If you want to know what controls cyber insurers require in 2026, skip the brochures and read an actual application. We did: eight current applications and ransomware supplementals across seven carriers (Coalition, Corvus, Beazley, At-Bay, The Hanover, Fusion, Tokio Marine HCC). They converge on the same ten control areas, which carriers break into roughly two dozen specific application questions (the question-by-question walkthrough is the 2026 questionnaire breakdown). In 2026, the security-control questionnaire is the underwriting decision. A wrong answer on any one line can decline the application up front or quietly void a claim after a loss.
Below are the ten controls underwriters actually score, in their own language: what they ask, what answer passes, and the quiet disqualifier — the response that looks survivable to you but reads as a hollow control to the person pricing your risk.
Obsidian Ridge does not sell insurance. We help regulated SMBs — dental practices, law firms, accounting firms — pass underwriting honestly and operate the controls behind the answers. If you'd rather work the list yourself first, the free 2026 Cyber Insurance Readiness Questionnaire is this exact checklist as a downloadable worksheet.
Why the questionnaire became the underwriting gate
Before 2021, a cyber application was firmographics and a short security checkbox. After the ransomware surge, carriers rebuilt the application around the controls that actually change loss outcomes, and made them mandatory rather than informational. The questionnaire is now detailed enough to separate a control that exists from one that works — and the answers you give become conditions the carrier can hold you to when you file a claim. That is the part most applicants miss: the questionnaire is not a formality you complete to get a quote. It is the contract's first draft.
The 10 controls underwriters actually score
1. Multi-factor authentication — on everything, not just the VPN
Applications break MFA out by system: remote access and VPN, RDP and RD Gateway, web email (the webmail portal and the mailbox app), privileged and service accounts, cloud, and the backup console itself.
What passes: MFA enforced across all of those with modern factors.
The quiet disqualifier: MFA on the VPN but not on webmail or the admin console — the per-system breakdown exists to surface that gap. Several carriers also exclude static factors like certificates or pre-shared keys from what they count as MFA.
2. Endpoint detection — on servers, not just laptops
Carriers ask for the product and vendor of your endpoint stack and how widely it is deployed.
What passes: EDR or managed detection and response on substantially all workstations and servers, tied to continuous monitoring.
The quiet disqualifier: "substantially all workstations but not servers" is a selectable answer on some forms — choosing it tells the underwriter your servers are bare, which is precisely where ransomware does its damage. Unmonitored EDR does not count as EDR. This is the control behind our managed detection and response service.
3. Backups — immutable or MFA-locked, and actually restored
Carriers probe whether backups are offline or air-gapped, immutable, MFA-protected, encrypted, and recoverable within three days.
What passes: backups that are immutable or MFA-gated, encrypted, and test-restored within the last 12 months.
The quiet disqualifier, three traps: a plain cloud sync that is neither immutable nor MFA-protected; a syncing service such as Dropbox, OneDrive, SharePoint, or Google Drive presented as backup (a file ransomware encrypts on a workstation is synced up as-is, so the "backup" copy is encrypted alongside production); and backups that are never scanned for malware before restore or never test-restored at all. Untested backups score zero.
4. Privileged access — separate accounts, vaulted, monitored
Carriers ask whether admins use separate accounts for administrative versus day-to-day work, whether local admin credentials are unique per machine, and whether a password vault manages privileged accounts.
What passes: separate admin accounts, a credential vault, least privilege, and MFA on privileged login.
The quiet disqualifier: one account used for both web browsing and domain administration is a selectable, failing answer. A vault that stores credentials but does not monitor privilege usage is the weaker tier.
5. Email security — a gateway, not a spam filter
Carriers distinguish basic filtering from a secure email gateway with URL rewriting and attachment sandbox detonation before delivery, plus external-sender tagging and SPF enforcement.
What passes: a real secure email gateway with SPF strictly enforced, meaning the record ends in a hard-fail "-all" qualifier so unauthorised senders are rejected rather than merely flagged.
The quiet disqualifier: ordinary email filtering does not satisfy this; one carrier's own glossary states filtering "does not protect against more targeted and sophisticated email attacks." SPF left in a monitor-only posture also fails: in practice that is a soft-fail "~all" or neutral "?all" qualifier, which lets spoofed mail through while the record looks like it is doing its job.
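As an added check (example code written for this page, not from any carrier's form or the original article), here is how the SPF answer above can be verified from a domain's DNS TXT records rather than taken on faith: the qualifier on the final "all" mechanism is what separates enforced ("-all") from soft-fail ("~all"), neutral ("?all") or wide open ("+all"). The example goes one step beyond the page's text and also reads the DMARC "p=" tag, whose p=none value is the literal monitor-only setting. The domain names and records are constructed samples, and lookup_txt() is an assumed stand-in for a real resolver query (for instance dnspython's dns.resolver.resolve(name, "TXT")).

```python
"""Added example: read SPF (and DMARC) TXT records the way an underwriter scores them.

The records below are constructed samples standing in for DNS TXT lookups; in a real
check, replace lookup_txt() with a resolver query (e.g. dnspython's
dns.resolver.resolve(name, "TXT")).
"""
import re

# Constructed sample TXT records keyed by DNS name (not real domains' data).
SAMPLE_TXT = {
    "strict.example":  ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"],
    "soft.example":    ["v=spf1 include:_spf.example.net ~all"],
    "neutral.example": ["v=spf1 ip4:198.51.100.10 ?all"],
    "open.example":    ["v=spf1 +all"],
    "none.example":    ["google-site-verification=abc123"],
    "dup.example":     ["v=spf1 -all", "v=spf1 ip4:198.51.100.20 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "_dmarc.soft.example":   ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
}

# The "all" mechanism with its optional qualifier; no qualifier means "+" (pass).
ALL_TERM = re.compile(r"([-~?+]?)all", re.IGNORECASE)
QUALIFIER = {"-": "enforced", "~": "softfail", "?": "neutral", "+": "pass-all"}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns a list of record strings."""
    return records.get(name, [])


def spf_status(domain, records=SAMPLE_TXT):
    """Classify a domain's SPF posture from the qualifier on its 'all' mechanism.

    Returns 'enforced' (-all), 'softfail' (~all), 'neutral' (?all or no 'all' term),
    'pass-all' (+all, authorises every sender on the internet), 'invalid' (more than
    one SPF record, a permanent error under RFC 7208) or 'missing'.
    """
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"
    for term in spf[0].split()[1:]:
        m = ALL_TERM.fullmatch(term)
        if m:
            return QUALIFIER[m.group(1) or "+"]
    return "neutral"


def dmarc_policy(domain, records=SAMPLE_TXT):
    """Return the DMARC p= tag ('none', 'quarantine', 'reject') or 'missing'."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records)
            if r.lower().startswith("v=dmarc1")]
    if not recs:
        return "missing"
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags.get("p", "missing").lower()


def passes_email_control(domain, records=SAMPLE_TXT):
    """True only when SPF hard-fails unauthorised senders and DMARC acts on failures."""
    return (spf_status(domain, records) == "enforced"
            and dmarc_policy(domain, records) in ("quarantine", "reject"))


if __name__ == "__main__":
    for d in ("strict.example", "soft.example", "neutral.example", "open.example",
              "none.example", "dup.example"):
        print(f"{d:16} spf={spf_status(d):9} dmarc={dmarc_policy(d):8} "
              f"passes={passes_email_control(d)}")
```

Run it against your own sending domains before you tick the box: only "enforced" plus a DMARC policy of quarantine or reject is the answer the form is asking for, and a soft-fail record that has sat in "~all" since the mail migration is exactly the gap the carrier's glossary is describing.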
6. Patch and vulnerability management — and no exposed end-of-life software
Carriers ask your timeframe to install critical patches, a separate and faster timeframe for zero-days, and the status of any end-of-life software.
What passes: critical patches inside roughly 30 days, a faster lane for zero-days, and no internet-facing EOL software.
The quiet disqualifier: EOL software is acceptable only if it is segmented, not internet-facing, and under purchased extended support. "No formal patch management program" and "beyond one month" are literal selectable answers that fail.
7. Incident response — written, and tested
Every form that asks pairs the existence of an incident response plan with whether it has been tested, and asks for named responsibilities.
What passes: a written plan with named action items and roles, tested in the last 12 months.
The quiet disqualifier: "we have a plan" is never enough — one carrier asks for the actual date of your last test, which exposes a plan tested years ago or never.
8. Network exposure — no flat networks, no naked RDP
Carriers decompose remote desktop into internal versus external, standard port 3389 versus non-standard, and MFA versus password-only — and ask about IDS/IPS, protective DNS, and segmentation between IT and operational technology.
What passes: no externally exposed RDP without MFA, IT and OT separated, and internet-facing systems in a DMZ.
The quiet disqualifier: externally exposed RDP on port 3389 with password-only authentication is the single most diagnostic answer in the whole application. Moving RDP to a non-standard port does not change that answer; only putting MFA in front of it or taking it off the internet does. A flat network where operational technology shares a segment with IT is a selectable, failing answer.
9. Funds-transfer controls — out-of-band, every time
Carriers ask whether you verify funds-transfer requests and vendor bank-detail changes through a separate channel, whether you require dual authorization, and at what threshold.
What passes: out-of-band verification on every payment-change and vendor-bank-change request, plus dual authorization above $25,000.
The quiet disqualifier: $25,000 is the common trigger, but some carriers set no dollar floor at all — verification is required on every request, so a "we verify over $X" policy fails. Confirming a change by replying to the same email also fails the definition of out-of-band.
10. Security awareness — simulated, and including the people who move money
Carriers ask how often you run social-engineering training, whether you run phishing simulations (asked separately from training), and whether finance and accounts-payable staff are trained specifically.
What passes: continuous training plus phishing simulations for all staff, finance included.
The quiet disqualifier: "never / not regularly" is a literal checkbox on some forms, classroom training without simulation is the weaker answer, and training that skips the people who actually wire money is the gap that matters most.
The threshold-killing trifecta
Three of those ten answers act as auto-decline signals, called out specifically by major reinsurers in their 2026 underwriting guidance: missing MFA on administrator accounts, EDR on workstations but not servers, and backups that have never been restore-tested. If you fix nothing else before you apply, fix these three. They are the difference between a quote and a declination, and between a paid claim and a denied one.
What this means for your vertical
The ten controls are universal, but the exposure that drives your premium is not.
- Law firms — the lawyers' cyber application asks your current professional-liability carrier and policy number up front, splits phishing training by financial versus non-financial staff (trust-account and IOLTA fraud is the exposure), and requires backups that are cloud, MFA-protected, daily, and three-day-restorable — all of it, or the answer is No. See the law-firm program.
- Dental and medical practices — carriers proxy HIPAA risk through PHI record counts rather than HIPAA-named questions, and they care whether EDR covers the practice-management server, not just the front-desk PCs. See the dental program.
- Accounting and tax firms — client-fund handling and filing-season volume make out-of-band funds-transfer verification and finance-staff training the controls that carry the most weight. See the accounting program.
- Real estate, title, and escrow — the heaviest funds-transfer exposure of all: a business-email-compromise wire diversion is the most common claim, so the no-dollar-floor verification controls are make-or-break.
The downloadable questionnaire covers twelve verticals in this detail, including manufacturing, retail, construction, nonprofits, and auto dealerships.
Get ahead of the questionnaire
The questionnaire tells you where you stand. Closing the gaps is the work — and the harder part is producing the evidence underwriters accept: the access-control export, the server-coverage attestation, the restore-test log, the out-of-band payment procedure, the tested incident response plan.
Two ways forward:
- Self-assess first. The free 2026 Cyber Insurance Readiness Questionnaire is this control list as a worksheet — the real questions, what passes, the quiet disqualifiers, and notes for twelve SMB verticals. Score yourself before an underwriter does.
- Get the evidence packet built. The Cyber Insurance Readiness Sprint is a fixed-scope engagement that turns your environment into the documentation a carrier accepts, so the application becomes a paperwork step instead of a months-long scramble. It is carrier-neutral and CISSP-led. See pricing or read how the Huntress partnership underpins the controls.
You do not need to guess what cyber insurers require in 2026. The answer is on the application, and now it is on your desk.