
What cyber insurance actually requires (and how to read your renewal)

Cyber-insurance underwriting has moved from attestation to evidence. Most SMB stacks were built before that shift. This is what underwriters actually look for in 2026, in priority order — and how to read your renewal.

If you got a cyber-insurance renewal in the last six months that came back with a doubled premium, a halved limit, or a flat-out non-renewal, you are not alone. The market has been hardening since 2021 and the bottom of that cycle has not yet arrived. Underwriters are not being unreasonable — they are responding to loss ratios that, for several years running, were higher than the premiums they collected could absorb. They are now writing tighter terms, asking better questions, and demanding evidence rather than attestation.

This piece walks through what cyber-insurance underwriters actually ask for in 2026, why each item is on the list, and what the underlying control looks like when it is done well versus when it is done badly enough that the questionnaire-answer is technically true but operationally a fiction.

We will not pretend to be insurance brokers — we are not. But our customers carry cyber policies, and we sit on the operations side of the controls that drive those policies’ renewal terms. When a customer’s broker calls us asking “is this control actually deployed?” we answer with telemetry, not opinion. The shift to evidence-based underwriting is the most important thing that happened to SMB cyber-insurance in the last five years, and it is the thing most buyers still do not realize.

How underwriting changed, and why

Through about 2020, cyber-insurance underwriting at the SMB band looked like a property-insurance application. Five to ten yes/no questions: do you have antivirus, do you have backups, do you require strong passwords, do you have a written security policy. The applicant filled it in, the underwriter priced the risk against actuarial tables that were mostly extrapolated from larger commercial cohorts, and policies got bound at premiums in the low thousands per million of coverage.

Then ransomware industrialized. Loss ratios (the share of premiums paid back out as claims) for standalone cyber cover climbed from comfortably under 40% in 2018 to above 70% by 2020 and stayed elevated through 2021. The major reinsurers tightened their treaties, the primary carriers tightened their underwriting, and the questionnaires expanded. The 2026 version of a typical SMB cyber-insurance application is fifty to eighty questions long, asks about specific technical configurations rather than yes/no controls, and increasingly attaches “evidence required” footnotes to the most critical items.

The questionnaire change is the visible part. The invisible part is what underwriters do with the answers: they cross-reference them against attack-pattern data from their own claims book, against vendor security-rating services (BitSight, SecurityScorecard, BlackKite), and against external scanning of your perimeter. If your application says you require MFA but the scan finds a legacy-authentication path still answering on your domain (an on-premises Outlook Web Access or ActiveSync listener, or a tenant that still permits SMTP AUTH with Basic authentication), that gets flagged. The era of taking the application at face value is over.

Tier 1 — table-stakes controls

Three controls dominate the underwriting decision in 2026. Without all three, most SMB cyber-insurance markets will not write the risk at any price; with all three deployed and verifiable, you have access to the broader market and competitive pricing.

MFA on every privileged account

The single most-asked-about control. The question on the application reads something like “Do you require multi-factor authentication for all email access, all remote access, and all privileged administrative accounts?” and the carriers want all three to be yes.

What “deployed correctly” looks like:

  • Email MFA: every Microsoft 365 or Google Workspace account that can receive mail. Not just the executive team; not just the privileged accounts; every account, including the shared mailboxes and service accounts you forgot you had. Stale accounts without MFA are the most common path into an SMB.
  • Remote access MFA: every VPN, every remote-desktop product, every administrative console. The high-profile breaches of 2021-2024 either had no MFA on a remote-access path (Colonial Pipeline’s legacy VPN account, Change Healthcare’s Citrix portal, the Snowflake-customer accounts) or had MFA defeated through the enrolment and reset process rather than at the login prompt (the MGM Resorts help-desk social engineering). The first failure is a missing control; the second is a control with an unguarded back door, and underwriters now ask about both.
  • Privileged admin MFA: anyone with administrative rights in any system — IT admins, finance leads with full QuickBooks rights, anyone who can execute money transfers or change directory permissions.

The version that fails the underwriter’s external scan: MFA “required” through Conditional Access policies that exempt “trusted” IP ranges, or that are scoped to modern clients while legacy authentication (Basic auth over IMAP, POP, SMTP AUTH, ActiveSync) is still allowed for anyone with a sufficiently old Outlook client. A legacy protocol cannot present a second factor at all, so any policy that leaves it open leaves MFA open. If the scanning service can see that your tenant or perimeter still advertises Basic authentication on a mail endpoint, your MFA control is scored as failed regardless of what you wrote on the application.
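The two gaps in that paragraph are both visible in the Conditional Access policy set itself, before any external scanner gets involved. The audit below is an added example written for this article, not code from goCloudOffice or from Microsoft. The policy dictionaries are constructed, and their shape is an assumption modelled on the Microsoft Graph conditionalAccessPolicy object (state, conditions.users, conditions.locations, conditions.clientAppTypes, grantControls.builtInControls); the names `audit_policies`, `AS_FOUND` and `HARDENED` are ours.

```python
"""Audit Conditional Access policies for two gaps: an MFA policy with a
trusted-location exemption, and no enforced policy blocking legacy
authentication clients. The policy dicts below are CONSTRUCTED for this
example; their field names are an assumption modelled on Microsoft
Graph's conditionalAccessPolicy object, not data from a real tenant.
"""

# Graph client-app types that correspond to legacy (non-modern) auth:
# Exchange ActiveSync and "other clients" (IMAP/POP/SMTP Basic auth,
# older Office builds). Assumed from the Graph schema.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


def _enabled(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled
    # policies enforce nothing, so they do not count as a control.
    return policy.get("state") == "enabled"


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def _covers_all_users(policy):
    return "All" in policy["conditions"].get("users", {}).get("includeUsers", [])


def audit_policies(policies):
    """Return a list of finding strings; an empty list means no gaps found."""
    findings = []

    mfa_policies = [p for p in policies if _enabled(p) and "mfa" in _controls(p)]
    if not mfa_policies:
        findings.append("no enabled policy requires MFA")
    for p in mfa_policies:
        name = p["displayName"]
        if not _covers_all_users(p):
            findings.append(f"{name}: MFA policy is not scoped to all users")
        excluded = p["conditions"].get("locations", {}).get("excludeLocations", [])
        if excluded:
            findings.append(f"{name}: MFA is exempted for locations {excluded}")

    # A legacy client never presents a second factor, so MFA is only real if
    # an enforced policy blocks both legacy client-app types for all users.
    legacy_blocks = [
        p for p in policies
        if _enabled(p) and "block" in _controls(p) and _covers_all_users(p)
        and LEGACY_CLIENT_APPS <= set(p["conditions"].get("clientAppTypes", []))
    ]
    if not legacy_blocks:
        findings.append("no enabled policy blocks legacy authentication for all users")
    return findings


def _policy(name, state, client_apps, exclude_locations, control):
    # One excluded break-glass account is standard practice and is not
    # flagged; "AllTrusted" is Graph's identifier for all trusted locations.
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.com"]},
            "clientAppTypes": client_apps,
            "locations": {"includeLocations": ["All"], "excludeLocations": exclude_locations},
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


# Constructed "as found" tenant: MFA carve-out for trusted IPs, legacy block report-only.
AS_FOUND = [
    _policy("Require MFA for all users", "enabled",
            ["browser", "mobileAppsAndDesktopClients"], ["AllTrusted"], "mfa"),
    _policy("Block legacy authentication", "enabledForReportingButNotEnforced",
            ["exchangeActiveSync", "other"], [], "block"),
]

# The same tenant after the fix: no location carve-out, legacy block enforced.
HARDENED = [
    _policy("Require MFA for all users", "enabled",
            ["browser", "mobileAppsAndDesktopClients"], [], "mfa"),
    _policy("Block legacy authentication", "enabled",
            ["exchangeActiveSync", "other"], [], "block"),
]

if __name__ == "__main__":
    for label, tenant in (("as found", AS_FOUND), ("hardened", HARDENED)):
        print(label, audit_policies(tenant) or ["no gaps"])
```

Against a real tenant you would feed `audit_policies` the `value` array returned by the Graph conditional access policies endpoint. The point of the report-only check is that a legacy-auth block sitting in report-only mode looks deployed in the portal and is worth nothing on the questionnaire.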

MDR, not just EDR

We wrote a whole separate piece on this distinction but the insurance angle deserves its own paragraph. The typical 2024 questionnaire asked “Do you have endpoint detection and response (EDR) deployed?” The 2026 questionnaire asks “Do you have managed detection and response (MDR) with 24/7 SOC analyst coverage?” The change is deliberate.

EDR is the tool. MDR is the tool plus the humans watching it. An SMB that buys a CrowdStrike or SentinelOne or Bitdefender EDR subscription and points it at their fleet has bought a stream of behavioral alerts that, in most SMBs, sits untriaged at 3 AM on a holiday weekend. The underwriter knows this. The same insurance carrier that paid a $4M ransomware claim against a customer who “had EDR deployed” but had been absent from the EDR console for nine months is the carrier writing this year’s policy. They updated the question.

What underwriters want: a named MDR provider (Bitdefender MDR, CrowdStrike Falcon Complete, SentinelOne Vigilance, Arctic Wolf, Red Canary, etc.), 24/7 SOC analyst coverage, defined response playbooks, and the ability to produce — for the underwriter — a sample alert-to-resolution timeline showing the SOC actually responded.

Backup with an offline / immutable copy and tested restore

Ransomware recovery without backups is not really recovery — it is paying the ransom and hoping the decryption key works. Every cyber-insurance underwriter has seen the claim where the customer “had backups” but the backups were on a network share that the ransomware encrypted alongside everything else, or on a NAS the attackers reached after pivoting from the first compromised host.

The 2026 standard:

  • Backups exist for files, servers, M365 data, and (where applicable) on-premise databases.
  • At least one copy is offline-or-immutable: either physically disconnected (rare for cloud-first SMBs), or stored in a backup vault that the production environment cannot encrypt or delete (the typical approach: an immutable cloud backup with a retention lock that even the customer’s own administrator credentials cannot shorten or override).
  • A restore test has happened in the last 12 months. Most carriers want documentation of the test — what was restored, how long it took, who certified it.

The version that fails: “backup running successfully” reports that nobody has verified by restoring anything. Claims investigations routinely turn up customers whose backup product had run clean jobs for years, every one of them encrypted with a passphrase or key that nobody at the company still held.

Tier 2 — controls that modify premium and limits

The second tier of controls shifts your premium up or down by 15 to 50% in either direction. They are not hard requirements at the point of binding the policy, but they are the difference between a cheap policy and an expensive one.

Email security beyond Microsoft’s defaults

Microsoft 365’s standard plans include some email security; underwriters increasingly want to see one or both of:

  • DMARC enforcement — DMARC, SPF, and DKIM aligned, with the DMARC policy at quarantine or reject (not just monitor). The DMARC question on the application is yes/no, but underwriters validate it externally — your domain’s DMARC record is a public DNS record; they will read it.
  • Advanced Threat Protection (ATP) or equivalent — link rewriting, attachment sandboxing, impersonation protection. Either Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) or an equivalent third-party gateway (Mimecast, Proofpoint, Avanan).

The pattern that creates surcharges: SPF and DKIM but no DMARC, or DMARC at p=none indefinitely. From the underwriter’s perspective, that means your domain is impersonable, and impersonation-driven business-email-compromise (BEC) is a top-three claim category.
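Because the DMARC record is public, you can grade it exactly the way the underwriter’s scanner will. The checker below is an added example for this article, not goCloudOffice’s 360DMARC code or any rating vendor’s logic. The sample records and `example.com` are constructed; the function names `parse_dmarc` and `assess_dmarc` are ours; the defaults it applies (sp inherits p, pct defaults to 100) are the ones RFC 7489 specifies.

```python
"""Grade a domain's DMARC policy from the text of its _dmarc TXT record,
the way an external scan would. Sample records are CONSTRUCTED for this
example and no DNS lookups are made; in practice you would fetch the
record (for example with `dig TXT _dmarc.yourdomain`) and pass it in.
"""

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict.

    Raises ValueError for anything that is not a usable DMARC1 record,
    which a scanner reports as "no DMARC" rather than "p=none".
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    return tags


def assess_dmarc(record):
    """Return (grade, notes).

    grade is "monitor-only" (p=none), "partial" (a gap remains), or
    "enforcing" (quarantine/reject on the domain and its subdomains,
    applied to 100% of failing mail).
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    # RFC 7489 defaults: sp inherits p, pct is 100.
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    notes = []

    if policy == "none":
        notes.append("p=none: spoofed mail is reported but still delivered")
    if policy in ENFORCING and sub_policy == "none":
        notes.append("sp=none: subdomains remain spoofable although the apex is enforcing")
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        notes.append("no rua= address: nobody is receiving aggregate reports")

    if policy == "none":
        grade = "monitor-only"
    elif policy in ENFORCING and sub_policy in ENFORCING and pct == 100:
        grade = "enforcing"
    else:
        grade = "partial"
    return grade, notes


# Constructed sample records, weakest to strongest.
SAMPLES = {
    "stuck in monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "apex only": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "half rolled out": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        grade, notes = assess_dmarc(record)
        print(f"{label:20s} {grade:13s} {'; '.join(notes)}")
```

The "apex only" and "half rolled out" cases are the ones that surprise people: the application question is yes/no, the record says reject or quarantine, and the domain is still spoofable for the subdomain or for half of the mail. Those are the records that get a surcharge.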

Patch cadence with evidence

The question reads something like “What is your patch deployment SLA for critical vulnerabilities?” — and the answer the underwriter wants is critical patches deployed within 14 days, high-severity within 30, organization-wide. The version that gets penalized: “we patch monthly” without further detail, because every audit of “we patch monthly” the underwriter has seen turned up a long tail of devices that had been untouched for a year.

What good looks like: an RMM platform doing automated patch deployment with a documented exception process for specific applications that need delayed updates, monthly compliance reporting showing actual deployment percentage by severity tier, and a documented person responsible.
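The monthly compliance report in that paragraph is a small calculation once you have the inventory, and it is worth seeing what the exception process does to the numbers. The report generator below is an added example for this article, not 360PatchGuard or any RMM vendor’s code. The device names, patch identifiers and the `CHG-0142` exception are constructed; the 14-day and 30-day SLAs are the ones the text names; `compliance_report` and `INVENTORY` are our names.

```python
"""Monthly patch-compliance report by severity tier, honouring a
documented exception list. The inventory, patch identifiers, dates and
the exception reference are CONSTRUCTED for this example.
"""
from datetime import date

# Critical inside 14 days, high inside 30: the SLAs the text describes.
# Lower severities are tracked but carry no SLA here.
SLA_DAYS = {"critical": 14, "high": 30}

AS_OF = date(2026, 3, 1)

# device -> list of (patch_id, severity, release_date) still pending.
INVENTORY = {
    "ws-01": [("KB-A", "critical", date(2026, 2, 20))],   # 9 days old, in SLA
    "ws-02": [("KB-A", "critical", date(2026, 2, 1))],    # 28 days old, overdue
    "srv-db-01": [("KB-B", "high", date(2026, 1, 15))],   # 45 days old, excepted
    "srv-app-01": [("KB-C", "moderate", date(2025, 12, 1))],  # no SLA tier
    "ws-03": [],
}

# Documented exceptions: (device, patch_id) -> change record and reason.
EXCEPTIONS = {
    ("srv-db-01", "KB-B"): "CHG-0142: vendor application certified only up to the previous update",
}


def compliance_report(inventory, exceptions, as_of):
    """Return the per-tier counts and the list of devices out of SLA.

    A patch older than its tier's SLA is "excepted" if a documented
    exception covers it, otherwise "overdue"; a device is compliant when
    it has no overdue patches.
    """
    tiers = {tier: {"pending": 0, "overdue": 0, "excepted": 0} for tier in SLA_DAYS}
    overdue_by_device = {}
    for device, patches in inventory.items():
        for patch_id, severity, released in patches:
            tier = severity.lower()
            if tier not in SLA_DAYS:
                continue
            tiers[tier]["pending"] += 1
            if (as_of - released).days <= SLA_DAYS[tier]:
                continue
            if (device, patch_id) in exceptions:
                tiers[tier]["excepted"] += 1
            else:
                tiers[tier]["overdue"] += 1
                overdue_by_device.setdefault(device, []).append(patch_id)
    total = len(inventory)
    compliant = total - len(overdue_by_device)
    return {
        "as_of": as_of.isoformat(),
        "tiers": tiers,
        "devices": total,
        "compliant_devices": compliant,
        "compliance_pct": round(100.0 * compliant / total, 1) if total else 100.0,
        "overdue_by_device": overdue_by_device,
    }


if __name__ == "__main__":
    report = compliance_report(INVENTORY, EXCEPTIONS, AS_OF)
    for tier, counts in report["tiers"].items():
        print(f"{tier:9s} pending={counts['pending']} overdue={counts['overdue']} excepted={counts['excepted']}")
    print(f"{report['compliant_devices']}/{report['devices']} devices in SLA "
          f"({report['compliance_pct']}%), overdue: {report['overdue_by_device']}")
```

This is the shape of report an underwriter can read: the excepted count is separate from the overdue count, each exception points at a change record, and the one non-compliant device is named rather than buried in a percentage.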

Incident response plan, exercised

Carriers want a written IR plan with named people, and they increasingly want to see that the plan has been exercised at least once. A tabletop exercise — an hour with the IR team walking through a simulated breach scenario, debriefing what worked and what did not — qualifies for most carriers.

The exercise is more important than the document. Plans that have never been exercised tend to assume the IR team can call vendors who have not been pre-contracted, or that the company’s CISO will be reachable on a Saturday morning when the actual breach lands at 3 AM Sunday.

Tier 3 — controls that modify sub-limits

Cyber policies are not single-limit products — they are bundles of coverages each with its own limit. Privileged access controls, network segmentation, and data classification influence which sub-limits get the headline limit and which get chopped to a fraction.

  • Privileged access management (PAM): Carriers writing larger sub-limits for theft-of-funds and wire-fraud coverage want to see that privileged accounts are vaulted (CyberArk, BeyondTrust, or a more SMB-appropriate solution like 1Password Business with admin-account isolation), that admin sessions are recorded, and that just-in-time elevation is the default rather than always-on admin rights.
  • Network segmentation: For ransomware and business-interruption sub-limits, carriers reward designs that prevent a single compromised endpoint from reaching crown-jewel assets. Flat networks attract penalties; segmented networks with at least logical separation between user, server, and management planes attract premium credit.
  • Data classification + DLP: For data-breach and regulatory-action sub-limits, carriers reward the ability to identify what data is actually sensitive (and where it lives) versus the company that has 2 TB of mixed-classification data on a SharePoint site somebody set up in 2019.

How to read your renewal questionnaire

When the questionnaire arrives, treat it as a checklist of controls you are claiming, rather than a form to fill in. Before you sign:

  1. Read each yes answer and think about what evidence you would produce if asked. If you cannot produce evidence, change the answer to no — material misstatements on the application can void the policy at claim time.
  2. Check the external view. Run BitSight, SecurityScorecard, or a free alternative on your domain. The underwriter is going to. Surprises in their report cost more than surprises in yours.
  3. Watch for the embedded definitions. Some carriers define “MFA” as phishing-resistant MFA (FIDO2, hardware tokens) while others accept any second factor. The application footnotes matter; read them.
  4. Negotiate the sub-limits. A standard cyber policy comes with default sub-limits that may not match your risk. If you process payment cards, the PCI-incident sub-limit matters a lot. If you handle PHI, the regulatory-action sub-limit matters. Brokers will optimize the headline limit; you have to push them on sub-limits explicitly.
  5. Read the war exclusion. Post-NotPetya, every policy has one. The Lloyd’s Market Association model clauses (published in 2021 and required on Lloyd’s-market cyber business from 2023) are the relevant standard; if your policy uses older language, ask why.

What gets you declined or non-renewed in 2026

Specific patterns that result in declination, non-renewal, or steep surcharges this cycle:

  • No MFA, anywhere. Effectively uninsurable at the SMB band.
  • EDR-only, no SOC. Will get a quote in many markets, with surcharges and chopped sub-limits.
  • Backup running but never tested. Most markets will accept a quote with a 12-month deadline to produce a tested restore; some will not bind without it.
  • An open RDP port on the public internet. Reliably surfaced by the carrier’s external scan; very hard to insure around.
  • A history of claims. Two claims in the last five years — particularly ransomware claims — closes most of the market.
  • Industry exclusions. Some carriers have stopped writing certain industries (managed service providers themselves, public sector, healthcare with PHI volume above a threshold). If your industry is on a carrier’s exclusion list, no amount of control quality will get a quote there.

How goCloudOffice maps to underwriter requirements

We wrote this piece because almost every customer renewal we sit through ends up with the broker asking us, “can you produce evidence the customer has X deployed?” So here is the direct mapping, for transparency.

Tier 1:

  • MFA: deployed and enforced through 360SmartIT Department as part of every onboarding; we do not allow customers to bypass MFA for “convenience” because the broker will find it.
  • MDR: 360CyberProtect MDR with Bitdefender’s 24/7 SOC. We are not the SOC; Bitdefender is. We resell their service at modest markup and operate the surrounding telemetry. Underwriters know Bitdefender MDR by name and treat it as named-MDR-provider.
  • Backup: 360CloudBackupPro for endpoints and 360M365Backup for M365 data, both with immutable storage and automated quarterly recovery drills with documentation.

Tier 2:

  • Email security: 360DMARC for DMARC enforcement plus the M365 ATP layer for advanced threat protection.
  • Patch cadence: 360PatchGuard on a tested cadence with monthly compliance reporting; critical patches inside 14 days, high inside 30, with documented exceptions.
  • IR plan: documented as part of standard onboarding; tabletop exercises offered annually as part of the quarterly business review cycle.

Tier 3: PAM, segmentation, and DLP are typically delivered through Pro2 / Pro3 consulting engagements rather than as part of the per-computer subscription, scoped to the customer’s regulatory and contractual obligations.

The reason we built the stack this way is because we sit through the underwriter conversations and we know what gets asked. The 360SmartIT Department subscription is, among other things, an insurance-renewal-shaped product. Customers carrying cyber policies often see their renewal terms improve materially after a year of clean operating telemetry under the subscription.

If you would like a second opinion on your current renewal — what is costing you, what would change the price, what an underwriter would say about your stack — the build flow walks through the controls we would configure for a firm your size and industry. It is a useful benchmark even if you opt to stay where you are.

Technically reviewed by Tobias Wexler.

Want this turned into a real plan?

The build flow uses the same logic this article describes — three minutes to a configured IT department.