Cyber Insurance Requirements: What Insurers Expect in 2026

Cyber insurers are tightening how they evaluate risk. The questions are more numerous, the scrutiny more pointed, and the consequences of getting it wrong are real: voided policies, denied claims, and coverage gaps that only surface after an incident. Understanding what insurers want, not what a generic checklist suggests, is a business decision now, not an IT task.

From Self-Attestation to Security Audit: How Cyber Insurance Underwriting Has Changed

The industry built its first cyber policies on self-attestation. An organization filled out a form, checked yes or no, and received a policy based largely on the honor system.

That model is breaking down. Insurers have paid out enough claims to understand that what organizations say they have and what they actually have are often different things. Sometimes that gap is intentional misrepresentation. More often it's honest confusion: people answering questions they don't fully understand about systems they only partially control.

One of the largest cyber insurers in the market has acknowledged directly that questionnaires ask the wrong questions, get the wrong answers, and are out of date before they're even completed. Insurers keep using them anyway, because they haven't had a better option at scale.

The industry's response has been to push toward verification. Insurers now run outside-in scans of organizational environments, looking for exposed systems, unpatched software, and misconfigured access points. They're requesting third-party validation, treating renewals more like audits than administrative paperwork, and moving toward continuous monitoring of security posture rather than annual checkboxes.

This shift from self-attestation to verified evidence is the defining change in cyber insurance underwriting criteria today. Organizations that understand it will navigate the market far more effectively than those still preparing for the old process.

What Cyber Insurers Look for Today: The Baseline Requirements

The baseline has shifted, and it continues to shift. Below is where cyber insurance underwriting criteria stand now, and what each requirement actually means in practice.

MFA Requirements for Cyber Insurance

Multi-factor authentication (MFA) is still table stakes, but "we have MFA" is no longer enough. Insurers want to know whether MFA is enforced across all user accounts, not just some of them. VPN access without MFA has become a specific underwriting flag. Accounts with weak or absent MFA are a documented path to claim denial.

The nuance matters. A business owner recently answered "no" to the MFA question on an insurance application because he didn't recognize the term for what he was already running. The controls were there. The evidence wasn't. His broker nearly turned him away before someone caught it.

That kind of gap is exactly what insurers are trying to close. A "yes" answer without documentation is now treated with skepticism. Organizations need to show that MFA is deployed, enforced, and applied consistently across privileged accounts, email, remote access, and administrative systems.

What insurers want to see: MFA enforced on all user accounts, with particular scrutiny on VPN, remote desktop, and administrator access. Evidence of deployment, not just attestation.
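The "evidence, not attestation" point above is easiest to meet with a repeatable report rather than a yes/no answer. The following is an added example, not code from the article or from Todyl: it takes an identity export, finds enabled accounts whose MFA is absent or weak, and ranks the gaps by whether the account reaches the access paths the article singles out (VPN, remote desktop, administrator, email). The account records are constructed sample data, and the field names plus the strong/weak method classification are assumptions to adapt to your own directory export.

```python
"""
Added example (not the article's own code): produce MFA-coverage evidence from
an identity export. The accounts below are constructed; the strong/weak method
split and the record fields are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Access paths the article says draw particular underwriting scrutiny.
HIGH_SCRUTINY = {"vpn", "rdp", "admin", "email"}
STRONG_METHODS = {"fido2", "totp", "push"}   # assumption: app-based or phishing-resistant
WEAK_METHODS = {"sms", "voice"}              # assumption: treated as weak by many carriers


@dataclass
class Account:
    user: str
    enabled: bool
    access: set = field(default_factory=set)        # e.g. {"vpn", "admin"}
    mfa_methods: set = field(default_factory=set)   # registered second factors


def classify(account):
    """Absent, weak, strong, or unknown, based on the registered methods."""
    if not account.mfa_methods:
        return "absent"
    if account.mfa_methods & STRONG_METHODS:
        return "strong"
    if account.mfa_methods & WEAK_METHODS:
        return "weak"
    return "unknown"


def audit_mfa(accounts):
    """Return a summary plus one finding per enabled account lacking strong MFA,
    with findings that touch high-scrutiny access paths listed first."""
    findings = []
    counts = Counter()
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is not an access path
        status = classify(a)
        counts[status] += 1
        if status != "strong":
            exposed = sorted(a.access & HIGH_SCRUTINY)
            findings.append({
                "user": a.user,
                "status": status,
                "high_scrutiny_access": exposed,
                "priority": "high" if exposed else "normal",
            })
    findings.sort(key=lambda f: (f["priority"] != "high", f["user"]))
    total = sum(counts.values())
    pct = round(100 * counts["strong"] / total, 1) if total else 0.0
    return {"enabled_accounts": total, "strong_coverage_pct": pct, "findings": findings}


# Constructed sample export: six accounts covering each case the check handles.
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"vpn", "admin"}, {"fido2"}),
    Account("bob", True, {"email"}, {"sms"}),
    Account("carol", True, {"rdp"}, set()),
    Account("dave", True, set(), set()),
    Account("erin", False, {"admin"}, set()),
    Account("frank", True, {"email"}, {"totp"}),
]
REPORT = audit_mfa(SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    print(f"{REPORT['strong_coverage_pct']}% of {REPORT['enabled_accounts']} enabled accounts have strong MFA")
    for f in REPORT["findings"]:
        print(f"[{f['priority']}] {f['user']}: MFA {f['status']}, access={f['high_scrutiny_access']}")
```

Run against a fresh export before each renewal and keep the dated output; a report that lists a specific RDP-capable account with no second factor is the kind of discrepancy a claims investigation would otherwise find first.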

EDR and MDR: The New Cyber Insurance Standard

Endpoint security has evolved from a product to a program. Insurers moved past antivirus, then past basic endpoint detection and response (EDR). The current expectation in most markets is managed detection and response (MDR) with 24/7 coverage. A tool that alerts someone when they're available is no longer sufficient.

The shift reflects a change in how attacks unfold. A few years ago, an organization might have had two weeks to respond to an intrusion before significant damage was done. Now it's hours, sometimes minutes. Insurers have watched claims multiply from attackers who moved fast while defenders moved slowly, and their underwriting requirements have followed.

EDR and MDR requirements for cyber insurance now typically mean an organization must demonstrate not just that endpoint tools are installed, but that someone with expertise is actively monitoring alerts around the clock and has a defined process for responding when something is detected.

What insurers want to see: Managed detection and response with 24/7 coverage, documented response procedures, and evidence that alerts are acted on, not just logged.

Backup Requirements for Cyber Insurance Coverage

This is one of the most misrepresented areas in cyber insurance applications, and one of the most consequential when something goes wrong.

One insurer described the worst manufacturing claim of his career: a company that reported having backups, didn't have working ones, and took 48 days to recover from an incident that should have taken 48 hours. A separate study across more than 10,000 policies found that the backups question was answered incorrectly or incompletely 90% of the time. The disconnect is so persistent that some carriers have stopped asking about backups on applications entirely, because the answers are too unreliable to be useful.

The gap usually isn't dishonesty. It's that "we back things up" and "our backups work" are not the same statement. Organizations assume they have functional backups because a backup process runs nightly. Insurers have learned to ask harder questions: Are backups isolated from the primary environment? Are they tested? How often? Who monitors them? What's the recovery time objective, and has it ever been validated against a real restore?

What insurers want to see: Backups that exist, are tested regularly, are isolated from the primary environment, and are monitored. Organizations should be able to document their backup testing cadence and provide evidence of a successful restore.
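The difference between "we back things up" and "our backups work" is a restore that has actually been performed and measured. The following is an added example, not code from the article or from Todyl: it builds a small backup set and its hash manifest in a temporary directory (constructed data), restores the archive to a scratch location, compares every restored file against the manifest, times the restore against an assumed recovery time objective, and returns a timestamped evidence record. A second archive with one silently truncated file shows what the record looks like when a nightly job is running but no longer capturing the data correctly.

```python
"""
Added example (not the article's own code): a restore test that produces a
dated evidence record. The backup set and manifest are constructed in a temp
directory; RTO_SECONDS is an assumed policy value.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone

RTO_SECONDS = 5  # assumption: recovery time objective for this tiny data set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_backup(workdir, corrupt=False):
    """Constructed sample: three files, a manifest taken at backup time, and a tar
    archive. With corrupt=True one file is truncated inside the archive."""
    files = {
        "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n" * 50,
        "config/app.yaml": b"mode: production\nretention_days: 365\n",
        "docs/runbook.md": b"# Restore runbook\n1. Mount vault\n2. Restore\n",
    }
    manifest = {n: {"sha256": sha256(d), "size": len(d)} for n, d in files.items()}
    archive = os.path.join(workdir, "backup-corrupt.tar" if corrupt else "backup.tar")
    with tarfile.open(archive, "w") as tar:
        for name, data in files.items():
            if corrupt and name == "db/orders.sql":
                data = data[:100]  # the archive holds a truncated copy
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return archive, manifest


def verify_restore(archive, manifest, restore_dir):
    """Restore every file into restore_dir, hash it, compare with the manifest,
    and return an evidence record (what was restored, what failed, how long)."""
    started = time.monotonic()
    restored = {}
    root = os.path.realpath(restore_dir)
    with tarfile.open(archive, "r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            dest = os.path.realpath(os.path.join(root, member.name))
            if not dest.startswith(root + os.sep):
                raise ValueError(f"refusing to restore outside restore_dir: {member.name}")
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            data = tar.extractfile(member).read()
            with open(dest, "wb") as fh:
                fh.write(data)
            restored[member.name] = sha256(data)
    elapsed = time.monotonic() - started
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(n for n in manifest
                        if n in restored and restored[n] != manifest[n]["sha256"])
    ok = not missing and not mismatched and elapsed <= RTO_SECONDS
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": os.path.basename(archive),
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "mismatched": mismatched,
        "restore_seconds": round(elapsed, 3),
        "rto_met": elapsed <= RTO_SECONDS,
        "result": "PASS" if ok else "FAIL",
    }


def run_demo():
    """Verify a good archive and a corrupted one; return both evidence records."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        for corrupt in (False, True):
            archive, manifest = build_sample_backup(work, corrupt)
            target = os.path.join(work, "restore-corrupt" if corrupt else "restore-good")
            results["corrupt" if corrupt else "good"] = verify_restore(archive, manifest, target)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is the piece most backup jobs skip: without hashes captured at backup time, a restore can "succeed" while returning a file that is not the one you had. Keeping the JSON records from each scheduled test gives you the cadence and the successful-restore evidence the article describes in one artifact.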

Why Incident Response Plans Are Now an Insurance Requirement

The ability to respond to an incident, not just prevent one, is increasingly part of the cyber insurance underwriting conversation. Insurers know breaches happen. What they're evaluating is whether an organization can contain damage and recover quickly, or whether a single event becomes a prolonged, expensive crisis.

Organizations that can show a documented incident response plan, with evidence it has been tested, present a meaningfully different risk profile than those that cannot. Some carriers now require tabletop exercises as part of the renewal process. Others will offer premium discounts for organizations that can demonstrate a tested plan.

An incident response plan for cyber insurance purposes should define roles and responsibilities, establish communication protocols, identify the forensic and legal resources the organization would engage, and document how it has been tested. A plan that exists in a shared drive but has never been rehearsed does not carry the same weight as one that can be traced through a documented exercise.

What insurers want to see: A documented incident response plan with clear ownership, evidence of testing (tabletop exercise documentation is acceptable), and a defined escalation path for engaging external resources.

Zero Trust and Cyber Insurance: What Carriers Are Now Asking

The progression of cyber insurance requirements over the past five years tells a clear story. First it was backups. Then MFA. Then EDR, then MDR, after insurers concluded that a tool monitored only during business hours wasn't enough. Each year, the bar moved.

The current frontier is Zero Trust. Carriers including Marsh and Chubb have begun incorporating Zero Trust principles into their underwriting conversations. The distinction worth understanding: they're not asking whether an organization has purchased a Zero Trust product. They're asking whether the organization operates on Zero Trust principles, including least-privilege access, continuous verification, network segmentation, and conditional access policies that restrict what users and devices can reach based on identity and context.

For most businesses, that's a significant shift. It moves the conversation from "what tools do you have" to "how is your environment actually structured and governed." An organization can have an EDR solution, an MFA policy, and a backup process, and still fail Zero Trust evaluation because its internal network allows unrestricted lateral movement.

Least-privilege access and Zero Trust principles are now appearing in underwriting questionnaires, renewal audits, and carrier guidance documents. Organizations that have built their security program around a Zero Trust operating model, rather than assembled it from a list of point tools, are increasingly better positioned in the underwriting process.

What insurers want to see: Evidence of Zero Trust implementation, including least-privilege access policies, network segmentation, identity-based access controls, and conditional access configurations that limit what authenticated users can reach.

Security Logging and Visibility: What Insurers Expect

Insurers and the forensic teams they engage after a claim need data. They need to understand what happened, when, and how. Organizations that can pull logs quickly and show what their environment looked like at the time of an incident give insurers what they need to process a claim. Organizations that cannot do so create friction for themselves and, in some cases, real liability exposure.

Continuous security monitoring is now an expectation in most underwriting conversations. The question isn't just whether logs exist; it's whether they cover the right systems, whether they're retained long enough to be useful in a forensic investigation, and whether someone is reviewing them.

This is also where the shift from self-attestation to evidence becomes most practical. Showing an insurer you have continuous visibility into your environment is fundamentally different from telling them you do. Log data is concrete. Assertions are not.

What insurers want to see: Centralized log collection across endpoints, network, and identity systems; documented retention periods; and evidence of active monitoring, whether through an internal team or a managed service provider.
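A retention setting in a console is an assertion; the oldest and newest event actually held for each source is evidence. The following is an added example, not code from the article or from Todyl: it reads events as a central collector would index them (constructed sample data with a fixed "now" so the output is reproducible), derives the observed retention and collector liveness per source, and flags any of the article's three required categories (endpoint, network, identity) that has no source at all. The minimum retention and silence thresholds are assumptions.

```python
"""
Added example (not the article's own code): derive log coverage, observed
retention and collector liveness from the events themselves. Events are
constructed; the thresholds are assumptions.
"""
from datetime import datetime, timezone

REQUIRED_CATEGORIES = {"endpoint", "network", "identity"}  # the article's list
MIN_RETENTION_DAYS = 90   # assumption: policy minimum for forensic usefulness
MAX_SILENCE_HOURS = 24    # assumption: a source quiet longer than this is treated as broken


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: (source, category, event time) as indexed by a central collector.
SAMPLE_EVENTS = [
    ("edr-agent", "endpoint", "2025-03-10T08:00:00"),
    ("edr-agent", "endpoint", "2025-09-01T14:21:00"),
    ("edr-agent", "endpoint", "2026-03-01T11:50:00"),
    ("firewall", "network", "2025-12-15T00:00:00"),
    ("firewall", "network", "2026-03-01T11:30:00"),
    ("idp-signin", "identity", "2025-01-01T00:00:00"),
    ("idp-signin", "identity", "2026-02-20T09:00:00"),
]
NOW = ts("2026-03-01T12:00:00")  # fixed so the report is reproducible


def assess_visibility(events, now=NOW, required_categories=REQUIRED_CATEGORIES,
                      min_retention_days=MIN_RETENTION_DAYS,
                      max_silence_hours=MAX_SILENCE_HOURS):
    """Per source: observed retention (oldest event) and hours since the newest
    event. Findings cover short retention, silent collectors and uncovered categories."""
    oldest, newest, category = {}, {}, {}
    for source, cat, when in events:
        t = ts(when)
        category[source] = cat
        oldest[source] = min(oldest.get(source, t), t)
        newest[source] = max(newest.get(source, t), t)

    sources, findings = {}, []
    for source in oldest:
        retention_days = (now - oldest[source]).days
        silence_hours = (now - newest[source]).total_seconds() / 3600
        sources[source] = {
            "category": category[source],
            "observed_retention_days": retention_days,
            "hours_since_last_event": round(silence_hours, 1),
        }
        if retention_days < min_retention_days:
            findings.append({"source": source, "issue": "retention",
                             "detail": f"{retention_days}d observed, {min_retention_days}d required"})
        if silence_hours > max_silence_hours:
            findings.append({"source": source, "issue": "stale",
                             "detail": f"no events for {silence_hours:.0f}h"})

    missing = sorted(set(required_categories) - set(category.values()))
    for cat in missing:
        findings.append({"source": None, "issue": "no_coverage",
                         "detail": f"no log source for category '{cat}'"})
    return {"as_of": now.isoformat(), "sources": sources,
            "missing_categories": missing, "findings": findings}


if __name__ == "__main__":
    report = assess_visibility(SAMPLE_EVENTS)
    for name, s in report["sources"].items():
        print(f"{name:<12} {s['category']:<9} retention={s['observed_retention_days']}d "
              f"last_event={s['hours_since_last_event']}h ago")
    for f in report["findings"]:
        print(f"FINDING {f['issue']}: {f['source']} {f['detail']}")
```

In the sample the firewall holds only 76 days of history and the identity provider feed has been silent for nine days: both are exactly the gaps a forensic team discovers after a claim, and both are invisible if you only report the configured retention value.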

Cyber Insurers Are Becoming De Facto Security Regulators

One way to understand where the cyber insurance market is heading is to look at where it's gone in other industries. In professional liability, the insurance industry effectively established the standards of practice that lawyers and other professionals must follow to maintain coverage. Cyber insurance is following the same trajectory.

Carriers are treating renewals like audits. Some are beginning to prescribe specific technologies or vendors as conditions of coverage. Others are partnering directly with security providers to bundle protection with policies. The market is consolidating around a simple premise: insurers need to trust that the controls they're being told about exist and work.

The conversation with your insurer has changed. It's no longer about filling out a form accurately. It's about being able to prove your security posture, answer questions with evidence rather than assertions, and demonstrate that your program is operating as described.

Businesses that treat cyber insurance requirements as a compliance exercise, something to satisfy at renewal and then set aside, will find that posture increasingly difficult to sustain. The carriers driving this market are building continuous monitoring relationships, not annual snapshot reviews.

How to Meet Cyber Insurance Requirements and Protect Your Coverage

The organizations that navigate the cyber insurance market well over the next few years will treat insurance readiness as part of their security program, not a separate administrative exercise.

That means keeping a current, accurate picture of which controls are deployed and how they're configured. It means being able to produce documentation and evidence on short notice, not just at renewal time. And it means understanding that Zero Trust is no longer a future concern. It's already entering the underwriting conversation at the largest carriers in the market.

The question has shifted from "do we have the right tools?" to "can we prove the tools are working, and can we show how our environment is built?" Businesses that can answer yes will find coverage more accessible and often less expensive. Those that cannot will find the market increasingly difficult to navigate.

A security program built around a unified platform, one that covers endpoints, network access, identity, logging, and compliance in a way that can be documented and reported, is no longer a nice-to-have for insurance purposes. It's the baseline insurers are moving toward.

See how Todyl helps you build and demonstrate a security program that meets insurer expectations.

Frequently Asked Questions About Cyber Insurance Requirements

What happens if you lie on a cyber insurance application?

Providing false or inaccurate information on a cyber insurance application can result in claim denial, policy rescission, or both. If an insurer determines during a claims investigation that the application contained material misrepresentation, it has grounds to void the policy as if it never existed. This means the organization would receive no payout for a covered incident, even if the premiums had been paid in full. In some jurisdictions and policy structures, insurers may also pursue recovery of any funds already paid. The risk is compounded by the industry's shift toward verification: outside-in scans and third-party audits mean discrepancies between application answers and actual security posture are more likely to be discovered.

Does cyber insurance require a security assessment?

Increasingly, yes. While most policies still begin with an application questionnaire, many carriers now supplement self-reported information with outside-in technical scans of an organization's internet-facing environment. Some require third-party security assessments for higher coverage limits or higher-risk industries. At renewal, organizations with prior claims or significant coverage amounts may face more rigorous validation of their stated controls. The trend is toward continuous monitoring relationships rather than point-in-time assessments, with some carriers offering premium incentives for organizations that allow ongoing visibility into their security posture.

Can a cyber insurance claim be denied because of missing MFA?

Yes. Missing or incomplete MFA deployment is one of the most documented grounds for cyber insurance claim denial. If an organization states on its application that MFA is enforced across all accounts and an investigation reveals it wasn't enforced on the account or system that was compromised, the insurer may deny the claim based on material misrepresentation. This applies even when the gap was unintentional. Insurers have made MFA a condition of coverage in many policies, meaning a breach traced to an account without MFA may fall outside covered losses entirely, depending on policy language.

What is the difference between EDR and MDR for insurance purposes?

EDR refers to the technology installed on endpoints that detects and records suspicious activity. MDR refers to the managed service that operates on top of that technology, providing 24/7 human monitoring, alert investigation, and response guidance. For cyber insurance purposes, having EDR installed is no longer sufficient in most markets. Carriers want to see that alerts are being acted on around the clock, which is what MDR provides. An EDR tool that sends alerts to a security team during business hours does not satisfy the MDR requirement.

How do I qualify for cyber insurance with better rates?

The organizations that consistently qualify for cyber insurance at better rates share several characteristics: MFA enforced across all accounts, a managed detection and response service with 24/7 coverage, tested and isolated backups with documented recovery procedures, a documented and tested incident response plan, centralized logging with defined retention periods, and a security architecture that reflects Zero Trust principles. Beyond the specific controls, the factor that increasingly differentiates organizations in underwriting is the ability to produce evidence quickly. Insurers are more confident in organizations that can show their controls working, not just describe them.
