Cyber insurance underwriting is no longer paperwork. The 2026 questionnaire is a controls audit, and an honest answer qualifies you for a quote, moves your premium, or disqualifies you.
This article is for the person filling out the renewal. Obsidian Ridge does not sell insurance. We help organizations pass the questionnaire honestly and operate the controls behind the answers.
Twenty-two controls drive 2026 underwriting decisions, in six categories. For each: question form, why the carrier cares (with loss-data source), how to answer, premium weight.
Category A — Identity and access (controls 1 to 5)
Identity is the most heavily weighted category. Sophos' State of Ransomware 2024 attributes 29 percent of ransomware attacks to compromised credentials, edging out exploited vulnerabilities. Identity is where attackers get in, so it is where underwriters look first.
1. MFA on email for all users
Question form: Do you require MFA on all M365 or Google Workspace accounts, including service accounts and shared mailboxes? Yes / No.
Why the carrier cares: BEC was the most expensive cyber-crime category in the FBI IC3 2024 Annual Report, with reported losses above $2.9 billion. The path almost always starts with a compromised mailbox.
Honest answer: If MFA is enforced via Conditional Access for every user, Yes — be ready to show the policy export. If executives or service accounts are exempted, No. Fix before applying.
Premium weight: High. Missing is grounds for non-quote at most carriers.
2. MFA on remote access
Question form: Is MFA required on all remote access — VPN, RDP, RMM, jump hosts, third-party support tools? Yes / No.
Why the carrier cares: Coveware's Q4 2024 report lists exposed remote access — particularly RDP and unpatched VPN appliances — as a leading ransomware initial-access vector.
Honest answer: Map every path first. RMM, vendor support tools, and dormant VPN accounts are routinely forgotten. Any MFA-exempt path is a No.
Premium weight: High.
3. MFA on privileged admin accounts
Question form: Is MFA required on all privileged accounts — domain admin, M365 global admin, and admin accounts in line-of-business systems (DMS, EHR, practice management, ERP)? Yes / No.
Why the carrier cares: Privileged compromise lets attackers disable backups, EDR, and logging before encryption. IBM Cost of a Data Breach 2024 reports stolen-credential breaches took the longest to contain — average 292 days.
Honest answer: Include break-glass accounts. Safe-stored with a documented checkout procedure is acceptable; no MFA and a shared password is not.
Premium weight: High.
4. Conditional access or risk-based authentication
Question form: Do you enforce conditional access or risk-based sign-in policies (geo, device compliance, sign-in risk)? Yes / No.
Why the carrier cares: Token theft and AiTM phishing have eroded basic MFA. Conditional access closes the gap by blocking sign-ins from non-compliant devices or anomalous geographies. Carriers treat this as a separate control.
Honest answer: A baseline Entra ID policy (block legacy auth, require compliant device for admins, geo-block) qualifies. A blanket MFA-only policy with no device or risk signals does not.
Premium weight: Medium.
5. Removal of legacy authentication protocols
Question form: Have you disabled legacy auth protocols (POP, IMAP, SMTP basic auth, EWS basic auth) tenant-wide? Yes / No.
Why the carrier cares: Legacy protocols do not support MFA. While enabled, attackers password-spray around the MFA you deployed. Microsoft attributes a disproportionate share of M365 compromise to legacy auth.
Honest answer: Check sign-in logs for zero legacy auth in the last 30 days before saying Yes. Many tenants still have a service account on SMTP basic auth for a printer or CRM connector.
Premium weight: Medium.
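The 30-day sign-in log check described above, as an added example that is not part of the article: it walks a constructed Entra ID sign-in export, flags legacy-protocol sign-ins (successful or failed) inside the window, and gives the control 5 answer. Field names follow the Entra sign-in log schema; the LEGACY set is a subset of Microsoft's legacy-authentication client list, and the review date is assumed.

```python
"""Legacy-auth review for control 5 (added example, not from the article).

SAMPLE_LOGS is a constructed Entra ID sign-in log export; the field names
(createdDateTime, userPrincipalName, clientAppUsed, status.errorCode) follow the
Entra schema, and LEGACY is a subset of the client app values Microsoft classes
as legacy authentication."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LEGACY = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
          "Exchange Web Services", "Other clients"}

AS_OF = datetime(2026, 2, 1, tzinfo=timezone.utc)  # constructed review date

SAMPLE_LOGS = [  # constructed records
    {"createdDateTime": "2026-01-20T08:15:00Z", "userPrincipalName": "printer-svc@example.com",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-22T13:02:00Z", "userPrincipalName": "jsmith@example.com",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-23T02:41:00Z", "userPrincipalName": "finance@example.com",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},  # 50126: bad password
    {"createdDateTime": "2025-11-01T09:00:00Z", "userPrincipalName": "old-svc@example.com",
     "clientAppUsed": "POP3", "status": {"errorCode": 0}},  # outside the 30-day window
]


def legacy_auth_report(records, as_of=AS_OF, window_days=30):
    """Group legacy-protocol sign-ins inside the window by account.

    Failed attempts are kept on purpose: they prove the protocol is still
    reachable, which is the password-spraying exposure the control removes."""
    cutoff = as_of - timedelta(days=window_days)
    report = defaultdict(lambda: {"protocols": set(), "successes": 0, "failures": 0})
    for rec in records:
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        if ts < cutoff or rec["clientAppUsed"] not in LEGACY:
            continue
        entry = report[rec["userPrincipalName"]]
        entry["protocols"].add(rec["clientAppUsed"])
        if rec["status"]["errorCode"] == 0:
            entry["successes"] += 1
        else:
            entry["failures"] += 1
    return dict(report)


def questionnaire_answer(report):
    """Control 5: Yes only if no legacy-auth sign-in, successful or failed, was seen."""
    return "Yes" if not report else "No"


if __name__ == "__main__":
    rep = legacy_auth_report(SAMPLE_LOGS)
    for upn, info in sorted(rep.items()):
        print(f"{upn}: {sorted(info['protocols'])} ok={info['successes']} failed={info['failures']}")
    print("Control 5 answer:", questionnaire_answer(rep))
```

The accounts it surfaces (a printer relay on SMTP basic auth, a shared mailbox being sprayed over IMAP) are the ones that have to be migrated or blocked before the answer becomes a Yes.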
Category B — Endpoint and detection (controls 6 to 10)
If identity is how attackers get in, endpoints are where they live. IBM's 2024 Cost of a Data Breach puts average dwell time at 194 days. Detection — not prevention — shortens it.
6. EDR or MDR on all endpoints including servers
Question form: Is EDR or MDR deployed on 100 percent of workstations and servers, including domain controllers and hypervisors? Yes / No.
Why the carrier cares: Traditional AV does not detect lateral movement, credential theft, or living-off-the-land tooling. EDR does. Sophos' State of Ransomware 2024 shows mature EDR/MDR organizations had substantially lower median recovery costs.
Honest answer: Count agents. 97 percent is not a Yes — it is the three uncovered endpoints the attacker lands on. See Managed Detection and Response.
Premium weight: High.
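Counting agents the way the answer above demands, as an added example that is not the article's or any EDR vendor's code: it reconciles a constructed asset inventory against a constructed EDR console export, treats agents that have stopped checking in as uncovered, and returns Yes only at 100 percent. The hostname formats, the 7-day staleness threshold and the review date are assumptions.

```python
"""EDR coverage reconciliation for control 6 (added example, not from the article)."""
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2026, 2, 1, tzinfo=timezone.utc)  # constructed review date
STALE_AFTER = timedelta(days=7)  # assumption: an agent silent this long protects nothing

# Constructed inventory, e.g. computer objects from AD/Intune plus the hypervisors.
INVENTORY = ["DC01.corp.example.com", "fs01.corp.example.com", "ESX-01",
             "ws-finance-07", "ws-frontdesk-02", "WS-CEO-LAPTOP"]

# Constructed EDR console export: hostname as the agent reports it, last check-in.
EDR_AGENTS = [
    {"hostname": "dc01", "last_seen": "2026-01-31T22:10:00Z"},
    {"hostname": "FS01.corp.example.com", "last_seen": "2026-02-01T03:00:00Z"},
    {"hostname": "ws-finance-07", "last_seen": "2026-01-10T08:00:00Z"},  # silent for 3 weeks
    {"hostname": "ws-frontdesk-02", "last_seen": "2026-01-31T18:45:00Z"},
    {"hostname": "ws-ceo-laptop", "last_seen": "2026-02-01T07:30:00Z"},
]


def normalize(hostname):
    """Compare on the short, lower-cased name so DC01 and dc01.corp.example.com match."""
    return hostname.split(".")[0].lower()


def coverage(inventory, agents, as_of=AS_OF, stale_after=STALE_AFTER):
    """Return (percent_covered, missing, stale); only healthy agents count as covered."""
    healthy, stale = set(), set()
    for agent in agents:
        seen = datetime.fromisoformat(agent["last_seen"].replace("Z", "+00:00"))
        name = normalize(agent["hostname"])
        (stale if as_of - seen > stale_after else healthy).add(name)
    assets = {normalize(h) for h in inventory}
    missing = sorted(assets - healthy - stale)   # no agent at all
    stale_in_scope = sorted(assets & stale)      # agent installed, not reporting
    covered = len(assets & healthy)
    percent = 100.0 * covered / len(assets) if assets else 0.0
    return round(percent, 1), missing, stale_in_scope


def questionnaire_answer(percent):
    """Control 6 asks for 100 percent of workstations and servers; less is a No."""
    return "Yes" if percent >= 100.0 else "No"


if __name__ == "__main__":
    pct, missing, stale = coverage(INVENTORY, EDR_AGENTS)
    print(f"Coverage: {pct}%  no agent: {missing}  stale agent: {stale}")
    print("Control 6 answer:", questionnaire_answer(pct))
```

Run it against the real inventory and console export and the gap list (here the hypervisor with no agent and the finance workstation whose agent went quiet) is the remediation list that precedes the application.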
7. 24/7 SOC monitoring with documented escalation
Question form: Is your EDR or MDR monitored 24/7 by a SOC with documented escalation and a named on-call responder? Yes / No.
Why the carrier cares: Ransomware operators time attacks for nights, weekends, and holidays. An alert no one reads until Monday is not a control. Coveware shows median time from initial access to encryption is now under 24 hours for many affiliates.
Honest answer: Internal IT with after-hours phone coverage is not 24/7 SOC. If alerts are not triaged at 3 a.m., it is a No.
Premium weight: High.
8. Identity Threat Detection (ITDR) on the productivity tenant
Question form: Does ITDR monitor your M365 or Google Workspace tenant for suspicious sign-ins, mailbox rules, and OAuth grants? Yes / No.
Why the carrier cares: Endpoint EDR does not see token theft, malicious inbox rules, or rogue OAuth grants. ITDR does. Fast-rising on 2026 questionnaires as BEC losses climb in IC3 data. Managed ITDR is the operational answer.
Honest answer: Native M365 alerts forwarded to an unmonitored inbox do not count. Needs a monitored pipeline.
Premium weight: Medium, trending toward High.
9. Patch management cadence
Question form: Do you patch critical vulnerabilities within 14 days and high-severity within 30 days, with documented evidence? Yes / No.
Why the carrier cares: Unpatched edge devices — VPN gateways, firewalls, file-transfer appliances — remain a top ransomware initial-access vector in Coveware and Mandiant data. Carriers want a defined SLA.
Honest answer: "We patch regularly" is a No. A documented cadence with a monthly patch report is a Yes.
Premium weight: Medium.
10. Privileged access management and local admin restriction
Question form: Do you restrict local admin on workstations and use PAM or just-in-time elevation for admin tasks? Yes / No.
Why the carrier cares: Standing local admin turns a phishing click into a domain-wide problem. Removing it halves the blast radius of most commodity malware.
Honest answer: If every user has local admin "because the line-of-business software needs it," it is a No. Fix: application allowlisting plus elevation-on-demand.
Premium weight: Medium.
Category C — Data resilience (controls 11 to 13)
When everything else fails, backups decide whether you pay or restore. Carriers underwrite accordingly.
11. Immutable offsite backups (3-2-1-1-0)
Question form: Do you follow 3-2-1-1-0 — three copies, two media, one offsite, one immutable or air-gapped, zero errors on the last test? Yes / No.
Why the carrier cares: Sophos' State of Ransomware 2024 found organizations with usable backups paid ransoms less than half as often. Immutability defeats the standard attacker playbook of deleting backups before encryption.
Honest answer: "We back up to a NAS" is not immutable. Cloud backup with object lock, or air-gapped, is.
Premium weight: High.
12. Tested restore within last 90 days
Question form: Have you completed a documented full restore test in the last 90 days, with the log retained? Yes / No.
Why the carrier cares: Backups never restored fail at the worst moment. IBM Cost of a Data Breach 2024 ties faster recovery to lower breach cost.
Honest answer: A log dated within 90 days, naming systems tested and time to recover, is the evidence. Older is a No.
Premium weight: High.
13. Encryption at rest and in transit
Question form: Is data encrypted at rest (BitLocker, FileVault, server-side) and in transit (TLS 1.2+) across endpoints, servers, and cloud storage? Yes / No.
Why the carrier cares: Encryption at rest narrows breach-notification obligations under most state laws — encrypted-data loss is often a non-event for notification. Carriers like the math.
Honest answer: BitLocker enforced via Intune with key escrow is a Yes. "Should be on" is a No.
Premium weight: Medium.
Category D — Email and process (controls 14 to 17)
Email and money-movement controls sit together because most wire-loss events start with a spoofed or compromised inbox.
14. DMARC at quarantine or reject
Question form: Is DMARC at p=quarantine or p=reject for your sending domains, with SPF and DKIM passing? Yes / No.
Why the carrier cares: Domain spoofing is the workhorse of vendor-impersonation BEC. p=none is monitoring, not a control. Carriers ask for enforcement level explicitly.
Honest answer: Run a DMARC lookup on every sending domain. p=none is a No.
Premium weight: Medium.
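The DMARC lookup the answer above calls for, as an added example that is not part of the article: it parses constructed _dmarc TXT records for several sending domains and returns a No for p=none, a missing record, a partial pct, or a permissive subdomain policy (the pct and sp checks are stricter than the question's wording). A live check would fetch the TXT record at _dmarc.<domain>; SPF and DKIM pass results come from aggregate reports and are not evaluated here.

```python
"""DMARC enforcement check for control 14 (added example, not from the article).

The records below are constructed. In practice each string is the TXT record
published at _dmarc.<domain>, fetched with a DNS query."""


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; None if not a DMARC record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def evaluate(domain, txt):
    """Return (answer, reason) for one sending domain."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "No", f"{domain}: no DMARC record"
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))       # share of failing mail the policy applies to
    if p not in ("quarantine", "reject"):
        return "No", f"{domain}: p={p} is monitoring, not enforcement"
    if pct < 100:
        return "No", f"{domain}: p={p} but pct={pct}, enforcement is partial"
    if sp not in ("quarantine", "reject"):
        return "No", f"{domain}: p={p} but sp={sp} leaves subdomains spoofable"
    if "rua" not in tags:
        return "Yes", f"{domain}: enforced at p={p}, but no rua= so failures go unseen"
    return "Yes", f"{domain}: enforced at p={p}"


# Constructed records for the sending domains of an example organization.
RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "mail.example.com": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.org": None,  # no _dmarc TXT record published
    "shop.example.com": "v=DMARC1; p=reject; sp=none",
}


def review_all(records):
    """Worst answer wins: every sending domain must be enforced for a questionnaire Yes."""
    results = {domain: evaluate(domain, txt) for domain, txt in records.items()}
    overall = "Yes" if all(answer == "Yes" for answer, _ in results.values()) else "No"
    return overall, results


if __name__ == "__main__":
    overall, results = review_all(RECORDS)
    for _, (answer, reason) in sorted(results.items()):
        print(f"{answer:3} {reason}")
    print("Control 14 answer:", overall)
```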
15. Link protection and sandboxing for inbound mail
Question form: Does inbound mail include link rewriting, time-of-click URL analysis, and attachment sandboxing? Yes / No.
Why the carrier cares: Phishing payloads increasingly hide behind benign links that weaponize after delivery. Time-of-click catches what static scans miss.
Honest answer: M365 Defender Safe Links, Google Workspace advanced phishing protection, or an equivalent gateway qualifies.
Premium weight: Medium.
16. Out-of-band callback verification for payment-instruction changes
Question form: Do you require a verbal callback to a previously known number (not the one in the email) before changing vendor payment instructions or wiring funds? Yes / No.
Why the carrier cares: Vendor-impersonation BEC is the highest-loss BEC subcategory in FBI IC3 data. A callback is the most effective process control against it.
Honest answer: Written and trained, not "we usually call." Often a crime-rider coverage condition.
Premium weight: Medium, conditional High on crime rider.
17. Dual approval for wires above a defined threshold
Question form: Do you require dual approval for outbound wires above a defined threshold, with approvers documented? Yes / No.
Why the carrier cares: Single-approver wires are the loss pattern. Dual control is the fix. Crime riders increasingly require it above a stated dollar amount.
Honest answer: $10,000 is reasonable for most SMBs; $100,000 is too high. Document the policy and named approvers.
Premium weight: Medium, conditional High on crime rider.
Category E — Program and documentation (controls 18 to 20)
Underwriters want evidence that security is operated as a program, not a set of tools.
18. Written information security plan (WISP)
Question form: Do you maintain a WISP covering administrative, technical, and physical safeguards, reviewed within 12 months? Yes / No.
Why the carrier cares: A WISP is state-mandated for businesses holding personal data on residents of Illinois, Massachusetts, and New York, and is operative under the FTC Safeguards Rule for financial institutions. Carriers ask because regulators do.
Honest answer: A living document with a named owner and review date. A template downloaded once is a No.
Premium weight: Medium.
19. Documented incident response plan with annual tabletop
Question form: Do you maintain a written IR plan with named roles, carrier hotline, and a tabletop within the last 12 months? Yes / No.
Why the carrier cares: IBM Cost of a Data Breach 2024 reports organizations with a tested IR plan saved an average $1.49 million per breach. Carriers price that in.
Honest answer: Include the carrier hotline and call them before you call IT — late notification is the most common cause of denied coverage on otherwise-covered events.
Premium weight: Medium.
20. Security awareness training with phishing simulations
Question form: Do you run SAT with quarterly phishing simulations and tracked completion rates? Yes / No.
Why the carrier cares: The human layer is still the busiest attack surface. Carriers want completion data and click rates — not a training video. See Managed SAT.
Honest answer: Completion under 90 percent is a No in practice. Tracked, enforced, repeated.
Premium weight: Medium.
Category F — Vendors and prior events (controls 21 to 22)
The last two cover what is outside your network and what is in your past. Both are rated more heavily in 2026.
21. Vendor risk management
Question form: Do you maintain a vendor inventory, contracts with breach-notification clauses, and evidence critical vendors carry cyber coverage? Yes / No.
Why the carrier cares: Third-party compromise is one of the fastest-growing root causes in SMB claims data. MOVEit and Change Healthcare made supply-chain risk a board-level topic for every carrier.
Honest answer: A spreadsheet with columns for the breach-notification clause and the vendor's COI is enough. It must exist.
Premium weight: Medium.
22. 24-month claims history and material change disclosures
Question form: Any cyber incident, claim, or circumstance that could give rise to a claim in the past 24 months? Any material changes to controls, ownership, or operations since the last application? Yes / No, with full disclosure.
Why the carrier cares: Material misstatement is grounds for rescission. Carriers cross-check prior-loss data. A disclosed, well-handled incident is almost always survivable; an undisclosed event discovered later is not.
Honest answer: Disclose. If a staff mailbox was compromised and you reset passwords — disclose it. The disclosure language and how the event was handled is what underwriters score.
Premium weight: High — on accuracy. Clean 24 months reduces premium; an honestly disclosed event with documented response is neutral; a discovered undisclosed event is rescission.
The co-insurance trap
The most expensive surprise in 2026 policies is not the premium — it is the ransomware co-insurance clause. Many carriers now apply 50 percent co-insurance to a ransomware loss if the insured cannot demonstrate, at the time of loss, that the named controls were operating. Named controls are usually MFA on all surfaces, EDR or MDR with monitoring, immutable tested backups, and a written IR plan.
A $500,000 ransomware loss on a $1,000,000 policy with 50 percent co-insurance pays $250,000. If the carrier also finds material misrepresentation, the entire claim can be denied.
The clause lives in the ransomware endorsement, not the declarations page. Read it before renewal. Map each named control to evidence you can produce on the day of loss — not the day of the application.
What does not move the premium
Several line items operators expect to help do not.
- A more expensive next-gen firewall. Underwriters score identity and endpoint posture, not brand.
- Multiple AV brands stacked on one endpoint. Stacking equals support tickets, not defense in depth.
- A generic "we passed an audit" attestation with no operational evidence. Carriers want evidence, not a cover page.
- "We have a great IT guy." Underwriters score documented processes, not individuals.
- A SIEM that logs but does not alert. Logging is not detection. See Managed SIEM.
None of these reduce premium. Several inflate IT budgets without changing a single answer.
The operational sequence to pass
If you are reading this with a renewal application open, work in this order. Each step unlocks the next.
- MFA everywhere. Email, every remote-access path, every privileged account, every break-glass. Non-negotiable, gates the rest.
- EDR or MDR with 24/7 SOC. 100 percent endpoint coverage including servers, monitored by humans with defined escalation.
- Immutable backup with tested restore. 3-2-1-1-0, restore log within 90 days. The log is the evidence.
- Written security plan, IR plan, and annual tabletop. WISP for state requirements, IR plan with carrier hotline, tabletop within 12 months.
- SAT with phishing simulations. Quarterly cadence, tracked completion, click-rate trended.
Vendor management, DMARC enforcement, conditional access, and the rest layer in after the first five. They matter — but they do not move the premium if the foundation is missing.
Where Obsidian Ridge fits
The four heaviest premium-moving controls — MFA on every identity surface, MDR with a 24/7 SOC, ITDR on the productivity tenant, and an operating SAT program — sit inside our Foundation and Protected tiers. Operated, monitored, reported monthly. The evidence package is a byproduct.
The Cyber Insurance Readiness sprint takes the current questionnaire, maps every question to the underlying control, identifies gaps, and produces the evidence package — attestations, policy exports, restore logs, training reports — that goes back to the broker. Fixed scope, designed to submit a clean application in 30 days.
For regulated verticals, the questionnaire layers on top of the industry framework. We do this for dental practices under HIPAA and law firms under bar confidentiality rules.
If you are unsure where your posture sits, the fastest read is the Cybersecurity Maturity Assessment. To walk through your carrier questionnaire with a CISSP-led team before applying, book a briefing.
The 22 controls are not a wish list. They are the operating baseline a 2026 cyber carrier prices you against — and, increasingly, the baseline customers and regulators expect whether you carry a policy or not.