The era of filling out a two-page form and getting covered is over. Cyber insurers have dramatically tightened underwriting requirements after years of catastrophic ransomware losses. Here's exactly what they're looking for, and how to make sure your organization qualifies.
In 2019, cyber insurance was relatively cheap and relatively easy to get. By 2021, the ransomware wave had caused so many losses that multiple major carriers either exited the market or increased premiums by 100–300%. The market reset forced a fundamental change: insurers stopped accepting self-reported "good security" and started requiring evidence of specific controls.
Today, the top cyber insurers use a combination of security questionnaires, external attack surface scanning, and, increasingly, third-party security ratings to assess your posture before binding coverage. Getting covered, and getting covered at a reasonable price, now requires actual security documentation, not just intent.
Based on current underwriting requirements from major carriers (Chubb, Travelers, Coalition, Beazley, AIG, and others), these are the controls that will either make or break your application:
MFA is the single most scrutinized control in cyber insurance underwriting. Carriers want to see it enabled on all of the following, not just some:
Missing MFA on any of these categories, particularly remote access, is a frequent cause of application denial or exclusionary endorsements. Some carriers will cover you without RDP MFA but will exclude ransomware claims, which largely defeats the purpose.
Traditional antivirus is no longer considered adequate. Most carriers require EDR deployed across all endpoints, not just servers. They're looking for solutions that provide behavioral detection, rollback capability, and centralized management. Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, and Huntress all meet this requirement for most carriers.
This is the control that determines whether a ransomware event is a recovery or a ransom payment. Carriers want to see:
The IRP is required by nearly every mid-market carrier. It needs to be documented, not just "we'd figure it out." Carriers look for a plan that defines what constitutes a reportable incident, who is responsible for each response phase, legal and regulatory notification requirements, and how you preserve forensic evidence. An undocumented "we call our IT guy" response is not acceptable.
Business Email Compromise (BEC) is one of the most claimed cyber insurance events. Carriers check for:
- DMARC enforcement: p=quarantine

Some carriers actually scan your domain's DNS records during the underwriting process. Missing DMARC enforcement is a red flag that may affect pricing.
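The DNS check carriers run against your domain is easy to reproduce before you apply. The following is an added example, not code from the original article: it parses SPF and DMARC TXT records the way an external scan would and flags a DMARC policy of p=none (monitoring only, the denial trigger mentioned later on this page). The domain and records are constructed sample data; DKIM is omitted because it cannot be verified without knowing the selector in use.

```python
"""Assess SPF/DMARC records for underwriting-style enforcement checks."""
import re

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
# A live check would fetch these with `dig TXT <domain>` and `dig TXT _dmarc.<domain>`.
SAMPLE_RECORDS = {
    "example-insured.test": "v=spf1 include:_spf.example.test -all",
    "_dmarc.example-insured.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-insured.test",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into its tag=value pairs (tags are case-insensitive)."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain: str, records: dict) -> dict:
    """Return the findings an external scan would surface for one domain.

    spf_enforcing requires the record to end in a hard (-all) or soft (~all) fail;
    dmarc_enforcing is True only for p=quarantine or p=reject, since p=none
    delivers spoofed mail unchanged and only reports on it.
    """
    spf = records.get(domain, "")
    spf_present = spf.lower().startswith("v=spf1")
    spf_enforcing = spf_present and bool(re.search(r"\s[-~]all\s*$", spf))
    dmarc = parse_dmarc(records.get(f"_dmarc.{domain}", ""))
    policy = dmarc.get("p", "").lower()
    return {
        "spf_present": spf_present,
        "spf_enforcing": spf_enforcing,
        "dmarc_present": bool(dmarc),
        "dmarc_policy": policy or None,
        "dmarc_enforcing": policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    for finding, value in assess_email_auth("example-insured.test", SAMPLE_RECORDS).items():
        print(f"{finding}: {value}")
```

Running it against the sample data shows SPF enforcing but DMARC present at p=none, which is exactly the combination that reads as "configured but not enforced" to an underwriter.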
| Control | Priority | Documentation Needed |
|---|---|---|
| MFA on all remote access and privileged accounts | Critical | Policy + screenshot/evidence |
| EDR on all endpoints | Critical | EDR vendor + coverage scope |
| Offline/immutable backups tested <90 days | Critical | Backup policy + test records |
| Written Incident Response Plan | Critical | Signed, dated IRP document |
| SPF / DKIM / DMARC configured | Critical | DNS records (carriers scan) |
| Security awareness training (annual minimum) | High | Training policy + completion records |
| Privileged access management (PAM) | High | PAM tool or documented procedure |
| Patch management process (<30 days for critical) | High | Patch management policy |
| Vendor/third-party risk management | High | Vendor management policy |
| Data retention and destruction policy | Moderate | Written policy document |
| Network segmentation | Moderate | Network diagram |
| Vulnerability scanning program | Moderate | Scanning tool + frequency |
The fastest way to get denied or have a claim rejected is to check "Yes" on controls you haven't actually implemented. Carriers perform forensic investigations after major claims and compare their findings against your application representations. Material misrepresentation gives them grounds to rescind the policy retroactively.
Beyond misrepresentation, the following are the most common denial triggers in the current market:
- DMARC left at p=none (monitoring only, no enforcement)

Cyber insurance isn't just about getting the policy, it's about being able to collect on it. Well-documented security controls serve three purposes: they help you qualify at competitive rates, they demonstrate good faith if a claim is ever disputed, and they help your organization actually respond effectively when an incident occurs.
Carriers increasingly request to review policy documents, not just check boxes, at renewal. An organization that can produce a written, signed Backup and Recovery Policy, Incident Response Plan, and Security Awareness Training Policy has a fundamentally different renewal conversation than one that can only describe its controls verbally.
Our Cyber Insurance Readiness Pack includes the five policy documents that underwriters ask for most often (Incident Response, Backup & Recovery, Vendor Management, Data Retention, and Security Awareness), formatted for immediate use.
The most important thing to understand about cyber insurance in 2026 is that it has become a proxy for your overall security posture. Insurers aren't just trying to assess risk, they're inadvertently forcing organizations to build real security programs as a condition of coverage.
That's actually good news if you approach it correctly. The documentation you build to satisfy underwriters (incident response plans, backup policies, vendor management procedures) is the same documentation that helps you respond effectively when something goes wrong. The investment is the same; the value is dual.