Three years ago, you could get cyber insurance by filling out a questionnaire and checking some boxes. That era is over. Carriers have been burned by massive claim payouts, and their underwriting has gotten dramatically more sophisticated. In 2026, most carriers now require proof of specific security controls before they’ll write or renew your policy — and they’re verifying your answers.
Here are the seven controls that have become essentially non-negotiable for cyber insurance eligibility.
1. Multi-Factor Authentication (MFA) — Everywhere
MFA on email only isn’t enough anymore. Carriers now require MFA on remote access (VPN), cloud applications, privileged accounts (admin access), and often all user accounts. If a carrier asks “do you have MFA?” and you’ve only enabled it for email, you’ll get denied or quoted at a steep premium.
The implementation doesn’t need to be complicated. Microsoft Authenticator or similar app-based MFA is acceptable. SMS-based MFA is increasingly frowned upon but still accepted by most carriers. Hardware keys are the gold standard if you want the best rates.
2. Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient. Carriers want to see a modern EDR solution — think SentinelOne, CrowdStrike, or Microsoft Defender for Endpoint — deployed on every endpoint. EDR goes beyond signature-based detection to monitor behavior, detect anomalies, and enable rapid response to threats.
The key distinction carriers care about: EDR provides response capabilities (isolation, remediation, rollback), not just detection. If your “antivirus” can only alert you, it’s not EDR.
3. Verified Backup and Recovery
Carriers don’t just want to know that you have backups — they want to know your backups are offline or air-gapped (not accessible from your network if ransomware hits), tested regularly (when was the last time you actually restored from backup?), and sufficient to restore business operations within your acceptable downtime window.
The question that trips up most businesses: “When was your last successful backup restore test?” If you can’t answer that with a specific date and documented results, you have a problem.
4. Email Security and Phishing Protection
Phishing remains the number-one initial attack vector. Carriers expect to see three things: advanced email filtering beyond basic spam protection; DMARC, DKIM, and SPF properly configured on your domain; and regular security awareness training for all employees (most carriers want to see quarterly phishing simulations).
If you’re running Microsoft 365, the built-in Exchange Online Protection is a starting point, but most carriers want to see an additional layer like Proofpoint, Mimecast, or similar.
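The domain configuration piece of this section is easy to check yourself before an underwriter does. The script below is an added example written for this article, not code from the original post or from any vendor mentioned here. It parses an SPF record and a DMARC record and flags the settings carriers and mail receivers treat as weak: a permissive or missing `all` term, too many lookup-generating SPF terms, a DMARC policy of `p=none`, a partial `pct`, and no aggregate-report address. The records are constructed samples; for a real domain you would fetch the TXT records (for example with `dig TXT example.com` and `dig TXT _dmarc.example.com`) and pass the strings in.

```python
"""Assess SPF and DMARC records for the settings carriers ask about.

Added example, not code from the original article. The records below are
constructed samples; for a real domain you would fetch them with
`dig TXT example.com` and `dig TXT _dmarc.example.com` and pass the
strings in.
"""

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing flagged."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        term = term.lower()
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        # Mechanism name is whatever precedes ':', '=' or '/' (include:, redirect=, a/24).
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any host send as the domain; use -all or ~all")
    # Only top-level terms are counted here; nested include: records add more lookups.
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (evaluators return permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record (the TXT record at _dmarc.<domain>)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("DMARC: no valid p= policy tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in {"quarantine", "reject"} and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> dict:
    """Run both checks and return the findings keyed by record type."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


# Constructed sample records: one weak pair and one hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", GOOD_SPF, GOOD_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

The SPF lookup count is an approximation: it counts only the top-level terms, while a real evaluator also follows every `include:` and `redirect=` it encounters, so a record that passes here can still exceed the limit once nested records are resolved. DKIM is not covered because it requires knowing each selector the sending services use, which does not live in a single predictable DNS name.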
5. Patch Management
Unpatched systems are one of the most common entry points for attackers. Carriers want evidence of a documented patch management process with specific timelines — critical patches applied within 14 days is the most common benchmark. They’ll often ask about your patching cadence during the application process, and increasingly, they’re running external vulnerability scans on your public-facing systems to verify.
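When a carrier asks about patching cadence, the useful answer is a measured compliance rate rather than a policy statement. The script below is an added example for this article, not code from the original post or from any patch management product. It takes a list of patch items with the date each patch became available and the date it was applied (or none, if still open), applies a days-to-patch benchmark per severity, and reports how many items met, missed, or are currently past their deadline. The 14-day critical benchmark is the one cited above; the 30-day and 90-day tiers for high and medium, the asset names and the `ADV-nnn` references are assumed, constructed values.

```python
"""Measure patch timeliness against a days-to-patch benchmark per severity.

Added example, not code from the original article. The inventory is a
constructed sample; in practice you would export it from your patch
management tool or vulnerability scanner. The 14-day critical benchmark
is the one the article cites; the other tiers are assumed values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed from patch availability to deployment, per severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass
class PatchItem:
    asset: str
    ref: str                 # advisory or ticket reference (constructed placeholders)
    severity: str
    available: date          # date the patch was released
    patched: Optional[date]  # None means the patch is still not applied


def deadline(item: PatchItem) -> date:
    """Date by which the patch must be applied to meet the benchmark."""
    return item.available + timedelta(days=SLA_DAYS[item.severity])


def classify(item: PatchItem, as_of: date) -> str:
    """met: patched in time; late: patched after the deadline;
    overdue: still open past the deadline; open: still open, deadline not reached."""
    due = deadline(item)
    if item.patched is not None:
        return "met" if item.patched <= due else "late"
    return "overdue" if as_of > due else "open"


def sla_report(items, as_of: date) -> dict:
    """Count items per status and compute the compliance rate for items whose deadline has passed."""
    counts = {"met": 0, "late": 0, "overdue": 0, "open": 0}
    overdue = []
    for item in items:
        status = classify(item, as_of)
        counts[status] += 1
        if status == "overdue":
            overdue.append((item.asset, item.ref, (as_of - deadline(item)).days))
    # Items still inside their window are excluded so they neither inflate nor deflate the rate.
    measured = counts["met"] + counts["late"] + counts["overdue"]
    compliance = round(100 * counts["met"] / measured, 1) if measured else None
    return {"counts": counts, "compliance_pct": compliance, "overdue": overdue}


# Constructed sample inventory, evaluated as of 1 March 2026.
AS_OF = date(2026, 3, 1)
SAMPLE_ITEMS = [
    PatchItem("FS01", "ADV-001", "critical", date(2026, 2, 1), date(2026, 2, 10)),   # met
    PatchItem("WEB01", "ADV-002", "critical", date(2026, 2, 1), date(2026, 2, 20)),  # late
    PatchItem("VPN01", "ADV-003", "critical", date(2026, 2, 5), None),               # overdue
    PatchItem("LT-07", "ADV-004", "high", date(2026, 2, 20), None),                  # open
    PatchItem("DB01", "ADV-005", "medium", date(2025, 12, 1), date(2026, 1, 15)),    # met
]

if __name__ == "__main__":
    print(sla_report(SAMPLE_ITEMS, AS_OF))
```

Run against a real export, the `overdue` list is the set of systems an external vulnerability scan would find first, which is the same check the carrier is running from the outside.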
6. Privileged Access Management
Who has admin access to your systems? Carriers want to see the principle of least privilege enforced — meaning users only have the access they need to do their jobs, separate admin accounts for IT staff (not using admin credentials for daily email), and regular access reviews to remove former employees and unnecessary permissions.
This is an area where many small businesses fail the underwriting process. If your entire team is running as local administrators on their laptops, that’s a red flag carriers have learned to spot.
7. Incident Response Plan
A written, tested incident response plan is now standard across most carriers. The plan should cover roles and responsibilities (who does what when an incident occurs), communication procedures (internal and external), containment and eradication steps, notification requirements for your specific regulatory obligations, and contact information for your IT provider, legal counsel, and the carrier itself.
Bonus points if you’ve conducted a tabletop exercise — a simulated incident walkthrough with your team. Some carriers specifically ask about this.
What This Means for Your Renewal
If you’re approaching a cyber insurance renewal without these controls in place, expect one of three outcomes: denial of coverage, a significant premium increase, or reduced coverage limits with expanded exclusions. None of these are good for your business.
The silver lining: implementing these controls doesn’t just satisfy your insurance carrier. They genuinely reduce your risk of a breach. The businesses that invest in these fundamentals spend less on insurance, experience fewer incidents, and recover faster when something does happen.
If you need help getting these controls in place before your next renewal, Iron Core specializes in building security programs that satisfy both carriers and regulators. We can assess your current posture and close the gaps before underwriting becomes a crisis.