
Cyber Insurance 2026: What Insurers Now Require

Key Takeaways

  • Cyber insurers no longer accept self-declarations without technical verification — external audit reports and technical assessments are increasingly required
  • MFA must cover all externally accessible services and all administrative access, not just VPN and email — insurers specifically ask about exceptions
  • Backups with offline copies (air gap) and demonstrated restorability are a hard requirement; backups on the same network as production systems are considered insufficient
  • Many organisations fail not on the measures themselves but on demonstrability — documentation is as important as technical implementation
  • Insurance requirements and actual security best practices largely overlap: every measure implemented for the insurer directly improves real security posture

The cyber insurance market has changed. While a completed questionnaire was sufficient for policy issuance a few years ago, insurers in 2026 demand concrete technical evidence. Companies that cannot meet these requirements receive either limited coverage, higher premiums, or are declined altogether.

What insurers require in 2026

Requirements vary by insurer, but a core set of measures has become standard.

Multi-factor authentication for all access points. Not just for VPN and email, but for all externally accessible services and all administrative access. Insurers specifically inquire which MFA methods are in use and whether exceptions exist.

Endpoint Detection and Response (EDR). Traditional antivirus solutions are no longer considered sufficient. Insurers expect an EDR solution that detects threats on endpoints in real time and enables response actions.

Backup strategy with offline copies. Backups must not only exist but also be protected from ransomware. This means at least one copy stored disconnected from the network (air gap) and regularly tested for restorability.

Incident response plan. Insurers ask for a documented plan that specifies who does what in an emergency. The plan must define escalation paths, communication responsibilities, and immediate technical measures.

Patch management evidence. Critical security updates must be applied promptly. Insurers expect a demonstrable process, ideally with defined timeframes: critical patches within 72 hours, others within 30 days.

Where companies fail

In practice, many companies do not fail on individual measures but on demonstrability. MFA is enabled but exceptions exist for certain accounts. Backups are created but never tested. An incident response plan exists as a document but is unknown to stakeholders.

Insurers are increasingly conducting technical assessments or requiring external audit reports. The era when self-declarations were accepted without verification is over.

The pragmatic approach

The requirements of cyber insurers and the measures that actually improve security largely overlap. MFA, EDR, tested backups, and an incident response plan are not bureaucratic exercises but the foundation of a solid security concept.

The most efficient path is to use the insurance requirements as a checklist for structured improvement of your security posture. Every measure you implement for insurance purposes directly contributes to your actual security.

Recommendation

Review your insurer’s specific requirements and compare them with your current status. Often, the biggest gaps are not in the measures themselves but in documentation and demonstrability. Targeted preparation ahead of your next policy renewal can save considerable costs.

Frequently Asked Questions

Which EDR solutions do cyber insurers typically accept?

Insurers require an Endpoint Detection and Response solution that detects threats in real time and enables response actions. Traditional antivirus no longer qualifies. Microsoft Defender for Endpoint is generally accepted; what matters most is that the solution is actively operated and monitored, not just installed.

What does “demonstrated patch management” mean to a cyber insurer?

Insurers expect a documented process with defined timeframes: critical security patches applied within 72 hours, others within 30 days. The process must be demonstrable — patch management tool reports, SIEM data, or vulnerability scanner outputs are typical evidence. The documented process matters as much as the actual patching speed.
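One way to turn the 72-hour and 30-day windows into the kind of report an auditor asks for is to evaluate every patch record against its deadline and list the exceptions that need an explanation. The script below is an added example, not code from the article or from any patch management product; the record layout, host names and patch identifiers are constructed placeholders, and it assumes a plain export with ISO timestamps for when a patch was released and when it was applied.

```python
from datetime import datetime, timedelta

# SLA windows as the article states them: critical patches within 72 hours,
# all others within 30 days. Adjust to the windows your own insurer specifies.
SLA_WINDOWS = {"critical": timedelta(hours=72), "other": timedelta(days=30)}

# Fixed reference time so the example is reproducible (assumption).
NOW = datetime(2026, 1, 25, 0, 0, 0)

# Constructed sample records. In practice these come from a patch management
# tool or vulnerability scanner export; hosts and patch ids are placeholders.
SAMPLE_RECORDS = [
    {"host": "srv-01", "patch": "PATCH-EXAMPLE-1", "severity": "critical",
     "released": "2026-01-10T08:00:00", "applied": "2026-01-12T09:30:00"},
    {"host": "srv-02", "patch": "PATCH-EXAMPLE-1", "severity": "critical",
     "released": "2026-01-10T08:00:00", "applied": "2026-01-14T10:00:00"},
    {"host": "ws-07", "patch": "PATCH-EXAMPLE-2", "severity": "medium",
     "released": "2026-01-01T00:00:00", "applied": "2026-01-20T12:00:00"},
    {"host": "ws-12", "patch": "PATCH-EXAMPLE-3", "severity": "low",
     "released": "2025-12-01T00:00:00", "applied": None},
    {"host": "srv-03", "patch": "PATCH-EXAMPLE-4", "severity": "critical",
     "released": "2026-01-24T12:00:00", "applied": None},
]


def _parse(ts):
    """Parse an ISO timestamp; None stays None (patch not applied yet)."""
    return datetime.fromisoformat(ts) if ts else None


def evaluate(records, now=NOW):
    """Classify each record against its SLA window.

    compliant - applied on or before the deadline
    breached  - applied, but after the deadline
    overdue   - not applied and the deadline has passed
    pending   - not applied, deadline still in the future
    """
    results = []
    for rec in records:
        key = "critical" if rec["severity"] == "critical" else "other"
        released = _parse(rec["released"])
        applied = _parse(rec.get("applied"))
        deadline = released + SLA_WINDOWS[key]
        if applied is not None:
            status = "compliant" if applied <= deadline else "breached"
            late_by = max(applied - deadline, timedelta(0))
        else:
            status = "overdue" if now > deadline else "pending"
            late_by = max(now - deadline, timedelta(0))
        results.append({
            "host": rec["host"], "patch": rec["patch"],
            "severity": rec["severity"], "deadline": deadline.isoformat(),
            "status": status,
            "hours_late": round(late_by.total_seconds() / 3600, 1),
        })
    return results


def summarize(results):
    """Count records per status: the headline figure for the evidence package."""
    counts = {"compliant": 0, "breached": 0, "overdue": 0, "pending": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


def exceptions(results):
    """Records that need a documented reason (the part assessors read closely)."""
    return [r for r in results if r["status"] in ("breached", "overdue")]


if __name__ == "__main__":
    res = evaluate(SAMPLE_RECORDS)
    print(summarize(res))
    for r in exceptions(res):
        print(f"{r['host']} {r['patch']} ({r['severity']}): "
              f"{r['status']}, {r['hours_late']}h past deadline")
```

The point of keeping `exceptions()` separate from `summarize()` is that an insurer rarely objects to a small number of late patches; what they object to is late patches with no recorded reason, so each entry in that list should map to a change ticket or a risk acceptance.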

Can I still obtain cyber insurance if my organisation has security gaps?

Yes, but at significantly worse terms. Incomplete MFA coverage, missing EDR, or untested backups typically result in higher premiums, increased deductibles, or exclusions for specific loss scenarios. Targeted remediation before renewal often pays back its investment many times over in premium savings.

Do insurers conduct their own technical assessments?

Yes, increasingly. Larger policies are frequently accompanied by a technical assessment in which the insurer or a commissioned firm directly evaluates the security posture. The era when completed questionnaires were accepted without independent verification is over for most market segments.