What Controls Do Cyber Insurers Require in 2026? The 10 That Decide Your Application
The 10 security controls cyber insurers actually score in 2026 — what carriers ask, what passes, and the quiet answers that get applications declined.
Read articleCompliance
A practical 90/60/30-day cyber insurance renewal calendar for small businesses that need cleaner answers, better evidence, and fewer last-minute surprises.
If your cyber insurance renewal is less than 90 days away, stop treating the questionnaire like paperwork. Treat it like an evidence request. The best renewal work happens before the carrier asks the questions: find the weak answers, fix what you can, and package proof before underwriting turns into a deadline problem.
That does not mean building a huge compliance program overnight. For most small businesses, the renewal calendar is a focused 90/60/30-day project:
The control list is not mysterious. CISA, NIST, and the FTC all point small organizations toward the same operating basics: know what matters, use MFA, patch systems, back up critical data, train people against phishing and fraud, and plan for response and recovery.
Sources: CISA StopRansomware Guide, NIST Small Business Cybersecurity Corner, FTC Cybersecurity for Small Business
This article does not sell insurance and does not promise a premium reduction. Obsidian Ridge helps small businesses build the evidence behind the answers. The insurer decides the policy terms.
Cyber insurance questionnaires are difficult when the business has to discover its own environment while answering them.
That is the real renewal trap. The problem is not one hard question. It is a stack of questions that sound simple until someone asks for proof:
If the first honest answer is "we need to check," the renewal is already late. The 90-day calendar creates enough time to check, fix, and prove.
For a deeper control-by-control view, see the live guide to what cyber insurers require in 2026 and the 2026 cyber insurance questionnaire breakdown. This article is the working calendar around those controls.
At 90 days, do not start with tool shopping. Start with an evidence inventory.
Create one folder for the renewal and collect five things:
Then run a control pass against the questions most likely to matter.
Confirm MFA is enforced on:
Do not rely on "people can turn MFA on." Underwriters care whether it is enforced.
Export the endpoint list from your EDR, MDR, or antivirus console. Compare it against the real device list:
The dangerous gap is almost always a server, a shared workstation, or a computer that belongs to a person nobody thought about.
Write down:
If the answer is "we think backups run every night," you do not have evidence yet. You have a belief.
Look for:
Remote access is one of the fastest places for a renewal review to become uncomfortable.
Find the plan, then ask the harder question: when was it tested?
NIST's incident response guidance is written for structured response work, but the small-business version is simpler: one named owner, one call list, one containment path, one communication path, and one recovery owner.
Source: NIST Computer Security Incident Handling Guide, SP 800-61 Rev. 2
At 60 days, stop collecting and start closing the gaps that can change the application answer.
The priority is not "everything." The priority is the controls that are most likely to create underwriting friction.
Start with the systems that can reset other systems:
If a system supports stronger MFA than SMS, prefer that. But do not let perfect become the reason a key account is still password-only.
Many businesses have endpoint protection on employee laptops and forget servers. That is a problem because servers hold the data ransomware wants.
If servers are not covered, decide quickly:
The worst answer is silent non-coverage.
Backups are not proven until something comes back.
At 60 days, pick one meaningful restore test:
Record the date, system, person, steps, result, and time to restore. This becomes renewal evidence and a better recovery plan.
For the deeper version, see Backups Are Not Recovery.
Disable what is not needed. Add MFA where remote access remains. Remove old vendor accounts. If RDP is exposed, treat that as urgent.
CISA's ransomware guidance repeatedly emphasizes reducing attack paths before an incident, not after.
Source: CISA StopRansomware Guide
Business email compromise does not always need malware. It needs one rushed payment change.
Write a short rule:
No vendor bank-detail change, urgent invoice, or funds-transfer request is approved from the first email alone. Verify through a known phone number or known secondary channel before approval.
That rule belongs in the renewal file because it is both a real control and a practical fraud reducer.
At 30 days, the work shifts from fixing to packaging.
Create a simple evidence pack:
The evidence pack does not need to be theatrical. It needs to be honest and easy for an underwriter, broker, or leadership team to understand.
This is where a lot of applicants lose time. They may have a control, but the proof lives in five portals, two inboxes, and someone's memory.
The last week is for review, not reinvention.
Do three things:
Do not say "yes" because the answer should be yes. Do not round up from partial deployment to full deployment. Do not copy last year's answer if the environment changed.
The application is part of the risk record. A cleaner answer is not useful if it is not true.
Avoid these renewal mistakes:
That last point matters. Better preparation can improve the quality of an application, but nobody outside the insurer controls premium, binding, exclusions, or claim decisions.
Ask this:
"Can you give me the evidence pack behind our cyber insurance answers?"
That one question separates an operating partner from a tool installer.
You are not asking for a marketing deck. You are asking for proof:
If the answer takes weeks, you have learned something useful before the insurer does.
Obsidian Ridge helps small businesses make the renewal process evidence-backed instead of panic-driven. The Cyber Insurance Readiness Sprint is built for this exact job: map the questionnaire, close priority gaps where possible, and produce a signed evidence pack tied to the carrier's questions.
The promise is the deliverable, not the insurer's decision:
7 days. Flat fee. Signed evidence pack mapped to your carrier's questionnaire - delivered, or we keep working at no additional cost until it is. We don't control underwriter decisions. We control whether you walk in with the evidence they ask for.
If you want to self-assess first, start with the free Cyber Insurance Readiness Questionnaire. If the renewal is inside 90 days and the evidence is scattered, book a 30-minute briefing.
Start 90 days before renewal if possible. That gives you one month to find gaps, one month to fix the controls that matter, and one month to package evidence and answer carefully.
For most small businesses, start with MFA, endpoint coverage, backups, remote access, incident response, patching, email security, payment verification, and training records.
Focus on evidence and the highest-risk gaps. Prove MFA, endpoint coverage, backups, and remote-access status first. Do not invent maturity you cannot support.
No. No security provider should promise an underwriting outcome. Obsidian Ridge can help build the evidence pack and close practical gaps; the insurer controls pricing and policy terms.
Ask what controls the carrier is most sensitive to this year, whether any prior answers created concern, and what evidence would help underwriters understand your current posture.
Last updated
July 17, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Start 90 days before renewal if you can. The first month is for finding control and evidence gaps, the second month is for fixing the gaps that affect underwriting, and the final month is for packaging proof so the application does not become a scramble.
Fix the controls that produce yes/no underwriting friction: MFA on email and admin accounts, endpoint coverage on servers and workstations, tested backups, remote-access exposure, incident response ownership, and written payment-change verification.
Useful evidence includes MFA screenshots or exports, endpoint coverage lists, backup restore-test logs, patch reports, incident response plan test notes, security training records, and written payment-verification procedures.
No. If you wait for the questionnaire, you have less time to fix the answers that matter. Use the common control set first, then map the insurer's actual questions to the evidence you already gathered.
Better preparation can improve the quality and credibility of your application, but no provider can promise a premium reduction or underwriting outcome. The goal is to answer honestly, show evidence, and avoid preventable declinations or weak terms.
Related reading
The 10 security controls cyber insurers actually score in 2026 — what carriers ask, what passes, and the quiet answers that get applications declined.
Read articleWhat cyber insurance for CPA and tax firms actually covers in 2026, the underwriting questionnaire controls carriers review, and how to pass the application without overspending.
Read articleA practical walkthrough of cyber insurance for first-time SMB buyers in 2026 — what the policy covers, what the questionnaire asks, the controls carriers review, and how to pass the application without overspending.
Read article