In 2026, cyber insurers require a baseline set of verified controls before they will bind or renew coverage: phishing-resistant multi-factor authentication on email, remote access, and privileged accounts; endpoint detection and response (EDR/MDR) with continuous monitoring; tested, immutable or offline backups (3-2-1); a dated, exercised incident response plan; timely patching with no unsupported end-of-life systems; privileged access management; email security and security awareness training; and network segmentation. Underwriting is now evidence-based: most carriers run external attack-surface scans and want proof (screenshots, deployment reports, restore-test logs), not just a checked box. Overstating controls can void a policy.
Cyber insurance has shifted from a checkbox formality to an evidence-based security review. Carriers now treat your security posture as the underwriting decision itself, and they verify it independently. This page lays out the controls insurers require in 2026, how to answer the questionnaire without putting your policy at risk, what ransomware coverage specifically demands, how stronger controls move you toward better terms, and a 30-day plan to get ready before a renewal or binding deadline. It is vendor-neutral guidance first. Where Cyvatar genuinely covers a required control, the mapping section makes that explicit, and where it does not, the same control is presented as general best practice.
The controls cyber insurers require
Underwriting in 2026 is built around a recognizable set of controls. The list below is the core of nearly every modern cyber-insurance questionnaire. Each entry pairs the control with the reason carriers ask for it, because understanding the why is what helps you answer accurately and prioritize correctly.
- Phishing-resistant MFA on email, remote/VPN access, and privileged or admin accounts (and the backup console)
  Why insurers want it: Stolen or reused credentials are the most common entry point for ransomware and business email compromise. MFA is the single most universally required control and is often a condition of binding coverage at all. FIDO2 or hardware-key methods are increasingly preferred over SMS.
- Endpoint detection and response (EDR) or managed detection and response (MDR) with continuous monitoring across every workstation, laptop, and server
  Why insurers want it: EDR/MDR catches and contains intrusions before they spread to full network encryption. Carriers now expect coverage on every endpoint plus monitoring hours (ideally around the clock), because partial deployment leaves blind spots attackers exploit.
- Tested, immutable or offline backups following 3-2-1 (3 copies, 2 media types, 1 offsite), with documented restore tests
  Why insurers want it: Attackers deliberately target backups in a large share of ransomware incidents. Backups that are immutable, segregated, and proven recoverable let a victim restore without paying, which directly reduces the insurer's ransomware loss. Untested backups are treated as no backups.
- Documented, dated, and exercised incident response (IR) plan
  Why insurers want it: A practiced IR plan shortens dwell time and breach cost. Carriers ask for the plan and evidence it was tabletop-tested in the last 12 months, because faster, organized response lowers claim severity.
- Timely patch management and no unsupported end-of-life (EOL) hardware, OS, or software
  Why insurers want it: Unpatched and EOL systems are a leading exploited weakness. Insurers may exclude losses tied to known-unpatched or unsupported systems, so a current patch cadence and a clean legacy-system inventory protect both eligibility and claim payment.
- Privileged access management (PAM) and least-privilege admin controls
  Why insurers want it: Compromised admin accounts let attackers disable defenses and deploy ransomware enterprise-wide. Separating, vaulting, and monitoring privileged credentials limits the blast radius of any single compromise.
- Email security / secure email gateway plus user security awareness training
  Why insurers want it: Phishing remains the top initial-access vector. Mailbox-level filtering and recurring trained-user testing reduce the click-through that starts most incidents; carriers often ask for 12 months of training completion records.
- Network segmentation
  Why insurers want it: Flat networks let one foothold become a full encryption event. Segmenting critical systems and backups contains lateral movement and is increasingly a named ransomware-coverage precondition.
- External attack-surface and vulnerability management
  Why insurers want it: Roughly three in four carriers now run their own external scans during underwriting. Exposed services, open ports, and known vulnerabilities visible from the internet directly affect eligibility and pricing, so managing the external surface before applying matters.
- Logging, monitoring, and security event visibility (SOC or 24/7 monitoring coverage)
  Why insurers want it: Insurers ask what is monitored and during what hours. Continuous detection and retained logs enable faster containment and support post-incident forensics, both of which reduce loss.
Every control above maps to a known ransomware or breach entry point: stolen credentials, unmanaged endpoints, deleted backups, slow response, unpatched and EOL systems, over-privileged admins, phishing, flat networks, and exposed external surface. If you close those, you are closing the same gaps an attacker would use. That is the connection between continuous remediation and insurance readiness.
How to pass the security questionnaire
Treat the questionnaire as a security audit, not a marketing form. In 2026, applications run 12 to 20 pages with line-by-line control questions, and carriers verify answers independently (most run external scans). The single most important rule: answer honestly and precisely.
Every major carrier has a misrepresentation clause. Overstating your posture can lead to rescission, where the policy is voided from inception, the claim is denied, and prior payouts can be clawed back. An impressive answer you cannot prove is worse than an accurate one with a remediation note.
Before you answer, inventory the truth: which exact systems have MFA (email, VPN, admin, backup console), what percent of endpoints run EDR and who monitors it and during what hours, your patch cadence and any EOL systems, your backup type (immutable/offline) and last successful restore test date, and your IR plan date and last tabletop. Then assemble a proof packet to back each answer:
- MFA enforcement screenshots showing the policy applied across email, remote access, admin accounts, and the backup console.
- EDR coverage reports showing the percent of endpoints and servers covered and who monitors them.
- Backup and restore-test logs with the date of the last successful restore.
- Training completion records, ideally 12 months of them.
- The dated IR plan and evidence of the most recent tabletop.
If a control is partial, say so accurately and note your remediation timeline rather than rounding up. Have the person who can actually produce the evidence answer the questions, and keep the completed questionnaire and proof on file for the policy term.
Ransomware coverage requirements
Ransomware is the loss carriers most actively manage, so coverage carries the strictest conditions. Common 2026 terms:
- MFA attestation. Multi-factor authentication is required on all remote access, email, and privileged accounts as a precondition of ransomware coverage.
- Proof of tested backups. Backups must be immutable or offline and segregated, with documented restore tests, because attackers target backups in a large share of incidents and insurers want recovery without payment.
- EOL and unpatched-system exclusions. Coverage may not apply if the loss is linked to unsupported or known-unpatched systems.
- Ransomware sub-limits. A policy may cap ransomware specifically well below the overall aggregate (for example a smaller ransomware sub-limit inside a larger policy).
- Co-insurance. The policyholder shares a percentage of the ransom or recovery cost rather than the carrier covering it in full.
- Often-required supporting controls. Privileged access management, network segmentation, EDR/MDR, and continuous monitoring are commonly named.
Some carriers also require pre-approval before any ransom payment and engagement of the insurer's incident response panel. Read the sub-limit, co-insurance, retention, and exclusion language carefully, since these determine how much of an actual ransomware loss is truly covered. For the prevention side of this equation, the ransomware continuous remediation program explains how closing those same gaps stops the incident before it triggers the policy at all.
How to lower your premium
Security maturity affects both whether you can get coverage and the terms you get. Carriers price on demonstrated risk, so organizations that can prove the core controls (MFA, EDR/MDR, tested immutable backups, patching with no EOL systems, IR plan, PAM, segmentation, training) are more likely to be quoted, to receive broader terms, and to avoid the restrictive sub-limits, higher retentions, and co-insurance that get applied to weaker applicants.
Better controls also reduce the chance of mid-term non-renewal and of a denied claim after an incident. Because underwriting is now evidence-based, reducing your externally visible attack surface before you apply (closing exposed services, remediating known vulnerabilities, retiring EOL systems) can directly improve how a carrier scores you, since most run their own external scans. Insurers and brokers will often share findings and recommendations; acting on them before renewal strengthens your next quote.
No control set guarantees a specific price, and pricing varies by carrier, industry, revenue, and claims history. But the consistent pattern is that provable controls move you toward better eligibility and terms, while gaps move you toward exclusions, sub-limits, and surcharges.
Get insurance-ready before your renewal
If a renewal or binding deadline is close, prioritize the controls carriers verify first and the proof they ask for, in order.
Lock the basics
Enforce MFA on email, remote/VPN access, all admin/privileged accounts, and the backup console, then capture enforcement screenshots. Confirm EDR/MDR is deployed on every endpoint and server and pull a coverage report. Run a backup restore test and document the date and result.
Close the gaps
Close or remediate anything exposed on your external attack surface (open ports, known vulnerabilities, exposed admin interfaces), since most carriers scan it. Inventory and isolate or retire EOL systems and confirm patch cadence. Stand up or update a dated incident response plan and run a short tabletop.
Assemble the proof
Assemble the proof packet (MFA screenshots, EDR coverage, backup/restore logs, training completion records, dated IR plan) and complete the questionnaire honestly with evidence behind each answer.
For any control you cannot fully close before the deadline, document an accurate current state plus a remediation timeline rather than overstating, and loop in your broker early so the carrier sees a credible, improving posture. When internal bandwidth is short, a managed security program can stand these controls up and quickly produce the deployment and monitoring reports underwriters typically ask for. Cyvatar delivers full lockdown in 30 days or less. The companion playbook for the recovery side of this timeline lives at how to recover from ransomware in 30 days.
How Cyvatar maps to what insurers require
Cyvatar is a managed cybersecurity program that deploys and operates security controls for you, then produces the deployment and monitoring reports underwriters typically ask for (acceptance is always the carrier's decision). The table below maps each insurer requirement to the Cyvatar solution that covers it. Where a requirement is marked General guidance, Cyvatar does not deliver it as a managed product, so it is listed as a best practice to handle separately rather than a Cyvatar claim.
| Insurer requirement | Coverage | Solution and how it maps |
|---|---|---|
| MFA on email and remote access | Cyvatar covers | Multi-Factor Authentication (MFA). Enforced on email, critical apps, and admin accounts (Okta when fully managed), supporting the email and remote-access intent insurers verify. |
| Endpoint detection / EDR or MDR | Cyvatar covers | Secure Endpoint Management (SEM). Next-generation endpoint protection (SentinelOne) plus 24/7 SOC endpoint monitoring (Red Canary), bundled, with built-in ransomware prevention and active threat hunting. |
| Immutable and tested backups | General guidance | Not a Cyvatar managed product. As a best practice, run immutable or offline backups on a 3-2-1 pattern and test restores on a documented cadence. Handle through a dedicated backup and disaster-recovery provider. |
| Incident response plan / IR retainer | Cyvatar covers | Incident Response Program. Program design and best practices plus IR partner coordination (Booz Allen Hamilton and other referrals) so a retainer is in place. Cyvatar runs the IR program and governance layer; it does not replace the IR firm. |
| Email filtering / anti-phishing | Cyvatar covers | Email Security Management (ESM). Anti-phishing inbound blocking and impersonation protection (AI email gateway, gap analysis, and guidance). |
| Vulnerability management and patching | Cyvatar covers | Threat & Vulnerability Management (TVM). Internal, external, web-application, and host scanning (Tenable-powered), patching cadence aligned to today's threat landscape, and non-patch remediation. |
| Privileged / admin access control | Cyvatar covers | Multi-Factor Authentication (MFA) with identity and access management. Least-privilege enforcement, conditional access policies, and MFA on admin accounts (Okta when fully managed). Covers privileged access via enforcement and policy; not sold as a standalone PAM product. |
| Security awareness training | Cyvatar covers | Security Awareness Training / Human Risk Protection (SAT-HRP). Security awareness training (Curricula) plus phishing simulations. |
| Removal of end-of-life software | General guidance | Not a Cyvatar managed product. As a best practice, inventory and retire unsupported end-of-life hardware, OS, and software so insurers cannot tie a loss to a known-EOL system. TVM scanning surfaces deprecated protocols for visibility, but Cyvatar does not inventory or remove end-of-life systems. |
| Network segmentation | General guidance | Not a Cyvatar deliverable. As a best practice, segment critical systems and backups to contain lateral movement, typically handled by your IT or infrastructure provider. Cyvatar's 24/7 network monitoring detects lateral movement after the fact but does not design or implement segmentation. |
Cyvatar's cyber-insurance offering is a partnership with Sophos MDR and Spektrum Labs. The preferred terms are surfaced through that program and its continuous control validation, not set or guaranteed by Cyvatar.
Through that program, Spektrum's network includes carriers such as Tokio Marine HCC, Elpha Secure, and HSB (Hartford Steam Boiler) and brokers such as Acrisure and Limit. Specific perks (such as reduced incident-response retentions or premium discounts) depend on carrier underwriting and eligibility, and program terms can change. (Sophos's 2025 study reported that MDR customers claimed 97.5% less on average.)
Frequently asked questions
What security controls do cyber insurers require to get coverage in 2026?
At minimum: phishing-resistant MFA on email, remote access, and privileged accounts; EDR or MDR with continuous monitoring across all endpoints and servers; tested, immutable or offline backups (3-2-1); a dated and exercised incident response plan; timely patching with no unsupported end-of-life systems; privileged access management; email security plus security awareness training; and network segmentation. Underwriting is now evidence-based, so most carriers also run external attack-surface scans and want proof (screenshots, deployment reports, restore-test logs) rather than just a checked box.
How do I pass a cyber insurance security questionnaire?
Answer honestly and precisely, and back every answer with evidence. The 2026 application reads like a security audit (12 to 20 pages of line-by-line control questions), and carriers verify answers independently. Before answering, confirm exactly which systems have MFA, your EDR coverage and monitoring hours, your patch cadence and any EOL systems, your backup type and last restore-test date, and your IR plan date. Assemble a proof packet (MFA screenshots, EDR coverage reports, backup and restore logs, training records, the dated IR plan). Never overstate: misrepresentation can void the policy from inception and get a claim denied, with prior payouts clawed back. If a control is partial, state it accurately and note your remediation timeline.
What are the ransomware coverage requirements for cyber insurance?
Ransomware carries the strictest conditions. Expect an MFA attestation across remote access, email, and privileged accounts; proof of tested, immutable or offline backups with documented restore tests; and exclusions for losses tied to unpatched or end-of-life systems. Many policies also apply a ransomware sub-limit (a cap on ransomware lower than the overall policy) and co-insurance (you share a percentage of the loss). Supporting controls such as privileged access management, network segmentation, and 24/7 monitoring are commonly required, and some carriers require pre-approval before any ransom payment. Read the sub-limit, co-insurance, retention, and exclusion language closely, since those determine how much of a real loss is covered.
How can a small business lower its cyber insurance premium with better security?
Carriers price on demonstrated risk, so provable controls improve eligibility and terms and help you avoid the sub-limits, higher retentions, and co-insurance applied to weaker applicants. Focus on the controls insurers verify: MFA everywhere it matters, EDR/MDR on all endpoints, tested immutable backups, patching with no EOL systems, an IR plan, PAM, segmentation, and training. Because most carriers run external scans, reducing your internet-facing attack surface (closing exposed services, fixing known vulnerabilities, retiring EOL systems) before you apply can directly improve how they score you. No control guarantees a specific price, since rates vary by carrier, industry, revenue, and claims history, but stronger provable controls consistently move you toward better terms.
Do MFA and endpoint detection help me qualify for cyber insurance?
Yes. MFA is the most universally required control and is frequently a condition of binding coverage at all, especially on email, remote/VPN access, and privileged or admin accounts. EDR (or MDR) with monitoring across all endpoints and servers is the other near-universal expectation. Together they address the two most common ransomware and breach entry points (stolen credentials and unmanaged endpoints), so having both deployed and being able to prove coverage materially improves your eligibility and terms. Carriers increasingly want phishing-resistant MFA methods and evidence of full endpoint coverage, not partial deployment.
My cyber insurance renewal requires a managed security program. Who provides one?
A managed security program means having the required controls operated and monitored continuously, with coverage and monitoring reports you can submit with your application, rather than tools sitting unmanaged. Managed detection and response (MDR) providers, managed security service providers (MSSPs), and outcome-based managed cybersecurity services deliver this: they stand up and run MFA, EDR/MDR, monitoring, vulnerability management, backup oversight, and reporting, and produce the deployment and monitoring reports carriers typically ask for. When evaluating providers, confirm they cover the specific controls your questionnaire lists, monitor across all endpoints, and can generate that evidence (deployment reports, monitoring logs, attestations) on your timeline. Acceptance is always the carrier's decision.
What is the fastest way to become cyber insurance ready before a renewal deadline?
Work in priority order. First (days 1 to 7): enforce MFA on email, remote access, admin accounts, and the backup console, confirm EDR/MDR on every endpoint and server, and run and document a backup restore test. Next (days 7 to 20): remediate your external attack surface (carriers scan it), inventory and isolate or retire EOL systems, confirm patch cadence, and update and tabletop a dated incident response plan. Finally (days 20 to 30): assemble the proof packet and complete the questionnaire honestly with evidence behind each answer. For any control you cannot fully close in time, document the accurate current state and a remediation timeline instead of overstating, and engage your broker early. A managed security program can stand these controls up and produce the evidence quickly when internal bandwidth is short. Cyvatar delivers full lockdown in 30 days or less.
Check Your External Attack Surface First
Cyvatar's free Am I Exposed? scan reviews your internet-facing attack surface, the same kind of external view many carriers assess during underwriting. Run it first, fix what it finds, then apply.