Cyber Insurance Security Requirements Checklist 2026
Cyber insurance underwriting changed fundamentally after the ransomware surge of 2020 to 2022. Insurers absorbed catastrophic losses and responded by tightening requirements, raising premiums, and adding exclusions that limit coverage for the most common claim types. In 2026, the application process resembles a security assessment: underwriters ask detailed questions about specific controls, request evidence of implementation, and decline coverage or add exclusions when controls are absent. Understanding what underwriters require and how to demonstrate compliance is a practical security program concern, not just a procurement exercise.
Tier 1 Controls: Near-Universal Requirements
These controls appear on virtually every cyber insurance application and will result in coverage denial or dramatic premium increases if absent:
Multi-factor authentication (MFA)
Required for: email and Microsoft 365/Google Workspace, VPN and remote access, privileged accounts and administrator access, cloud infrastructure consoles (AWS, Azure, GCP). Underwriters specifically ask about MFA coverage percentages, and they mean accounts that are actually challenged at sign-in, not accounts that have merely registered a method. 100 percent coverage of email and remote access is the baseline expectation. Partial MFA deployment (some users, some systems) no longer satisfies most underwriters. Documentation needed: screenshot of the MFA enforcement policy in your IdP, and confirmation that legacy authentication (protocols such as basic-auth IMAP, POP and SMTP that cannot carry an MFA challenge) is blocked, since an open legacy protocol bypasses MFA on every account that still has it enabled.
Endpoint Detection and Response (EDR)
A named EDR product (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black) deployed on all endpoints including servers. Underwriters distinguish EDR from traditional antivirus: legacy AV does not satisfy this requirement. Coverage percentage matters: EDR on 95 percent of endpoints with documented exceptions for the remaining 5 percent is typically acceptable. Documentation needed: console screenshot showing deployment coverage, agent version currency.
Privileged Access Management (PAM)
Controls over administrative accounts: either a dedicated PAM solution (CyberArk, BeyondTrust, Delinea) or documented controls including just-in-time access, separate privileged accounts from daily-use accounts, and privileged session logging. This requirement has strengthened significantly: underwriters have connected uncontrolled admin credentials to high-severity ransomware claims. Documentation needed: description of privileged access controls, PAM tool name if applicable.
Offline or immutable backups
Backup data that cannot be encrypted or deleted by ransomware operating with compromised domain admin credentials. Requirements: backups that are air-gapped, immutable (cannot be overwritten or deleted before a retention period elapses), or otherwise isolated from the production environment. The isolation has to hold against the credentials an attacker will actually have: an immutability setting that a domain admin or the backup server's own service account can switch off does not meet the bar, which is why storage-enforced retention (object lock or WORM storage) and a separate administrative credential path for the backup platform are what underwriters look for. Backup frequency (daily minimum), retention period (30 days minimum), and tested restoration capability are all assessed. Documentation needed: backup solution description, confirmation of isolation from production, most recent restoration test date and outcome.
Tier 2 Controls: Increasingly Standard Requirements
These controls were once differentiators that improved terms; they are now baseline expectations at most insurers:
Email security gateway
A named email security product beyond native email platform defaults: Proofpoint, Mimecast, or Microsoft Defender for Office 365 Plan 2. Anti-phishing, anti-malware sandboxing, and URL rewriting are expected. DMARC published at p=quarantine or p=reject for all sending domains, applied to all mail (pct=100) and without a weaker subdomain policy (sp=none) that would leave subdomains spoofable.
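The DMARC expectation above is easy to check against what is actually published. The script below is an added example, not tooling from the article or any vendor it names: it parses DMARC TXT records and flags the cases underwriters care about (policy weaker than quarantine/reject, pct below 100, an explicit sp=none). The domains and records are constructed samples; in a real check you would fetch the TXT record at _dmarc.<domain> (for instance with dnspython) and pass it to evaluate_dmarc.

```python
"""DMARC policy check against the p=quarantine / p=reject expectation.

Added example, not code from the article. The records below are constructed;
in a real check you would fetch the TXT record at _dmarc.<domain> (for
instance with dnspython) and feed it to evaluate_dmarc.
"""

ACCEPTABLE_POLICIES = {"quarantine", "reject"}

# Constructed: domain -> TXT record as published at _dmarc.<domain>
# ("" stands for no record found).
SAMPLE_RECORDS = {
    "corp.example": "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example; ruf=mailto:dmarc@corp.example; fo=1",
    "marketing.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@corp.example",
    "legacy.example": "v=DMARC1; p=none; rua=mailto:dmarc@corp.example",
    "partner.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@corp.example",
    "nodmarc.example": "",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into lower-cased tag -> value (RFC 7489 tag=value; syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return {"passes": bool, "issues": [...]} for one published record.

    Hard failures (policy weaker than quarantine/reject, pct below 100,
    an explicitly weaker subdomain policy) make the record fail; a missing
    aggregate-report address is reported but does not fail the check.
    """
    if not record.strip():
        return {"passes": False, "issues": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"passes": False, "issues": ["record does not start with v=DMARC1"]}

    hard, advisory = [], []
    policy = tags.get("p", "").lower()
    if policy not in ACCEPTABLE_POLICIES:
        hard.append(f"p={policy or '(missing)'}; expected quarantine or reject")

    # pct defaults to 100; lower values apply the policy to a sample of failing mail only
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        hard.append(f"pct={pct}; policy applied to only {pct}% of failing mail")

    # sp defaults to p; an explicit weaker sp leaves every subdomain spoofable
    if "sp" in tags and tags["sp"].lower() not in ACCEPTABLE_POLICIES:
        hard.append(f"sp={tags['sp']}; subdomains are not covered by the policy")

    if "rua" not in tags:
        advisory.append("no rua= address; nothing shows the policy is monitored")

    return {"passes": not hard, "issues": hard + advisory}


def dmarc_report(records):
    """Evaluate every sending domain; the failing list is what goes in the exceptions section."""
    results = {domain: evaluate_dmarc(rec) for domain, rec in records.items()}
    failing = sorted(d for d, r in results.items() if not r["passes"])
    return {"domains": results, "failing": failing}


if __name__ == "__main__":
    rep = dmarc_report(SAMPLE_RECORDS)
    for domain, r in rep["domains"].items():
        print(domain, "PASS" if r["passes"] else "FAIL", "; ".join(r["issues"]))
```

Run it against the full list of domains that send mail on your behalf, not just the primary one: the "all sending domains" wording in questionnaires is where marketing and acquired-company domains usually fall short.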
Vulnerability management program
Regular scanning of all assets, documented remediation SLAs by severity, and evidence of patch compliance tracking. Underwriters ask about scan frequency (weekly for external-facing systems is the expectation), mean time to patch critical vulnerabilities, and whether critical vulnerabilities are tracked to remediation.
Incident response plan
A documented IR plan that has been tested within the past 12 months. Tabletop exercises are the minimum acceptable test; insurers with better terms require more rigorous testing. The plan must include ransomware-specific response procedures. Documentation needed: IR plan document with last review date, tabletop exercise summary.
Security awareness training
Formal security awareness training program with phishing simulations. Frequency: annual training minimum, quarterly phishing simulations preferred. Track completion rates and click rates as evidence of program operation. Documentation: training platform name, completion rate, most recent phishing simulation click rate.
Network segmentation
Documented segmentation between operational environments, particularly: separation of backup systems from production, separation of IT from OT environments, and segmentation of payment card systems if applicable. Underwriters assess whether ransomware can traverse from one network segment to encrypt everything simultaneously.
Tier 3 Controls: Premium and Coverage Differentiators
These controls distinguish favorable premium rates and broader coverage terms from standard market rates:
Zero trust network access
ZTNA replacing VPN demonstrates a mature network access posture. Some underwriters offer explicit premium credits for ZTNA deployment over VPN for remote access.
24/7 SOC or MDR coverage
Continuous monitoring significantly reduces claim frequency and severity. Underwriters recognize that gaps in monitoring coverage (nights, weekends) correlate with successful ransomware deployments, which are routinely timed for those windows. Documentation needed: MDR service contract or internal SOC staffing and shift coverage evidence.
Cyber threat intelligence program
Proactive threat intelligence demonstrates maturity beyond reactive posture. ISAC membership and CTI feed subscriptions are evidence underwriters cite for favorable terms.
Tabletop exercises with senior leadership
Board and C-suite level incident response exercises signal organizational commitment. Some underwriters offer credits for documented executive-level IR exercises.
Third-party security assessments
Annual penetration testing, external vulnerability assessments, or security program maturity assessments by qualified third parties provide independent validation that controls are operational.
Coverage Exclusions to Review Carefully
Controls are not the only insurance consideration. Review these common exclusions that limit coverage for the most likely claim scenarios:
War and nation-state exclusion
Many policies exclude coverage for attacks attributed to nation-state actors. In Merck v. ACE American (New Jersey appellate decision, 2023, arising from the 2017 NotPetya attack), the courts held that a conventional "hostile or warlike action" war exclusion did not reach a state-linked cyberattack; the insurance market responded by writing explicit cyber-war and state-backed-attack exclusions into cyber policies rather than by conceding coverage. Review your policy's specific exclusion language and ask your broker how attribution is determined for exclusion purposes, since attribution is often contested and may turn on government statements rather than on forensic evidence from your own incident.
Known vulnerability exclusion
Some policies exclude claims arising from exploitation of vulnerabilities that were publicly known for more than a defined period (30 to 90 days) before the incident. This creates a direct financial incentive to patch promptly. Review your policy for this exclusion and ensure your vulnerability management SLAs align with the policy timeframe.
Infrastructure failure exclusion
Outages caused by cloud provider failure (AWS outage affecting your hosted applications) may be excluded as infrastructure failure rather than a covered cyber event. Assess your dependency on single cloud providers against this exclusion.
Ransomware payment sub-limit
Many policies cap ransomware payment coverage at a sub-limit below the overall policy limit. Verify your ransomware sub-limit against your estimated maximum ransom exposure.
Documentation for the Application
Assembling documentation before the application reduces renewal delays and demonstrates control maturity. Build this evidence package annually:
MFA coverage report
Screenshot or export from your IdP showing MFA enrollment percentage across all user populations and application categories.
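The MFA coverage figures described here and in the Tier 1 MFA requirement come from the same IdP export. The script below is an added example, not the article's or any IdP vendor's tooling: it computes enforced-MFA coverage per user population and produces the two exception lists an underwriter asks for (accounts not enforced, and accounts still signing in over legacy protocols). The CSV column names and the sample rows are constructed assumptions; real exports from Entra ID, Okta or Google Workspace need a one-time column remapping.

```python
"""MFA coverage report from an IdP user export.

Added example for this article, not the author's own tooling. Assumes a CSV
export with the columns below; real exports (Entra ID, Okta, Google Workspace)
use their own column names and need a one-time remapping. The sample rows are
constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample. mfa_enforced means a policy actually challenges the
# account at sign-in; mfa_registered alone (methods enrolled, never challenged)
# is the gap underwriters no longer accept. last_legacy_auth is the most recent
# sign-in over a legacy protocol that cannot carry an MFA challenge.
SAMPLE_EXPORT = """\
user,population,mfa_registered,mfa_enforced,last_legacy_auth
alice@corp.example,employee,yes,yes,
bob@corp.example,employee,yes,no,2026-01-14
carol@corp.example,contractor,no,no,
dave-admin@corp.example,admin,yes,yes,
erin@corp.example,employee,yes,yes,2025-11-02
svc-scanner@corp.example,service,no,no,2026-02-01
"""


def parse_export(text):
    """Turn the CSV text into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": r["user"].strip(),
            "population": r["population"].strip().lower(),
            "registered": r["mfa_registered"].strip().lower() == "yes",
            "enforced": r["mfa_enforced"].strip().lower() == "yes",
            "last_legacy_auth": (date.fromisoformat(r["last_legacy_auth"].strip())
                                 if r["last_legacy_auth"].strip() else None),
        })
    return rows


def mfa_coverage(rows, as_of, legacy_window_days=30):
    """Coverage per population (enforced / total), plus the exception lists
    an underwriter will ask about: who is not enforced, and who still signs
    in over legacy protocols within the window."""
    totals = defaultdict(lambda: {"total": 0, "enforced": 0})
    not_enforced, legacy = [], []
    cutoff = as_of - timedelta(days=legacy_window_days)
    for r in rows:
        t = totals[r["population"]]
        t["total"] += 1
        if r["enforced"]:
            t["enforced"] += 1
        else:
            not_enforced.append(r["user"])
        if r["last_legacy_auth"] and r["last_legacy_auth"] >= cutoff:
            legacy.append(r["user"])

    coverage = {pop: {**t, "percent": round(100 * t["enforced"] / t["total"], 1)}
                for pop, t in totals.items()}
    all_total = sum(t["total"] for t in totals.values())
    all_enforced = sum(t["enforced"] for t in totals.values())
    coverage["overall"] = {"total": all_total, "enforced": all_enforced,
                           "percent": round(100 * all_enforced / all_total, 1) if all_total else 0.0}
    return {
        "coverage": coverage,
        "not_enforced": sorted(not_enforced),
        "recent_legacy_auth": sorted(legacy),
        # populations short of the 100 percent baseline, for the exceptions list
        "below_baseline": sorted(p for p, t in coverage.items()
                                 if p != "overall" and t["percent"] < 100),
    }


def report_from_csv(text, as_of_iso, legacy_window_days=30):
    """Convenience wrapper: CSV text plus an ISO report date -> report dict."""
    return mfa_coverage(parse_export(text), date.fromisoformat(as_of_iso), legacy_window_days)


if __name__ == "__main__":
    rep = report_from_csv(SAMPLE_EXPORT, "2026-02-10")
    for pop, t in rep["coverage"].items():
        print(f"{pop:<10} {t['enforced']}/{t['total']} enforced ({t['percent']}%)")
    print("not enforced:", rep["not_enforced"])
    print("legacy auth in last 30 days:", rep["recent_legacy_auth"])
```

Service accounts show up in the report on purpose: they are the population most often excluded from MFA policies and most often the path a questionnaire answer of "100 percent" turns out not to cover.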
EDR deployment report
Console export showing agent deployment coverage across all endpoints and servers, agent version currency.
Backup test report
Date of most recent backup restoration test, systems tested, recovery time achieved, and attestation that backups are isolated from production.
Vulnerability scan summary
Most recent external and internal scan summary showing open critical and high vulnerabilities, remediation SLA compliance rate.
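The SLA compliance rate in this scan summary, the mean-time-to-patch figure from the vulnerability management section, and the known-vulnerability exclusion window from the exclusions section can all be derived from one scanner export. The script below is an added example, not the article's or any scanner vendor's tooling: it computes per-severity remediation metrics and lists open findings whose public disclosure age already exceeds a policy's exclusion window. The CSV layout, the SLA values and the sample findings are constructed assumptions.

```python
"""Vulnerability remediation SLA report from a scanner export.

Added example, not code from the article. Computes per-severity remediation
metrics and lists open findings whose public disclosure age already exceeds a
policy's known-vulnerability window. The CSV layout and the SLA numbers are
assumptions for illustration.
"""
import csv
import io
from datetime import date

# Assumed remediation SLAs in days, by severity (set these to your own policy).
DEFAULT_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed sample export: CVE publication date, date first detected by a
# scan, and fix date (blank while the finding is still open).
SAMPLE_SCAN = """\
id,asset,severity,published,first_seen,fixed
F1,web-01,critical,2026-01-05,2026-01-06,2026-01-10
F2,web-02,critical,2025-12-10,2025-12-12,2026-01-20
F3,vpn-01,critical,2025-12-20,2025-12-22,
F4,db-01,high,2026-01-15,2026-01-16,2026-02-01
F5,app-03,high,2026-01-25,2026-01-28,
F6,ws-112,medium,2025-10-01,2025-10-05,
"""


def _d(s):
    s = s.strip()
    return date.fromisoformat(s) if s else None


def parse_findings(text):
    """CSV text -> list of findings with typed dates."""
    return [
        {"id": r["id"], "asset": r["asset"], "severity": r["severity"].strip().lower(),
         "published": _d(r["published"]), "first_seen": _d(r["first_seen"]), "fixed": _d(r["fixed"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def sla_report(findings, as_of_iso, sla_days=DEFAULT_SLA_DAYS, exclusion_window_days=30):
    """Per-severity totals, mean days to fix, SLA compliance, and exclusion exposure.

    A finding is compliant if it was fixed within its SLA or is still open but
    not yet past it. Severities without an SLA entry are counted as compliant
    (nothing to breach). Open findings whose CVE has been public longer than
    exclusion_window_days are listed separately: exploitation of those is what
    a known-vulnerability exclusion would carve out of a claim.
    """
    as_of = date.fromisoformat(as_of_iso)
    by_sev, exposure, compliant_total = {}, [], 0
    for f in findings:
        sev = f["severity"]
        sla = sla_days.get(sev)
        s = by_sev.setdefault(sev, {"total": 0, "closed": 0, "open_past_sla": 0,
                                    "_fix_days": [], "_compliant": 0})
        s["total"] += 1
        if f["fixed"]:
            days = (f["fixed"] - f["first_seen"]).days
            s["closed"] += 1
            s["_fix_days"].append(days)
            ok = sla is None or days <= sla
        else:
            open_days = (as_of - f["first_seen"]).days
            ok = sla is None or open_days <= sla
            if not ok:
                s["open_past_sla"] += 1
            days_public = (as_of - f["published"]).days
            if days_public > exclusion_window_days:
                exposure.append({"id": f["id"], "asset": f["asset"],
                                 "severity": sev, "days_public": days_public})
        if ok:
            s["_compliant"] += 1
            compliant_total += 1

    report = {}
    for sev, s in by_sev.items():
        fix_days, compliant = s.pop("_fix_days"), s.pop("_compliant")
        s["mean_days_to_fix"] = round(sum(fix_days) / len(fix_days), 1) if fix_days else None
        s["compliance_pct"] = round(100 * compliant / s["total"], 1)
        report[sev] = s
    total = len(findings)
    return {
        "by_severity": report,
        "overall_compliance_pct": round(100 * compliant_total / total, 1) if total else 0.0,
        "exclusion_exposure": sorted(exposure, key=lambda e: e["id"]),
    }


if __name__ == "__main__":
    rep = sla_report(parse_findings(SAMPLE_SCAN), "2026-02-10")
    for sev, s in rep["by_severity"].items():
        print(f"{sev:<9} total={s['total']} closed={s['closed']} past_sla={s['open_past_sla']} "
              f"mttp={s['mean_days_to_fix']} compliance={s['compliance_pct']}%")
    print("overall compliance:", rep["overall_compliance_pct"], "%")
    for e in rep["exclusion_exposure"]:
        print("exclusion exposure:", e["id"], e["asset"], e["severity"], f"public {e['days_public']}d")
```

The exclusion-exposure list is the one to read first at renewal: a medium-severity finding that has been public for four months is outside a 30- or 90-day known-vulnerability window regardless of how your internal SLA ranks it.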
IR plan and tabletop summary
Current incident response plan document and a one-page summary of the most recent tabletop exercise including date, scenario, participants, and findings.
Security awareness training report
Training completion rate and most recent phishing simulation results by department.
The bottom line
Cyber insurance is no longer a risk transfer mechanism you can rely on without maintaining the controls it requires. Treat underwriter requirements as a useful security control checklist: the controls that reduce your claim frequency are the same controls that reduce your actual security risk. Build the evidence package as a living document, not a scramble at renewal time.
Frequently asked questions
What happens if we have a claim but did not meet all underwriter requirements?
If you misrepresented your security posture on the application (stated that MFA was deployed when it was not), the insurer can deny the claim based on material misrepresentation and potentially rescind the policy entirely. If you accurately disclosed gaps in your application and the insurer issued the policy with that knowledge, coverage denial is less likely. The risk is in the gap between stated controls and actual implementation, not in honestly disclosed control gaps. Work with your broker to accurately represent your actual posture rather than aspirational posture.
How often do cyber insurance requirements change?
Requirements have tightened every renewal cycle since 2021. Controls that were optional in 2020 (EDR, MFA on VPN) are now mandatory. Controls that are currently differentiators (ZTNA, 24/7 MDR) are likely to become standard requirements within 1 to 2 renewal cycles. Review the underwriting questionnaire for each renewal against the prior year to identify newly required controls. Build your security roadmap to stay ahead of anticipated requirement tightening.
Does cyber insurance cover ransomware payments?
Most cyber policies include ransomware coverage subject to conditions: the insurer must be notified before any payment decision, the insurer will typically direct you to a preferred ransomware negotiation firm, and payments to OFAC-sanctioned entities are always excluded. The insurer evaluates whether payment is necessary given backup availability and may decline to cover payment if they assess restoration without payment is feasible. Review your specific policy ransomware coverage language and confirm with your broker whether your backup posture affects coverage.
What is a cyber insurance retainer and how does it work?
Many cyber policies include access to a panel of pre-vetted incident response vendors (forensics firms, legal counsel, ransomware negotiators, public relations firms) at no additional cost within the policy. When you report an incident, the insurer's claims team connects you with panel vendors who begin work immediately billed against your policy. Using panel vendors is often contractually required for coverage to apply. Identify your insurer's panel vendors before an incident and ensure you have their emergency contact information accessible in your IR plan.
How do insurers verify the security controls we claim to have?
Verification methods have expanded beyond self-attestation: many insurers now use external scanning services (similar to EASM tools) to verify internet-facing controls, third-party security ratings (BitSight, SecurityScorecard) as application supplements, and control attestation during the claims process to verify controls were in place at incident time. Some insurers require an independent security assessment as a condition of coverage above certain policy limits. Assume that stated controls will be verified, particularly at claims time.
Should we use a cyber insurance broker or go direct?
Use a broker with dedicated cyber expertise. Cyber insurance policy language is highly technical and varies significantly between carriers. A specialist cyber broker (Marsh, Aon, Willis Towers Watson, or specialized cyber boutiques) understands how policy terms interact with real claim scenarios, can negotiate coverage terms and exclusions, and provides market access to multiple carriers for competitive comparison. Direct carrier applications may offer lower premiums in some cases but at the cost of negotiating expertise and market access that becomes critical at claim time.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
