Cyber Insurance Requirements Are Getting Serious


Three years ago, getting cyber insurance meant filling out a questionnaire and paying a premium, and you were done. Maybe someone checked you had antivirus installed. Now? I’m seeing insurance applications that run 40 pages, require third-party security assessments, and actually verify your controls before underwriting.

Welcome to the new normal. Insurers are done paying out for preventable breaches. If you’re renewing a cyber policy in 2026 or getting one for the first time, the requirements have changed substantially. Here’s what actually matters.

MFA Everywhere Or No Coverage

Multi-factor authentication used to be a nice-to-have. Now it’s table stakes. Every insurer I’ve dealt with this year requires MFA on:

  • All admin accounts (obviously)
  • Email systems (Microsoft 365, Google Workspace, whatever you use)
  • VPN access
  • Critical business applications

“But we have MFA on admin accounts” doesn’t cut it anymore. They want it organisation-wide. And they’ll verify it during the application process, not just take your word for it.

One client got their renewal denied because they had MFA enabled but not enforced—users could skip it. The insurer’s exact words: “Configuration doesn’t match claim.” Brutal, but fair.

Backup Testing Gets Audited

Everyone has backups. Not everyone can actually restore from them. Insurers have figured this out, which is why they’re now asking:

  • When did you last test a full restore?
  • Who performed it?
  • What was the result?
  • Where are the backups stored?
  • Are they immutable or air-gapped?

Saying “we do backups” isn’t enough. They want documentation of successful restore tests within the past 90 days. And if your backups are on the same network as your production systems, they’ll either charge you double or decline coverage entirely.

Ransomware payouts are expensive. Insurers would rather not cover organisations that can’t recover without paying the ransom. Makes sense from their perspective, even if it’s annoying from yours.

Patch Management Actually Matters

This one’s painful because patch management is genuinely hard in complex environments. But insurers don’t care about your technical debt or legacy systems that can’t be updated.

They want to see:

  • Critical patches applied within 30 days of release
  • A documented patch management process
  • Vulnerability scanning results

Some insurers are using external scanning tools to verify your external attack surface before issuing a policy. If they find unpatched Exchange servers or exposed RDP, your application gets flagged. I’ve seen premiums jump 40% based on scan results alone.
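Before the underwriter runs their own scan, it is worth turning your vulnerability scanner's export into the answer they are going to ask for: which critical findings are open past the 30-day window, on which hosts, and by how much. The script below is an added example, not code from the original post or from any scanner vendor; the CSV column layout and the sample rows are constructed for illustration, so map `load_findings` onto whatever your scanner actually exports.

```python
"""Measure critical-patch SLA compliance from a vulnerability scan export.

Added example. The CSV layout (host, finding, severity, patch_released, status)
is an assumption; adapt load_findings() to your scanner's real export. The rows
in SAMPLE_EXPORT are constructed, not real scan data.
"""
import csv
import io
from datetime import date, datetime
from typing import Dict, List

# Thresholds in days. The 30-day critical window is what the post describes
# insurers asking for; add other severities here if your policy defines them.
SLA_DAYS: Dict[str, int] = {"critical": 30}

# Constructed sample export (assumed column names).
SAMPLE_EXPORT = """\
host,finding,severity,patch_released,status
mail01,Exchange Server cumulative update,critical,2026-01-05,open
mail01,TLS 1.0 enabled,medium,2025-11-20,open
vpn01,VPN appliance firmware,critical,2026-02-10,open
fs02,SMB signing not required,low,2025-09-01,open
dc01,Windows Server cumulative update,critical,2026-01-20,patched
"""


def load_findings(export_text: str) -> List[dict]:
    """Parse the CSV export into normalised finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        findings.append({
            "host": row["host"].strip(),
            "finding": row["finding"].strip(),
            "severity": row["severity"].strip().lower(),
            "patch_released": datetime.strptime(row["patch_released"].strip(), "%Y-%m-%d").date(),
            "status": row["status"].strip().lower(),
        })
    return findings


def sla_report(findings: List[dict], as_of: date, sla_days: Dict[str, int] = SLA_DAYS) -> dict:
    """Split open findings with an SLA into overdue and within-SLA lists.

    Age is measured from the vendor patch release date, which is what the
    30-day requirement is anchored to, not from when the scanner first saw it.
    """
    overdue, within = [], []
    for f in findings:
        limit = sla_days.get(f["severity"])
        if limit is None or f["status"] != "open":
            continue  # no SLA defined for this severity, or already remediated
        age = (as_of - f["patch_released"]).days
        entry = {**f, "age_days": age, "days_overdue": age - limit}
        (overdue if age > limit else within).append(entry)
    # Worst breach first; for in-SLA items, the one closest to breaching first.
    overdue.sort(key=lambda e: e["days_overdue"], reverse=True)
    within.sort(key=lambda e: e["days_overdue"], reverse=True)
    return {
        "as_of": as_of,
        "overdue": overdue,
        "within_sla": within,
        "hosts_in_breach": sorted({e["host"] for e in overdue}),
    }


if __name__ == "__main__":
    report = sla_report(load_findings(SAMPLE_EXPORT), as_of=date(2026, 3, 1))
    print(f"Critical-patch SLA as of {report['as_of']}: "
          f"{len(report['overdue'])} overdue, {len(report['within_sla'])} within SLA")
    for e in report["overdue"]:
        print(f"  BREACH  {e['host']:8} {e['finding']}: {e['days_overdue']} days past the 30-day window")
    for e in report["within_sla"]:
        print(f"  ok      {e['host']:8} {e['finding']}: {-e['days_overdue']} days left")
```

Run it against a real export and the `hosts_in_breach` list is exactly the set an external scan will flag first; fix those before the underwriter finds them.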

EDR, Not Just Antivirus

Old-school antivirus doesn’t count anymore. Insurers want endpoint detection and response tools that can:

  • Detect anomalous behaviour, not just known malware
  • Provide forensic data after an incident
  • Integrate with a SOC or MDR service

The specific vendors don’t usually matter—CrowdStrike, SentinelOne, Microsoft Defender for Endpoint all qualify. What doesn’t qualify: whatever free antivirus came with your PCs, or anything that hasn’t been updated since 2019.

And they’re checking. Some insurers require screenshots of your EDR console showing deployment rates and alert configurations. The verification process is getting thorough.

Email Security Controls

Business email compromise is the number one claim type for most cyber insurers. Which means email security is now heavily scrutinised during underwriting.

Requirements I’m seeing consistently:

  • DMARC configured to enforcement (p=reject or p=quarantine)
  • Advanced email filtering beyond basic spam detection
  • Link protection and attachment sandboxing
  • User awareness training with simulated phishing

The awareness training requirement is interesting. Insurers want proof you’re running regular phishing simulations and tracking results. Just having a training platform isn’t enough—they want to see declining click rates over time.
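"DMARC at enforcement" is easy to claim and easy to get subtly wrong: `p=none` is monitoring only, `pct=25` applies the policy to a quarter of failing mail, and an explicit `sp=none` leaves every subdomain open even when the parent is `p=reject`. The checker below is an added example, not code from the original post; the records it evaluates are constructed, and the verdict logic reflects how the DMARC tags are defined rather than any particular insurer's questionnaire.

```python
"""Decide whether a DMARC TXT record is actually at enforcement.

Added example. The records in SAMPLE_RECORDS are constructed for illustration.
Fetch a real one with: dig +short TXT _dmarc.example.com
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING = {"reject", "quarantine"}


@dataclass
class DmarcVerdict:
    enforcing: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    notes: List[str] = field(default_factory=list)


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict.
    Tag names are case-insensitive; values keep their case (they may be URIs)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt: str) -> DmarcVerdict:
    """Apply the tag semantics that matter for an enforcement claim."""
    tags = parse_dmarc(txt)
    notes: List[str] = []

    version_ok = tags.get("v", "").upper() == "DMARC1"
    if not version_ok:
        notes.append("missing or wrong v= tag; receivers will ignore the record")

    policy = tags.get("p", "").lower() or None
    if policy is None:
        notes.append("no p= tag")
    elif policy == "none":
        notes.append("p=none is monitoring only, not enforcement")
    elif policy not in ENFORCING:
        notes.append(f"unknown policy {policy!r}")

    # sp= defaults to p= when absent; an explicit sp=none exempts subdomains.
    sp = tags.get("sp", "").lower() or policy
    if sp == "none" and policy in ENFORCING:
        notes.append("sp=none leaves subdomains unenforced")

    # pct= defaults to 100; anything lower applies the policy to a sample only.
    pct = 100
    if "pct" in tags:
        try:
            pct = int(tags["pct"])
        except ValueError:
            notes.append(f"non-numeric pct={tags['pct']!r}")
            pct = 0
        if pct < 100:
            notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        notes.append("no rua= address, so you get no aggregate reports to prove it works")

    enforcing = version_ok and policy in ENFORCING and sp in ENFORCING and pct == 100
    return DmarcVerdict(enforcing, policy, sp, pct, notes)


# Constructed records, one per common failure mode plus a correct one.
SAMPLE_RECORDS = {
    "monitor-only":    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "subdomain-gap":   "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced":        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}


def audit_records(records: Dict[str, str]) -> Dict[str, DmarcVerdict]:
    return {name: evaluate_dmarc(txt) for name, txt in records.items()}


if __name__ == "__main__":
    for name, verdict in audit_records(SAMPLE_RECORDS).items():
        state = "ENFORCED" if verdict.enforcing else "NOT ENFORCED"
        print(f"{name:16} {state:13} p={verdict.policy} sp={verdict.subdomain_policy} pct={verdict.pct}")
        for note in verdict.notes:
            print(f"{'':16}  - {note}")
```

Only the last record passes; the other three are the shapes that get an application flagged as "configuration doesn't match claim" even though each of them technically contains `p=reject` or `p=quarantine`.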

The Incident Response Plan Question

Every application asks if you have an incident response plan. Everyone says yes. Now insurers are asking to see it.

They’re looking for:

  • Defined roles and responsibilities
  • Communication procedures
  • Contact details for forensics firms and legal counsel
  • Evidence you’ve actually tested the plan

Tabletop exercises count. If you did one in the past year and documented it, that helps. If your incident response plan is a Word document someone wrote in 2018 that’s never been used or updated, that’s a problem.

Premium Increases Are Real

Even if you meet all the requirements, premiums are up. I’m seeing 25-40% increases on renewals, sometimes more. Coverage limits are being reduced too—where you might have had $10 million in coverage two years ago, insurers are offering $5 million for the same premium.

This isn’t price gouging. Claim frequency and severity have both increased. The insurers that didn’t tighten requirements went bankrupt or exited the market. The ones left are being careful.

What To Do If You Don’t Meet Requirements

If your renewal is coming up and you can’t meet these requirements, you have a few options:

Buy time. Most insurers will give you 90 days to implement specific controls if you commit to a remediation plan. You’ll pay a higher premium during that period, but it keeps coverage in place.

Accept exclusions. Some policies will exclude certain scenarios—ransomware coverage might be removed if your backup testing isn’t current, for example. Not ideal, but better than no coverage.

Prioritise brutally. You probably can’t fix everything in 90 days. Focus on what insurers weight most heavily: MFA, backups, patching. Get those right first.

The Bigger Picture

This shift isn’t temporary. Cyber insurance is moving from a product that paid out when things went wrong to one that requires you to prevent things from going wrong in the first place. It’s becoming more like workers’ compensation—insurers want to see safety controls, not just collect premiums.

For IT leaders, this creates an interesting dynamic. Security investments that were hard to justify financially now have a direct line to insurance costs. “We need to implement MFA” is an easier conversation when “and it’ll save us $50,000 on our insurance renewal” comes right after it.

The organisations struggling most are the ones that treated cyber insurance as a substitute for actual security. That was never the right approach, but it worked for a while. Not anymore. Insurers are demanding real controls, verifying them, and pricing risk accordingly.

If you’re up for renewal in the next six months, start the security review now. Don’t wait until two weeks before renewal to discover you don’t meet the requirements. That conversation with the CFO won’t go well.
