Compliance
What Your Cyber Insurance Renewal Will Likely Require in 2026
Renewals now look more like security audits than paperwork. Here is what underwriters are asking for, and how to get ready before your renewal date.
June 24, 2026 · 8 min read
If your cyber insurance renewal is coming up this year, expect a different experience than you had even two or three years ago. Applications have grown longer. Carriers are asking for proof, not promises. And the technical controls they want to see are specific enough that vague answers no longer satisfy underwriters.
For small and midsize businesses, especially law firms and accounting practices handling sensitive client data, a renewal that used to take an afternoon can now stall for weeks if the right documentation is not ready. This guide walks through what underwriters are commonly asking for in 2026, why the bar has moved, and how to prepare without a last-minute scramble.
What underwriters are asking for
Cyber insurance questionnaires vary by carrier, but in 2026 most applications converge on a consistent set of baseline requirements. If your organization cannot demonstrate these controls, expect follow-up questions, coverage exclusions, or higher premiums.
Multi-factor authentication for all users
MFA is no longer optional on any cyber insurance application. Carriers want to see it enforced for every user account, not just administrators. That includes email, remote access (VPN, remote desktop), and cloud platforms. "Available but not required" is not enough. Underwriters want confirmation that MFA is mandatory and that legacy authentication protocols that cannot carry a second factor, such as basic authentication for IMAP, POP3, and SMTP, have been blocked; if those stay open, a password alone still gets an attacker into the mailbox.
Endpoint detection and response (EDR)
Traditional antivirus is no longer sufficient for most carriers. Applications now ask whether you run endpoint detection and response software on all endpoints, including servers, workstations, and laptops. EDR provides behavioral monitoring and the ability to isolate compromised devices, which is a meaningful step beyond signature-based scanning.
Tested and documented backups
Carriers want to know that your backups exist, that they are stored separately from your production environment (ideally with at least one offline or immutable copy), and that you test restores on a regular schedule. We will cover what "tested" actually means in a section below.
Written incident response plan
Underwriters ask whether you have a documented plan for responding to a security incident. This does not need to be a 50-page binder. It does need to cover who is responsible for what, how you will contain an incident, who you will contact (legal counsel, your insurance carrier, your IT provider), and how you will communicate with affected parties.
Email authentication (DMARC)
Many applications now ask about email security controls, specifically whether you have SPF, DKIM, and DMARC configured for your domain. With DMARC at enforcement (a quarantine or reject policy), receiving mail servers are told to quarantine or reject messages that carry your domain in the From header but fail SPF and DKIM alignment. That shuts down the simplest form of spoofing, mail sent from elsewhere pretending to be you; it does nothing against a compromised real mailbox or a lookalike domain, which is why carriers ask about MFA and training alongside it. If you are not sure where your domain stands, our free domain security scan can give you a quick read.
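A practical way to answer the DMARC question before the underwriter does is to read the record yourself rather than trust a dashboard. The script below is an added example for this article, not code from the page's author or any vendor. It parses the TXT record published at `_dmarc.<domain>` (fetch it with `dig TXT _dmarc.example.com +short`; the records here are constructed, not any real domain's) and reports the gaps that keep a domain short of enforcement: `p=none`, a `pct` below 100, or a weaker subdomain policy. It also reads the terminal qualifier of an SPF record, since applications ask about SPF too. Domain names and report addresses are placeholders.

```python
"""Check whether a DMARC record is actually at enforcement.

Added example, not the page's or any vendor's code. Records below are
constructed; in practice fetch yours with: dig TXT _dmarc.example.com +short
"""
from __future__ import annotations

from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcAssessment:
    policy: str | None            # p= as published
    subdomain_policy: str | None  # sp= if present, else p= (RFC 7489 default)
    pct: int
    enforcing: bool               # True only if no gap was found
    findings: list[str] = field(default_factory=list)


def parse_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> DmarcAssessment:
    """Return the effective policy plus every reason it falls short of enforcement."""
    if not record:
        return DmarcAssessment(None, None, 100, False, ["no DMARC record published"])
    tags = parse_tags(record)
    findings: list[str] = []
    valid_version = tags.get("v", "").upper() == "DMARC1"
    if not valid_version:
        findings.append("record does not begin with v=DMARC1, so receivers ignore it")
    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("required p= tag is missing, so receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none is monitoring only; mail that fails DMARC is still delivered")
    elif policy not in ENFORCING:
        findings.append(f"unrecognised policy p={policy}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; receivers fall back to 100")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    # sp= defaults to p=; an explicit sp=none undoes enforcement for every subdomain.
    subdomain_policy = tags.get("sp", "").lower() or policy
    if policy in ENFORCING and subdomain_policy not in ENFORCING:
        findings.append(f"sp={subdomain_policy} leaves subdomains spoofable even though p={policy}")
    if "rua" not in tags:
        findings.append("no rua= address, so you get no aggregate reports of what is failing")
    enforcing = (
        valid_version and policy in ENFORCING and pct == 100 and subdomain_policy in ENFORCING
    )
    return DmarcAssessment(policy, subdomain_policy, pct, enforcing, findings)


def spf_qualifier(record: str | None) -> str | None:
    """Return the terminal 'all' mechanism of an SPF record ('-all', '~all', '?all', '+all')."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term.lower() if term[0] in "+-~?" else "+all"
    return None


SAMPLE_RECORDS = {  # constructed records, not real domains
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-rollout": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com",
    "weak-subdomains": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name:16} {'ENFORCED' if result.enforcing else 'NOT ENFORCED'}")
        for finding in result.findings:
            print(f"    - {finding}")
    print("SPF terminal qualifier:", spf_qualifier("v=spf1 include:_spf.example.net -all"))
```

Only the "enforced" sample comes back clean. The "partial-rollout" record says reject but a `pct=25` means three quarters of spoofed mail is still delivered, and the "weak-subdomains" record protects `example.com` while leaving `anything.example.com` open; both are records that would let you tick the box in good faith and still fail the underwriter's follow-up.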
Privileged access controls
Carriers want to know how you manage accounts with elevated permissions. This includes limiting the number of global or domain administrators, using separate admin accounts (not the same account used for daily email), and reviewing privileged access on a regular basis. The principle is simple: the fewer accounts with broad access, the smaller the blast radius if one is compromised.
Employee security awareness training
Most applications ask whether employees receive regular security awareness training, and some ask how frequently and whether it includes phishing simulations. Annual training is the minimum most carriers will accept. Quarterly is becoming the expectation for firms handling regulated data.
Why requirements have tightened
The shift did not happen overnight, but it accelerated sharply between 2021 and 2024. Ransomware claims drove payouts to levels that forced carriers to either raise premiums dramatically, tighten underwriting standards, or exit the market. Business email compromise (BEC) losses added to the problem, with attackers redirecting wire transfers and invoice payments through impersonated email accounts.
Carriers responded by requiring the controls that, based on claims data, most directly reduce the likelihood and severity of incidents. MFA blocks the majority of credential-based attacks. EDR catches threats that signature-based tools miss. Tested backups reduce ransomware leverage. Incident response plans shorten containment time. These are not theoretical best practices. They are the controls that correlate with fewer and smaller claims.
The result is that a cyber insurance application in 2026 functions as a de facto security audit. That can feel burdensome, but it also means that preparing for your renewal naturally improves your actual security posture.
What "tested backups" actually means
This is one of the most misunderstood requirements. Many businesses assume that having an automated backup running is sufficient. It is not. Underwriters are asking whether you have verified that your backups work by actually restoring data from them.
Here is what a credible backup testing practice looks like:
- Perform test restores on a defined schedule (quarterly is a reasonable starting point for most small businesses).
- Restore a meaningful sample of data, not just a single file, to confirm that full system or mailbox recovery works.
- Document the date, scope, and outcome of each test restore, including any failures and how they were resolved.
- Keep those records where you can produce them during the renewal process.
- Confirm that at least one backup copy is stored offline or in an immutable format, so ransomware that reaches your network cannot encrypt or delete it along with everything else.
If your backup vendor dashboard shows green checkmarks every day but you have never tried a restore, you cannot honestly answer "yes" to the tested backups question on your application. More importantly, you do not actually know whether your backups will save you in an incident.
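What "verified that your backups work" can look like in practice, as an added example that is not part of the original article and not any backup vendor's code: hash every file when the backup is taken, restore to a scratch location, compare, and write a dated record of scope and outcome. It assumes a plain directory restore (a mailbox or VM export works the same way once it is on disk), a SHA-256 manifest saved with the backup, and a `restore-tests.jsonl` log; the sample files, the temp directory, and the deliberate corruption are constructed so it runs offline.

```python
"""Verify a test restore against a backup manifest and log the outcome.

Added example, not the page's or any vendor's code. Sample data and the
simulated bad restore are constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file, taken when the backup is made."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path, scope: str) -> dict:
    """Compare a restored tree to the manifest; return the test-restore record."""
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "scope": scope,
        "files_expected": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "outcome": "PASS" if not (missing or corrupt) else "FAIL",
    }


def append_record(log_path: Path, record: dict) -> None:
    """One JSON line per test restore: the evidence you produce at renewal."""
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: back up three files, restore, optionally break the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "acme.docx").write_bytes(b"A" * 2048)
        (src / "clients" / "ledger.xlsx").write_bytes(os.urandom(4096))
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(src)          # saved alongside the backup

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)          # stands in for the real restore job
        if tamper:                              # a silently bad restore: one file short, one truncated
            (restored / "clients" / "ledger.xlsx").write_bytes(b"truncated")
            (restored / "readme.txt").unlink()

        record = verify_restore(manifest, restored, scope="clients share, quarterly test")
        append_record(Path(tmp, "restore-tests.jsonl"), record)
        return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the record is that a failure is evidence too: a FAIL entry with the missing and corrupt paths, followed by a PASS entry once the cause is fixed, is exactly the "including any failures and how they were resolved" history the questionnaire asks for, and it is worth far more than a row of green checkmarks.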
Common gaps that delay renewals
Based on what we see working with small businesses preparing for renewals, these are the issues that most often cause delays, follow-up questions, or unfavorable terms:
- No written incident response plan. Many businesses have an informal understanding of what they would do, but nothing documented. Underwriters want a written plan, even a short one.
- MFA not enforced for all users. It is common for MFA to be enabled for most users but not actually required, or for a few accounts (often shared mailboxes or service accounts) to be exempted. Carriers notice the gap.
- No backup testing evidence. Backups run automatically, but no one has performed or documented a test restore. This is one of the easiest gaps to close, but it requires discipline to maintain.
- DMARC not at enforcement. Many domains have a DMARC record, but it is set to "none" (monitoring only), which does not prevent spoofing. A record that says "reject" but carries a pct value below 100, or an sp=none subdomain policy, leaves a similar gap. Carriers increasingly ask for quarantine or reject policies applied to all mail.
- Outdated or missing security training records. Training may have happened once, but without records showing ongoing, regular sessions, it is difficult to demonstrate compliance on the application.
How to prepare
The best time to start preparing for a cyber insurance renewal is at least 90 days before your renewal date. That gives you enough runway to identify gaps, implement changes, and gather the documentation you will need.
A practical approach:
- Pull a copy of your current application or your carrier's latest questionnaire. Read every question and note where you are unsure of the answer.
- For each control area (MFA, EDR, backups, incident response, email security, privileged access, training), confirm what is in place and gather evidence: screenshots, configuration reports, training completion records, restore logs.
- Where you have gaps, prioritize based on what carriers weight most heavily: MFA and EDR are typically non-negotiable, followed by backups and incident response.
- Write down your incident response plan if you do not have one. A two-page document that covers roles, escalation contacts, containment steps, and communication procedures is a solid starting point.
- Schedule a backup test restore now, and put recurring restores on the calendar going forward.
- Review your DMARC policy and move toward enforcement if you are still at "none."
For a detailed breakdown of individual controls with checklist items, see our cyber insurance requirements checklist. For help preparing across all of these areas, our cyber insurance readiness services page explains how we work with businesses to close gaps before renewal time.
Key takeaways
- Cyber insurance applications in 2026 function as security audits. Carriers want proof, not promises.
- MFA for all users, EDR, tested backups, and a written incident response plan are baseline expectations.
- The most common gaps are missing incident response plans, partial MFA enforcement, and untested backups.
- Start preparing at least 90 days before your renewal date to avoid delays and unfavorable terms.
Cyber insurance renewal questions
What are the most common cyber insurance requirements in 2026?
Most cyber insurance applications now require multi-factor authentication for all users, endpoint detection and response on every device, tested and documented backups, a written incident response plan, email authentication (DMARC), privileged access controls, and evidence of employee security awareness training.
What does "tested backups" mean for cyber insurance?
Tested backups means you regularly restore data from your backups on a schedule, verify that the restored data is usable, and document the results. Simply having backups running is not enough. Underwriters want proof that your backups actually work when you need them.
Can I get cyber insurance without MFA?
It is very difficult. Nearly all cyber insurance carriers now require MFA for remote access, email, and privileged accounts as a minimum. Some carriers will decline to quote entirely if MFA is not enforced across all users.
How far in advance should I prepare for a cyber insurance renewal?
Start at least 90 days before your renewal date. This gives you time to close any gaps, gather documentation, and avoid last-minute scrambles that can delay your renewal or result in higher premiums.
Get renewal-ready before your next due date
Book a Security Fit Call and we will walk through what your carrier is likely to ask, where you stand today, and what to prioritize first.