The cyber insurance market underwent a structural transformation between 2020 and 2023 that permanently changed the relationship between underwriters and insureds. Escalating ransomware claims drove the standalone cyber insurance direct loss ratio to roughly 72% in 2020 — up from a 2015-2019 average near 42% — and pushed the segment combined ratio above 100% for the first time (Fitch Ratings; Aon US Cyber Market Update); steep premium increases through 2021 then brought the loss ratio back down to about 65%. In response, insurers stopped treating cybersecurity questionnaires as administrative formalities. Today, cyber insurance underwriters conduct substantive security assessments, require specific technical controls as conditions of coverage, and impose significant sublimits and exclusions on coverage categories they consider high-risk.
For organizations renewing or purchasing cyber insurance in 2026, understanding what underwriters actually demand — and what they will decline to cover — is as important as understanding the policy terms themselves.
How Underwriting Changed After the 2021 Ransomware Surge
Before 2020, cyber insurance applications were often 5-10 page questionnaires asking general questions about security practices. Premiums were relatively stable, and coverage was broad. The ransomware surge of 2020-2021 — which included Colonial Pipeline, the Kaseya VSA attack, JBS Foods, and dozens of healthcare and municipal targets — generated industry losses that forced a fundamental reassessment.
Insurers responded by: dramatically increasing premiums (average cyber premium rate increases peaked at 34.3% in Q4 2021, per the Council of Insurance Agents & Brokers, with US buyers at the December 2021 peak paying roughly 133% more year over year, per Marsh US Cyber Purchasing Trends); requiring specific technical controls as prerequisites for coverage; introducing sublimits that cap ransomware and business email compromise (BEC) payments well below the policy limit; and adding exclusions for nation-state attacks, critical infrastructure, and war.
By 2026, the market has stabilized at higher premium levels with more rigorous underwriting, but organizations that have implemented the required controls are again finding competitive pricing. The underwriting environment rewards demonstrably mature security programs.
Specific Controls Underwriters Now Require
The following controls appear consistently across major cyber insurance applications as either mandatory requirements (without which coverage will be declined) or strong preferences that materially affect premium and terms:
Multi-Factor Authentication (MFA)
MFA is now universally required by all major cyber insurers for: remote access (VPN, RDP, remote desktop), email and productivity suite access (Microsoft 365, Google Workspace), administrative access to all cloud platforms, privileged access to servers and critical infrastructure, and access to financial systems and cyber insurance portals. Coverage for ransomware events often includes a clause voiding coverage if MFA was not deployed on the affected access vector.
Endpoint Detection and Response (EDR)
Next-generation EDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, or equivalent) must be deployed on all endpoints — laptops, desktops, and servers. Legacy AV is no longer acceptable. Most underwriters require EDR to be actively managed (not just installed), meaning alert triage and response workflows must be in place. A managed EDR service from an MSSP typically satisfies this requirement more cleanly than an unmanaged enterprise deployment.
Offline and Tested Backups
Backup requirements have become highly specific: backups must be maintained in an offline or air-gapped state not directly accessible from the primary network; backups must be tested (with documented restoration tests) at minimum quarterly; backup coverage must include all critical systems; and retention policies must support recovery from ransomware that has been present in the environment for 30+ days. Cloud-to-cloud backup alone is insufficient — insurers have seen ransomware operators compromise cloud backup solutions.
Privileged Access Management (PAM)
Privileged access management — vaulting of administrative credentials, just-in-time access provisioning, session recording for privileged sessions — is now table stakes for regulated firms — New York's DFS Cybersecurity Regulation (23 NYCRR § 500.7) explicitly requires a PAM solution for "Class A" companies (at least $20M in gross annual revenue from NY operations and either over 2,000 employees or over $1B in global revenue), and cyber insurers increasingly demand it for coverage. CyberArk, BeyondTrust, and Delinea — the three Leaders in Gartner's Magic Quadrant for PAM — are the commonly referenced solutions. The principle is to eliminate standing privileged access that ransomware operators can exploit through lateral movement.
Network Segmentation
Underwriters require evidence that the network is segmented such that a compromise in one segment (e.g., a workstation on the corporate network) cannot directly access operational technology (OT) systems, backup infrastructure, or financial systems. VLAN segmentation with enforced firewall policy between segments is the standard expectation. Flat networks — where any device can reach any other device — are a material risk factor that will affect terms.
Coverage Exclusions to Understand
The exclusions in modern cyber policies have expanded significantly. Key exclusions to understand before binding coverage include:
- Nation-state / war exclusion: Lloyd's Market Bulletin Y5381 (Aug. 2022) required syndicates to add state-backed cyber-attack exclusions to standalone cyber-attack policies from 31 March 2023, typically excluding war and state-backed attacks that significantly impair a state's ability to function or its security capabilities. Adoption of war/state-backed exclusion language across the broader market remains inconsistent and is often negotiated deal-by-deal, and because attribution is contested these clauses have generated significant litigation.
- Critical infrastructure exclusion: Losses affecting power grids, water systems, financial market infrastructure, or healthcare systems may be excluded or sublimited in some policies.
- Known vulnerability exclusion: A small but growing number of cyber policies reduce or withhold payouts for losses from exploited vulnerabilities that were left unpatched after a fix was published — for example, Chubb's Neglected Software Exploit Endorsement allows a 45-day grace period to patch a published CVE, then shifts an increasing share of the loss to the policyholder at the 45-, 90-, 180-, and 365-day marks. Such CVE-based exclusions remain uncommon today but are appearing with increasing frequency.
- Prior acts exclusion: Incidents that began (even unknown to the insured) before the policy inception date may not be covered.
Ransomware and BEC Sublimits
Even when ransomware and business email compromise events are covered, most policies impose sublimits that are meaningfully lower than the total policy limit. A $5 million cyber policy may carry a $2 million ransomware sublimit and a $500,000 BEC sublimit. Understanding your actual exposure relative to sublimits — not just total policy limits — is essential for evaluating whether your coverage is adequate.
Incident Response Retainer
Many underwriters now require or strongly prefer that insureds maintain an incident response retainer with a qualified IR firm. Pre-establishing the IR relationship (rather than cold-calling a firm mid-incident) reduces response time and claim costs. Some insurers offer premium discounts for pre-approved IR retainer relationships.
If your organization is preparing for a cyber insurance renewal or application and needs to address control gaps before underwriting, a penetration test and security gap assessment from Fortress MSSP will identify and document the issues underwriters care most about. Contact us to discuss your security posture ahead of your next renewal.