Cyber insurance used to be easy to get. Fill out a questionnaire, check some boxes, pay the premium, done. That era ended around 2021, and the underwriting process has gotten dramatically more rigorous every year since. In 2026, carriers are denying applications, imposing exclusions, and raising premiums for organizations that cannot demonstrate specific security controls.
The problem is that most organizations do not know what underwriters are actually looking for until they get denied or receive a quote that is three times what they expected. This guide breaks down exactly what cyber insurance carriers check, how premiums are calculated, what gets claims denied, and how to position your organization for the best possible coverage at the lowest cost.
How Cyber Insurance Underwriting Has Changed
Before 2021, cyber insurance applications were relatively simple. A few pages of yes/no questions, minimal verification, and most applicants were approved. Then ransomware loss ratios exploded. Carriers paid out more in claims than they collected in premiums, and the entire industry recalibrated.
Today, the underwriting process looks more like a security audit than an insurance application. Carriers use a combination of self-reported questionnaires, external attack surface scanning (often run against the domains and IP ranges you list before the application is even reviewed), and in some cases, live interviews with your security team. The days of checking a box that says "yes, we have MFA" without anyone verifying it are over.
Several factors are driving this shift:
- Ransomware claims remain the dominant loss driver. Carriers now require specific controls that directly reduce ransomware risk
- Claim denials based on misrepresentation are increasing. If you said you had MFA and you did not, the carrier will deny your claim and may rescind the policy outright
- Premiums are risk-adjusted. Organizations with stronger security postures pay measurably less than those without
- Sub-limits and exclusions are expanding. Even approved policies may exclude certain attack types or cap payouts for incidents involving unpatched systems
The Controls Underwriters Check
While every carrier has its own questionnaire, the core controls they evaluate are remarkably consistent. Here is what they are looking for and what "good" looks like:
Multi-Factor Authentication (MFA)
This is the single most important control for cyber insurance eligibility. Carriers want MFA enforced on all remote access (VPN, RDP, cloud portals), all privileged accounts (admin, root, and any account with elevated permissions), all email accounts, and all access to backup systems. "We have MFA available" is not the same as "MFA is enforced." Underwriters know the difference, and they will ask for the enforcement policy or sign-in logs rather than a yes. Where MFA genuinely cannot apply, such as non-interactive service accounts, expect to explain the compensating controls (no interactive logon, restricted source hosts, rotated credentials) instead of leaving the question blank.
Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient. Carriers want to see an EDR solution deployed across all endpoints with active monitoring and response capability. They will ask about coverage percentage (what percentage of endpoints have EDR installed), whether it is monitored 24/7 (by your team or an MDR provider), and whether it has automated response capabilities enabled.
Backup Strategy
Backups are the last line of defense against ransomware, and carriers evaluate them closely. They want to see offline or immutable backups that cannot be encrypted by ransomware, regular backup testing with documented restore times, separation of backup credentials from production Active Directory, and defined RPO and RTO with evidence that they are achievable.
Patching and Vulnerability Management
Carriers want evidence of a defined patching cadence, particularly for critical and high-severity vulnerabilities. They will ask about your mean time to patch critical vulnerabilities, whether you have a formal vulnerability management program, and how you handle zero-day disclosures. The evidence they accept is the output of regular vulnerability scanning: scan reports showing when a finding was first seen and when it was closed, which is what lets you state a mean time to patch rather than assert one.
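The two numbers underwriters ask for here, mean time to remediate and SLA compliance, come straight out of a scanner export once you decide how to treat findings that are still open. The following is an added example, not code from this page or from any scanner vendor: it reads a constructed CSV export (the column names, finding IDs and dates are made up for illustration) and, as of a reporting date, computes per-severity mean time to remediate over fixed findings, the percentage of "decided" findings (fixed, or open and already past SLA) that met the SLA, and the list of open findings past SLA. The SLA thresholds (critical 14 days, high 30) are taken from the checklist at the end of this page and are an assumption you should replace with your own policy.

```python
"""Patching metrics from a vulnerability scanner export (added example).

The CSV below is constructed sample data, not a real scanner's output.
SLA thresholds are assumptions taken from this page's checklist.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation SLAs in days, by severity. Severities not listed are out of scope.
SLA_DAYS: Dict[str, int] = {"critical": 14, "high": 30}

# Constructed export: one row per finding per asset; an empty 'fixed' means still open.
SAMPLE_CSV = """asset,finding,severity,first_seen,fixed
web-01,F-1001,critical,2026-01-03,2026-01-10
web-02,F-1001,critical,2026-01-03,2026-01-25
db-01,F-1002,high,2026-01-15,2026-02-10
vpn-01,F-1003,critical,2026-01-20,
fs-01,F-1004,high,2025-12-01,
mail-01,F-1005,critical,2026-02-10,
jump-01,F-1006,medium,2026-01-05,
"""


def load_findings(text: str) -> List[dict]:
    """Parse the export, converting dates and normalising severity to lowercase."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["severity"] = row["severity"].strip().lower()
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["fixed"] = date.fromisoformat(row["fixed"]) if row["fixed"] else None
        rows.append(row)
    return rows


def days_open(row: dict, as_of: date) -> int:
    """Days from first detection to fix, or to the reporting date if still open."""
    end = row["fixed"] or as_of
    return (end - row["first_seen"]).days


def patch_metrics(rows: List[dict], as_of: date) -> Dict[str, dict]:
    """Per in-scope severity: MTTR over fixed findings, SLA compliance over
    'decided' findings, and open findings already past SLA.

    An open finding still inside its SLA window is undecided and is excluded
    from the compliance percentage so that it neither inflates nor deflates it.
    """
    report: Dict[str, dict] = {}
    for sev, sla in SLA_DAYS.items():
        sev_rows = [r for r in rows if r["severity"] == sev]
        fixed = [r for r in sev_rows if r["fixed"] is not None]
        overdue_open = [r for r in sev_rows
                        if r["fixed"] is None and days_open(r, as_of) > sla]
        compliant = [r for r in fixed if days_open(r, as_of) <= sla]
        decided = len(fixed) + len(overdue_open)
        mttr: Optional[float] = (
            round(sum(days_open(r, as_of) for r in fixed) / len(fixed), 1) if fixed else None
        )
        report[sev] = {
            "total": len(sev_rows),
            "mttr_days": mttr,
            "sla_compliance_pct": round(100 * len(compliant) / decided) if decided else None,
            "overdue_open": [f"{r['asset']}:{r['finding']}" for r in overdue_open],
        }
    return report


def sample_report(as_of: date = date(2026, 2, 15)) -> Dict[str, dict]:
    """Run the metrics over the constructed export for a fixed reporting date."""
    return patch_metrics(load_findings(SAMPLE_CSV), as_of)


if __name__ == "__main__":
    for sev, m in sample_report().items():
        print(f"{sev}: MTTR {m['mttr_days']}d, SLA met {m['sla_compliance_pct']}%, "
              f"overdue open: {m['overdue_open'] or 'none'}")
```

Run against a real export, the "overdue_open" list is the set of findings an underwriter (or a carrier's forensic investigator after an incident) would point to, so it is worth reviewing before the scan report goes into the renewal package.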
Incident Response Plan
Having an incident response plan is table stakes. Carriers want to see a documented plan that has been tested through tabletop exercises, defined roles and responsibilities, relationships with external incident response firms (ideally from the carrier's approved panel), and a communication plan that includes legal, PR, and regulatory notification procedures.
Email Security
Phishing remains the primary initial access vector for ransomware. Carriers check for SPF, DKIM, and DMARC configuration, email filtering and anti-phishing controls, a security awareness training program, and whether you conduct phishing simulations. On DMARC specifically, a record published at p=none is monitoring only and does not stop spoofed mail; underwriters increasingly expect an enforcing policy (p=quarantine or p=reject) on the primary sending domains.
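The difference between "we have DMARC" and "DMARC is enforced" is visible in the TXT records themselves, so it is worth checking before an underwriter's external scan does. The following is an added example, not code from this page: it parses SPF and DMARC record strings and grades the posture as enforcing, monitor-only, or missing, flagging the weaknesses underwriters look for (p=none, pct below 100, sp=none, a permissive or absent SPF "all" qualifier, and more than the ten DNS-lookup mechanisms SPF allows). The domain names and records in SAMPLES are constructed for illustration; in practice you would fetch the TXT records for the domain and for _dmarc.<domain> and feed them in. DKIM is not graded here because it cannot be evaluated without knowing the selectors in use.

```python
"""Grade SPF and DMARC records the way an external posture scan would (added example).

The records in SAMPLES are constructed, not real domains' DNS data.
"""
import re
from typing import Dict, List, Optional, Tuple

# SPF mechanisms/modifiers that each consume one of the ten permitted DNS lookups.
_SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC style) into lowercase tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: Optional[str]) -> List[str]:
    """Findings for an SPF TXT record; an empty list means no concerns."""
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings: List[str] = []
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        t = term.lower()
        # Strip the optional +/-/~/? qualifier, then isolate the mechanism name.
        mech = re.sub(r"^[+\-~?]", "", t).split(":", 1)[0].split("=", 1)[0]
        if mech in _SPF_LOOKUP_MECHS:
            lookups += 1
        if mech == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms; more than 10 yields permerror")
    if all_qualifier is None:
        findings.append("no 'all' mechanism; unlisted senders are not rejected")
    elif all_qualifier == "+":
        findings.append("'+all' permits any sender; SPF is ineffective")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; unlisted senders are not rejected")
    elif all_qualifier == "~":
        findings.append("'~all' soft fail; acceptable with DMARC enforcement, '-all' is stronger")
    return findings


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Findings for a DMARC TXT record (published at _dmarc.<domain>)."""
    if not record:
        return ["no DMARC record published at _dmarc.<domain>"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid 'p' tag; record is not valid DMARC"]
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua tag; aggregate reports are not collected")
    return findings


def grade(spf: Optional[str], dmarc: Optional[str]) -> Tuple[str, List[str]]:
    """Return ('enforcing' | 'monitor-only' | 'missing', findings)."""
    findings = [f"SPF: {f}" for f in assess_spf(spf)]
    findings += [f"DMARC: {f}" for f in assess_dmarc(dmarc)]
    tags = parse_tags(dmarc or "")
    policy = tags.get("p", "").lower()
    spf_broken = any(f.startswith(("SPF: no SPF", "SPF: '+all'")) for f in findings)
    if policy in ("quarantine", "reject") and tags.get("pct", "100") == "100" and not spf_broken:
        return "enforcing", findings
    if policy == "none":
        return "monitor-only", findings
    return "missing", findings


# Constructed records for three hypothetical domains.
SAMPLES = {
    "good.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"),
    "monitor.example": ("v=spf1 include:_spf.mailvendor.example ~all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "weak.example": ("v=spf1 a mx include:a.example include:b.example +all", None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        level, notes = grade(spf, dmarc)
        print(f"{domain}: {level}" + "".join(f"\n  - {n}" for n in notes))
```

Only the "good.example" posture answers the underwriter's question with an unqualified yes; "monitor.example" has the records a scanner will report as present but not enforcing, which is the gap most often discovered at renewal.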
Penetration Testing
This is where our work directly impacts your insurability. Carriers ask whether you conduct regular penetration tests, how often (annually is the minimum expectation), whether findings are remediated in a timely manner, and whether tests cover both external and internal attack surfaces. A recent penetration test report showing identified issues and remediation evidence is one of the strongest signals you can provide to an underwriter.
What Underwriters Check vs. What They Require
| Control | Checked by Carriers | Hard Requirement |
|---|---|---|
| MFA on Remote Access | 100% of carriers | Yes, nearly universal |
| MFA on Email | 95%+ of carriers | Yes, most carriers |
| EDR Deployment | 90%+ of carriers | Yes, increasingly required |
| Immutable Backups | 90%+ of carriers | Yes, for ransomware coverage |
| Patching Cadence | 85%+ of carriers | Varies; critical patches expected within 30 days |
| Incident Response Plan | 85%+ of carriers | Required by most for full coverage |
| Penetration Testing | 80%+ of carriers | Required annually by most carriers |
| Security Awareness Training | 75%+ of carriers | Strongly recommended; required by some |
| Network Segmentation | 70%+ of carriers | Expected for mid-market and above |
| Privileged Access Management | 65%+ of carriers | Emerging requirement for larger organizations |
How Premiums Are Determined
Cyber insurance premiums are calculated based on a combination of factors, and understanding them gives you leverage to negotiate better rates.
Industry and revenue
Your industry determines your baseline risk profile. Healthcare, financial services, and technology companies typically pay higher premiums due to the value of their data and regulatory exposure. Revenue determines the scale of the policy and the potential for business interruption losses.
Security posture
This is where you have the most control. Organizations that can demonstrate strong security controls, regular testing, and mature incident response capabilities receive meaningfully lower premiums. We have seen clients reduce their premiums by 10-20% by providing pentest reports, remediation evidence, and documentation of improved controls.
Claims history
If you have filed a cyber insurance claim in the past, expect higher premiums. The size and nature of the claim matters, as does whether you have implemented improvements since the incident. A post-incident remediation report from a security firm can help mitigate the impact on your renewal.
Coverage scope
The breadth of coverage affects pricing. First-party coverage (your own losses), third-party coverage (liability to others), business interruption, regulatory fines, and ransomware-specific coverage all factor into the premium calculation. Some organizations reduce premiums by accepting higher deductibles or sub-limits on specific coverage types.
Negotiation tip: When renewing your policy, provide your underwriter with your latest penetration test report (executive summary, not the full technical findings), evidence of remediation for identified issues, documentation of any new security controls implemented since the last policy period, and your incident response plan with evidence of recent testing. This package directly addresses underwriter concerns and positions you for the best possible rate.
What Gets Claims Denied
Filing a cyber insurance claim is stressful enough without discovering that your claim is being denied. Here are the most common reasons carriers deny claims, all of which are preventable:
Material misrepresentation on the application
If you stated on your application that MFA was enforced on all remote access, and the forensic investigation reveals it was not, the carrier will deny the claim. This is the most common denial reason and it is entirely avoidable. Be honest on the application. If you have gaps, acknowledge them and document your plan to address them.
Failure to maintain controls
Some policies include a "maintenance of controls" provision that requires you to maintain the security posture described in your application throughout the policy period. If you had EDR deployed when you applied but let the license lapse, and then suffered a breach, the carrier may deny or limit the claim.
Late notification
Most policies require prompt notification of an incident; the wording ranges from "as soon as practicable" to a fixed window, commonly 24-72 hours from discovery. Delaying notification, even if you are still investigating, can give the carrier grounds to deny the claim. Your incident response plan should include carrier notification as an early, explicit step, with the policy's exact deadline and contact details written into the plan.
Using unapproved vendors
Many policies require you to use the carrier's approved panel of incident response firms, forensic investigators, and legal counsel. Using your own vendors without prior approval can result in the carrier refusing to cover those costs. Know your policy's requirements before an incident occurs.
Known but unpatched vulnerabilities
An emerging area of claim disputes involves vulnerabilities that were publicly known and had patches available, but the organization failed to apply them in a reasonable timeframe. If a critical CVE has been public for six months and you did not patch it, the carrier may argue the loss was due to negligence.
How Penetration Testing Directly Impacts Your Insurance
Penetration testing sits at the intersection of multiple underwriting factors. It is one of the most cost-effective investments you can make to improve both your security posture and your insurance positioning.
Here is how pentest results directly affect your insurance:
- Application strength. Being able to answer "yes" to "Do you conduct annual penetration testing?" with supporting evidence immediately strengthens your application
- Premium reduction. Regular testing demonstrates proactive risk management. We consistently see clients achieve premium reductions when they provide pentest reports and remediation evidence
- Claim defensibility. If you do experience an incident, having a recent pentest report showing that you identified and remediated vulnerabilities demonstrates due diligence. It is much harder for a carrier to argue negligence when you have documented testing and remediation
- Control validation. A pentest checks that the controls you described on your application actually work as stated. If a misrepresentation dispute arises, the report is contemporaneous evidence of what was in place and when
Beyond the insurance benefits, the findings from a penetration test help you close the specific gaps that ransomware operators exploit: weak authentication, excessive permissions, unpatched systems, and network segmentation failures. Closing these gaps reduces the likelihood that you ever need to file a claim in the first place.
Building an Insurance-Ready Security Program
If you are preparing to apply for or renew cyber insurance, here is the practical checklist:
- Enforce MFA everywhere. All remote access, all privileged accounts, all email, all backup systems. No exceptions. This single control is the difference between approval and denial for most carriers
- Deploy and monitor EDR. Ensure coverage across all endpoints with 24/7 monitoring, either in-house or through an MDR provider
- Implement immutable backups. Separate backup credentials from production AD, test restores regularly, and document your RPO and RTO
- Establish a patching cadence. Critical vulnerabilities within 14 days (most carriers will accept 30), high within 30, and document everything, including dates of detection and closure
- Document and test your incident response plan. Include carrier notification requirements and approved vendor lists
- Conduct annual penetration testing. Retain the reports and remediation evidence. Our security assessment services are designed to produce the documentation carriers want to see
- Be honest on the application. Misrepresentation is worse than acknowledging a gap. Carriers appreciate candor and a documented remediation plan
The bottom line: Cyber insurance is no longer a substitute for security. It is a complement to it. Carriers are rewarding organizations that invest in real security controls and penalizing those that do not. The same investments that lower your premiums also reduce your likelihood of needing to file a claim.
Need security assessments for your insurance application?
We deliver penetration testing reports and security assessments that insurance underwriters want to see. Improve your coverage and lower your premiums with evidence-based security.