Cyber insurance used to be a checkbox and a credit-card number. Today it’s an underwriting process with a security audit attached — and the gap between what businesses say on the application and what they’ve actually implemented is where claims quietly die.

What controls do cyber insurance carriers require in 2026?

At minimum: multi-factor authentication, endpoint detection and response, immutable and tested backups, network segmentation, email security, and security awareness training. After years of heavy ransomware losses, carriers rebuilt their questionnaires around the specific controls that reduce ransomware frequency and severity — the same ones Verizon’s annual DBIR repeatedly ties to breach prevention.

MFA on email, VPN/remote access, and all admin accounts
EDR or managed detection & response (MDR) on endpoints
Immutable, offsite backups with tested restores
Network segmentation separating critical systems
Advanced email filtering and phishing defense
Documented security awareness training with phishing simulations
A written, tested incident response plan

Why do claims actually get denied?

Not usually because a control was missing outright — because the application was inaccurate. The questionnaire you sign is treated as a warranty. If you attest that MFA is enforced on every admin account and a post-breach forensic investigation finds one service account without it that the attacker used, the carrier has grounds to reduce or deny the claim.

Every renewal
carriers tighten controls — many businesses renew into non-compliance without realizing it
Source: Industry underwriting trend

What’s the difference between being insurable and being covered?

Insurable means a carrier will sell you a policy. Covered means the policy actually pays when you file a claim. Those are not the same thing. A business can hold a valid policy and still recover nothing because the controls it attested to weren’t genuinely in place at the time of the incident.

Pro tip

Every renewal, have a technical owner — your IT lead or MSP, not your broker or a salesperson — walk through the controls questionnaire line by line and confirm each answer against reality. This one review is the cheapest claim insurance you’ll ever buy.

How do you get better terms?

Demonstrate the controls. Carriers price risk, and a business that can show enforced MFA, EDR with SOC monitoring, immutable backups, and a tested IR plan is a materially lower risk than one that can’t. The same investments that lower your real-world odds of a ransomware disaster are the ones that lower your premium and raise your limits.

Do your controls match your policy?

The Ransomware Reality Check maps directly to what carriers ask about — MFA, backups, EDR, segmentation, and more.

Free Reality Check

Treat your cyber policy as a living contract, not a filing-cabinet document. The threat landscape moves, carriers move with it, and the businesses that stay genuinely covered are the ones that keep their controls — and their answers — honest.