
The New Standard: Why MFA and Endpoint Encryption Are Non-Negotiable for Cyber Insurance

Jun 26, 2026

For years, plenty of businesses treated their cyber insurance policy like a get-out-of-jail-free card. The logic felt simple: ransomware hits, data walks out the door, and the insurer covers recovery costs, fines, and the revenue lost while everything’s down. It was a financial patch slapped over a technical problem. That era is finished, and 2026 is shaping up to be the year a lot of companies find that out the hard way, at the worst possible moment, mid-claim.

Insurance carriers, stung by years of payouts for breaches they now consider avoidable, have rewritten the rulebook. A cyber insurance policy isn’t really a safety net anymore; it’s closer to a reward for proving, in advance, that you did the basic work to avoid needing one. Two of those basics, Multi-Factor Authentication (MFA) and endpoint encryption, have gone from “nice to have” to the baseline. Skip either one, and you’re looking at what’s quickly becoming the single most common reason carriers give for denying a claim.

The New Underwriting Reality: From Questionnaire to Audit

It comes down to simple math: underwriting a company that skips basic security hygiene is a losing bet for the insurer, so they’ve stopped doing it on the honor system. The application and renewal process has moved from a five-minute checklist to something closer to a full security audit. Carriers now send detailed technical questionnaires, and some have started requiring third-party assessments, not unlike a SOC 2 review, before they’ll even quote a premium.

These questionnaires don’t just ask whether you have security in place; they ask how it works. What encryption standard protects data at rest? Which systems require MFA, and which ones got missed? How long are backups kept, and are they walled off from the main network? Get those answers wrong, or skip them, and you’ll either be turned down outright or handed a premium so steep it amounts to the same thing. The real exposure, though, shows up later, after you’ve paid for the policy and actually suffered a breach.

The “Misrepresentation” Clause: The Insurer’s Exit Strategy

The moment you file a claim, the carrier’s forensics team starts working backward from one question: how did the attacker get in? They’ll then hold what they find up against the statements on your application: was MFA actually switched on for that admin account? Was the laptop that got stolen actually encrypted? When those two pictures don’t line up, the insurer has a contractual opening to walk away from the claim entirely, and they will use it.

Requirement 1: Multi-Factor Authentication (MFA)

This is the single most important control on the list. MFA adds a checkpoint beyond your password, typically a one-time code from an authenticator app like Google Authenticator or Microsoft Authenticator, or a push notification to your phone, so a stolen password alone isn’t enough to get someone through the door.

Why It’s a Deal-Breaker

Verizon’s annual Data Breach Investigations Report has, year after year, traced the large majority of breaches back to compromised credentials (stolen, reused, or just weak passwords), with figures in some editions cited above 80%. MFA is the most direct countermeasure to exactly that attack path. Carriers have read the same data we have: if MFA had been switched on for that one compromised account, there’s a good chance the breach never gets off the ground in the first place.

The Denial Scenario

Your insurance application asked a simple yes/no question, “Do you enforce MFA for all remote access and email?”, and you checked “yes.” Twelve months later, an attacker gets into an executive’s email using a password lifted from an old breach, because MFA was never actually switched on for that one account.

The result: a fraudulent wire transfer that drains, say, $120,000 from your operating account before anyone notices. When the forensic investigation digs through the logs, it finds exactly one gap: no MFA on that mailbox. That’s enough. The carrier denies the claim, arguing you misrepresented your security posture on the application and that, had they known the real answer, they’d never have written the policy on those terms.

Requirement 2: Endpoint Encryption

“Endpoints” is just industry shorthand for the devices your people actually use: laptops, desktops, phones, tablets. Full-disk encryption (think Windows BitLocker or Apple’s FileVault, with Android and iOS now encrypting by default) scrambles everything stored on the drive so none of it can be read without the decryption key, which is only released after a valid login. It protects data at rest on a powered-off or locked device; it does nothing for a machine that is stolen while unlocked.

Why It’s a Deal-Breaker

Lost and stolen devices turn up again and again in breach reports as one of the leading causes of exposure, and it’s usually the mundane kind of incident (a bag grabbed from a car seat), not some elaborate hack. Skip encryption, and whatever’s on that drive, customer records, financial details, health information covered under HIPAA, sits there in plaintext for whoever plugs it in next.

Add up the notification letters, the credit-monitoring subscriptions you’ll owe everyone affected, and the regulatory fines under state breach-notification laws or GDPR, and you land in the range IBM’s annual Cost of a Data Breach Report puts at several million dollars per incident. Encrypt the drive, though, and the math changes entirely: a stolen laptop becomes a hardware-replacement order, not a breach disclosure.

The Denial Scenario

An employee’s car gets broken into, and their work laptop disappears with it. That machine held a database of, say, 5,000 customer records (names, account numbers, maybe Social Security numbers), and the drive was never encrypted. Notification costs alone, commonly estimated at somewhere between $150 and $200 per affected record, could run past $750,000 before you even reach the regulatory fines.

So you file a claim to cover it. The investigation turns up one fact: the drive was not encrypted, full stop, and that is the most basic of basic security measures. The carrier denies the claim outright, stating that you failed to take commercially reasonable steps to protect sensitive data. In their language, that’s negligence, and negligence voids your coverage for the incident.

FAQs

We’re a small business; surely these strict standards are aimed at large corporations, not us?

That’s a comforting thought, and it’s wrong. To an insurer reviewing a claim, and to a cybercriminal scanning for an easy mark, your data looks exactly like a Fortune 500 company’s data: equally valuable, equally exploitable. If anything, smaller companies get hit more often, precisely because attackers assume the defenses are thinner; industry surveys have put the share of cyberattacks aimed at small businesses somewhere around the 40% mark for years now. MFA, device encryption, and verified backups aren’t “enterprise extras” anymore; insurers now treat them as the baseline for any business handling sensitive customer or financial data, regardless of size.

We already have MFA turned on for some accounts; isn’t that enough to satisfy underwriters?

No, and this is exactly where a lot of businesses get tripped up. Carriers such as Coalition, Chubb, and Travelers have rewritten their applications over the past couple of years to ask pointed, specific questions: is MFA enforced on every privileged account, every remote-access path, every cloud service your company touches? “We’ve got it on most of our systems” used to be an acceptable answer; it isn’t now. The expectation is universal enforcement, and underwriters increasingly cross-check what you write against external scans of your network’s attack surface, a step carriers like Coalition have built directly into their underwriting process.

My cyber insurance renewal is coming up and I already know we have gaps; what’s the smartest move right now?

Start before the renewal paperwork lands, not after. Most carriers send that questionnaire 60 to 90 days before your policy expires, which isn’t much runway if you’re starting from scratch on multi-factor authentication, endpoint encryption, or backup configuration. Bring in an IT partner you trust to run a “pre-audit”, essentially a walkthrough of your environment against the baseline controls underwriters now expect, sometimes benchmarked against frameworks like the NIST Cybersecurity Framework or the CIS Controls. Write down exactly where you fall short, set dates for fixing each gap, and close as many as you can before you ever fill out the questionnaire. That prep work is usually the difference between qualifying for a reasonable premium and getting hit with an exclusion, or a denial, down the road.
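To make the two preceding answers concrete, here is an added example (not code from the original post or from Sundance Networks) of the kind of “pre-audit” gap report that turns an inventory export into the yes/no answers an application actually asks for: is MFA enforced on every remote-access and privileged account, and is every endpoint encrypted? The two CSV blocks are constructed sample data, and the column names are assumptions about what your own identity-provider and device-management exports would contain; the point it demonstrates is that one uncovered mailbox or one unencrypted laptop flips a questionnaire answer from “yes” to “no”.

```python
# Added example, not from the original post: a small pre-audit gap report that
# derives underwriting questionnaire answers from an inventory export.
# Column names (user, privileged, remote_access, mfa_enforced, hostname, os,
# full_disk_encryption) are assumptions about the shape of your own export.
import csv
import io

# Constructed sample inventory: one executive mailbox and one service account
# lack MFA, and one Windows laptop has no full-disk encryption.
ACCOUNTS_CSV = """user,privileged,remote_access,mfa_enforced
alice@example.com,yes,yes,yes
bob@example.com,no,yes,yes
ceo@example.com,no,yes,no
svc-backup@example.com,yes,no,no
it-admin@example.com,yes,yes,yes
"""

DEVICES_CSV = """hostname,os,full_disk_encryption
LAPTOP-01,Windows,bitlocker
LAPTOP-02,Windows,none
MAC-01,macOS,filevault
PHONE-01,iOS,platform-default
"""

# Values of the encryption column that count as "encrypted" for this report.
ENCRYPTION_OK = {"bitlocker", "filevault", "luks", "platform-default"}


def _yes(value: str) -> bool:
    """Interpret the yes/no fields of the export."""
    return value.strip().lower() in {"yes", "true", "1"}


def load_rows(text: str) -> list[dict]:
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def mfa_gaps(accounts: list[dict]) -> list[dict]:
    """Accounts without MFA, tagged with why an underwriter would care.

    An account with neither privilege nor remote access is still listed,
    because an "all accounts" answer is judged against every row; its
    'reasons' list is simply empty.
    """
    gaps = []
    for row in accounts:
        if _yes(row["mfa_enforced"]):
            continue
        reasons = []
        if _yes(row["privileged"]):
            reasons.append("privileged")
        if _yes(row["remote_access"]):
            reasons.append("remote-access")
        gaps.append({"user": row["user"], "reasons": reasons})
    return gaps


def encryption_gaps(devices: list[dict]) -> list[str]:
    """Hostnames whose encryption field is empty or not a recognised scheme."""
    return [
        row["hostname"]
        for row in devices
        if row["full_disk_encryption"].strip().lower() not in ENCRYPTION_OK
    ]


def questionnaire_answers(accounts: list[dict], devices: list[dict]) -> dict:
    """Turn the inventory into the answers the application asks for.

    Each boolean is True only at 100% coverage: a single uncovered mailbox
    or laptop flips it to False, which is exactly what a claims investigator
    would later find.
    """
    gaps = mfa_gaps(accounts)
    enc_gaps = encryption_gaps(devices)
    covered = len(accounts) - len(gaps)
    return {
        "mfa_all_accounts": not gaps,
        "mfa_all_remote_access": not any("remote-access" in g["reasons"] for g in gaps),
        "mfa_all_privileged": not any("privileged" in g["reasons"] for g in gaps),
        "mfa_coverage_pct": round(100 * covered / len(accounts), 1) if accounts else 0.0,
        "mfa_gap_accounts": [g["user"] for g in gaps],
        "all_endpoints_encrypted": not enc_gaps,
        "unencrypted_endpoints": enc_gaps,
    }


if __name__ == "__main__":
    report = questionnaire_answers(load_rows(ACCOUNTS_CSV), load_rows(DEVICES_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample data, the report shows 60% MFA coverage, yet every “all …” answer comes back False: the executive mailbox alone defeats the remote-access answer, the backup service account defeats the privileged one, and LAPTOP-02 defeats the encryption one. Those named rows, with dates attached, are the gap list the answer above tells you to write down before the questionnaire arrives.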

Security as a Prerequisite, Not an Afterthought

Strong security used to be a nice bonus on an application; now it’s the entry ticket to getting coverage at all. Carriers have spent the last several renewal cycles tightening their underwriting questionnaires, and those questionnaires now function as a checklist, a fairly precise outline of the minimum security posture a business needs to have locked down before an insurer will even quote a policy.

If you’re not confident your current setup would survive an underwriter’s questionnaire, find out before they ask, not after a breach forces the question. Sundance Networks can walk through your environment with that lens: MFA enforcement, endpoint encryption, backup and recovery configuration, incident response planning, and the other items carriers are now scoring against. The point isn’t security for its own sake. It’s building a network that qualifies for coverage today and still qualifies, and pays out, if you need it.