Cyber Insurance Requirements in 2026: What Insurers Actually Want
Cyber insurance used to be straightforward: fill in a short form, pay a modest premium, get covered. That era is over. In 2026, underwriters are demanding detailed evidence of your security controls — and rejecting applications that don't meet their baseline.
Here's what insurers are actually looking for, what will get your application declined, and how to document everything correctly.
Why Cyber Insurance Has Changed
Ransomware losses exceeded $1 billion in reported claims in 2024. Insurers responded by tightening underwriting standards, increasing premiums, and adding exclusions. The market has bifurcated: organisations with strong security controls can still get affordable coverage; those without are either rejected or face premiums that make coverage impractical.
Controls Insurers Now Require (Non-Negotiable)
These are the controls that will get your application declined if you cannot demonstrate them:
Multi-Factor Authentication
MFA on all email, remote access (VPN/RDP), admin accounts, and privileged systems. Single-factor access to email is a near-automatic decline.
Endpoint Detection & Response (EDR)
Traditional antivirus is no longer sufficient. Insurers want EDR deployed on 100% of endpoints with centralised monitoring.
Privileged Access Management
Admin accounts must be separate from daily-use accounts. Shared admin passwords are a significant red flag.
Immutable, Offline Backups
Backups must be isolated from your primary network. Cloud-only backups that are connected to your main environment don't count — ransomware encrypts those too.
Patch Management
Critical patches must be applied within 30 days, and internet-facing systems must be patched within 72 hours of a patch's release. You need evidence that this actually happens, not just a written policy.
Security Awareness Training
Annual training at minimum. Phishing simulation results are increasingly expected.
Incident Response Plan
A documented, tested plan. Insurers want to know you've run a tabletop exercise in the past 12 months.
What Will Get You Declined
What Documentation Do You Need?
Insurers are moving beyond questionnaires. Many now request — or will soon require — evidence rather than just assertions. Here's what to prepare:
| Control | Evidence Required |
|---|---|
| MFA | Screenshot of MFA enforcement policy in Azure AD / Okta / Google Workspace |
| EDR | Dashboard showing 100% coverage with recent activity |
| Backups | Backup schedule + last successful restore test with date |
| Patching | Vulnerability scan report showing patch compliance rate |
| Training | Training completion rates by department, phishing simulation results |
| IR Plan | Dated, signed incident response plan + last tabletop exercise report |
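The Patch Management control above sets two windows (30 days for critical patches, 72 hours for internet-facing systems), and the Patching row of the table asks for a compliance rate as evidence. The following is an added example, not code from the original article or from Cyber Horizon: it computes that rate from a constructed scan export (the CSV columns are assumed; real scanners export differently) and lists the hosts that breached their window, treating still-open findings as late only once their deadline has passed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample scan export (not a real scanner's format): one finding per
# row; an empty patched_on means the finding is still open.
SCAN_CSV = """host,internet_facing,severity,patch_released,patched_on
web-01,yes,critical,2026-01-10,2026-01-11
web-02,yes,high,2026-01-10,2026-01-20
app-03,no,critical,2026-01-01,2026-01-25
db-04,no,critical,2026-01-01,
vpn-06,yes,critical,2026-02-14,
file-05,no,low,2025-12-01,
"""

# SLA windows as stated in the article's Patch Management control.
CRITICAL_SLA = timedelta(days=30)
INTERNET_FACING_SLA = timedelta(hours=72)

def sla_for(row):
    """Applicable SLA window, or None if out of scope; when both apply the
    stricter (shorter) window governs, e.g. an internet-facing critical."""
    windows = []
    if row["internet_facing"].strip().lower() == "yes":
        windows.append(INTERNET_FACING_SLA)
    if row["severity"].strip().lower() == "critical":
        windows.append(CRITICAL_SLA)
    return min(windows) if windows else None

def patch_compliance(scan_csv, as_of):
    """Return (compliance_rate, breaches) for all in-scope findings as of
    `as_of`; breaches lists hosts whose deadline passed before remediation."""
    in_scope, breaches = 0, []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        sla = sla_for(row)
        if sla is None:
            continue  # e.g. a low-severity finding on an internal host
        in_scope += 1
        released = datetime.strptime(row["patch_released"], "%Y-%m-%d")
        patched = row["patched_on"].strip()
        # An open finding is judged at `as_of`: not a breach while the
        # deadline still lies in the future (vpn-06 in the sample).
        resolved = datetime.strptime(patched, "%Y-%m-%d") if patched else as_of
        if resolved > released + sla:
            breaches.append(row["host"])
    rate = (in_scope - len(breaches)) / in_scope if in_scope else 1.0
    return rate, breaches

rate, breaches = patch_compliance(SCAN_CSV, datetime(2026, 2, 15))
print(f"Patch SLA compliance as of 2026-02-15: {rate:.0%}; breaches: {breaches}")
```

On the sample data the rate is 60%, with web-02 (internet-facing, patched after 10 days) and db-04 (critical, still open after 45 days) as the breaches; the same function run over a real export, dated and kept with the scan report, is the kind of evidence the Patching row describes.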
How to Reduce Your Premium
Beyond meeting baseline requirements, these controls can reduce your premium by 15-40%:
- ISO 27001 certification or SOC 2 Type II report — demonstrates third-party validated controls
- Cyber Essentials Plus — UK standard that many insurers reward with premium discounts
- Zero Trust network architecture implementation
- Cyber risk quantification (showing you understand your financial exposure)
- Board-level cybersecurity governance (documented CISO reporting line)
- 24/7 Security Operations Centre or MDR provider
Typical 2026 Cyber Insurance Costs (UK)
| Company Size | Coverage | Annual Premium |
|---|---|---|
| < 50 employees | £1M | £2,500 – £8,000 |
| 50-200 employees | £2M | £8,000 – £25,000 |
| 200-500 employees | £5M | £20,000 – £60,000 |
| 500+ employees | £10M+ | £50,000 – £200,000+ |
Premiums vary significantly based on industry, claims history, and security posture. Healthcare, financial services, and legal firms pay 2-3x the above rates.
The Bottom Line
Cyber insurance is no longer a checkbox exercise. Insurers are asking harder questions, demanding evidence, and declining poorly-secured organisations. The good news: if you implement the controls above, document them properly, and can demonstrate an active security programme, you'll get covered at a reasonable rate.
The organisations paying the highest premiums — or getting declined — are those that can't demonstrate basic security hygiene with documented evidence. That evidence gap is exactly what a GRC platform solves.
Get your cyber insurance evidence pack ready
Cyber Horizon automatically collects the evidence insurers ask for — MFA reports, patch compliance, training records, and more — in one audit-ready export.