What Your Cyber Insurance Company Is About to Require - And How to Be Ready
If you renewed your cyber insurance policy in the last year, you probably noticed the application got a lot longer. If you have not renewed yet, you are in for a surprise. Underwriters have completely overhauled what they expect from policyholders in 2025 and 2026, and businesses that do not meet the new requirements are getting denied coverage - or finding out the hard way that their claims will not be paid.
This is not a scare tactic. It is what is actually happening in the market right now. Let me walk you through what insurers are requiring, why it matters, and how to get your business compliant before your next renewal.
Why Insurers Tightened the Rules
Cyber insurance was relatively easy to get a few years ago. Fill out a short application, pay a reasonable premium, and you were covered. Then ransomware payments exploded, claims skyrocketed, and insurers started losing money. The response was predictable: higher premiums, stricter underwriting, and a much longer list of security controls you must have in place before they will write you a policy.
The shift is not slowing down. If anything, each renewal cycle brings new requirements. Insurers have learned that businesses without specific controls are dramatically more likely to file claims, so they are simply refusing to cover those businesses.
The Seven Requirements You Will See on Your Next Application
Every carrier is slightly different, but these seven items appear on nearly every cyber insurance application and renewal questionnaire in 2026.
1. Multi-Factor Authentication on All Accounts
This is non-negotiable for every insurer. MFA must be enabled for all users - not just admins, not just remote workers, everyone. That includes email, VPN, remote desktop, cloud applications, and any system accessible from the internet. If you answer "no" to the MFA question on your application, most carriers will decline your policy outright.
2. Endpoint Detection and Response (EDR)
Basic antivirus is no longer sufficient. Insurers now specifically ask whether you have EDR deployed on all endpoints. EDR goes beyond signature-based detection to monitor device behavior, detect suspicious activity in real time, and automatically respond to threats. Underwriters want to see that every device accessing company data - Windows, Mac, and mobile - is covered.
3. Email Filtering and Anti-Phishing Protection
Since phishing remains the primary entry point for most attacks, insurers want evidence that you have advanced email filtering in place. This means more than the default spam filter. They are looking for link scanning, attachment sandboxing, impersonation protection, and the ability to block emails that spoof your own domain or known contacts.
4. Regular Backups with Tested Recovery
Having backups is not enough. Insurers now ask whether your backups are stored separately from your production environment (so ransomware cannot encrypt them too), whether they run on a regular schedule, and - critically - whether you have tested restoring from those backups. An untested backup is not a backup. If you cannot prove you can recover your data, the insurer considers that box unchecked.
5. Security Awareness Training Documentation
Carriers want to see that your employees receive regular security awareness training, and they want documentation to prove it. This typically means a formal training program with completion records, not a one-time presentation from three years ago. Many insurers also ask whether you conduct simulated phishing tests to measure how your team responds to real-world scenarios.
6. Incident Response Plan
You need a written plan that documents exactly what your business will do when - not if - a security incident occurs. Who gets notified? Who has authority to take systems offline? What are the steps for containment, investigation, and recovery? How do you handle communication with customers and regulators? Insurers ask for this because businesses without a plan take longer to respond, suffer more damage, and file larger claims.
7. Privileged Access Management
This one catches many small businesses off guard. Insurers want to know that administrative accounts - the accounts with the highest level of access to your systems - are managed separately from day-to-day user accounts. That means your IT admin should not be reading email and browsing the web with the same account that has full control over your entire environment. Privileged accounts need separate credentials, additional authentication requirements, and limited use.
What Happens If You Do Not Comply
There are two scenarios, and both are bad. First, if you answer the application honestly and indicate you do not have these controls, many carriers will simply decline to write or renew your policy. You will be uninsured.
Second - and this is worse - if you answer "yes" on the application but do not actually have the controls in place, and then you file a claim, the insurer will investigate. If they find that you misrepresented your security posture on the application, they can deny your claim entirely. You paid premiums for years, suffered a breach, and get nothing. This is happening to real businesses right now.
How Microsoft 365 Business Premium Covers Most of the List
Here is the practical part. If you are running Microsoft 365 Business Premium with proper configuration, you already have the tools to meet most of these requirements.
- MFA: Built into Microsoft Entra ID. Can be enforced for every user through Conditional Access policies, with options for authenticator apps, phone verification, and hardware security keys.
- EDR: Microsoft Defender for Business is included in Business Premium. It provides full endpoint detection and response across Windows and macOS devices, with automated investigation and remediation.
- Email filtering and anti-phishing: Defender for Office 365 (also included) provides advanced threat protection for email, including safe links, safe attachments, and anti-impersonation policies.
- Backups: While Microsoft 365 retention policies provide some protection, a dedicated backup solution for your cloud data is still recommended. This is the one area where you will likely need an additional tool.
- Security awareness training: Microsoft Defender includes attack simulation training with built-in phishing simulations, training modules, and reporting - all of which generate the documentation insurers want to see.
- Privileged access management: Microsoft Entra ID supports separate admin accounts, Conditional Access policies specific to privileged roles, and Privileged Identity Management (PIM) for just-in-time administrative access.
The catch is that having the licenses is not the same as having the configuration done correctly. Every one of these features needs to be set up, tested, and maintained. Default settings are not sufficient. Conditional Access policies need to be written for your specific environment. Defender needs to be deployed to every device. Training simulations need to be scheduled and tracked.
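Whether your Conditional Access policies actually enforce what you will attest to on the application can be checked from the policy objects themselves rather than from a glance at the portal. The following is an added example, not code from the original post or from Microsoft: it audits a list of policies in the JSON shape returned by the Microsoft Graph `/identity/conditionalAccess/policies` endpoint (fields such as `state`, `conditions.users.includeUsers`, `conditions.users.includeRoles`, `conditions.applications.includeApplications` and `grantControls`) against the "MFA for every user on every app" and "MFA for privileged roles" items. The three sample policies, the break-glass object id and the `enforce()` helper name are constructed for illustration; the Global Administrator role template id is the built-in one.

```python
"""Audit exported Entra ID Conditional Access policies against the MFA and
privileged-access questions on a cyber insurance application.

Added example; assumes the Microsoft Graph conditionalAccessPolicy JSON shape.
Sample policies below are constructed, not exported from a real tenant.
"""
from __future__ import annotations
from typing import Any, Dict, List

Policy = Dict[str, Any]
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Built-in Global Administrator role template id (real value).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Constructed placeholder for a break-glass account's object id.
BREAK_GLASS = "00000000-0000-0000-0000-00000000beef"


def _users(policy: Policy) -> Dict[str, Any]:
    return (policy.get("conditions") or {}).get("users") or {}


def _apps(policy: Policy) -> Dict[str, Any]:
    return (policy.get("conditions") or {}).get("applications") or {}


def requires_mfa(policy: Policy) -> bool:
    """True only if every sign-in matched by the policy must do MFA."""
    grant = policy.get("grantControls") or {}
    controls = list(grant.get("builtInControls") or [])
    if grant.get("authenticationStrength"):
        return True  # any authentication strength is at least MFA
    if "mfa" not in controls:
        return False
    # With operator OR, MFA is merely one option: "mfa OR compliantDevice"
    # lets a compliant device skip MFA. Only a lone mfa control or AND is strict.
    return len(controls) == 1 or (grant.get("operator") or "").upper() == "AND"


def is_enforced(policy: Policy) -> bool:
    # Report-only policies log what they would do but block nothing.
    return policy.get("state") == "enabled"


def covers_all_users(policy: Policy) -> bool:
    return "All" in (_users(policy).get("includeUsers") or [])


def covers_all_apps(policy: Policy) -> bool:
    return "All" in (_apps(policy).get("includeApplications") or [])


def targets_directory_roles(policy: Policy) -> bool:
    return bool(_users(policy).get("includeRoles"))


def _names(policies: List[Policy]) -> List[str]:
    return [p.get("displayName", "?") for p in policies]


def audit(policies: List[Policy]) -> Dict[str, Any]:
    """Map two questionnaire items to the policies that satisfy them."""
    mfa_all = [p for p in policies if is_enforced(p) and requires_mfa(p)
               and covers_all_users(p) and covers_all_apps(p)]
    admin_mfa = [p for p in policies if is_enforced(p) and requires_mfa(p)
                 and targets_directory_roles(p)]
    stuck = [p for p in policies if p.get("state") == REPORT_ONLY and requires_mfa(p)]
    # Exclusions on the MFA-for-all policy deserve a human look: one
    # break-glass account is normal, a long list is a gap.
    excluded = sorted({u for p in mfa_all for u in (_users(p).get("excludeUsers") or [])})
    return {
        "mfa_all_users": {"ok": bool(mfa_all), "policies": _names(mfa_all),
                          "report_only": _names(stuck), "excluded_users": excluded},
        "privileged_roles_mfa": {"ok": bool(admin_mfa), "policies": _names(admin_mfa)},
    }


def enforce(policy: Policy) -> Policy:
    """Hypothetical helper: the same policy with its state switched to enabled."""
    return {**policy, "state": "enabled"}


SAMPLE_POLICIES: List[Policy] = [
    {   # Left in report-only mode: looks like MFA-for-all, enforces nothing.
        "displayName": "CA001 Require MFA for all users",
        "state": REPORT_ONLY,
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Directory roles always get MFA: satisfies the privileged-access item.
        "displayName": "CA002 Require MFA for directory roles",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # "MFA or compliant device": a compliant device alone passes, so this
        # is not MFA for everyone even though it targets all users and apps.
        "displayName": "CA003 Require MFA or compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
    fixed = [enforce(SAMPLE_POLICIES[0])] + SAMPLE_POLICIES[1:]
    print(json.dumps(audit(fixed), indent=2))
```

Run against the constructed tenant, the MFA-for-all item comes back as not satisfied: the only policy that would satisfy it is sitting in report-only mode, and the enabled all-users policy lets a compliant device bypass MFA. Switching CA001 to enabled flips the result and surfaces the one excluded break-glass account for review. Feeding the script real data is a matter of exporting the policy list from Graph and loading it as JSON.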
The Incident Response Plan Gap
The one item that technology alone does not solve is your incident response plan. That requires sitting down, documenting your procedures, assigning roles, and making sure your team knows the plan exists. It does not need to be a hundred-page document. A clear, practical plan that covers notification procedures, containment steps, recovery priorities, and communication protocols is what insurers - and your business - actually need.
Get Ahead of Your Renewal
Do not wait until your renewal date to find out you have gaps. The time to assess your security posture and close gaps is now - before the insurer asks the questions.
GridLogic IT offers a free security assessment that maps your current environment against these insurance requirements. We will show you exactly where you stand, what needs to change, and how to get there. No commitment, no sales pitch - just a clear picture of your readiness. Get in touch at gridlogicit.com.