
Cyber Insurance 2026: 7 Criteria Insurers Check Before Covering You

  • Apr 17

The cyber insurance market has hardened dramatically. Premiums tripled between 2021 and 2024, terms tightened, and exclusions multiplied. In 2026, obtaining or renewing a cyber policy is no longer an administrative formality — it's an audit of your security posture.

Here's what your insurers now check, and how to pass the audit on the first try.

Why insurers have become so demanding

Three shocks reshaped the market:

  • The 2020-2024 ransomware explosion: claims exceeded premiums collected for 3 consecutive years.
  • The supply chain effect (SolarWinds, Kaseya, Change Healthcare): a single compromised vendor = thousands of policies triggered simultaneously.
  • Legal arbitration (Merck vs Zurich case): "act of war" exclusions were challenged in court → insurers got stricter on covered scope.

Consequence: insurers no longer cover risk — they buy a security posture they validate themselves.

The 7 criteria systematically checked

1. Universal MFA. On all accounts, especially admin, VPN, email, critical SaaS. No exceptions. A single account without MFA = refusal or premium increase.
2. Modern EDR deployed everywhere. Not a signature antivirus. An EDR with behavioral detection (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint…).
3. Immutable and tested backups. Not just "we do backups". Immutable backups (3-2-1-1-0 rule), tested by documented quarterly restoration.
4. Written AND tested incident response plan. Dated document, annual tabletop exercise minimum, identified team, pre-negotiated IR retainer.
5. Privileged access management (PAM). Separate admin accounts, rotating passwords, recorded sessions for sensitive accounts.
6. Documented patch management. Patching policy, SLA by criticality, ability to patch a critical CVE in less than 7 days.
7. Third-party risk management program (TPRM). Vendor inventory, criticality classification, continuous monitoring — not just an annual questionnaire.

The 3 criteria that increase the premium by 30 to 50%

  • No OT/IT network segmentation (manufacturing especially)
  • Presence of end-of-life systems (Windows 7, old SQL Server…)
  • No active phishing training with metrics (campaigns, monitored click rate)

The 3 criteria that decrease the premium

  • Valid ISO 27001 or SOC 2 Type 2 certification
  • Annual external pentests with remediation evidence
  • Cyber Threat Intelligence (CTI) applied to your sector, demonstrable

Conclusion

Preparing the insurer audit in 2026 = preparing a complete cybersecurity audit. The good news: it's also exactly what you need to reduce your real exposure, not just to pass the audit. The bad news: if you wait for the renewal request to start, you'll be in reactive mode. Organizations that get the best conditions are those that prepare 6 months in advance, with living evidence — not last year's PDFs.

→ FortaRisks automatically consolidates audit-ready evidence on all these criteria. Discover the platform: https://www.fortarisks.com/en/decouvrir
