
Cyber Insurance Requirements in 2026: What Your Carrier Actually Wants

Cyber insurance carriers have specific technical requirements. Here's what underwriters look for, what gets you denied, and how to pass the renewal questionnaire.

Sage Solutions 9 min read

Cyber insurance premiums have stabilized after three years of increases, but carriers have not loosened their requirements. If anything, the questionnaires are longer, the technical controls are more specific, and denials for gaps are faster.

If you are renewing a cyber liability policy or applying for the first time, here is what underwriters actually look for in 2026.

The baseline checklist

Every major carrier — Coalition, Corvus, Cowbell, Hartford, Chubb, Travelers — converges on roughly the same set of controls. Miss one and you risk denial or a premium surcharge.

1. Multi-factor authentication (MFA)

Required on: email (Microsoft 365, Google Workspace), VPN, RDP, all admin/privileged accounts, cloud management consoles.

What gets you denied: “We use MFA on email but not on our firewall admin panel.” Carriers want MFA on every external-facing login and every privileged account, period.

How to pass: Enforce conditional access policies in Azure AD / Google Admin. Disable legacy authentication protocols. Document it.

2. Endpoint detection and response (EDR)

Required on: every workstation and server, including Macs.

What carriers reject: basic antivirus (Defender free tier, Norton, McAfee consumer). They want a product with behavioral detection, automated response, and a managed SOC or MDR component.

Examples that pass: SentinelOne, CrowdStrike, Huntress + Defender for Business, Sophos MDR.

3. Immutable / air-gapped backup

Required: at least one backup copy that cannot be encrypted or deleted by ransomware. Carriers specifically ask whether backups are immutable or air-gapped.

What gets you denied: “We back up to a NAS in the server closet.” That NAS is on the same network as the endpoints — ransomware will encrypt it.

How to pass: Cloud backup with immutable retention (Axcient, Datto, Veeam with immutability enabled). Test restores quarterly. Document recovery time objectives.

4. Security awareness training (SAT)

Required: ongoing, not one-and-done. Carriers ask whether employees receive phishing simulations and training at least quarterly.

Products that pass: KnowBe4, Proofpoint Security Awareness, Huntress SAT, Curricula.

5. Patch management

Required: a documented patching cadence. Carriers ask: “How quickly are critical patches applied?” The right answer is 14 days or less for critical, 30 days for high.

What raises flags: “We patch when we get to it” or “our IT guy updates things manually.”
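A documented cadence is easier to prove when it is checked mechanically. The following is an added example, not the carrier's or Sage's tooling: it applies the 14-day critical / 30-day high targets cited above to a constructed patch inventory and flags every record, applied or still pending, that exceeds its limit. Hostnames, patch identifiers and dates are all constructed for the example.

```python
"""Patch SLA check against a severity-based deadline (example code added to
this article, not the provider's own tooling).  The inventory below is
constructed; the 14/30-day targets are the ones the article cites."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Days allowed from vendor release to installation, by severity.
# Medium/low are deliberately absent: the article states no target for them.
SLA_DAYS = {"critical": 14, "high": 30}


@dataclass
class PatchRecord:
    host: str
    patch_id: str            # constructed label, not a real KB/advisory number
    severity: str            # "critical", "high", or anything else (ignored)
    released: date           # vendor release date
    applied: Optional[date]  # None while the patch is still pending


def days_outstanding(rec: PatchRecord, today: date) -> int:
    """Days from release to installation, or to today if still pending."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days


def check_sla(records: List[PatchRecord], today: date) -> Tuple[bool, list]:
    """Return (compliant, violations).

    Each violation is (host, patch_id, days_outstanding, limit).  A pending
    patch counts against the clock too, so a box that was simply never
    patched shows up rather than being silently skipped."""
    violations = []
    for rec in records:
        limit = SLA_DAYS.get(rec.severity.lower())
        if limit is None:
            continue
        days = days_outstanding(rec, today)
        if days > limit:
            violations.append((rec.host, rec.patch_id, days, limit))
    return (len(violations) == 0, violations)


def report(records: List[PatchRecord], today: date) -> List[str]:
    """Human-readable lines suitable for attaching to a questionnaire answer."""
    ok, violations = check_sla(records, today)
    lines = [f"Patch SLA check as of {today.isoformat()}: "
             f"{'PASS' if ok else 'FAIL'} ({len(violations)} overdue)"]
    for host, pid, days, limit in violations:
        lines.append(f"  {host}: {pid} outstanding {days}d (limit {limit}d)")
    return lines


# Constructed sample inventory: two compliant records, two overdue.
TODAY = date(2026, 3, 1)
SAMPLE_RECORDS = [
    PatchRecord("srv01", "PATCH-001", "critical", date(2026, 2, 10), date(2026, 2, 20)),
    PatchRecord("srv02", "PATCH-002", "critical", date(2026, 1, 20), date(2026, 2, 15)),
    PatchRecord("ws03",  "PATCH-003", "high",     date(2026, 2, 1),  None),
    PatchRecord("srv04", "PATCH-004", "high",     date(2026, 1, 15), None),
    PatchRecord("ws05",  "PATCH-005", "medium",   date(2025, 12, 1), None),
]

if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS, TODAY):
        print(line)
```

Run as written, the sample flags srv02 (a critical patch installed 26 days after release) and srv04 (a high patch still pending at 45 days); ws03 is pending but inside its 30-day window, and the medium record is ignored because the article names no target for it. Feeding the function your RMM or WSUS export instead of the constructed list turns "we patch on a cadence" into evidence an underwriter can read.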

6. Email security

Required: advanced email filtering beyond native Exchange Online Protection. Carriers want to see a dedicated secure email gateway or advanced threat protection add-on.

Products that pass: Proofpoint, Mimecast, Microsoft Defender for Office 365 Plan 2, Abnormal Security.

7. Incident response plan

Required: a written plan, reviewed annually, that names roles, communication steps, and contains provider contact information.

What gets you denied: “We would figure it out.” Carriers want a document they can review. Our ransomware recovery checklist can serve as a starting template.

Controls that are becoming standard

These are not universal requirements yet, but a growing number of carriers ask about them:

  • Privileged access management (PAM) — separate admin accounts, just-in-time access, no shared credentials
  • Network segmentation — critical systems isolated from general user traffic, especially for PCI environments
  • DNS filtering — block known malicious domains at the network level
  • Vulnerability scanning — regular automated scans, not just annual penetration tests
  • Cyber hygiene scores — some carriers pull your public-facing posture from BitSight or SecurityScorecard. A low score can increase premiums even if your internal controls are strong

The questionnaire

Most carriers use a version of the Coalition or NetDiligence questionnaire. It typically runs 40-80 questions. The format varies, but the themes are consistent:

  1. Access controls — MFA, password policy, privileged access
  2. Endpoint protection — EDR, patching, mobile device management
  3. Data protection — backup, encryption at rest and in transit
  4. Email security — filtering, DMARC/DKIM/SPF, phishing training
  5. Network security — firewalls, segmentation, VPN
  6. Incident response — written plan, tested, roles assigned
  7. Third-party risk — vendor management, supply chain controls
  8. Business continuity — RTO/RPO defined, DR tested

How not to get denied

Three things trip up small businesses most often:

1. Legacy systems. A Windows Server 2012 R2 box in the closet, unpatched, running a line-of-business app. Carriers specifically ask about end-of-life operating systems. Migrate or isolate.

2. MFA gaps. You have MFA on email but not on the firewall admin panel, the RMM console, or the backup dashboard. One missed system is enough for a denial.

3. No documentation. You have the controls but cannot prove it. Carriers want to see policies, not promises. A managed IT provider should be able to produce attestation letters and configuration evidence on demand.
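The first two pitfalls above are both inventory questions, and the documentation pitfall is solved by answering them from data rather than memory. The block below is an added example, not Sage's own tooling: it runs the underwriter's MFA rule (every external-facing login and every privileged account) and the end-of-life rule (migrate or isolate) over a constructed asset list. The login names, hostnames and the end-of-support dates are assumptions made for the example; check vendor lifecycle pages before relying on the dates.

```python
"""Pre-renewal gap audit over a constructed inventory (example code added to
this article, not the provider's tooling).  Two checks: MFA coverage on
external-facing or privileged logins, and end-of-life operating systems
that have not been isolated."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Assumed end-of-support dates for this example only.
EOL_DATES = {
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2019": date(2029, 1, 9),
}


@dataclass
class LoginSurface:
    name: str
    external_facing: bool   # reachable from the internet
    privileged: bool        # admin or management-plane access
    mfa_enforced: bool      # enforced, not merely available


@dataclass
class Host:
    name: str
    os: str
    isolated: bool = False  # segmented off from user VLANs and the internet


def mfa_gaps(surfaces: List[LoginSurface]) -> List[str]:
    """Logins the underwriter expects MFA on that do not enforce it."""
    return [s.name for s in surfaces
            if (s.external_facing or s.privileged) and not s.mfa_enforced]


def eol_hosts(hosts: List[Host], today: date) -> List[Tuple[str, str]]:
    """Hosts past vendor end of support that are still on the general network.

    An isolated EOL box is reported nowhere here because the article's
    guidance is 'migrate or isolate'; unknown OS strings are skipped."""
    out = []
    for h in hosts:
        eol = EOL_DATES.get(h.os)
        if eol is not None and today > eol and not h.isolated:
            out.append((h.name, h.os))
    return out


def audit(surfaces: List[LoginSurface], hosts: List[Host], today: date) -> List[str]:
    """One finding per line, ready to paste into a remediation plan."""
    findings = [f"MFA not enforced: {name}" for name in mfa_gaps(surfaces)]
    findings += [f"End-of-life OS not isolated: {h} ({os})"
                 for h, os in eol_hosts(hosts, today)]
    return findings


# Constructed sample: MFA only on email, typical 'forgotten' admin panels.
SAMPLE_LOGINS = [
    LoginSurface("m365-email",       True,  False, True),
    LoginSurface("firewall-admin",   True,  True,  False),
    LoginSurface("rmm-console",      True,  True,  False),
    LoginSurface("backup-dashboard", False, True,  False),
    LoginSurface("internal-wiki",    False, False, False),
]
SAMPLE_HOSTS = [
    Host("srv-lob", "Windows Server 2012 R2"),
    Host("srv-iso", "Windows Server 2012 R2", isolated=True),
    Host("dc01",    "Windows Server 2019"),
]
TODAY = date(2026, 3, 1)

if __name__ == "__main__":
    for line in audit(SAMPLE_LOGINS, SAMPLE_HOSTS, TODAY):
        print(line)
```

On the sample data the audit reports three MFA gaps (the firewall panel, the RMM console and the backup dashboard, the exact systems named above) and one unisolated 2012 R2 server; the internal wiki is not flagged because it is neither external-facing nor privileged, and the isolated 2012 R2 box passes. The same output, dated and kept with the configuration screenshots that back it, is the kind of evidence a carrier accepts instead of a promise.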

What Sage does for cyber insurance renewals

Our Secure tier ($159/workstation) defaults to a stack that meets or exceeds the standard underwriter checklist: EDR, immutable backup, MFA enforcement, email filtering, SAT, patch management, and documented incident response.

When renewal time comes, we fill out the questionnaire with you and provide attestation letters where the carrier asks for them. If your current stack has gaps, we identify them during the free assessment and give you a written remediation plan before the renewal deadline.
