
Cyber Insurance Requirements 2026: What Mid-Market Businesses Must Have to Get Covered.

Cyber Insurance Requirements 2026 | Stepfar Technology Group

Most business leaders buy cyber insurance and assume they're covered. They're not always right.


The policy sitting in your legal files may have more conditions buried in it than anyone on your team has read closely. Insurers are enforcing those conditions now in ways they weren't two years ago. If your organization hasn't actively worked to meet the requirements your insurer outlined at renewal, there's a real chance a claim gets denied when you need it most.


That's not a scare tactic. It's what's happening across the industry right now, and it's not just small startups getting caught out. Mid-sized companies with established IT environments are discovering gaps at the worst possible time: after an incident.



The rules changed. Did you?


Cyber insurance used to be relatively easy to get. Answer a short questionnaire, pay a modest premium, and you have coverage. For a long time, insurers treated it like standard business liability. They collected premiums and rarely saw major claims.


Then ransomware hit critical mass. Healthcare systems, law firms, manufacturers, and financial firms. Billions in claims came flooding in. Insurers paid out, raised premiums, and got serious about underwriting.


The market in 2026 looks nothing like it did in 2020. Insurers are now requiring documented proof that specific security controls are in place, not just a checkbox on a form. If those controls aren't there when you file a claim, coverage can be reduced or denied entirely. And the larger your organization, the more closely your policy is scrutinized.





What cyber insurers are actually looking for



The bar varies by insurer and by the size of your organization, but several controls have become standard requirements across the industry. Here's what most carriers are checking for companies with 100 or more employees.


Multi-factor authentication (MFA)


Start here. Insurers have made MFA on email, cloud platforms, and remote access essentially a precondition for coverage, not a nice-to-have. What often gets missed at scale is enforcement on privileged accounts. Admin credentials without MFA are the single most common starting point for full network takeovers, and underwriters are well aware of that.


Endpoint detection & response (EDR)


Antivirus hasn't been enough for years, and insurers have caught up to that reality.


What they want to see now is behavioral monitoring: tools that watch what's happening on a device in real time, not just scan for known malware. When an attacker is quietly moving through your systems at 2am on a Saturday, EDR is what surfaces it before the situation becomes catastrophic.

Immutable, tested backups


"We have backups" isn't the answer insurers are looking for anymore. They want to know those backups can't be touched by an attacker who's already in your environment, and that someone has actually run a restore recently enough to trust it.


Recovery time matters too. An insurer looking at a business interruption claim wants to understand not just whether you can recover, but how long it realistically takes.

Documented incident response plan


When something goes wrong, the first 24 hours are where claims either get managed well or fall apart.


Insurers want to see a written plan that answers the obvious questions before the panic sets in: who's calling the insurer, who's handling communications to customers and regulators, who makes decisions about legal counsel, who owns the forensic investigation. Organizations that wing this tend to make expensive mistakes.

Access controls and least privilege


Access sprawl is one of the quieter risks in a growing organization. People change roles, new systems get connected, permissions accumulate over time and rarely get cleaned up. Insurers are looking for evidence that someone actually owns this: that access gets reviewed, that departing employees are fully offboarded, and that a compromised mid-level account can't walk straight into your most sensitive systems.
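The two gaps described above, privileged accounts without MFA and accounts that outlive their owner's employment, are the kind of thing an insurer's forensic team will check against an account export. The script below is an added example, not code from this article or from Stepfar; it assumes an account inventory and an HR roster have already been exported into the simple shapes shown (the sample records and the 90-day inactivity threshold are constructed for illustration).

```python
"""Access review check: flag the findings an underwriter cares about.

Added example (not Stepfar's code). It assumes two exports:
  - an account inventory (username, owning employee id, privileged flag,
    MFA enrolment, enabled flag, last login date)
  - an HR roster mapping employee id -> "active" or "terminated"
Both data sets below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from collections import Counter


@dataclass(frozen=True)
class Account:
    username: str
    owner: str          # employee id from the HR roster
    privileged: bool    # admin / domain-admin / global-admin style rights
    mfa_enrolled: bool
    enabled: bool
    last_login: date


# Constructed sample inventory (hypothetical users).
ACCOUNTS = [
    Account("jsmith",     "E100", False, True,  True,  date(2026, 2, 27)),
    Account("adm-rlee",   "E101", True,  False, True,  date(2026, 2, 28)),
    Account("mgarcia",    "E102", False, True,  True,  date(2026, 1, 15)),
    Account("svc-backup", "E103", True,  True,  True,  date(2025, 10, 1)),
    Account("tchen",      "E104", False, True,  False, date(2025, 6, 3)),
]

# Constructed sample HR roster.
HR_ROSTER = {
    "E100": "active",
    "E101": "active",
    "E102": "terminated",   # left the company, account still enabled
    "E103": "active",
    "E104": "terminated",   # left, and the account was correctly disabled
}

REVIEW_DATE = date(2026, 3, 1)


def review_access(accounts, roster, as_of, stale_days=90):
    """Return (finding_type, username) pairs for enabled accounts that
    would fail a least-privilege / offboarding review.

    Finding types:
      admin_without_mfa            privileged account with no MFA enrolled
      enabled_account_for_departed owner is not 'active' in HR (or unknown)
      stale_account                no login within stale_days
    Disabled accounts are skipped: offboarding already did its job.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.privileged and not acct.mfa_enrolled:
            findings.append(("admin_without_mfa", acct.username))
        # An unknown owner is treated like a departed one: nobody vouches for it.
        if roster.get(acct.owner) != "active":
            findings.append(("enabled_account_for_departed", acct.username))
        if (as_of - acct.last_login).days > stale_days:
            findings.append(("stale_account", acct.username))
    return findings


def summarize(findings):
    """Count findings per type; this is the number that goes in the
    evidence pack ('0 admin accounts without MFA' is the target)."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE)
    for kind, user in results:
        print(f"{kind:30s} {user}")
    print(summarize(results))
```

Run against a real export, the interesting output is not the list itself but the trend: an access review that is actually owned shows these counts going to zero and staying there between renewals.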

Security awareness training


The technical controls matter, but people remain the most reliable entry point for attackers. Phishing, fake invoices, impersonation calls from someone claiming to be the CEO. These work because employees haven't been trained to spot them recently. Insurers want documented, recurring training. Not a module someone completed during onboarding three years ago.

Network segmentation


Once an organization reaches a certain size, flat networks become a real liability. Insurers want to see that a breach in one corner of your environment, whether a compromised laptop in a remote office or a vendor connection that gets abused, doesn't hand an attacker access to everything else. This is especially relevant for businesses running operational technology, managing multiple sites, or handling sensitive data across different departments.



Not sure how many of these you can check off today? Talk to Stepfar about a security controls review.


The gap growing organizations don't see coming


Here's the pattern that catches mid-market companies off guard: they have a capable internal IT team, some of these controls are in place, and leadership assumes they're covered. But "some controls" isn't the same as "documented, consistently maintained controls."


When a claim is filed, insurers send in their own forensic team. That team isn't just investigating the breach. They're auditing whether your security posture matched what you represented when you bought the policy. If there's a discrepancy, the claim gets complicated fast. The more significant the claim, the harder they look.


Organizations with 100 to 500 employees often sit in a difficult middle ground: too large to rely on manual, ad hoc security management, but not yet large enough to have a fully staffed internal security team. That gap is exactly where coverage risk lives.


The companies that get full payouts are almost always the ones treating cybersecurity as an ongoing operational discipline, not a project that got finished two years ago.


If that description doesn't fit your organization right now, let's change that. Explore Stepfar's Cybersecurity Solutions today.



How managed IT and cybersecurity services fill the gap


A cybersecurity and managed IT advisor like Stepfar helps organizations translate cyber insurance requirements into continuous, enforceable security operations.


This includes maintaining and validating insurer-required controls across identity, endpoints, backups, access management, and incident response readiness. It also includes ongoing documentation, monitoring, and audit-ready reporting, enabling organizations to demonstrate compliance when it matters most.


More importantly, this is not a one-time implementation. Cyber insurance is not based on what is configured at the time of purchase. It is based on whether controls are actively maintained and enforced throughout the policy period.


Most internal IT teams are focused on support tickets, infrastructure, and projects. Security requirements tied to insurance coverage often fall outside their day-to-day priority. This is where a dedicated cybersecurity and managed IT partner becomes critical.



What to do right now


If your organization hasn't done a formal review of your cyber insurance requirements since renewal, start there. Pull out the policy, read the conditions section carefully, and compare what your insurer requires against what you actually have documented and in place.


Then have an honest conversation with your IT leadership or provider. Ask directly: If our insurer audited our security controls today, would we pass?


If there's any hesitation in that answer, that's the gap to fix before you ever need to file a claim.


At Stepfar Technology Group, we help you move beyond the basics to prove you are running a secure, responsible operation. To help you get started, schedule a quick chat with a Cybersecurity expert today to discover your business’s hidden vulnerabilities.




Frequently Asked Questions


What cyber insurance requirements apply to organizations with 100+ employees?

At that scale, insurers typically require MFA across all systems and admin accounts, EDR on all endpoints, immutable and tested backups, a documented incident response plan, active access controls and least privilege policies, network segmentation, and documented recurring security awareness training.

Can a cyber insurance claim be denied even if we have some controls in place?

Yes. Partial compliance is still a risk. If a forensic audit after a breach reveals that required controls were missing, inconsistently applied, or not maintained, your insurer can reduce or deny your claim, even if other controls were in place.

How has cyber insurance changed for mid-market businesses?

Insurers have significantly tightened underwriting requirements following years of large ransomware claims. Premiums are higher, coverage conditions are more detailed, and many carriers now conduct more rigorous security questionnaires and sometimes third-party assessments during the application and renewal process.

What is an immutable backup?

An immutable backup is a copy of your data that cannot be modified, deleted, or encrypted, even by a ransomware attacker with admin-level access. For larger organizations, insurers also want to understand your recovery time objective and whether restoration has been tested under realistic conditions.

Does managed IT help with cyber insurance compliance?

Yes. A managed IT provider implements and maintains the controls your insurer requires, provides documentation for audits, conducts access reviews, and keeps your security posture consistent year-round, which is what matters when a claim is filed.


What's the difference between a basic IT provider and a security-focused managed IT provider?

A basic IT provider handles reactive support and break-fix issues. A security-focused managed IT provider proactively monitors your environment, manages security controls at scale, maintains audit-ready documentation, and ensures your posture aligns with both insurance and compliance requirements.

How often should we test our backups?

Most insurer requirements and industry best practice call for quarterly restoration testing, not just verifying the backup job completed, but actually restoring data and measuring recovery time.

What should be in an incident response plan for a 100+ person organization?

At minimum: defined roles and responsibilities, procedures for isolating affected systems, notification requirements for insurers, legal counsel, regulators, and customers, communication protocols for leadership and staff, and a process for forensic investigation. It should be reviewed and updated at least annually and tested through a tabletop exercise.


This article is for informational purposes only and does not constitute legal or insurance advice.







