintain a material condition of coverage.

Known but Unpatched Vulnerabilities

If a breach exploits a vulnerability that was publicly known and had a patch available for more than 30 days, many policies exclude coverage. This is particularly enforced for CISA KEV (Known Exploited Vulnerabilities) catalog entries. Run our Exposure Checker and SSL Checker regularly to identify and remediate vulnerabilities before they become claim-voiding exclusions.
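One way to turn the patch windows from requirement 5 and the exclusion test above into something auditable, as an added example that is not part of the original article: score every finding against the 30-day critical/high window and the 14-day CISA KEV window, and separately flag which findings would fall under a "patch available for more than 30 days" exclusion if a breach happened today. Note that the exclusion test is severity-independent, so an unpatched medium can void a claim even though it never breached the SLA. The inventory is constructed sample data with placeholder identifiers (not real CVEs); for the end-of-life entry the vendor's support-end date stands in for a fix date, since no fix will ship.

```python
"""Patch-SLA compliance and claim-exclusion exposure for a vulnerability inventory.

Added example, not part of the original article. Scores the article's two
windows (30 days for critical/high, 14 days for CISA KEV entries) and the
">30 days with a patch available" exclusion test. The inventory is
constructed sample data; identifiers are placeholders, not real CVEs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_SLA_DAYS = {"critical": 30, "high": 30}  # medium/low are not scored here
KEV_SLA_DAYS = 14                                 # actively exploited (CISA KEV)
EXCLUSION_WINDOW_DAYS = 30                        # patch available > 30 days before the breach


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str                        # placeholder, not a real CVE
    severity: str                       # critical | high | medium | low
    fix_available: date                 # vendor fix released (EOL software: support-end date)
    in_kev: bool = False                # listed in the CISA KEV catalog
    patched_on: Optional[date] = None   # None = still open
    eol_software: bool = False          # no fix will ever ship


def sla_days(v: Vuln) -> Optional[int]:
    """KEV listing tightens the window regardless of CVSS severity."""
    if v.in_kev:
        return KEV_SLA_DAYS
    return SEVERITY_SLA_DAYS.get(v.severity.lower())


def sla_status(v: Vuln, as_of: date) -> str:
    """on-time | late | open | overdue | eol | not-scored, evaluated as of `as_of`."""
    if v.eol_software:
        return "eol"
    limit = sla_days(v)
    if limit is None:
        return "not-scored"
    closed = v.patched_on or as_of
    days_open = (closed - v.fix_available).days
    if v.patched_on is None:
        return "overdue" if days_open > limit else "open"
    return "late" if days_open > limit else "on-time"


def exclusion_exposure(v: Vuln, incident: date) -> bool:
    """True if a breach on `incident` via this finding would meet the
    'known and patchable for more than 30 days' exclusion (EOL counts)."""
    if v.eol_software:
        return True
    unpatched_at_incident = v.patched_on is None or v.patched_on > incident
    return unpatched_at_incident and (incident - v.fix_available).days > EXCLUSION_WINDOW_DAYS


def compliance_report(inventory: list[Vuln], as_of: date) -> dict:
    """Counts per status, the share of scored findings inside their SLA, and
    the findings that would be exclusion-exposed if a breach occurred on `as_of`."""
    counts = {k: 0 for k in ("on-time", "late", "open", "overdue", "eol", "not-scored")}
    for v in inventory:
        counts[sla_status(v, as_of)] += 1
    scored = counts["on-time"] + counts["late"] + counts["open"] + counts["overdue"]
    rate = (counts["on-time"] + counts["open"]) / scored if scored else 1.0
    exposed = sorted(v.vuln_id for v in inventory if exclusion_exposure(v, as_of))
    return {"as_of": as_of.isoformat(), "counts": counts,
            "compliance_rate": rate, "exclusion_exposed": exposed}


# Constructed inventory; identifiers are placeholders.
AS_OF = date(2026, 3, 1)
INVENTORY = [
    Vuln("web-01", "PLACEHOLDER-0001", "critical", date(2026, 1, 10), in_kev=True,
         patched_on=date(2026, 1, 20)),                       # KEV, fixed in 10 days
    Vuln("web-02", "PLACEHOLDER-0002", "high", date(2026, 1, 5),
         patched_on=date(2026, 2, 20)),                       # fixed, but after 46 days
    Vuln("db-01", "PLACEHOLDER-0003", "critical", date(2026, 2, 15)),   # open 14 days
    Vuln("vpn-01", "PLACEHOLDER-0004", "critical", date(2026, 1, 1), in_kev=True),  # open 59 days
    Vuln("file-01", "PLACEHOLDER-0005", "medium", date(2026, 1, 1)),    # unscored, but exposed
    Vuln("legacy-01", "PLACEHOLDER-0006", "critical", date(2023, 10, 10), eol_software=True),
]

if __name__ == "__main__":
    for v in INVENTORY:
        print(f"{v.asset:10} {v.vuln_id:18} {sla_status(v, AS_OF):11} "
              f"exclusion-exposed={exclusion_exposure(v, AS_OF)}")
    print(compliance_report(INVENTORY, AS_OF))
```

The compliance rate counts a finding that is still open but inside its window as compliant, which matches how a policy attestation is read: the question is whether the process holds, not whether every ticket is closed on the day of the audit.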

Late Notification

Most policies require notification to the insurer within 72 hours of discovering a breach or suspected breach. Late notification can reduce coverage or void the claim entirely. Your incident response plan should include the insurer's notification hotline number and the specific notification requirements from your policy.

How SecureBin Helps Meet Cyber Insurance Requirements

Several of the 12 required controls directly relate to how your organization handles credential and sensitive data sharing:

  • Encryption (Requirement #9): SecureBin provides AES-256-GCM zero-knowledge encryption for all shared data. Data is encrypted in the browser before reaching our servers.
  • Access Control (Requirement #11): Self-destructing links, password protection, view limits, and IP restrictions ensure only authorized recipients access shared data.
  • Audit Trails (Requirement #12): Enterprise plans include access logs showing who viewed shared data and when.
  • PAM (Requirement #8): Instead of sharing admin credentials via Slack or email (which creates a persistent, searchable record), use encrypted one-time links that leave no trace after viewing.
  • Data-in-Transit Encryption: All SecureBin communications use TLS 1.3, meeting the in-transit encryption requirement.

Document Your Encryption Controls for Underwriters

Show your cyber insurer that sensitive data is shared exclusively through zero-knowledge encrypted channels. SecureBin Enterprise provides audit trails and access logs for compliance evidence.

Cyber Insurance Application Checklist

Before applying for or renewing your cyber insurance policy, verify that you can honestly attest to the following:

  • MFA enforced on all remote access, email, and admin accounts
  • EDR deployed and actively monitored on all endpoints and servers
  • Email filtering with anti-phishing, SPF, DKIM, and DMARC configured
  • Encrypted backups stored offline or in immutable storage, tested quarterly
  • Critical patches applied within 30 days, no end-of-life software in production
  • Documented incident response plan tested via tabletop exercise within 12 months
  • Network segmentation between critical systems and general network
  • Privileged access management with separate admin accounts and JIT access
  • Encryption at rest (full-disk) and in transit (TLS 1.2+) for all sensitive data
  • Security awareness training completed annually with phishing simulations
  • RBAC with least privilege, regular access reviews, immediate termination revocation
  • Centralized logging with 90+ day retention and security event monitoring
  • No RDP, SMB, or Telnet exposed to the internet
  • Sensitive data shared only through encrypted channels (not email or Slack)

Frequently Asked Questions

How much does cyber insurance cost in 2026?

For small businesses (under $5M revenue), expect $1,500 to $7,500 annually for $1M in coverage. Mid-market companies ($5M–$100M revenue) pay $10,000 to $75,000 annually. Enterprises pay $100,000+ annually. Premiums have stabilized after the increases of 2023–2024, but insurers are now more selective, making security controls the primary factor in both eligibility and pricing.

Can I get cyber insurance without MFA?

Practically no. MFA is now a universal requirement across all major cyber insurers. Without MFA on remote access and privileged accounts, most insurers will decline coverage entirely. Some insurers will accept phased MFA rollout plans, but full deployment is expected within 60–90 days of policy inception.

What can void a cyber insurance claim?

The most common reasons claims are denied: misrepresentation on the application (claiming controls you do not have), failure to maintain attested controls, known but unpatched vulnerabilities, late notification to the insurer (most require 72 hours), and breaches originating from unsanctioned shadow IT. Accurate applications and maintained controls are essential.

Does cyber insurance cover ransomware payments?

Many policies cover ransomware payments, but with increasing restrictions. Some insurers now sub-limit ransomware coverage (e.g., $500K within a $2M policy). Some exclude payments to sanctioned entities (OFAC compliance). And most require that you exhaust recovery options (backups, decryption tools) before approving a payment. The trend is toward covering recovery costs rather than ransom payments.

The Bottom Line

Cyber insurance in 2026 is not a substitute for security — it is a complement to it. Insurers require genuine security controls, verify them through technical assessments, and deny claims when controls are misrepresented. The good news is that the controls insurers require are the same controls that actually prevent breaches. Implementing them reduces both your premium and your actual risk.

Start by assessing your current security posture with our Exposure Checker, ensure your SSL/TLS configuration meets standards, and replace insecure credential sharing with SecureBin's encrypted links. Then use our Breach Cost Calculator to quantify the financial risk you are insuring against.