The Paradox No One Expected
The cyber insurance market in 2026 defies simple narratives. Premiums have declined for 11 consecutive quarters according to Marsh's Global Insurance Market Index. Howden's 2025 Cyber Insurance Report documents rates 27% below their mid-2022 peak. The NAIC's 2025 Cybersecurity Insurance Report recorded the first-ever decline in US cyber insurance premiums — down 2.3% in 2024 after years of double-digit growth.
By the traditional logic of insurance markets, this should mean coverage is easier to obtain. The opposite is true.
Fitch Ratings reported that over 40% of cyber insurance claims were denied in 2024. Marsh documented a 41% claim denial rate linked specifically to deficiencies in multi-factor authentication and endpoint detection. Insurers are writing more policies at lower rates while simultaneously rejecting more claims from policyholders who fail to meet increasingly granular technical requirements.
The market has not softened. It has bifurcated. Organisations with mature security programmes are enjoying competitive pricing from insurers competing aggressively for their business. Organisations without documented, verifiable controls face coverage denials, restrictive sublimits, and exclusions that render policies substantially less valuable than they appear on paper.
Understanding this dynamic is essential for any organisation renewing or purchasing cyber insurance in 2026.
How the Market Got Here
The Correction Cycle
The current pricing environment follows a period of dramatic market hardening between 2020 and 2022, driven by a surge in ransomware claims. Insurers responded with steep rate increases — some exceeding 100% year-over-year — and tightened underwriting standards. The correction worked. Loss ratios improved, more capacity entered the market, and competition drove prices down.
Munich Re projects the global cyber insurance market will reach approximately $16.4 billion in premiums in 2026, up from an estimated $15.3–16.3 billion in 2025. The longer-term trajectory remains strongly upward — Munich Re expects the market to double to $32.4 billion by 2030, growing at over 10% annually.
But this growth masks a structural shift in how insurers assess and price risk.
From Questionnaires to Evidence
The most consequential change in the market is not pricing — it is underwriting methodology. Three years ago, cyber insurance applications consisted primarily of self-attested questionnaires. Applicants checked boxes confirming they had MFA deployed, backups in place, and incident response plans documented.
That model failed catastrophically. Insurers discovered that self-attestation bore little correlation to actual security posture. Claims flooded in from organisations that had attested to controls they had not actually implemented, had implemented partially, or had implemented but not maintained.
The industry's response has been to shift from trust-based to evidence-based underwriting. Today's applications require screenshots of MFA configurations, audit logs from endpoint detection platforms, backup restoration test reports, and in some cases live demonstrations of security controls. Verbal and written attestations are no longer sufficient.
The Eight Controls Insurers Require
Underwriting requirements vary by insurer and policy type, but a clear baseline has emerged. The following eight controls represent the minimum threshold for obtaining and maintaining cyber insurance coverage in 2026. Deficiencies in any of these areas can result in application denial, policy exclusions, or claims rejection.
1. Multi-Factor Authentication
MFA is the single most important control in underwriting assessments. Missing or incomplete MFA deployment is the primary reason for application denials according to multiple broker reports. Insurers require MFA on all remote access, privileged accounts, email systems, and administrative interfaces. "We have MFA on VPN" is no longer sufficient — insurers expect evidence of comprehensive deployment across all critical access points.
2. Endpoint Detection and Response
24/7 endpoint detection with active response capability is now a baseline requirement. Insurers typically maintain approved vendor lists. Legacy antivirus solutions do not qualify. The requirement extends to servers and cloud workloads, not just endpoints.
3. Immutable or Isolated Backups
The Verizon 2025 Data Breach Investigations Report found that 94% of ransomware victims had their backups targeted. Insurers now require evidence that backups are either immutable (cannot be modified or deleted) or physically isolated from the production network. Annual backup restoration testing must be documented.
4. Incident Response Planning
A documented incident response plan is necessary but not sufficient. Insurers require evidence that the plan has been tested through tabletop exercises within the past 12 months. Organisations must demonstrate defined escalation paths, communication protocols, and relationships with external incident response providers.
5. Email Security
Business email compromise and funds transfer fraud accounted for 60% of all cyber insurance claims in 2024 according to Coalition's 2025 Cyber Claims Report. Insurers require email security solutions capable of detecting BEC, social engineering, and impersonation attacks at the mailbox level — not just spam filtering.
6. Third-Party Risk Management
Coalition's 2025 report found that third-party incidents accounted for 31% of all claims, up from near zero in prior years. Insurers are now asking detailed questions about how organisations assess, monitor, and manage ICT supply chain risk. This aligns directly with the third-party risk management requirements under both NIS2 (Article 21, Measure 4) and DORA (Articles 28–44).
7. Patch Management
Insurers require documented patch management programmes with defined SLAs for critical vulnerabilities. Organisations must provide evidence of regular vulnerability scanning and timely remediation. An inability to demonstrate that critical CVEs are patched within policy-defined windows (typically 14–30 days) can result in claims denial.
8. Privileged Access Management
The separation of standard and privileged access is increasingly a differentiator in underwriting assessments. Organisations with mature PAM programmes — including just-in-time access, session recording, and credential vaulting — consistently receive more favourable terms.
The Claims Reality
The cyber insurance claims landscape in 2024 and early 2025 reveals where the real risk lies — and where insurers are tightening scrutiny.
Volume and Denial Rates
The NAIC reported approximately 50,000 cyber insurance claims in 2024, a 40% year-over-year increase. Claims frequency rose 13% year-over-year. Yet the most striking figure is the denial rate: over 40% of claims were denied according to Fitch Ratings analysis.
Claims are being denied not because the incidents fall outside policy coverage, but because policyholders failed to maintain the security controls they attested to during underwriting. The shift to evidence-based underwriting is, in part, an attempt to reduce this mismatch — but it means organisations that cannot demonstrate continuous control maintenance face material financial exposure despite holding active policies.
What Is Driving Losses
| Incident Type | Share of Claims | Financial Impact |
|---|---|---|
| Business email compromise / funds transfer fraud | 60% of claims | Growing severity |
| Ransomware | 9.6% of claims | 91% of total incurred losses |
| Third-party incidents | 31% of claims | Fastest-growing category |
The disproportion between ransomware's claim frequency (under 10%) and its share of total losses (over 90%) explains why insurers focus so heavily on the controls that prevent and mitigate ransomware: backups, EDR, MFA, and incident response capability.
Coalition reported that the average ransomware loss reached $292,000 in 2024. Resilience's 2025 claims data showed average total ransomware costs rising 17% to $1.18 million. Average ransom demands declined 22% year-over-year to $1.1 million — but this reflects more effective negotiation and refusal to pay, not a reduction in attacker ambition.
Munich Re observed that data exfiltration was present in 40% of large claims in the first half of 2025, up from 25% in 2024, reflecting the shift toward double-extortion tactics where attackers both encrypt and steal data.
Exclusions That Reshape Coverage
A cyber insurance policy is only as valuable as what it actually covers. Three categories of exclusions are fundamentally reshaping the effective scope of coverage in 2026.
State-Backed Attack Exclusions
Lloyd's Market Bulletin Y5433, issued in August 2022, required all standalone cyber policies in the Lloyd's market to include exclusions for state-backed cyber attacks effective from March 31, 2023. The most commonly adopted clause, LMA5567A, excludes losses attributable to a cyber attack that is:
- Carried out by or on behalf of a state
- Part of a wider military or intelligence operation
- Attributed to a state by the government of the affected country or an international body
The practical challenge is attribution. The Merck v Ace American Insurance settlement, which concluded in January 2024 at $1.4 billion, demonstrated the legal complexity. The New Jersey court ruled that a traditional war exclusion could not be applied to the NotPetya cyberattack — a ruling that directly catalysed Lloyd's mandate for cyber-specific war exclusion language.
For policyholders, the critical question is which variant of the war exclusion their policy contains. The five Lloyd's Market Association clause options (LMA5564 through LMA5567B) offer materially different levels of coverage. Organisations should review their specific clause with a specialist broker.
Systemic and Infrastructure Risk
The CrowdStrike outage in July 2024 — which caused an estimated $5.4 billion in total losses to Fortune 500 companies according to Parametrix, with insured losses estimated at $540 million to $1.08 billion — validated longstanding concerns about concentration risk in cybersecurity infrastructure.
Insurers are responding with sublimits for systemic events, aggregation clauses that cap total payouts from incidents affecting multiple policyholders simultaneously, and more restrictive definitions of what constitutes a covered "cyber event" versus an operational technology failure.
AI-Related Exclusions
As organisations deploy AI systems, insurers are introducing sublimits and exclusions for AI-specific risks. IBM's 2025 Cost of a Data Breach Report found that 97% of organisations that experienced AI-related breaches lacked proper AI access controls, and that shadow AI added an average of $670,000 to breach costs. Expect underwriting questions about AI governance to expand significantly through 2026 and 2027.
The SMB Insurance Crisis
The cyber insurance coverage gap is most acute among small and mid-sized enterprises — precisely the organisations least able to absorb uninsured losses.
The Numbers
Acrisure's 2024 analysis found that 82% of US businesses with 500 or fewer employees lack a dedicated cyber insurance policy. Swiss Re's data shows global SME cyber insurance adoption at approximately 10%, compared to roughly 80% for large corporates. Munich Re found that 28% of companies have never been offered cyber insurance, and 26% did not know it existed.
The Affordability Trap
The financial mathematics are unforgiving. The average SME cyber claim is $264,000 according to InsuranceNewsNet, up 30% year-over-year. The median cash reserves for a small business are approximately $12,100. An uninsured cyber incident of average severity represents an existential financial event for most small enterprises.
Yet the controls required to qualify for coverage — MFA, EDR, PAM, documented incident response — require investment that many SMBs struggle to justify. The ECSO white paper on NIS2 implementation found that 34% of SMEs report no ability to secure additional budget for cybersecurity compliance. This creates a structural gap: the organisations most vulnerable to catastrophic loss from cyber incidents are the least likely to hold insurance against those losses.
European Context
The coverage gap is even wider in Europe. Howden's 2025 report indicates that cyber insurance penetration in France, Germany, Italy, and Spain remains below 30%, with the vast majority of mid-market and smaller organisations operating without coverage. Swiss Re data shows Europe accounts for 21% of global cyber insurance premiums (approximately $3.3 billion in 2024), growing at a 26% CAGR between 2020 and 2024 — but from a very low base.
The Compliance Connection
One of the most significant developments in the cyber insurance market is the growing alignment between regulatory compliance requirements and insurer underwriting expectations.
Overlapping Control Frameworks
The controls that insurers mandate — MFA, incident response, third-party risk management, access controls, backup management, vulnerability handling — map directly to the requirements of NIS2 Article 21 and DORA's five pillars. This is not coincidental. Both regulators and insurers are converging on the same evidence base for what constitutes minimum viable cybersecurity.
| Insurer Requirement | NIS2 Article 21 Measure | DORA Pillar |
|---|---|---|
| MFA and access controls | Measure 10: Multi-factor authentication | Pillar I: ICT Risk Management |
| Incident response and reporting | Measure 2: Incident handling | Pillar II: Incident Management |
| Backup and business continuity | Measure 3: Business continuity | Pillar I: ICT Risk Management |
| Third-party risk management | Measure 4: Supply chain security | Pillar IV: Third-Party Risk |
| Vulnerability management | Measure 5: Security in acquisition and development | Pillar III: Resilience Testing |
| Risk assessment | Measure 1: Risk analysis and policies | Pillar I: ICT Risk Management |
Practical Implications
While no major insurer has published a formal "compliance discount," broker reports consistently indicate that organisations demonstrating compliance with recognised frameworks — ISO 27001, NIS2, DORA — receive more favourable underwriting treatment. The reason is straightforward: compliance with these frameworks requires implementing and maintaining exactly the controls that reduce claims frequency and severity.
Organisations that approach cyber insurance and regulatory compliance as separate workstreams are duplicating effort and missing the opportunity to build a unified evidence base that satisfies both their regulator and their insurer.
How to Qualify for Better Terms
Based on the verified underwriting data, here are the practical steps organisations should take before their next cyber insurance renewal.
Before the Application
- Conduct a controls gap assessment against the eight baseline requirements. Document your current state with evidence: configuration screenshots, audit logs, test results. Insurers will ask for this documentation — having it ready signals maturity.
- Deploy MFA comprehensively. Not just on VPN and email — on every system that supports it, particularly administrative interfaces, cloud consoles, and service accounts. This is the single highest-impact action for both insurability and actual security posture.
- Verify your backup resilience. Test restoration from backups. Document the test results. Ensure at least one backup copy is immutable or air-gapped. If your backups have never been tested under realistic conditions, they are not backups — they are hopes.
- Document and test your incident response plan. Conduct a tabletop exercise. Ensure you can demonstrate to an underwriter that your organisation can detect, classify, report, and respond to a significant incident within the timelines that both your policy and your regulator require.
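As an added example (not code from the article or any insurer), the gap assessment above can be turned into a repeatable self-check: the script below evaluates a constructed evidence record against the eight baseline controls and the thresholds the article states (annual restore test, tabletop within 12 months, critical patches within the policy SLA). The evidence structure, field names and CVE ids are assumptions and placeholders, not real data.

```python
from datetime import date

# Constructed sample evidence for the eight baseline controls (not real data).
# CVE ids are placeholders, not real vulnerability identifiers.
AS_OF = date(2026, 3, 1)
EVIDENCE = {
    "mfa": {"remote_access": True, "privileged_accounts": True,
            "email": True, "admin_interfaces": False},
    "edr": {"endpoints": True, "servers": True, "cloud_workloads": False,
            "response_24x7": True},
    "backups": {"immutable_or_isolated": True,
                "last_restore_test": date(2024, 11, 15)},
    "incident_response": {"plan_documented": True,
                          "last_tabletop": date(2025, 9, 2)},
    "email_security": {"bec_detection": True},
    "third_party": {"supplier_assessment_process": True},
    "patching": {"critical_sla_days": 30, "open_critical": [
        {"id": "CVE-0000-0001", "first_seen": date(2026, 1, 10)},
        {"id": "CVE-0000-0002", "first_seen": date(2026, 2, 20)}]},
    "pam": {"jit_access": False, "session_recording": True,
            "credential_vaulting": True},
}

def _missing(section):
    """Names of boolean evidence items that are not satisfied."""
    return [k for k, v in section.items() if v is False]

def assess(ev, as_of, max_age_days=365):
    """Return a list of gap descriptions; an empty list means renewal-ready."""
    gaps = []
    for ctl, label in (("mfa", "MFA"), ("edr", "EDR"), ("pam", "PAM"),
                       ("email_security", "Email security"),
                       ("third_party", "Third-party risk")):
        m = _missing(ev[ctl])
        if m:
            gaps.append(f"{label}: not evidenced for {', '.join(m)}")
    # Backups: an immutable or isolated copy plus a restore test within the year.
    b = ev["backups"]
    if not b["immutable_or_isolated"]:
        gaps.append("Backups: no immutable or isolated copy")
    age = (as_of - b["last_restore_test"]).days
    if age > max_age_days:
        gaps.append(f"Backups: last restore test {age} days ago (annual test required)")
    # Incident response: a documented plan plus a tabletop within 12 months.
    ir = ev["incident_response"]
    if not ir["plan_documented"]:
        gaps.append("Incident response: no documented plan")
    age = (as_of - ir["last_tabletop"]).days
    if age > max_age_days:
        gaps.append(f"Incident response: last tabletop {age} days ago")
    # Patching: critical findings still open beyond the policy-defined SLA.
    p = ev["patching"]
    overdue = [f"{v['id']} ({(as_of - v['first_seen']).days} days)"
               for v in p["open_critical"]
               if (as_of - v["first_seen"]).days > p["critical_sla_days"]]
    if overdue:
        gaps.append(f"Patching: critical findings past {p['critical_sla_days']}-day SLA: "
                    + ", ".join(overdue))
    return gaps

if __name__ == "__main__":
    for g in assess(EVIDENCE, AS_OF):
        print("GAP -", g)
```

Each reported gap corresponds to an item an underwriter would expect evidence for; the evidence record can be refreshed before every renewal so the assessment reflects continuous control maintenance rather than a one-off attestation.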
During Renewal
- Engage a specialist broker. Cyber insurance is a specialist product. General commercial brokers may not understand the technical nuances of coverage exclusions, war clauses, or sublimit structures. A specialist broker can identify gaps in proposed coverage and negotiate terms that reflect your actual risk profile.
- Review exclusions explicitly. Ask which war exclusion clause your policy uses. Understand the systemic risk and aggregation provisions. Clarify whether AI-related incidents are covered or excluded. The coverage you think you have may not be the coverage you actually have.
- Present your compliance posture. If your organisation has achieved or is working toward ISO 27001 certification, NIS2 compliance, or DORA compliance, present this to underwriters with supporting evidence. Framework compliance demonstrates the sustained control maturity that insurers reward.
What the Market Tells Us
The cyber insurance market is a remarkably efficient signal of where real cybersecurity risk lies. Insurers process tens of thousands of claims annually, analyse loss data across every sector and geography, and price risk based on actuarial evidence rather than theoretical threat models.
When insurers collectively mandate MFA, EDR, immutable backups, and incident response capability, they are telling us — based on billions of dollars in claims experience — that these controls materially reduce the probability and severity of loss. When they exclude state-backed attacks and introduce systemic risk sublimits, they are telling us where the models break down and the risk exceeds what private markets can absorb.
For organisations navigating the intersection of cybersecurity, compliance, and risk management, the insurance market's signals deserve serious attention. The controls that qualify you for better coverage are the same controls that reduce your actual risk exposure and satisfy your regulatory obligations.
The question is not whether you can afford cyber insurance. For most organisations, the question is whether you can afford to operate without it — and whether you have the security posture to qualify for the coverage you need.
Sources
Regulatory and Market Data
- NAIC — 2025 Cybersecurity Insurance Report
- Munich Re — Cyber Insurance: Risks and Trends 2025
- Swiss Re — Cyber Insurance Growth Shift
- Howden — 2025 Cyber Insurance Report
Broker and Insurer Reports
- Marsh — Cyber Insurance Market Update
- Aon — 2025 Global Cyber Risk Report
- WTW — Insurance Marketplace Realities 2026: Cyber Risk
- Coalition — 2025 Cyber Claims Report
Research and Analysis