7 Controls Your Cyber Insurer Will Require in 2026
Cyber insurance isn't optional anymore — it's becoming a board-level requirement. But getting coverage is harder than it used to be. According to industry data, 41% of first-time cyber insurance applications are denied, most commonly because the applicant is missing baseline security controls that carriers now consider non-negotiable.
Only 17% of small and midsize businesses currently carry cyber insurance. The average cyber claim now costs $100,000. If your business handles customer data, processes payments, or operates in a regulated industry, coverage isn't just smart — your clients and partners may start requiring it.
Here are the seven controls insurers are looking for in 2026 — and what happens if you don't have them.
1. Multi-Factor Authentication (MFA)
MFA adds a second verification step when logging in — usually a code sent to your phone or generated by an app. Insurers require it on all email accounts, VPN connections, and admin consoles.
Without MFA, a single stolen password gives an attacker full access to your systems. This is the number one reason applications get denied. Most carriers won't even begin underwriting without it.
2. Endpoint Detection and Response (EDR)
EDR goes beyond traditional antivirus. It monitors every device in your network for suspicious behavior — not just known malware signatures — and can automatically isolate a compromised machine before the threat spreads.
Traditional antivirus catches known threats. EDR catches the zero-day attacks, fileless malware, and living-off-the-land techniques that modern attackers use. Insurers know the difference, and they require EDR specifically.
3. Immutable Backups
Immutable backups are stored so that ransomware cannot encrypt, delete, or modify them. This typically means offline backups, air-gapped storage, or cloud backups with immutability locks enabled.
If ransomware hits and your backups are on the same network, the attacker encrypts those too. Without recoverable backups, you're choosing between paying the ransom and starting over. Insurers have seen this scenario too many times to underwrite without it.
4. Incident Response Plan
An incident response plan (IRP) is a written document that describes exactly what your organization does when a security event occurs. Who gets called first? Who makes the decision to shut down systems? How do you notify affected customers?
Without a plan, incident response becomes improvised — and improvised response costs more, takes longer, and creates legal exposure. Insurers want to see a documented, tested plan before they'll issue a policy.
5. Security Awareness Training
Annual security awareness training teaches employees to recognize phishing emails, social engineering, and common attack techniques. The best programs include simulated phishing campaigns to measure effectiveness.
Human error remains the top entry point for cyberattacks. Insurers require training because it measurably reduces the likelihood of a successful phishing attack — the most common cause of claims.
6. Patch Management
Patch management means applying software updates and security fixes within a defined window — typically within 30 days of release for critical patches. This applies to operating systems, applications, firmware, and network devices.
Unpatched software is an open door. Many of the most damaging breaches in recent years exploited vulnerabilities for which patches had been available for months. Insurers ask about patching cadence because it directly correlates with breach risk.
7. Access Controls
Access controls mean that employees only have access to the systems and data they need for their specific job — nothing more. This includes documented policies for granting, reviewing, and revoking access.
Without access controls, a single compromised account can reach everything. Least-privilege policies limit the blast radius of any breach and demonstrate to insurers that you take data protection seriously.
What This Means for Your Business
These seven controls aren't aspirational best practices — they are the minimum bar insurers expect in 2026. Missing even one can result in a denied application, higher premiums, or coverage exclusions that leave you exposed when you need the policy most.
The good news: these controls are implementable. Most environments can be deployment-ready within 30 days with the right partner. A managed security service like Net.Protect implements these controls as part of the standard platform, so you get both the protection and the documentation insurers want to see.
Sources: TransUnion/Aviva (2025), Coalition Cyber Claims Report (2024), industry surveys.