Dental practices have become a routine target for ransomware operators and business email compromise crews. The reasons are mundane: practices hold a high concentration of PHI and payment data, they tend to be small enough that defenses are inconsistent, and downtime hurts revenue immediately because chairs sit empty.
Cyber insurance is now a normal line item, sitting next to malpractice and general liability on the renewal checklist. What has changed in 2026 is not whether a practice needs it, but what carriers are actually willing to underwrite — and at what price.
This article is written for practice owners, office managers, and DSO operations leads who are filling out a renewal application this year. It is not an insurance broker's view. Obsidian Ridge does not sell insurance. We help practices pass the underwriting questionnaire honestly and operate the controls behind the answers.
Why a standalone cyber policy is not optional
Many practice owners assume their existing policies cover cyber events. They do not.
Dental malpractice insurance responds to clinical liability — bodily injury, negligence in treatment, or alleged failure to meet a standard of care. General liability covers slip-and-fall, property damage, and similar bodily-injury claims arising from operations. Neither responds to a data breach, a ransomware lockout, an OCR investigation, or wire transfer fraud.
A cyber liability policy is a separate contract. In 2026, the coverage parts on a typical dental policy include:
- forensics and incident response retainer
- legal counsel, including a breach coach
- breach notification cost to affected patients, including credit monitoring where required
- regulatory defense, including HHS Office for Civil Rights inquiries and state attorney general actions
- business interruption from a covered cyber event
- cyber extortion and ransom payment, where payment is lawful under OFAC sanctions rules
- restoration of data and systems
- a cyber-crime or social engineering rider for wire fraud and BEC
Some carriers bundle these. Some sell them as endorsements. Read the policy declarations and the schedule of endorsements, not the marketing brochure.
Coverage limits and sublimits for dental SMBs
Do not size a dental cyber policy from a blog post — but walk into the broker conversation with the right anchors. Most single-location practices carry $1 million in aggregate cover; multi-location groups and DSOs often carry $2 million to $5 million. A $1 million policy with documented controls typically prices around $1,000 to $3,000 per year. Use revenue, location count, patient-record volume, payer contracts, business-associate exposure, and prior-incident history to refine it.
The aggregate limit is only half the conversation. Sublimits decide what you actually collect. Pay attention to:
- the ransomware and cyber extortion sublimit, which may sit below the aggregate
- the regulatory defense sublimit, which may be lower than the headline number
- the social engineering or cyber-crime sublimit, which on a $1 million policy commonly lands at $50,000 to $100,000 — far below the aggregate
- business interruption waiting periods, typically 8 to 12 hours
A policy with a reduced ransom sublimit and a small crime sublimit is a different product from one with the same aggregate limit but broader sublimits. The cheaper one usually carries the tighter restrictions.
The 2026 underwriting questionnaire — what carriers actually ask
If you have filled out an application in the last two renewals, you already know the questionnaire has grown. The controls below appear repeatedly across current carrier forms and are the controls most likely to affect eligibility, sublimits, exclusions, and price.
Identity and access controls
- MFA on all email accounts in Microsoft 365 or Google Workspace, including shared mailboxes and service accounts
- MFA on remote-access surfaces — RDP, VPN, and any remote management tool used by your IT vendor
- MFA on privileged and admin accounts in the practice management system, including imaging and any cloud PMS portal
- Documented offboarding within 24 hours of separation
Endpoint and detection controls
- 24/7 endpoint detection and response or managed detection and response on every workstation and server
- Identity threat detection on the cloud productivity suite — token theft, impossible travel, anomalous mailbox rules
- A documented patching cadence for operating systems and clinical software
Backup and recovery controls
- Immutable, offsite backups separated from production credentials
- A documented restore test completed within the last 90 days
- Defined recovery time objective and recovery point objective for the PMS and imaging data
Process and people controls
- A written information security policy, reviewed annually
- A documented incident response plan, with a tabletop exercise completed in the last 12 months
- A security awareness training program with phishing simulations on a recurring schedule
- DMARC at quarantine or reject, link protection, and attachment sandboxing on the email tenant
- A HIPAA risk analysis on file, current within the last 12 months, with a documented remediation plan
- Business associate agreements with every vendor handling PHI
This is not a wish list. It is the control stack current applications keep asking practices to prove.
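The DMARC item on the list is one of the few questionnaire controls a practice can verify itself from a single DNS TXT record. The following is an added example, not code from the original article or from Obsidian Ridge: it evaluates constructed sample records against the "quarantine or reject" bar and flags the usual ways a record looks enforced but is not (partial pct, a weaker subdomain policy, no reporting address). The domain names, the function names and the records themselves are assumptions built for the example; no DNS lookup is performed.

```python
# Added example: check DMARC TXT records against the questionnaire's
# "quarantine or reject" requirement. Sample records are constructed,
# not real domains' records; nothing here queries DNS.
from typing import Optional

# Constructed sample records keyed by hypothetical domains.
SAMPLE_RECORDS = {
    "practice-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@practice-a.example; adkim=s; aspf=s",
    "practice-b.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@practice-b.example",
    "practice-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@practice-c.example",
    "practice-d.example": "v=spf1 include:_spf.example -all",  # SPF record, not DMARC
}

def parse_dmarc(record: str) -> Optional[dict]:
    """Split a DMARC TXT record into tag->value; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def evaluate_dmarc(record: str) -> tuple:
    """Return (enforced, findings). 'enforced' is True only when the record
    would honestly answer yes to 'DMARC at quarantine or reject'."""
    tags = parse_dmarc(record)
    if tags is None:
        return False, ["no valid DMARC record (v=DMARC1 tag missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} does not enforce; need quarantine or reject")
    pct = tags.get("pct", "100")  # RFC 7489 default is 100 percent of mail flow
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    if "sp" in tags and tags["sp"].lower() not in ("quarantine", "reject"):
        findings.append(f"sp={tags['sp']} leaves subdomains unenforced")
    enforced = not findings
    if "rua" not in tags:  # reporting gap: does not fail the bar, but leaves no evidence trail
        findings.append("no rua= address, so no aggregate reports to show the control operating")
    return enforced, findings

def check_records(records: dict) -> dict:
    """Evaluate every domain's record; usable as an evidence snapshot for the application."""
    return {domain: evaluate_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, (enforced, findings) in check_records(SAMPLE_RECORDS).items():
        print(domain, "ENFORCED" if enforced else "NOT ENFORCED", findings)
```

To run it against a live domain, fetch the TXT record at `_dmarc.<domain>` with your resolver of choice and pass the string to `evaluate_dmarc`.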
The co-insurance trap on ransomware
A clause that catches practice owners off guard at claim time: ransomware endorsements commonly carry coinsurance — typically a 10 to 25 percent insured share, though some policies use 50 percent — plus sublimits below the aggregate, and controls-warranty language that applies if named controls were not in place at the time of the event.
A clause may say that if the insured cannot demonstrate that MFA, EDR or MDR, immutable backups, and a tested incident response plan were operating at the time of loss, coverage is reduced or conditioned.
Translated: the headline limit is not the whole payout story. Read the ransomware endorsement, not just the declaration page. If the policy includes a controls warranty, every answer on the application is now also a coverage condition.
War, systemic, and supply-chain exclusions
After the 2023 Lloyd's of London war exclusion guidance, most cyber policies now exclude nation-state attacks and large-scale state-backed cyber operations. The wording varies. Some carriers will still pay if attribution is unclear, others have moved to harder exclusions.
For dental practices specifically, watch the supply-chain language. If the breach traveled through your practice management vendor, imaging vendor, billing clearinghouse, or RMM tool, some policies treat that as a widespread event and exclude it. Others cover it. This is a question to ask your broker in plain language: does the policy respond if a PMS or imaging vendor breach affects this practice, and is there a separate sublimit for systemic events?
The wire-fraud rider — read it carefully
The single most common cyber loss in dental is not ransomware. It is business email compromise. An attacker compromises a vendor's email, sends a routine invoice to the office manager with new banking instructions, and the practice wires funds to an account controlled by the attacker.
This is not covered under most base cyber policies. It falls under the cyber-crime or social engineering rider. Two things to verify:
- whether the sublimit is large enough for the practice's actual payment-fraud exposure
- whether the rider covers social engineering fraud — where the practice was tricked into authorizing the transfer — and not only direct computer-funds-transfer fraud where the attacker moves the money directly
A rider that covers only direct funds transfer fraud is nearly useless for the dental BEC pattern, because the practice voluntarily initiated the wire. Insist on social engineering language.
How to pass underwriting without overspending
The single biggest mistake practice owners make is layering on extra products and writing checks for tools the carrier does not actually score. The sequence that works, in practical order:
Step 1 — MFA everywhere it counts
Enable MFA on Microsoft 365 or Google Workspace, on the PMS admin accounts, and on every remote-access path the IT vendor uses. This is usually one of the cheapest control moves and one of the most important underwriting answers. It also closes the most common attack path.
Step 2 — Deploy 24/7 MDR with identity coverage
A managed detection and response service with a real 24/7 SOC checks the EDR box and the 24/7 monitoring box at the same time. Adding identity threat detection on top covers the cloud productivity suite controls and the MFA-bypass detection that carriers increasingly ask about. Our Managed Detection and Response and Managed ITDR services are designed against this control set.
Step 3 — Immutable backup with a monthly restore test
The immutable backup checkbox is meaningless without the restore test log. Pick a backup product that supports immutability natively, schedule a monthly restore of a representative dataset, and keep the log. Carriers ask for the log at claim time.
Step 4 — A one-page incident response plan and a tabletop
A 60-minute tabletop with the lead doctor, the office manager, and the IT vendor satisfies the tabletop requirement. The deliverable is a one-page plan that names who calls the carrier hotline, who declares an incident, who talks to staff, and who decides about closing the office. Keep it short enough that someone will actually read it during a crisis.
Step 5 — HIPAA risk analysis and a real training program
A current risk analysis on file is a near-universal questionnaire item. Pair it with a workforce security awareness program that includes phishing simulations. Our Managed Security Awareness Training service handles the recurring cadence.
That is five operational moves that cover the main underwriting control categories on a 2026 questionnaire.
What does not change underwriting much
Practice owners often spend in the wrong places. Things that look like security but do not move underwriting in 2026:
- a more expensive firewall, by itself
- stacking two or three antivirus products on the same machine
- a one-time penetration test or security audit report with no operational controls behind it
- a written policy binder with no evidence the policies are followed
- a SOC 2 report from a vendor that does not actually touch PHI
Carriers score operating controls and evidence, not invoices.
Renewal reality in 2026
Underwriters now ask more detailed post-incident questions in the dental vertical. A practice that suffers a covered loss and then cannot show program improvement should expect a harder renewal conversation.
If a claim was paid in a prior policy period, expect the next renewal application to ask specifically what changed since the incident. Answers like "we are more careful now" do not pass. Answers like "we moved to a 24/7 MDR provider, added MFA on the PMS admin accounts, and ran a tabletop in March" do.
The other 2026 reality: misrepresentation on the application is a coverage defense. If the questionnaire said MFA was enabled on all email accounts and a forensic investigation shows it was not, the carrier may rescind the policy or deny the claim. Answer honestly. If a control is partially in place, say so.
Where Obsidian Ridge fits
We are not an insurance broker. We do not sell policies and we do not collect commissions. We help practices operate the controls underwriters score and produce the evidence package that the application asks for.
The control set that appears most often on 2026 applications — 24/7 MDR, identity threat detection on the cloud productivity suite, MFA enforcement, and a workforce training program — lines up with our Foundation and Protected service tiers. Foundation covers the endpoint and MDR layer. Protected adds ITDR and security awareness training, which together address the core control categories on many carrier questionnaires.
For practices renewing in the next 90 days, we run a two-week Cyber Insurance Readiness sprint that maps each questionnaire control to evidence the carrier will accept, identifies the gaps that will most likely block underwriting, and produces a clean evidence package the practice can submit with the application. If you are not sure where you stand, the Assessment Tool is a faster way to scope the gap before committing to the sprint.
Cyber insurance is not a substitute for controls. It is a backstop for the residual risk that remains after the controls are doing their job. Practices that treat the policy as the plan tend to learn the expensive way that the controls warranty in the fine print is doing more work than the declarations page.
If you are filling out a renewal application this year and the questionnaire is making you nervous, that is the right instinct. The fix is operational, not paperwork. Start with MFA, MDR, and a tested backup, and the rest of the application gets easier.
Ready to map your controls to the carrier questionnaire? Start the Cyber Insurance Readiness sprint, or see the full dental cybersecurity program.