Why Renewals Got Harder
Cyber insurance premiums stabilized in 2024 and 2025 after years of hardening, but underwriting rigor did not ease — it deepened. In 2026, applications are longer, evidence is verified (not just attested), and sub-limits are tighter for social engineering and ransomware. SMBs that invested in controls are seeing premiums hold or drop; those that attested without evidence are seeing non-renewals. This post walks through what underwriters actually want to see.
The Twelve Controls Underwriters Verify in 2026
1. MFA Everywhere — Including Email, VPN, and Privileged Access
Not just user email. Underwriters ask about MFA on domain admins, VPN, RMM tools, and any system exposed to the internet. Attested "all users" is no longer enough — they want a policy and sample screenshots.
2. Endpoint Detection and Response (EDR/MDR)
Legacy antivirus typically disqualifies you at top carriers. Expect to name your EDR or MDR vendor and confirm 100 percent coverage. See EDR vs MDR vs XDR.
3. Tested, Segregated Backups
Backups must be immutable or offline-capable, with documented restore tests. Expect questions about recovery point and recovery time objectives.
4. Privileged Access Management
Separate admin accounts, limited scope, and rotation of local admin passwords (LAPS or equivalent).
5. Email Security: DMARC Enforced, Phishing Defenses
DMARC at quarantine or reject, sandboxing, and user reporting flow. See our email authentication guide.
6. Security Awareness Training With Phishing Simulations
Annual training and regular phishing simulations with metrics. Carriers sometimes request click rates.
7. Patch Management Cadence
A written cadence (for example, critical in 7 days, high in 30), with evidence you meet it for at least 95 percent of assets.
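Added here as a worked example, not code from the original post: a small Python calculator that turns a findings export into the SLA-attainment figure the cadence above calls for, using the post's critical-in-7-days and high-in-30-days windows and its 95 percent target. The medium window, the asset names and the dates are constructed assumptions; the calculator counts only findings that are closed or already past due, so open findings still inside their window neither inflate nor deflate the number, and a bucket with nothing measured reports no evidence rather than 100 percent.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Cadence from the post: critical within 7 days, high within 30, counted from detection.
# The medium window is an assumption; set it to your own written policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
TARGET_PCT = 95.0  # attainment level the post says underwriters expect evidence for

@dataclass
class Finding:
    asset: str
    severity: str
    detected: date
    remediated: Optional[date]  # None means still open

def is_in_sla(f: Finding, as_of: date) -> Optional[bool]:
    """True/False once a finding is measurable; None while open and not yet due."""
    due = f.detected + timedelta(days=SLA_DAYS[f.severity])
    if f.remediated is not None:
        return f.remediated <= due
    return None if as_of <= due else False  # open past due counts as a miss

def summarize(results: list) -> dict:
    measured, met = len(results), sum(1 for r in results if r)
    pct = round(100.0 * met / measured, 1) if measured else None  # None: no evidence, not 100%
    meets = (pct >= TARGET_PCT) if pct is not None else None
    return {"met": met, "measured": measured, "pct": pct, "meets_target": meets}

def sla_attainment(findings: list, as_of: date) -> dict:
    """Per-severity and overall attainment for the renewal evidence pack."""
    buckets = {sev: [] for sev in SLA_DAYS}
    for f in findings:
        result = is_in_sla(f, as_of)
        if result is not None:  # open findings inside their window are not yet measurable
            buckets[f.severity].append(result)
    report = {sev: summarize(res) for sev, res in buckets.items()}
    report["overall"] = summarize([r for res in buckets.values() for r in res])
    return report

# Constructed sample export (hypothetical assets and dates), evaluated as of 1 March 2026.
AS_OF = date(2026, 3, 1)
SAMPLE_FINDINGS = [
    Finding("fs01", "critical", date(2026, 2, 1), date(2026, 2, 5)),   # met (due 8 Feb)
    Finding("fs02", "critical", date(2026, 2, 1), date(2026, 2, 12)),  # missed
    Finding("vpn01", "critical", date(2026, 2, 26), None),            # open, not yet due
    Finding("ws10", "high", date(2026, 1, 1), date(2026, 1, 20)),      # met (due 31 Jan)
    Finding("ws11", "high", date(2026, 1, 1), None),                   # open and overdue: miss
    Finding("ws12", "high", date(2026, 1, 15), date(2026, 2, 10)),     # met (due 14 Feb)
    Finding("ws13", "high", date(2026, 1, 20), date(2026, 2, 15)),     # met (due 19 Feb)
]
```

Run `sla_attainment(SAMPLE_FINDINGS, AS_OF)` to get the per-severity rows; on the constructed sample the overall figure is 4 of 6 measured (66.7 percent), which is the kind of gap an underwriter would flag against the 95 percent target.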
8. Vulnerability Management and External Attack Surface
Authenticated scans and external exposure monitoring. Internet-exposed RDP is a near-automatic decline.
9. Written Incident Response Plan and Tabletop
Plan in writing, tested in the last 12 months, with named roles and external partners.
10. Vendor Risk Management
Inventory, tiered risk, contractual security requirements, and breach notification clauses.
11. Logging and Retention
Central logging with at least 6–12 months of retention, covering identity, endpoint, and firewall.
12. Microsoft 365 Hardening Specifically
Disabled legacy auth, conditional access, mailbox auditing, and admin consent workflows. Expect targeted M365 questions.
Sub-Limits That Changed in 2026
Expect explicit sub-limits on social engineering (BEC), cryptojacking, systems failure, and waiting periods for business interruption. Ransom payment coverage is increasingly subject to OFAC compliance attestations and negotiation panels. Read your policy — or have counsel read it — before renewal.
Evidence to Prepare for Your Renewal
A one-page control summary mapped to the carrier's questionnaire
Screenshots of MFA policy, EDR coverage report, backup restore test log
DMARC report showing policy at quarantine or reject
Patch report with SLA attainment by severity
Tabletop after-action memo
Training completion report
California Nuance
California underwriters frequently ask about CCPA notice history and wildfire risk to primary data center locations (even if cloud-hosted). Orange County applicants are commonly asked about wildfire contingency and PSPS (public safety power shutoff) effects — see our post on wildfire and DR.
Frequently Asked Questions
Our broker says we are fine — is that enough?
Brokers can only speak to what you told them. Evidence packs protect you at renewal, mid-term audits, and claims.
Does cyber insurance replace security investments?
No. It is a financial backstop, not a substitute for controls. Many claims are denied or reduced for failure to maintain attested controls.
How long does the application take?
Budget 10–20 hours of internal time for a mid-sized SMB, more if evidence is not already centralized.
Will our premium go down if we add MDR?
Often yes, especially when paired with improvements in MFA and backups. Ask your broker for rematerialization at mid-term.
We Can Help You Prepare
BitBlockIT helps Orange County SMBs build renewal-ready evidence packs and close the exact gaps underwriters flag.
Contact us or explore managed cybersecurity. Related: compliance posts and ransomware prevention.