Facet Blog

How Are Central Illinois Businesses Meeting Cyber Insurance Requirements in 2026?

March 18, 2026

Ellie Shaw


Ellie Shaw is the Director of Marketing at Facet and the author of Cyber Treats, Facet's biweekly newsletter featuring topics like IT news, cybersecurity updates, compliance advice, and anything tech. She has been a member of the Facet team full-time since 2016 and enjoys finding new ways to share resources and information about cybersecurity with others.

Cyber insurance carriers now require documented proof of specific security controls before they will issue or renew a policy. For Central Illinois businesses, meeting these requirements means having multi-factor authentication, endpoint detection and response, tested backups, email security, and an incident response plan in place, and being able to prove it. The days of checking boxes on a questionnaire and moving on are over. Here is what carriers are asking for in 2026, what happens if you fall short, and how to get your business into a position where insurance works for you instead of against you.

At a glance: Cyber insurance renewals in 2026 require documented proof of security controls, not just yes/no answers on a questionnaire. The eight controls carriers most commonly require are MFA, EDR, email security, tested backups, an incident response plan, employee training, privileged access management, and patch management. According to Marsh McLennan’s 2025 Cyber Insurance Market Report, 99% of cyber insurance applications now include specific questions about MFA implementation. Small business cyber insurance premiums typically range from $1,000 to $7,500 annually for $1 million in coverage, depending on industry and security posture. Facet Technologies helps Central Illinois businesses meet cyber insurance requirements through managed security services that include the controls carriers demand.

Why Have Cyber Insurance Requirements Gotten Stricter?

The short answer is money. Carriers lost billions on preventable claims over the past several years, and they responded by raising their standards.

Ransomware claim costs alone are projected to reach $265 billion annually by 2031. The average cost of a data breach hit $4.88 million globally in 2024, according to IBM’s Cost of a Data Breach Report. Carriers looked at the claims data and found a pattern: the vast majority of successful attacks exploited gaps that should have been addressed, such as missing MFA, untested backups, outdated antivirus, and employees who had never received security training.

So insurers did what any business would do when it keeps paying for the same preventable problem. They started requiring their customers to fix it. Policies that were once treated like routine paperwork have become structured assessments of cybersecurity maturity. Renewals are more rigorous, questionnaires are longer, and carriers increasingly want documentation, not just answers.

What Security Controls Do Cyber Insurance Carriers Require in 2026?

While every carrier’s questionnaire is slightly different, the industry has converged on a core set of controls that are now expected across the board. Missing any of these can result in higher premiums, reduced coverage, or denial.

  • Multi-factor authentication (MFA). MFA is a login method that requires a second form of verification beyond a password. Carriers expect MFA enforced on email, VPN connections, remote access, cloud platforms, and all administrative accounts. Having MFA “available” is not enough. It must be enforced and documented. According to Marsh McLennan’s 2025 report, 99% of applications now include specific MFA questions, and Coalition’s 2024 data shows 82% of denied claims involved organizations without MFA.
  • Endpoint detection and response (EDR). Traditional antivirus is no longer sufficient. Carriers require EDR, which monitors devices for suspicious behavior and can respond to threats automatically. They will ask who monitors alerts, how quickly your team responds, and whether you can document your response process. Facet Technologies deploys autonomous endpoint protection across all managed client devices.
  • Email security. Phishing remains the top attack vector for insurance claims. Carriers expect dedicated email filtering that scans for spoofed senders, malicious links, weaponized attachments, and business email compromise attempts. A basic spam filter does not meet this requirement.
  • Tested, isolated backups. Carriers have learned that untested backups fail when they are needed most. They now ask whether your backups are tested regularly, whether backup copies are stored offline or isolated from your production network, and how quickly you can recover critical systems. Backup isolation prevents ransomware from encrypting your recovery data along with everything else.
  • Incident response plan. Insurers want a written plan that defines roles, escalation procedures, communication protocols, and recovery steps. They want evidence that the plan has been reviewed and tested, not just that a document exists somewhere on a shared drive.
  • Employee security training. Regular training and phishing simulations are now standard requirements. Carriers want to see a documented program with measurable results, such as phishing simulation click rates tracked over time.
  • Privileged access management. Shared administrative accounts are a red flag for underwriters. Carriers want individual credentials for every privileged user, with the ability to track and audit access. Automatic password rotation for administrative accounts adds another layer of documentation.
  • Patch management. Vulnerability exploits account for over 30% of ransomware attacks, according to the Sophos State of Ransomware 2025 report. Carriers expect documented evidence that operating systems and applications are patched on a regular schedule.

What Happens If You Cannot Meet These Requirements?

The consequences are real and immediate. Carriers are not bluffing.

If you cannot demonstrate the required controls, your insurer may increase your premiums significantly, sometimes 30% to 50% over the previous year. They may exclude ransomware coverage entirely, which removes the single most common and most expensive type of claim. In some cases, they will deny renewal altogether, leaving your business uninsured until you can demonstrate compliance.

There is also the claim denial risk. If you experience a breach and your insurer finds that your actual security posture did not match what you represented on your application, they can deny the claim. A January 2026 case involved a mid-size accounting firm whose ransomware claim was denied because the controls they reported on their application were not actually in place when the attack occurred. The firm faced over $300,000 in recovery costs with no insurance payout.

Honest reporting matters. Carriers would rather see a business that is transparent about its current gaps and actively working to close them than one that overstates its readiness and gets caught in a claim investigation.

How Can Your IT Provider Help You Meet Cyber Insurance Requirements?

This is where the relationship between your IT provider and your insurance coverage becomes direct. The controls carriers require are the same protections a good managed IT provider should already have in place for you.

If your IT provider is not proactively discussing your cyber insurance requirements, that is a gap worth addressing. Your provider should be able to help you in several concrete ways:

  • Review your carrier’s questionnaire with you and provide accurate answers based on your actual environment
  • Produce documentation that proves your controls are in place (MFA enforcement logs, backup test records, EDR deployment reports, training completion records)
  • Identify gaps between your current security posture and what your carrier requires
  • Build a remediation timeline for any controls that are missing
  • Participate in conversations with your insurance broker when technical details need clarification

Facet Technologies works with clients across Central Illinois to prepare for cyber insurance renewals. Because the security controls carriers require (MFA, EDR, email filtering, tested backups, employee training, and managed detection and response) are already included in our managed services agreements, most of our clients are in a strong position before renewal conversations begin.

For businesses that are not yet fully meeting carrier requirements, we conduct a cybersecurity risk assessment to identify exactly where the gaps are and build a prioritized plan to close them.

How Does Cyber Insurance Fit Into a Broader Cybersecurity Strategy?

Cyber insurance is not a replacement for cybersecurity. It is one layer in a broader risk management strategy. The businesses that get the most value from their coverage treat the insurance requirements as a baseline, not a ceiling.

Think of it this way: meeting the carrier’s requirements gets you insured. Going beyond them, with 24/7 SOC monitoring, regular penetration testing, compliance consulting, and structured quarterly reviews, reduces the likelihood that you will ever need to file a claim.

The best outcome is not a successful insurance claim. It is never needing one.

For Central Illinois businesses navigating HIPAA, PCI DSS, CMMC, or other compliance frameworks, there is significant overlap between compliance requirements and insurance requirements. Meeting one often satisfies much of the other. A managed IT partner who understands both can help you avoid duplicating effort and spending.

Frequently Asked Questions

What are the minimum cyber insurance requirements in 2026?

Most carriers require multi-factor authentication on all accounts, endpoint detection and response on every device, email security beyond basic spam filtering, tested and isolated backups, an incident response plan, employee security training, privileged access management, and regular patch management. Missing any of these can result in higher premiums or denial of coverage.

How much does cyber insurance cost for a small business?

Small business cyber insurance premiums typically range from $1,000 to $7,500 annually for $1 million in coverage. The actual cost depends on your industry, revenue, data volume, and the security controls you have in place. Businesses with documented security programs often qualify for lower premiums.

Can my cyber insurance claim be denied if my security is not what I reported?

Yes. If you experience a breach and the carrier determines that your actual security posture did not match your application responses, they can deny the claim entirely. Accurate reporting and documented evidence of your controls are the best protection against claim denial.

What is the difference between EDR and traditional antivirus for insurance purposes?

Traditional antivirus relies on known virus signatures to block threats. Endpoint detection and response monitors for suspicious behavior patterns and can isolate infected devices automatically. Carriers require EDR because it catches threats that signature-based tools miss, which is why traditional antivirus alone no longer satisfies most cyber insurance questionnaires.

Do I need 24/7 monitoring to qualify for cyber insurance?

Not all carriers require 24/7 SOC monitoring for standard policies. It depends on your company size, industry, and coverage level. Businesses in regulated industries (healthcare, finance, defense contracting) or those seeking higher coverage limits will increasingly see 24/7 monitoring as a requirement. It is also one of the most effective ways to reduce premiums.

How far in advance should I prepare for my cyber insurance renewal?

Start at least 60 to 90 days before your renewal date. This gives you time to audit your current security controls, address any gaps, gather documentation, and work with your IT provider to produce the evidence your carrier will request.

Does Facet Technologies help businesses prepare for cyber insurance renewals?

Yes. Facet Technologies helps Central Illinois businesses assess their security posture against carrier requirements, document existing controls, close gaps, and prepare for renewal questionnaires. Because our managed services agreements include the controls carriers require, most of our clients are renewal-ready year-round.

What should I look for in an IT provider to help with cyber insurance compliance?

Look for a provider who includes MFA, EDR, email security, tested backups, employee training, and incident response support as part of their managed services. They should be willing to produce documentation for your carrier and review your insurance questionnaire with you. If your IT provider cannot answer your carrier’s technical questions, that is a red flag.

Ready to Review Your Cyber Insurance Readiness?

Whether your renewal is next month or next year, knowing where you stand today saves surprises later. We will walk through your carrier’s requirements, identify what is in place and what is not, and give you a clear path forward.
