If you've tried renewing your cyber insurance recently, you've probably noticed something: it's got a lot harder. Gone are the days when insurers would rubber-stamp your application with a few basic questions about antivirus software.
In 2026, cyber insurance renewals feel more like full-blown security audits. Insurers have been burned by ransomware payouts and weak recovery practices, and they're not taking chances anymore. If your security controls aren't up to scratch, or worse, if you can't prove they are, you might find yourself facing sky-high premiums, reduced coverage, or outright rejection.
The good news? If you know what insurers are looking for, you can get ahead of the game. Here's our rundown of the 10 essentials you need to tick off for cyber insurance compliance in 2026.
1. Multi-Factor Authentication (MFA) Everywhere
This one's non-negotiable. Insurers expect MFA to be enabled across all your critical access points: email, cloud platforms, VPNs, remote desktop connections, and especially any administrative accounts.
If you're still relying on passwords alone for anything sensitive, that's a red flag underwriters will spot immediately. And no, SMS-based MFA isn't going to cut it for high-risk systems anymore. Stronger methods, such as authenticator apps or phishing-resistant hardware keys, are what insurers want to see.

2. Individual Privileged Accounts (No More Shared Logins)
Remember that shared admin account everyone in the office knows the password to? It needs to go.
Insurers want every privileged user to have their own individual credentials. Why? Because when something goes wrong, you need to be able to trace exactly who did what and when. Shared accounts make that impossible, and they're a massive liability during incident investigations.
Make sure you're also conducting regular access reviews: especially when someone changes role or leaves the company. Document everything.
3. Endpoint Detection and Response (EDR)
Traditional antivirus just doesn't cut it anymore. Insurers now expect modern Endpoint Detection and Response (EDR) solutions deployed across all devices that touch your systems: laptops, desktops, servers, and cloud-based virtual machines.
But it's not enough to just have EDR installed. You need to demonstrate that it's actively monitored, kept updated, and that you have a clear process for responding to alerts. Insurers will ask who's watching the dashboard and what happens when something gets flagged.
4. Tested and Verified Backups
Having backups is great. Having backups that actually work when you need them? That's what insurers care about.
You need to show that your backups are:
- Regularly tested (not just set and forgotten)
- Isolated from your main network (so ransomware can't encrypt them too)
- Documented with clear recovery procedures
If you can't demonstrate a tested recovery process, insurers will assume the worst: that you'd be dead in the water after an attack.
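To show what a "tested" backup looks like in practice, here is an added Python example (not from the original post) that builds a constructed sample backup with a checksum manifest, restores it into a scratch directory, and verifies every file against the manifest. The sample files, paths and manifest format are all assumptions made for the example; a real restore test would run the same verification against an archive pulled from the isolated backup store.

```python
"""Added example: restore a backup archive into a scratch directory and verify
every file against a checksum manifest recorded at backup time.
All sample data below is constructed for the example."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

# Constructed sample "production" files: path -> contents (not real data)
SAMPLE_FILES = {
    "db/dump.sql": b"CREATE TABLE tenants (id INT, name TEXT);\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\nlog_level: info\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple[bytes, dict]:
    """Build a gzip'd tar archive in memory and a manifest {path: sha256}.
    The manifest is what a backup job would write alongside the archive so a
    later restore test has something independent to compare against."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_hex(data)
    return buf.getvalue(), manifest


def safe_members(tar: tarfile.TarFile) -> list:
    """Refuse archive members that could write outside the scratch directory
    (absolute paths, '..' components) or that are not regular files."""
    members = tar.getmembers()
    for m in members:
        normalised = os.path.normpath(m.name)
        if os.path.isabs(m.name) or normalised.startswith("..") or not m.isfile():
            raise ValueError(f"refusing unsafe archive member: {m.name}")
    return members


def restore_and_verify(archive: bytes, manifest: dict) -> tuple[bool, list]:
    """Restore the archive into a temporary directory and check each manifest
    entry. Returns (ok, problems); problems lists missing or altered files."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            tar.extractall(scratch, members=safe_members(tar))
        for path, expected in manifest.items():
            full = os.path.join(scratch, path)
            if not os.path.isfile(full):
                problems.append(f"missing: {path}")
                continue
            with open(full, "rb") as fh:
                actual = sha256_hex(fh.read())
            if actual != expected:
                problems.append(f"checksum mismatch: {path}")
    return (not problems), problems


def run_restore_test(files: dict = SAMPLE_FILES) -> dict:
    """End-to-end: back up, restore, verify. Returns a small report dict that
    could be kept as evidence of the test having run."""
    archive, manifest = make_backup(files)
    ok, problems = restore_and_verify(archive, manifest)
    return {"files_checked": len(manifest), "ok": ok, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

The report dictionary is the artefact worth keeping: a dated record of how many files were checked and whether the restore succeeded is exactly the kind of evidence an underwriter asks for.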

5. Patch and Vulnerability Management
Unpatched systems are low-hanging fruit for attackers, and insurers know it. They'll want to know how often you run vulnerability scans, how you prioritise what gets fixed first, and whether you can show improvement over time.
A single clean scan isn't enough. What matters is demonstrating a consistent, documented process for identifying vulnerabilities and addressing them before they become problems.
6. Email Security and Anti-Phishing Controls
Email remains the number one attack vector for businesses. Phishing, business email compromise, and malicious attachments are behind a huge percentage of cyber insurance claims.
Insurers expect robust email security controls including:
- Spam and malware filtering
- Link scanning and sandboxing
- DMARC, DKIM, and SPF records configured properly
- Clear policies for handling suspicious emails
If your email security is weak, everything else becomes harder to protect.
7. A Documented Incident Response Plan
When (not if) something goes wrong, do you know exactly what to do? More importantly, can you prove it?
Insurers want to see a well-documented incident response plan that covers:
- How you'll identify and contain an attack
- Who's responsible for what
- How you'll communicate with stakeholders
- Your relationship with approved breach response teams
Your plan should also account for supply chain compromises: attacks that come through your vendors or partners rather than directly at you.

8. Security Awareness Training
Your people are your first line of defence, but they're also your biggest vulnerability if they're not trained properly. Social engineering and phishing attacks rely on human error, and insurers know this.
Regular security awareness training should cover:
- Recognising phishing attempts
- Safe handling of sensitive data
- Password hygiene
- Reporting suspicious activity
One annual training session isn't enough. Ongoing education and simulated phishing tests show insurers you're taking this seriously.
9. Vendor and Third-Party Risk Management
Your security is only as strong as your weakest supplier. Insurers are increasingly focused on how you manage third-party access to your systems.
You need to demonstrate that you:
- Know which vendors have access to your data and systems
- Review their security practices before granting access
- Limit access to what's strictly necessary and time-bound
- Maintain audit trails of third-party activity
This applies across industries too. Whether you're in IT, finance, or even property services: any business handling client data faces these requirements. We've seen this firsthand working with companies across sectors, including property professionals like propertyinventoryclerks.co.uk who handle sensitive tenant and landlord information daily.
10. Governance, Compliance, and Documentation
Finally, insurers want to see that you've got your house in order from a governance perspective. This means:
- Clear data inventories – knowing what data you hold and where
- Documented compliance with relevant regulations (GDPR, industry-specific requirements)
- Understanding of your policy – including exclusions and coverage triggers
- Evidence, evidence, evidence – vague answers won't fly anymore
If you can't substantiate your security controls with documentation, underwriters will push back. The days of "trust us, we've got it covered" are well and truly over.
The Bottom Line: Evidence Is Everything
The common thread running through all these requirements? Proof.
Insurers aren't just asking whether you have security controls in place: they want evidence that those controls actually work, are consistently applied, and can be demonstrated on demand.
This might feel like a lot to get your head around, especially if IT isn't your core business. But getting these fundamentals right doesn't just help with insurance: it genuinely protects your business from the threats that are only getting more sophisticated.
If you're not sure where you stand or want help getting your security posture ready for renewal season, we're always happy to chat. Book a free discovery call with our team, and we'll help you figure out what needs attention and where to start.
Cyber insurance is getting tougher to secure, but with the right preparation, you'll be in a much stronger position: both with your insurer and against the threats themselves.
