Cyber insurance in 2026 looks dramatically different from the way it did even three years ago. The hard market that started in 2020-2021 reset the entire category — premiums rose substantially, coverage scope tightened, underwriting requirements came to resemble compliance frameworks, and the pool of carriers actively writing new business shrank. For SMBs, getting and keeping coverage now requires demonstrating specific security controls. Here's what businesses should know.
What's Required to Get Coverage Now
The baseline security requirements virtually every cyber insurance carrier expects:
- MFA on email, VPN, and admin accounts (non-negotiable)
- EDR or equivalent endpoint protection across all endpoints
- Immutable, off-network backups with tested restoration
- Security awareness training program for employees
- Patching SLAs for critical CVEs
- Privileged access management for admin credentials
- Vendor risk management for critical suppliers
- Incident response plan documented and tested
- Network segmentation between user, server, and sensitive data zones
- Specific controls for high-risk activities (RDP exposure, legacy systems, vendor remote access)
Businesses that can't attest to these controls increasingly find applications declined or premiums punitive.
The Application Process
Cyber insurance applications in 2026 are detailed. A typical application asks for:
- Detailed inventory of what controls are in place, with documentation
- Evidence of MFA coverage with specific scope details
- Backup architecture and testing cadence
- Incident response capability and recent test results
- Vendor and supplier risk management practices
- Information about prior incidents in the past 5 years
- Specific configuration details about email security, endpoint protection, and network architecture
Misrepresenting controls on the application can void coverage when claims arise. The application becomes the contract; honesty matters.
What's Excluded or Sub-Limited
Modern cyber insurance policies often include:
- Ransomware sublimits — separate (lower) coverage limit for ransomware claims, sometimes a fraction of the overall policy limit
- State-sponsored attack exclusions — broader exclusion language that can apply to attacks attributed to state actors
- War exclusions — increasingly broad interpretation of "war" affecting some cybercrime coverage
- Crime coverage limitations — fraud-related coverage often separate from cyber coverage
- Voluntary parting — losses where the employee was deceived into authorizing the loss may be excluded from cyber coverage and require crime coverage
- Failure to maintain required controls — if controls attested on application weren't actually maintained, coverage may be denied
How Premiums and Limits Have Shifted
Approximate ranges in the current market (these vary significantly by industry and size):
- Small business ($1M-5M revenue): $1,500-5,000 annual premium for $1M coverage
- Mid-market ($25M-100M revenue): $15,000-50,000 annual premium for $5M coverage
- Larger mid-market: scales upward with revenue and risk profile
Premiums for businesses with prior claims, weaker controls, or higher-risk industries (healthcare, financial services, professional services) trend higher within these ranges.
The Strategic Implication
Cyber insurance has effectively become a security maturity requirement. To be insurable, businesses need controls that wouldn't have been required for coverage five years ago. This creates a useful forcing function — the insurance pressure drives security investments that improve the business's actual security posture, not just paperwork.
Practical recommendation: treat the cyber insurance application as a security maturity benchmark. If you can't honestly answer "yes" to the controls the application asks about, that is your list of priority investments. Building toward those controls produces both insurability and genuine security improvement.
Working with Brokers and Carriers
The insurance brokerage landscape for cyber has specialized over the past few years. Working with a broker who specifically knows cyber insurance — rather than a generalist agent — substantially improves outcomes. The specialized brokers know which carriers are writing new business, what specific controls each carrier prioritizes, how to position the business's controls in the application, and how to negotiate terms.
If you're scoping cyber insurance or trying to improve your insurability posture, a conversation with our team can identify control gaps that affect both security and insurance outcomes.
Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments for businesses evaluating their IT and security posture. Contact us or call 850-614-9343.