Obsidian Ridge

Cyber Insurance for Dental Practices: The Controls Underwriters Are Asking About in 2026

What dental cyber insurance actually covers in 2026, the underwriting questionnaire controls that move premiums, and how to pass the application without overspending.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+

Dental practices have become a routine target for ransomware operators and business email compromise crews. The reasons are mundane: practices hold a high concentration of PHI and payment data, they tend to be small enough that defenses are inconsistent, and downtime hurts revenue immediately because chairs sit empty.

Cyber insurance is now a normal line item, sitting next to malpractice and general liability on the renewal checklist. What has changed in 2026 is not whether a practice needs it, but what carriers are actually willing to underwrite — and at what price.

This article is written for practice owners, office managers, and DSO operations leads who are filling out a renewal application this year. It is not an insurance broker's view. Obsidian Ridge does not sell insurance. We help practices pass the underwriting questionnaire honestly and operate the controls behind the answers.

Why a standalone cyber policy is not optional

Many practice owners assume their existing policies cover cyber events. They do not.

Dental malpractice insurance responds to clinical liability: bodily injury, negligence in treatment, or alleged failure to meet a standard of care. General liability covers slip-and-fall, property damage, and similar bodily-injury claims arising from operations. Neither responds to a data breach, a ransomware lockout, an OCR investigation, or wire transfer fraud.

A cyber liability policy is a separate contract. In 2026, the coverage parts on a typical dental policy include:

  • forensics and incident response retainer
  • legal counsel, including a breach coach
  • breach notification cost to affected patients, including credit monitoring where required
  • regulatory defense, including HHS Office for Civil Rights inquiries and state attorney general actions
  • business interruption from a covered cyber event
  • cyber extortion and ransom payment, where legal under OFAC
  • restoration of data and systems
  • a cyber-crime or social engineering rider for wire fraud and BEC

Some carriers bundle these. Some sell them as endorsements. Read the policy declarations and the schedule of endorsements, not the marketing brochure.

Typical coverage limits for dental SMBs in 2026

Limits in this segment have stabilized after the hard market of 2022 and 2023. Rough current ranges:

  • single-location independent practice: $250,000 to $1,000,000 aggregate
  • two-to-five location group: $1,000,000 to $2,000,000 aggregate
  • multi-state DSO branch or larger group: $1,000,000 to $3,000,000 aggregate, often with a separate corporate tower above

The aggregate limit is only half the conversation. Sublimits decide what you actually collect. Pay attention to:

  • the ransomware and cyber extortion sublimit, often 50 percent of the aggregate
  • the regulatory defense sublimit, which may be lower than the headline number
  • the social engineering or cyber-crime sublimit, frequently $25,000 to $100,000 and almost always lower than the aggregate
  • business interruption waiting periods, typically 8 to 12 hours

A $1,000,000 policy with a $500,000 ransom sublimit and a $25,000 crime sublimit is a different product than the same policy with full limits. The cheaper one usually has tighter sublimits.

The 2026 underwriting questionnaire — what carriers actually ask

If you have filled out an application in the last two renewals, you already know the questionnaire has grown. The controls below appear on virtually every dental carrier's 2026 application. They are also the controls that move premium up or down by roughly 20 to 40 percent and decide whether the carrier will offer terms at all.

Identity and access controls

  • MFA on all email accounts in Microsoft 365 or Google Workspace, including shared mailboxes and service accounts (for a shared mailbox the usual way to satisfy this is to block interactive sign-in on the underlying account; either way, no mailbox may be reachable with a password alone)
  • MFA on remote-access surfaces — RDP, VPN, and any remote management tool used by your IT vendor
  • MFA on privileged and admin accounts in the practice management system, including imaging and any cloud PMS portal
  • Documented offboarding within 24 hours of separation

Endpoint and detection controls

  • 24/7 endpoint detection and response or managed detection and response on every workstation and server
  • Identity threat detection on the cloud productivity suite — token theft, impossible travel, anomalous mailbox rules
  • A documented patching cadence for operating systems and clinical software
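The "anomalous mailbox rules" item above is concrete enough to show as detection logic. The script below is an added example written for this article; it is not Obsidian Ridge's tooling and not a Microsoft product. It runs over constructed, simplified Exchange Online audit events (an Operation plus a Parameters list of Name/Value pairs, which is the shape of the real Unified Audit Log entries, minus the other fields) and flags the rule patterns BEC crews leave behind: forwarding to an external domain, deleting or hiding matching mail, punctuation-only rule names, and rules keyed on invoice or wire wording. The tenant domain and the sample user names are assumptions.

```python
"""Flag inbox-rule patterns typical of business email compromise in Microsoft 365.

Added example for this article; not Obsidian Ridge's code and not Microsoft's.
The sample events are constructed and simplified (real Unified Audit Log
records carry more fields); the Operation and Parameter names are the ones
Exchange Online uses for New-InboxRule, Set-InboxRule and Set-Mailbox.
"""
import json
import re

# Assumed: the practice's own email domain(s). Anything else is "external".
TENANT_DOMAINS = {"example-dental.com"}

# Rule / mailbox parameters that send mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}
# Folders attackers use to hide vendor replies from the real user.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items",
                  "Archive", "Junk Email", "Conversation History"}
# Wording typical of invoice-redirection rules.
FINANCE_WORDS = {"invoice", "payment", "wire", "ach", "remit", "bank"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in TENANT_DOMAINS


def analyze_record(record: dict) -> list[str]:
    """Return findings for one audit event; an empty list means nothing suspicious."""
    if record.get("Operation") not in WATCHED_OPS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    findings = []

    for key in sorted(FORWARD_PARAMS.intersection(params)):
        for addr in EMAIL_RE.findall(params[key]):
            if is_external(addr):
                findings.append(f"{key} sends mail to external address {addr}")

    if params.get("DeleteMessage", "").lower() == "true":
        findings.append("rule deletes matching messages")

    folder = params.get("MoveToFolder", "")
    if folder in HIDING_FOLDERS:
        findings.append(f"rule hides matching messages in '{folder}'")

    name = params.get("Name", "")
    if name and not any(ch.isalnum() for ch in name):
        findings.append(f"rule name {name!r} is punctuation only")

    words = (params.get("SubjectContainsWords", "") + " "
             + params.get("BodyContainsWords", "")).lower()
    if any(w in words for w in FINANCE_WORDS):
        findings.append("rule keys on invoice/payment wording")

    return findings


def scan(lines):
    """Yield (user, operation, findings) for every JSON-lines record with findings."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = analyze_record(rec)
        if hits:
            yield rec.get("UserId"), rec.get("Operation"), hits


# Constructed sample events, not real log data.
SAMPLE_LOG = r'''
{"CreationTime":"2026-04-02T13:05:11","UserId":"frontdesk@example-dental.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2026-04-02T13:07:48","UserId":"officemanager@example-dental.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"ForwardTo","Value":"billing.update@mail-example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-04-02T13:09:02","UserId":"officemanager@example-dental.com","Operation":"Set-Mailbox","Parameters":[{"Name":"Identity","Value":"officemanager"},{"Name":"ForwardingSmtpAddress","Value":"smtp:billing.update@mail-example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2026-04-02T13:12:30","UserId":"drsmith@example-dental.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Name","Value":"Lab results"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
'''


def scan_sample() -> list[tuple]:
    return list(scan(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for user, op, hits in scan_sample():
        print(f"{user} {op}:")
        for hit in hits:
            print("  -", hit)
```

The first sample rule (newsletters into a reading folder) produces no findings; the office manager's rule trips four checks at once, which is the signature worth paging on. A managed ITDR service does this continuously against the live audit feed; the point of the example is that the detection itself is simple, and the value the carrier is paying for is that someone is watching at 2 a.m.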

Backup and recovery controls

  • Immutable, offsite backups separated from production credentials
  • A documented restore test completed within the last 90 days
  • Defined recovery time objective and recovery point objective for the PMS and imaging data

Process and people controls

  • A written information security policy, reviewed annually
  • A documented incident response plan, with a tabletop exercise completed in the last 12 months
  • A security awareness training program with phishing simulations on a recurring schedule
  • DMARC at quarantine or reject, with SPF and DKIM configured for every service that sends as the practice's domain so legitimate mail passes alignment, plus link protection and attachment sandboxing on the email tenant
  • A HIPAA risk analysis on file, current within the last 12 months, with a documented remediation plan
  • Business associate agreements with every vendor handling PHI
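The DMARC item is the one control on this list that can be checked in thirty seconds from the outside, and it is what a carrier's external scan actually looks at. The checker below is an added example for this article, not Obsidian Ridge's tooling. It parses a DMARC TXT record and evaluates it against the questionnaire wording: the policy must be quarantine or reject, must apply to all mail (pct=100) and to subdomains, and must have an aggregate-report address so the practice has evidence of what is failing. The sample records are constructed; the real one comes from `dig +short TXT _dmarc.<domain>`.

```python
"""Evaluate a DMARC record against the 'quarantine or reject' questionnaire item.

Added example for this article, not Obsidian Ridge's tooling. Tag names and
syntax follow RFC 7489; the sample records below are constructed.
"""
from dataclasses import dataclass, field

POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcCheck:
    record: str
    tags: dict
    findings: list = field(default_factory=list)

    @property
    def passes(self) -> bool:
        return not self.findings


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict with lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt: str) -> DmarcCheck:
    tags = parse_dmarc(txt)
    check = DmarcCheck(record=txt, tags=tags)
    add = check.findings.append

    # RFC 7489 requires v=DMARC1 as the first tag; receivers ignore the record otherwise.
    if not txt.strip().lower().startswith("v=dmarc1"):
        add("record does not begin with v=DMARC1 and will be ignored by receivers")

    policy = tags.get("p")
    if policy not in POLICIES:
        add(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        add("p=none is monitor-only; the questionnaire wants quarantine or reject")

    # Subdomain policy defaults to p; an explicit sp=none reopens every subdomain.
    sub_policy = tags.get("sp", policy)
    if "sp" in tags and sub_policy not in POLICIES:
        add(f"invalid sp= tag: {sub_policy!r}")
    elif sub_policy == "none" and policy != "none":
        add("sp=none leaves subdomains unprotected despite the main policy")

    # pct< 100 applies the policy to only a sample of failing mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        add(f"invalid pct= value: {tags.get('pct')!r}")
    elif pct < 100:
        add(f"pct={pct} applies the policy to only {pct}% of failing mail")

    # Without rua= there are no aggregate reports, so no evidence of who is failing.
    rua = tags.get("rua")
    if not rua:
        add("no rua= address: no aggregate reports and no evidence for the application")
    elif not all(uri.strip().lower().startswith("mailto:") for uri in rua.split(",")):
        add(f"rua= should be one or more mailto: URIs, got {rua!r}")

    return check


def summarize(txt: str) -> str:
    """One-line verdict suitable for pasting into an evidence package."""
    check = evaluate_dmarc(txt)
    verdict = "PASS" if check.passes else "FAIL"
    return f"{verdict}: {txt}" + "".join(f"\n  - {f}" for f in check.findings)


if __name__ == "__main__":
    # Constructed records: one that passes and three that do not.
    for sample in (
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-dental.com",
        "v=DMARC1; p=none; rua=mailto:dmarc@example-dental.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example-dental.com",
        "v=DMARC1; p=reject; sp=none",
    ):
        print(summarize(sample))
```

One caveat before flipping a domain from p=none to reject to satisfy the questionnaire: if the practice's PMS reminders, e-statements, or marketing platform send as the practice's domain without SPF and DKIM alignment, that mail starts being dropped. Run at p=none with rua reporting for a few weeks first, fix the senders the reports surface, then move to quarantine and reject.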

This is not a wish list. It is the actual scoring rubric most carriers apply.

The co-insurance trap on ransomware

A clause that catches practice owners off guard at claim time: many 2026 policies now apply co-insurance to ransomware claims if the named controls were not in place at the time of the event.

A typical clause reads roughly like this: if the insured cannot demonstrate that MFA, EDR or MDR, immutable backups, and a tested incident response plan were operating at the time of loss, the insured shall bear 50 percent of the ransomware loss including the ransom, restoration, and business interruption sublimits.

Translated: a $500,000 ransom sublimit becomes a $250,000 payout, with the practice on the hook for the other $250,000. Read the ransomware endorsement, not just the declaration page. If the policy includes a controls warranty, every answer on the application is now also a coverage condition.

War, systemic, and supply-chain exclusions

Since the Lloyd's of London war-exclusion requirements took effect in 2023, most cyber policies exclude losses from war and from large-scale state-backed cyber operations. The wording varies: some carriers will still pay if attribution is unclear, others have moved to harder exclusions.

For dental practices specifically, watch the supply-chain language. If the breach traveled through your practice management vendor, imaging vendor, billing clearinghouse, or RMM tool, some policies treat that as a widespread event and exclude it. Others cover it. This is a question to ask your broker in plain language — does the policy respond if a PMS or imaging vendor breach affects this practice, and is there a separate sublimit for systemic events.

The wire-fraud rider — read it carefully

The single most common cyber loss in dental is not ransomware. It is business email compromise. An attacker compromises a vendor's email, sends a routine invoice to the office manager with new banking instructions, and the practice wires funds to an account controlled by the attacker.

This is not covered under most base cyber policies. It falls under the cyber-crime or social engineering rider. Two things to verify:

  1. the sublimit, which is usually $25,000 to $100,000
  2. whether the rider covers social engineering fraud — where the practice was tricked into authorizing the transfer — and not only direct computer-funds-transfer fraud where the attacker moves the money directly

A rider that covers only direct funds transfer fraud is nearly useless for the dental BEC pattern, because the practice voluntarily initiated the wire. Insist on social engineering language.

How to pass underwriting without overspending

The single biggest mistake practice owners make is layering extra products and writing checks for tools the carrier does not actually score. The sequence that works, in order of premium impact and cost-effectiveness:

Step 1 — MFA everywhere it counts

Enable MFA on Microsoft 365 or Google Workspace, on the PMS admin accounts, and on every remote-access path the IT vendor uses. This is the cheapest move and it materially lowers premium. It also closes the most common attack path.

Step 2 — Deploy 24/7 MDR with identity coverage

A managed detection and response service with a real 24/7 SOC checks the EDR box and the 24/7 monitoring box at the same time. Adding identity threat detection on top covers the cloud productivity suite controls and the MFA-bypass detection that carriers increasingly ask about. Our Managed Detection and Response and Managed ITDR services are designed against this control set.

Step 3 — Immutable backup with a monthly restore test

The immutable backup checkbox is meaningless without the restore test log. Pick a backup product that supports immutability natively, schedule a monthly restore of a representative dataset, and keep the log. Carriers ask for the log at claim time.
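What the log actually has to prove is that the data that came back is the data that went in, not just that a restore job finished without error. The script below is an added example for this article; it is not Obsidian Ridge's tooling and not any backup vendor's product. It hashes a representative dataset at backup time, verifies a restored copy against that manifest, and appends a JSON-lines record with the result and the time the verification took, which is the artifact a carrier asks for. The stand-in dataset (a fake PMS database file and one image) is constructed inline; the file names, the operator name, and the log location are assumptions. Immutability itself is a property of the backup target (object lock or a WORM repository with credentials kept out of the production domain) and is not something this script can prove.

```python
"""Restore-test evidence: hash before backup, verify after restore, log the result.

Added example for this article; not Obsidian Ridge's tooling and not a backup
vendor's. Dataset, file names and operator below are constructed stand-ins.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time."""
    started = time.monotonic()
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    corrupted = sorted(k for k in manifest.keys() & current.keys()
                       if manifest[k] != current[k])
    return {
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "passed": not (missing or corrupted),
        "verify_seconds": round(time.monotonic() - started, 3),
    }


def append_log_entry(log_path: Path, dataset: str, result: dict, operator: str) -> dict:
    """Append one JSON line to the restore-test log; this is the evidence file."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "dataset": dataset,
        "operator": operator,
        **result,
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def run_demo() -> tuple:
    """Constructed walk-through: a stand-in PMS dataset, a clean restore, a bad one."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "pms_data"
        (src / "images").mkdir(parents=True)
        (src / "patients.db").write_bytes(b"sqlite-stand-in " * 1000)
        (src / "images" / "pano_0001.dcm").write_bytes(os.urandom(4096))
        manifest = build_manifest(src)          # captured before the backup runs

        good = work / "restore_good"            # a faithful restore
        shutil.copytree(src, good)
        ok = verify_restore(manifest, good)

        bad = work / "restore_bad"              # silent corruption plus a missing file
        shutil.copytree(src, bad)
        (bad / "patients.db").write_bytes(b"truncated")
        (bad / "images" / "pano_0001.dcm").unlink()
        not_ok = verify_restore(manifest, bad)

        log = work / "restore-tests.jsonl"
        append_log_entry(log, "pms_data", ok, "office-manager")
        append_log_entry(log, "pms_data", not_ok, "office-manager")
        log_lines = log.read_text(encoding="utf-8").splitlines()
    return ok, not_ok, log_lines


if __name__ == "__main__":
    ok, not_ok, lines = run_demo()
    for line in lines:
        print(line)
```

Store the manifest with the backup job's metadata, not inside the dataset it describes, and keep the log somewhere the ransomware cannot reach. A monthly entry with "passed": true and a realistic verify time is the restore-test evidence; a restore that silently truncated patients.db would have shown up as "corrupted" long before anyone needed it.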

Step 4 — A one-page incident response plan and a tabletop

A 60-minute tabletop with the lead doctor, the office manager, and the IT vendor satisfies the tabletop requirement. The deliverable is a one-page plan that names who calls the carrier hotline, who declares an incident, who talks to staff, and who decides about closing the office. Keep it short enough that someone will actually read it during a crisis.

Step 5 — HIPAA risk analysis and a real training program

A current risk analysis on file is a near-universal questionnaire item. Pair it with a workforce security awareness program that includes phishing simulations. Our Managed Security Awareness Training service handles the recurring cadence.

That is five operational moves that cover roughly 80 percent of the premium-moving controls on a 2026 questionnaire.

What does not lower the premium

Practice owners often spend in the wrong places. Things that look like security but do not move underwriting in 2026:

  • a more expensive next-generation firewall, by itself
  • stacking two or three antivirus products on the same machine
  • a one-time penetration test or security audit report with no operational controls behind it
  • a written policy binder with no evidence the policies are followed
  • a SOC 2 report from a vendor that does not actually touch PHI

Carriers score operating controls and evidence, not invoices.

Renewal reality in 2026

Underwriters now share loss intelligence on the dental vertical. Several carriers have either raised premiums or non-renewed practices that suffered a covered loss and then failed to implement the controls they had attested to on the application.

If a claim was paid in a prior policy period, expect the next renewal application to ask specifically what changed since the incident. Answers like "we are more careful now" do not pass. Answers like "we moved to a 24/7 MDR provider, added MFA on the PMS admin accounts, and ran a tabletop in March" do.

The other 2026 reality: misrepresentation on the application is a coverage defense. If the questionnaire said MFA was enabled on all email accounts and a forensic investigation shows it was not, the carrier may rescind the policy or deny the claim. Answer honestly. If a control is partially in place, say so.

Where Obsidian Ridge fits

We are not an insurance broker. We do not sell policies and we do not collect commissions. We help practices operate the controls underwriters score and produce the evidence package that the application asks for.

The control set that moves the most premium in 2026 — 24/7 MDR, identity threat detection on the cloud productivity suite, MFA enforcement, and a workforce training program — lines up with our Foundation and Protected service tiers. Foundation covers the endpoint and MDR layer. Protected adds ITDR and security awareness training, which together address the four heaviest premium-moving controls on most carrier questionnaires.

For practices renewing in the next 90 days, we run a two-week Cyber Insurance Readiness sprint that maps each questionnaire control to evidence the carrier will accept, identifies the gaps that will most likely block underwriting, and produces a clean evidence package the practice can submit with the application. If you are not sure where you stand, the Assessment Tool is a faster way to scope the gap before committing to the sprint.

Cyber insurance is not a substitute for controls. It is a backstop for the residual risk that remains after the controls are doing their job. Practices that treat the policy as the plan tend to learn the expensive way that the controls warranty in the fine print is doing more work than the declarations page.

If you are filling out a renewal application this year and the questionnaire is making you nervous, that is the right instinct. The fix is operational, not paperwork. Start with MFA, MDR, and a tested backup, and the rest of the application gets easier.

Ready to map your controls to the carrier questionnaire? Start the Cyber Insurance Readiness sprint.

Last updated

May 14, 2026. We refresh this content as the threat landscape and tools evolve.

FAQ

Questions readers usually ask next

Do I need cyber insurance if I already have dental malpractice and general liability coverage?

Yes. Malpractice covers clinical liability, and general liability covers bodily injury and property damage. Neither covers data breach response, ransomware, regulatory defense under HIPAA, or wire fraud. Cyber events almost always fall outside both policies, which is why standalone cyber liability is now standard for dental practices.

What are typical cyber insurance coverage limits for a dental practice in 2026?

A single-location practice typically carries $250,000 to $1 million in aggregate limits. Multi-location groups and DSO branches commonly carry $1 million to $3 million. Sublimits matter as much as the headline limit, because the ransomware sublimit is often half of the policy aggregate and may be lower if required controls are not in place.

Will cyber insurance pay a ransomware ransom?

Sometimes, but with significant restrictions. Payment must be legal under OFAC sanctions rules, the carrier usually requires pre-approval through their incident response panel, and many 2026 policies impose co-insurance of 50 percent on the ransom payment if the practice cannot demonstrate the named controls on the application — MFA, EDR, immutable backups, and incident response planning.

What counts as a breach for cyber insurance coverage?

Policies generally define a covered event broadly: unauthorized access to systems containing PHI or PII, a ransomware or extortion event, a business email compromise, or an event that triggers a regulatory notification obligation. The practice's duty is to notify the carrier as soon as the event is reasonably suspected — not after it is confirmed.

Is MFA actually required by cyber insurance carriers in 2026?

Yes, on multiple surfaces. Carriers ask about MFA on email accounts, MFA on remote access including VPN and RDP and RMM tools, and MFA on privileged accounts in the practice management system. Misrepresenting MFA on the application is one of the most common causes of denied claims.

Do insurers really verify that backups have been tested?

Yes. Most 2026 questionnaires ask whether immutable offsite backups exist and whether a documented restore test has been completed within the last 90 days. After a claim, carriers commonly request the test log as evidence. Backups that exist on paper but were never restored fail this control in practice.

Does cyber insurance cover business associate breaches?

It covers your liability and notification obligations when a business associate causes a breach involving your PHI, but it does not pay the business associate's losses. A signed business associate agreement is generally a prerequisite for coverage, and many carriers also ask whether you maintain a current vendor inventory.

How quickly do I have to notify the carrier after a suspected incident?

Most policies require notice as soon as reasonably practicable, and many specify a hard window — commonly 30 to 60 days — for written notice. Failure to notify within the policy period or the extended reporting period is one of the most common reasons coverage is denied, even when the underlying event is otherwise covered.
