Risk Analysis

Cyber Insurance in 2026 — What CISOs Need to Know Before Renewal

The cyber insurance market has hardened significantly. Insurers are scrutinising security controls more closely than ever, exclusions are expanding, and the gap between policy wording and actual coverage is catching organisations off-guard. What every CISO needs to understand before the next renewal.

The Market Has Changed

The cyber insurance market of 2020 — where organisations could obtain broad coverage with minimal scrutiny — no longer exists. Following the ransomware wave of 2021-2023, which produced catastrophic losses for underwriters, the market underwent a structural reset. Premiums increased dramatically, coverage limits were reduced, sublimits were introduced for ransomware, and exclusions were broadened.

By 2026, the market has stabilised at a higher baseline of rigour. Insurers have built sophisticated security assessment capabilities, policy wording has tightened, and the underwriting process now resembles a security audit as much as a financial transaction. CISOs who approach renewal as an administrative exercise — rather than a strategic engagement — are leaving their organisations exposed.

What Underwriters Are Actually Asking For

Modern cyber insurance applications are detailed questionnaires that map directly to specific controls. Understanding what each question is really assessing allows you to answer accurately and to identify coverage gaps before the insurer does.

Multi-Factor Authentication is the single most scrutinised control. Underwriters now ask about MFA coverage for:

  • Remote access (VPN, RDP, Citrix)
  • Email (particularly O365/Google Workspace)
  • Privileged accounts and administrator access
  • Cloud management consoles
  • Critical financial and HR systems

Incomplete MFA deployment is not just an insurability concern — some policies now include MFA warranties under which a material misrepresentation about MFA coverage can void a claim.

Endpoint Detection and Response has become a near-universal requirement for coverage above £5m. Underwriters distinguish between basic antivirus and EDR — simply having the built-in Defender antivirus does not satisfy this requirement in most policies above that threshold.

Backups are examined for the 3-2-1 rule, offline or immutable copies, and tested recovery. Insurers have learned from ransomware claims where backups were encrypted alongside production systems. Backups that cannot survive a full domain compromise have diminishing value to underwriters.

Privileged Access Management — whether PAM tooling is deployed, whether service accounts are managed, and whether privileged session recordings exist — is increasingly a criterion for preferred pricing.

The Exclusions CISOs Miss

Systemic event / widespread attack exclusions: Some policies contain language that excludes losses arising from widespread cyberattacks affecting multiple policyholders. The Lloyd’s market introduced mandatory war and state-sponsored cyber exclusions in 2023. Understanding exactly what “state-sponsored” means under your policy — and how attribution is determined — matters enormously given the prevalence of nation-state and state-adjacent threat actors.

Unencrypted data: Many policies exclude or sublimit claims where stolen data was unencrypted. If your data classification and encryption-at-rest programme has gaps, this exclusion may apply to your most sensitive exposures.

Prior acts and known incidents: Cyber policies typically exclude incidents that began before the policy inception, even if discovered during the policy period. The interaction between this exclusion and the time-to-detect reality (median dwell times remain measured in weeks for sophisticated intrusions) creates a coverage gap that organisations rarely model.

Contractual liability exclusions: If a customer contract requires you to maintain specific security standards, and a breach results from failing to meet those standards, your cyber policy may exclude the resulting contractual liability. This is increasingly relevant as enterprise customers impose explicit security requirements through vendor agreements.

Ransomware Sublimits and Co-Insurance

Ransomware coverage is now almost universally sublimited. A £10m policy may carry only £2m of ransomware coverage. In environments where ransomware is the primary cyber threat model, this sublimit should drive the coverage decision — not the headline policy limit.

Some policies also introduce ransomware co-insurance — the policyholder bears a percentage of every ransom payment or remediation cost. Understand whether your policy contains this provision and model its impact against your realistic loss scenarios.

The Claims Process: What Goes Wrong

Organisations that have experienced claims report consistent failure points:

Incident response panel requirements: Most policies require use of insurer-approved incident response firms. Engaging your existing IR retainer without insurer authorisation can result in those costs being excluded. Know your policy’s notification requirements and IR panel before an incident occurs.

Notification timelines: Policies typically require notification within 24-72 hours of discovering an incident. The definition of “discovery” is frequently contested — and a delay in notification has resulted in coverage disputes. Establish a clear internal trigger for insurer notification as part of your IR playbook.

Proof of loss: Demonstrating the scope of an incident, and the consequential business interruption, requires documentation that many organisations cannot produce after the fact. Pre-incident investments in logging retention, asset inventory, and financial impact modelling pay dividends in claims.

What to Do Before Your Next Renewal

  1. Commission a pre-renewal security assessment aligned to your insurer’s questionnaire. Identify gaps six months before renewal, not six weeks.

  2. Validate your policy wording against your actual risk profile. Have legal counsel review exclusion language, particularly around systemic events, state-sponsored attacks, and contractual liability.

  3. Model ransomware scenarios against your sublimit. If your realistic worst-case ransomware cost exceeds the sublimit, either improve the controls that drive that scenario or increase the sublimit at renewal.

  4. Review your IR plan for insurer notification obligations. Ensure your legal, communications, and security teams all know the notification timeline and panel requirements.

  5. Document your security programme in language underwriters understand. A mature CISO security roadmap with evidence of control implementation translates directly into premium differentiation.
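The co-insurance section and step 3 above both ask you to model ransomware scenarios against the sublimit rather than the headline limit. The following Python is an added example written for this article, not the author's or any insurer's tooling. It takes the £10m limit and £2m ransomware sublimit quoted above as the policy terms; the 20% co-insurance share, the loss scenarios and the risk-appetite figure are constructed values, and the order of operations (sublimit applied first, then co-insurance deducted) is an assumption that must be checked against your own policy wording.

```python
"""Model ransomware loss scenarios against a policy's sublimit and co-insurance.

Added example for illustration; all monetary values are whole pounds (int)
so the arithmetic is exact. The policy limit and sublimit come from the
article; the co-insurance share and scenarios are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyTerms:
    policy_limit: int         # headline aggregate limit, GBP
    ransomware_sublimit: int  # GBP available for ransomware losses
    coinsurance_pct: int      # policyholder's share of each ransomware cost, 0-100


@dataclass(frozen=True)
class Outcome:
    scenario: str
    loss: int          # total ransom + remediation + business interruption, GBP
    insurer_pays: int  # amount the policy responds with under the assumed terms
    retained: int      # what the organisation carries itself


def model_ransomware_loss(terms: PolicyTerms, scenario: str, loss: int) -> Outcome:
    # Assumed order of operations (verify against your wording): the sublimit
    # caps the insurable amount first, then the co-insurance share is deducted.
    capped = min(loss, terms.ransomware_sublimit, terms.policy_limit)
    insurer_pays = capped * (100 - terms.coinsurance_pct) // 100
    return Outcome(scenario, loss, insurer_pays, loss - insurer_pays)


def model_scenarios(terms: PolicyTerms, scenarios: dict[str, int]) -> list[Outcome]:
    return [model_ransomware_loss(terms, name, loss) for name, loss in scenarios.items()]


def worst_case_retained(outcomes: list[Outcome]) -> Outcome:
    return max(outcomes, key=lambda o: o.retained)


def renewal_action(terms: PolicyTerms, outcomes: list[Outcome], risk_appetite: int) -> str:
    """Translate the modelled retained loss into the step-3 decision."""
    worst = worst_case_retained(outcomes)
    if worst.retained <= risk_appetite:
        return "within appetite"
    if worst.loss > terms.ransomware_sublimit:
        # The sublimit, not the headline limit, is what leaves you exposed.
        return "sublimit exceeded: raise sublimit or reduce the driving scenario"
    return "co-insurance share exceeds appetite: negotiate co-insurance"


# Policy terms: limit and sublimit as quoted in the article; 20% co-insurance is constructed.
ARTICLE_TERMS = PolicyTerms(policy_limit=10_000_000, ransomware_sublimit=2_000_000, coinsurance_pct=20)

# Constructed loss scenarios, worst case being the one where backups did not survive.
SCENARIOS = {
    "single-site encryption, backups intact": 800_000,
    "domain-wide encryption, backups intact": 3_500_000,
    "domain-wide encryption, backups destroyed": 9_000_000,
}


if __name__ == "__main__":
    outcomes = model_scenarios(ARTICLE_TERMS, SCENARIOS)
    print(f"{'scenario':<45}{'loss':>12}{'insurer':>12}{'retained':>12}")
    for o in outcomes:
        print(f"{o.scenario:<45}{o.loss:>12,}{o.insurer_pays:>12,}{o.retained:>12,}")
    print("action:", renewal_action(ARTICLE_TERMS, outcomes, risk_appetite=1_000_000))
```

Running the script prints one row per scenario; the point to notice is that every scenario above the £2m sublimit produces the same insurer payment, so the headline £10m limit contributes nothing to the retained figure once the sublimit is reached.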

The best cyber insurance outcome is not the lowest premium — it is coverage that responds when it matters most. The gap between what organisations believe their policy covers and what it actually covers remains the market’s most underappreciated risk.