Cyber Insurance Requirements in 2026: What Carriers Actually Require
Cyber insurers denied 40% of claims in 2024. Here's what carriers like Coalition and Travelers require in 2026, and where organizations get tripped up on applications.
More than 40% of cyber insurance claims were denied or disputed in 2024. Not because the incidents weren’t real (ransomware, business email compromise, and data breaches are happening at scale), but because the organizations filing claims didn’t actually have the controls they said they had. If you’re buying or renewing a cyber policy in 2026, the standards have shifted enough that what passed underwriting two years ago may not pass today. And failing an audit after a breach is a particularly bad time to find out.
This article breaks down what carriers actually require in 2026, where organizations consistently get tripped up on applications, and what the penetration testing expectations look like for policies above a certain coverage threshold.
What Carriers Require in 2026: The Actual Checklist
The days of vague “we have security controls” attestations are over. Carriers, particularly Coalition, Travelers, Beazley, and Chubb, have tightened their underwriting criteria substantially since 2022. Here’s what the application process looks like today for most mid-market policies.
Phishing-Resistant MFA (Not Just Any MFA)
This is the single most common point of failure we see in insurance audits. Organizations believe they have MFA because they deployed Microsoft Authenticator or Duo, but carriers are asking a more specific question: is MFA applied everywhere, and is it phishing-resistant?
Coalition’s 2024 Cyber Claims Report found that 82% of denied claims involved organizations that lacked properly implemented MFA across their environment. The “across their environment” part is what catches people. Implementing MFA on the corporate email system but not on the VPN, or on employee accounts but not service accounts, creates the exact gap that attackers exploit, and that carriers cite when denying claims.
In 2026, higher-tier policies are specifying phishing-resistant MFA: hardware security keys (FIDO2/WebAuthn) or biometric authentication. App-based TOTP may still satisfy lower limits, but for $5M+ policies, expect scrutiny.
24/7 EDR With Active Response
Endpoint detection and response is table stakes now, but the requirement has a meaningful qualifier: active response, not just alerting. A tool that logs events and sends emails doesn’t meet what carriers are looking for. They want evidence that threats are automatically contained (isolated endpoints, blocked processes, automatic remediation of known indicators), with human analysts backing up the automation.
MDR (managed detection and response) services satisfy this if they include defined response SLAs and 24/7 coverage. If your EDR is a self-managed deployment with business-hours alerting, you’ll want to document how after-hours incidents are handled. Some carriers are starting to ask for that answer explicitly.
Documented and Tested Incident Response
Having an incident response plan is no longer enough. Carriers want proof that you’ve exercised it. This means documented tabletop exercises (ideally within the past 12 months), with records of what scenarios were run, who participated, and what gaps were identified and addressed.
This requirement makes practical sense. An IR plan that’s never been tested is a theoretical document. Carriers have seen enough post-breach chaos to know that untested plans tend to fall apart when it matters. If you can show a tabletop exercise report, an after-action review, and evidence that you addressed the gaps, that’s a materially different risk profile.
Third-Party Risk Oversight
Supply chain attacks have moved this from a nice-to-have into a required underwriting category. Carriers want to know whether you inventory your critical vendors, whether those vendors have their own security requirements (contracts, questionnaires, or certifications), and whether you have a process for responding when a vendor is compromised.
This doesn’t require a formal third-party risk management platform (smaller organizations can satisfy this with documented processes and vendor questionnaires), but you need to be able to describe and demonstrate it.
Mailbox-Level Email Security
Business email compromise accounts for the largest single category of cyber insurance claims. Coalition’s 2024 figures put BEC and funds transfer fraud at 60% of filed claims, and they recovered $31 million for policyholders through their active response work that year. The implication is clear: carriers know email is the primary attack vector, and they’re requiring controls that reflect that.
In 2026, “mailbox-level email security” typically means:
- DMARC enforced to at least p=quarantine (ideally p=reject)
- DKIM and SPF properly configured
- Anti-phishing filtering at the mailbox level, not just at the gateway
- URL rewriting and link analysis for inbound links
Some carriers are starting to include email security posture in automated scanning they run on applicants, similar to how they scan for exposed RDP or open ports. DMARC policy is often visible externally and is worth verifying before you apply.
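As an added example (not code from the original article), the following checker evaluates a published DMARC record against the bar above: at least p=quarantine, ideally p=reject, and it flags the caveats an external scan would notice (pct below 100, a lax subdomain policy, no reporting address). The records are constructed samples; the actual TXT lookup of _dmarc.<your-domain> is left to the reader.

```python
"""Assess a DMARC TXT record for insurance-application readiness.
No DNS query is made here; pass in the TXT value of _dmarc.<domain>."""
from typing import Optional

# Constructed sample records (not real domains' policies).
SAMPLE_RECORDS = {
    "good.example":   "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:d@partial.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:d@monitor.example",
    "missing.example": None,
}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into a lowercase tag map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> dict:
    """Return whether the record meets the minimum bar (p=quarantine or
    p=reject at pct=100), whether it is ideal (p=reject everywhere), and notes."""
    if not record:
        return {"meets_minimum": False, "ideal": False,
                "notes": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"meets_minimum": False, "ideal": False,
                "notes": ["record does not start with v=DMARC1"]}
    notes = []
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        notes.append("pct is not an integer; treating as 0")
    if policy not in ("quarantine", "reject"):
        notes.append(f"p={policy} is monitor-only, not enforcement")
    if pct < 100:
        notes.append(f"pct={pct}: only part of failing mail is acted on")
    if sub_policy not in ("quarantine", "reject"):
        notes.append(f"sp={sub_policy}: subdomains are not enforced")
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports go nowhere")
    meets = policy in ("quarantine", "reject") and pct == 100
    ideal = policy == "reject" and sub_policy == "reject" and pct == 100
    return {"meets_minimum": meets, "ideal": ideal, "notes": notes}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record))
```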
The Application Trap: Where Organizations Get Burned
The 40% claim denial rate isn’t entirely explained by organizations trying to defraud their carriers. A significant portion comes from honest misrepresentation: organizations that believed they had controls in place, answered “yes” on the application, and then found out after a breach that their implementation didn’t match their attestation.
Two court cases illustrate this well.
International Control Services v. Travelers: Travelers denied coverage after a breach when the investigation revealed that MFA was implemented on the firewall, but not on the remote access system the attackers used. The organization had attested to having MFA for remote access. The claim was denied. The lesson isn’t that you need perfect security; it’s that your application answers need to reflect what you actually have, not what you intend to have or what you have in some parts of your environment.
Cottage Health v. Columbia Casualty: Coverage was denied when the insurer demonstrated that security controls attested to on the application weren’t maintained post-binding. The organization had controls in place when they applied, let them lapse, and then suffered a breach. Courts have upheld the insurer’s position that ongoing maintenance of attested controls is an implicit condition of coverage.
Marsh McLennan’s 2024 research found that 25% of businesses were denied coverage specifically because they couldn’t show verifiable evidence of security testing. Not because they lacked testing, but because they couldn’t prove they’d done it. Documentation matters as much as implementation.
Penetration Testing Requirements: What Carriers Actually Expect
Penetration testing is where the gap between “what organizations think they need” and “what carriers require” is widest. If you’re renewing a mid-to-large policy or applying for coverage above $1M, here’s what carriers are actually asking for today.
The Coverage Threshold Where Pentesting Becomes Required
Most carriers have an informal threshold (often around $1M in coverage) where penetration testing shifts from recommended to required. Above $5M, it’s nearly universal, and some carriers are mandating it for policies as low as $500K in high-risk sectors like healthcare, financial services, and critical infrastructure.
The requirement is almost always: at minimum one internal and one external penetration test per year. “Internal” means an assessment conducted from inside the network perimeter, simulating a compromised insider or a threat actor who’s already past the firewall. “External” means testing the attack surface visible from the internet: web applications, exposed services, perimeter defenses.
High-risk industries are increasingly seeing semi-annual requirements for external assessments, particularly where they process significant volumes of personal health information or payment card data.
What the Reports Need to Show
Carriers aren’t just asking whether you did a pentest. They’re asking to see the reports, and they’re getting more specific about what those reports need to contain. Underwriters reviewing applications at larger coverage tiers often request:
- The full methodology used (black-box, gray-box, white-box, scope)
- A list of findings with severity ratings
- Evidence of remediation for critical and high findings
- A retest report confirming that critical findings were addressed
A report from three years ago, or a report showing critical findings with no remediation evidence, is not going to satisfy underwriting. We’ve seen organizations produce clean pentest reports that were done against a sanitized or limited scope (testing five servers when the environment has 200), and carriers are getting better at identifying this.
The practical guidance here: scope your penetration test to match your actual environment, address the findings before you renew your policy, and keep the documentation. If you did a test in September and your policy renews in November, you want to be able to show that the September findings were remediated, not just that the test happened.
Vulnerability Assessments Aren’t a Substitute
A vulnerability assessment and a penetration test are different things, and carriers know the difference. A vulnerability assessment identifies weaknesses using automated scanning tools and manual review: it tells you what’s exposed. A penetration test goes further: it attempts to exploit those weaknesses, chain vulnerabilities together, and demonstrate real-world impact.
For insurance purposes, a vulnerability assessment may satisfy requirements at lower coverage levels. For policies above $1M, and almost universally above $5M, carriers want the penetration test, not the scan. If your security vendor is using the terms interchangeably, that’s a red flag worth addressing before your application.
Framework Alignment as a Premium Strategy
Documented alignment with NIST CSF or CIS Controls doesn’t just make your organization more secure; it directly influences what you pay for coverage.
Carriers use these frameworks as proxies for security maturity. An organization that can demonstrate CIS Controls implementation at Implementation Group 2 or 3 is a categorically different risk than one with ad-hoc controls and no documentation. The difference shows up in premiums, deductibles, and coverage terms.
The Munich Re projection puts the global cyber insurance market at $16.3 billion for 2025. That’s not an abstract number: it reflects the scale of claims being paid out and the actuarial reality that carriers are pricing risk based on security posture. Organizations that invest in documented, verifiable controls get better rates because they represent lower expected loss.
A gap assessment before renewal does two things: it identifies where your controls fall short of carrier requirements, and it maps your posture against NIST CSF or CIS Controls in a way that produces documentation you can use in underwriting conversations. That documentation is worth having independent of the insurance process; it’s also what you hand to auditors, regulators, and prospective enterprise clients.
How Breach Craft Approaches This
We work with organizations across the mid-market that are closing the gap between their current security posture and what their insurance carrier is actually asking for. The pattern we see most often: organizations that implemented controls two or three years ago haven’t kept up with the tightening requirements, and they find out at renewal, or worse, after a claim.
A few ways we support this:
Pre-renewal gap assessments: Before you submit your application, we map your actual controls against what your carrier requires. This surfaces misrepresentations before they become claim denials and identifies what needs to be addressed to qualify for the coverage you want.
Penetration testing with insurer-ready documentation: Our penetration testing engagements produce the methodology, findings, severity ratings, and remediation evidence that underwriters at major carriers expect to see. We scope assessments to match your actual environment, not a representative subset.
Tabletop exercises with documentation: We run tabletop exercises and produce the after-action reports and gap closure documentation that demonstrate to carriers that your IR plan has been tested. For organizations that haven’t exercised their plan in the past 12 months, this is often the fastest path to satisfying an underwriting requirement.
Virtual CISO support for ongoing compliance: If your organization doesn’t have a dedicated security leader managing the ongoing requirements (patch cycles, control evidence, third-party risk, vendor questionnaires), a virtual CISO relationship provides that function at a fraction of the cost of a full-time hire.
Where to Start
If you’re renewing a cyber policy in the next six months, the most impactful thing you can do right now is pull your most recent application and compare what you attested to against your current implementation. Not what you intended to implement. What’s actually running, with evidence.
If there are gaps between your attestations and your reality, address them before you renew. If you’re not sure whether your documentation is sufficient, bring in a third party to evaluate it before the underwriter does.
The 40% denial rate is high enough that it’s not just affecting organizations with poor security. It’s affecting organizations with decent security and poor documentation, and in an insurance claim context, those are functionally the same thing. Carriers need proof, not confidence. Make sure you can provide it.
Contact Breach Craft if you want a pre-renewal assessment or a scoped penetration test before your next application cycle.