The SMB Cyber Insurance Readiness Guide: What Carriers Want in 2026
What carriers now require before they will write or renew cyber insurance for small businesses — and how Ohio SMBs can match the bar in 2026.
Cyber insurance for small business is still available. It is just harder to earn, harder to renew, and harder to rely on if your application says one thing and your environment shows another.[2]
For SMB leaders, that changes the job. You are not only buying a policy. You are proving that your company can prevent common attacks, detect issues fast, recover operations, and document what is true at the time you sign the application. That is exactly how NIST Cybersecurity Framework 2.0 is structured through its six functions: Govern, Identify, Protect, Detect, Respond, and Recover.[1]
The cyber insurance market: why renewals got harder
The market tightened after years of ransomware losses, social engineering claims, and application disputes. Carriers now ask more detailed questions about controls that attackers commonly bypass, especially remote access, admin accounts, email, backups, and endpoint security. Verizon’s 2026 Data Breach Investigations Report says 31 percent of breaches now begin with software vulnerabilities, which helps explain why patching and external exposure matter more in underwriting than they did a few years ago.[4]
What changed since 2023 is not just pricing. Underwriting moved from trust-based questionnaires toward evidence-based review. Carriers and their partners increasingly validate answers with outside-in scans, identity exposure checks, and deeper application language around attestation, which is the legal confirmation that your answers are accurate. Industry guidance aimed at insureds notes that renewals now expect screenshots, policies, logs, backup test records, and other proof, not just yes-or-no answers.[5][3]
For an executive team, this means your policy process now looks more like lender diligence than a simple insurance form. If your broker says a carrier wants details on MFA, EDR, backups, and incident response, they are asking whether the basics are truly enforced, not whether they exist in a slide deck.[3]
What carriers look for in 2026
Most carriers still phrase cyber liability readiness differently, but the themes are converging. Coalition highlights MFA, cybersecurity training, backups, identity and access controls, incident response plans, and security risk assessments as core requirements. Verizon’s 2026 report points to the same defense themes: MFA, software updates, user training, encryption, regular testing, and incident response planning.[2]
The large carriers named most often in middle-market and SMB underwriting conversations include Travelers, Chubb, Coalition, At-Bay, and Tokio Marine HCC. Their forms and underwriting appetite differ, but the direction is the same. They want stronger identity controls, better endpoint visibility, tested recovery, documented governance, and fewer blind spots in cloud and remote access. Chubb’s cyber proposal language also reinforces that applicants have a duty to disclose material facts truthfully, which matters when claims are reviewed later.[7]
This is where NIST CSF 2.0 helps non-technical leaders. It gives a national, business-friendly way to describe readiness. Govern covers policy, accountability, and oversight. Identify covers assets, suppliers, and risk. Protect covers access, training, data security, and platform security. Detect, Respond, and Recover cover the controls that determine whether an incident becomes a contained disruption or a major claim.[1]
The 12 controls underwriters treat as non-negotiable
Most SMB cyber insurance requirements now cluster around a dozen controls. The exact wording varies by carrier, but the following show up again and again in applications, scans, and renewal reviews.[8][2]
- Multi-factor authentication for email, remote access, admin accounts, and critical cloud apps. CISA and joint ransomware guidance place strong weight on MFA, and newer guidance increasingly points to phishing-resistant MFA for higher-risk access paths.[9][11]
- Endpoint detection and response, or EDR, on laptops, desktops, and servers. Coalition explicitly points to antivirus or EDR as a key requirement.[2]
- Offline, immutable, and tested backups. CISA-linked ransomware guidance stresses offline encrypted backups and regular restore testing.[10][9]
- Formal patch management for operating systems, browsers, VPNs, firewalls, and internet-facing apps.[12]
- Security awareness training, including phishing reporting.[10]
- Documented incident response plan with named roles and annual exercises.[9]
- Asset inventory for devices, software, and internet-facing systems. NIST CSF 2.0 places asset understanding inside the Identify function.[1]
- Least-privilege access and separate admin accounts.[6]
- Email security controls such as SPF, DKIM, and DMARC where appropriate, plus anti-phishing filtering.[5]
- Vulnerability scanning and, for larger limits or higher-risk sectors, penetration testing.[12]
- Logging and monitoring that support timely detection and investigation. NIST CSF 2.0 defines Detect as finding and analyzing attacks and compromises in time to respond.[1]
- Vendor and third-party risk management, especially for cloud providers, payroll, finance, and line-of-business platforms. NIST CSF 2.0 strengthened its governance and supply chain emphasis.[1]
If you only remember one thing, remember this. Carriers are insuring control execution, not policy language. A written standard without proof of enforcement does not help much at renewal or at claim time.[3]
Tier 1 vs Tier 2 cyber policies: what the gap actually costs you
Many SMBs buy a policy based on premium first, then discover the real cost after an incident. A lower-tier cyber policy may look acceptable on the declarations page but contain tighter sublimits, more exclusions, narrower business interruption language, or weaker support for vendor-caused outages, funds transfer fraud, and incident response services.[13]
A practical way to explain the gap is to compare “paper coverage” with “operational coverage.” Paper coverage says you bought cyber insurance. Operational coverage means the policy still responds when your email is compromised, your managed cloud app is down, or a vendor incident stops your payroll or customer portal. Some 2026 guidance aimed at insureds warns that standard forms may exclude contingent business interruption from third-party incidents unless the policy is negotiated carefully.[13]
For executives, the cost gap shows up in three places:
- More retained loss, because sublimits cap recovery for key events.[13]
- More uncovered downtime, because third-party interruption or social engineering coverage is narrower than expected.[3]
- More dispute risk, because attestation language lets a carrier revisit whether the control existed as represented.[7]
The smarter buying process is to review controls and coverage together. A stronger control set often improves insurability and reduces the chance that a lower-priced but thinner policy becomes an expensive mistake.[3]
Common reasons claims get denied
Claims usually do not fail because a carrier “found a loophole.” They fail because the application, policy terms, and actual control state do not line up. A recurring issue is misrepresentation. If the application says MFA is enforced for all privileged accounts or remote access and it turns out only part of the business had it, the insurer may argue the risk was misstated. Multiple cyber insurance readiness advisories now warn that application misrepresentation remains a leading cause of disputes.[14]
Another common issue is late notice or poor incident handling. Carrier guidance and cyber claim advisers repeatedly stress prompt reporting after an event and preserving evidence, because delayed notice can affect both coverage and forensic response. CISA’s ransomware guidance also stresses isolating affected systems, reviewing logs, documenting what happened, and restoring from known-good offline backups.[14]
A third issue is control drift after renewal. You may have had the right controls when the form was completed, then lost coverage discipline over time. Examples include:
- MFA turned off for a legacy VPN during a migration.[3]
- Backups running, but restore tests not performed.[10]
- EDR purchased, but not deployed to all servers.[2]
- Critical patches delayed on public-facing systems.[4]
This is why carriers care about attestation and evidence. The claim file often starts by comparing the application to the real-world state of controls at the time of loss.[7]
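The four drift examples above, and the "control truth test" recommended in the pre-renewal plan later in this guide, come down to one routine: re-check each attested answer against evidence exported from your tooling. Here is an added Python example of that check (not code from the guide or from Securafy); the evidence field names, the sample accounts and hosts, and the 30-day and 90-day thresholds are assumptions chosen for illustration.

```python
# Added example: a "control truth test" that compares last year's attested
# questionnaire answers with evidence exported from identity, EDR, backup and
# patch tooling, and reports which answers the evidence no longer supports.
from datetime import date

# Constructed sample evidence (field names are assumptions, not a vendor format).
EVIDENCE = {
    "vpn_accounts": [{"user": "a.lee", "mfa": True}, {"user": "svc-legacy", "mfa": False}],
    "admin_accounts": [{"user": "admin-jdoe", "mfa": True}],
    "servers": [{"host": "db01", "edr_active": True}, {"host": "file02", "edr_active": False}],
    "backups": {"last_success": date(2026, 2, 1), "last_restore_test": None},
    "public_hosts": [{"host": "web01", "critical_patch_age_days": 45}],
}

def restore_tested_within(backups, max_age_days, today=date(2026, 3, 1)):
    """A successful backup job is not proof of recovery; require a recent restore test."""
    tested = backups.get("last_restore_test")
    return tested is not None and (today - tested).days <= max_age_days

# Each attested answer is paired with the check that would prove it from evidence.
ATTESTED = {
    "MFA enforced on all remote access (VPN)":
        lambda e: all(a["mfa"] for a in e["vpn_accounts"]),
    "MFA enforced on all admin accounts":
        lambda e: all(a["mfa"] for a in e["admin_accounts"]),
    "EDR deployed and active on all servers":
        lambda e: all(s["edr_active"] for s in e["servers"]),
    "Backups restore-tested within the last 90 days":
        lambda e: restore_tested_within(e["backups"], 90),
    "Critical patches applied to internet-facing hosts within 30 days":
        lambda e: all(h["critical_patch_age_days"] <= 30 for h in e["public_hosts"]),
}

def control_truth_test(attested, evidence):
    """Return the attested answers the evidence no longer supports (control drift)."""
    return [claim for claim, check in attested.items() if not check(evidence)]

def drift_report(attested, evidence):
    """One line per attested control, marked OK or DRIFT, for the renewal file."""
    drifted = control_truth_test(attested, evidence)
    lines = [f"{'DRIFT' if c in drifted else 'OK   '}  {c}" for c in attested]
    return "\n".join(lines), drifted

if __name__ == "__main__":
    text, drifted = drift_report(ATTESTED, EVIDENCE)
    print(text)
    print(f"\n{len(drifted)} of {len(ATTESTED)} attested answers need remediation or a corrected answer.")
```

Each DRIFT line is either a remediation task or an answer that must change before the signer attests; the sample data produces four of them, matching the four drift examples above.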
How carriers verify your answers
Executives often assume underwriting relies on the application alone. That is no longer safe. Many carriers now combine three forms of verification: questionnaire review, formal attestation, and third-party technical validation. Advisories for 2026 renewals note that underwriters increasingly use external scans and other evidence sources to test whether what was attested matches what is exposed on the internet or visible in supporting documents.[6][3]
The first layer is the questionnaire. It asks about controls such as MFA, EDR, backups, patching, Remote Desktop Protocol (RDP) access, incident response, and employee training. The second layer is attestation. That is the signed statement that the answers are accurate and complete to the best of the applicant’s knowledge. Chubb’s proposal language highlights the applicant’s duty to disclose material facts, which underscores the legal weight of these forms.[7]
The third layer is technical validation. This may include:
- Outside-in scans for exposed services, weak remote access, or vulnerable edge systems.[5]
- Requests for screenshots, policies, or backup test evidence.[6]
- Penetration test reports and remediation proof for larger limits or regulated sectors.[5]
- Review of incident response plans and tabletop exercise records.[12]
A good rule is simple. Never answer from memory. Answer from evidence that you can produce quickly. That keeps underwriting cleaner and reduces claim friction later.[3]
Federal frameworks that make your story credible
This guide is national by design, so the most useful references are federal frameworks and cross-industry guidance. NIST CSF 2.0 is the anchor because it is voluntary, sector-neutral, and built for communication between executives, managers, and practitioners. It also added a dedicated Govern function in version 2.0, which matters because insurers increasingly want to see cybersecurity treated as an enterprise risk issue, not an isolated IT task.[1]
CISA guidance is the second anchor. Joint ransomware guidance tied to CISA recommends MFA, preventive patching, offline encrypted backups, threat hunting or monitoring, incident response planning, user awareness training, asset inventory, hardening of remote access, and recovery procedures. Those recommendations align closely with the controls carriers ask about most often.[9][12]
If your business is regulated, map the same evidence set into the rules that already matter to you. For example:
- HIPAA Security Rule, 45 C.F.R. Part 164 Subpart C, includes administrative, physical, and technical safeguards for protecting electronic protected health information.[1]
- Gramm-Leach-Bliley Act Safeguards Rule, 16 C.F.R. Part 314, requires covered financial institutions to develop, implement, and maintain a written information security program.[1]
- FTC Safeguards Rule amendments sharpened expectations around risk assessment, access controls, encryption, secure development where relevant, logging, and incident response.[1]
Even when a carrier does not ask for these citations directly, using them helps your team show that controls are selected on a recognized standard, not guesswork.[1]
How to demonstrate controls to a carrier
“Trust us” is not a strategy. A clean underwriting file is built on evidence that a non-technical decision-maker can understand and a technical reviewer can validate. NIST CSF 2.0 gives a practical structure for this through current profiles, target profiles, and gap analysis. In plain English, that means documenting what exists now, what should exist by renewal, and what work is underway to close the gap.[1]
Build a readiness package that includes:
- Control matrix mapped to NIST CSF 2.0 functions and your policy questionnaire.[1]
- MFA evidence for email, VPN, admin accounts, and core SaaS systems.[10]
- EDR deployment report showing coverage across endpoints and servers.[2]
- Backup architecture, immutability settings, and recent restore test results.[12]
- Vulnerability scan results, patch cadence, and remediation records.[4]
- Incident response plan with last tabletop exercise date and attendees.[9]
- Security awareness training records and phishing test summaries.[10]
- Asset inventory and key vendor list, especially internet-facing systems and critical third parties.[1]
For SMB executives, the value is speed and consistency. When a broker, underwriter, customer, lender, or regulator asks the same risk questions in different language, one evidence set can support all of them.[3]
Pre-renewal action plan: 90 days, 30 days, 7 days
The best time to prepare is at least 90 days before renewal. Start with a control truth test. Pull last year’s application and compare each answer to the current state of your environment. Industry guidance aimed at insureds says this is one of the highest-impact steps an organization can take because the biggest risk is often the gap between intended controls and actual controls.[5]
90 days out
At 90 days, focus on gaps that take time to fix:
- Enforce MFA everywhere the application will ask about it.[2]
- Close EDR coverage gaps on servers and remote devices.[2]
- Test backups and document restore success.[12]
- Patch public-facing systems and reduce exposed services.[4]
- Update the incident response plan and run a tabletop exercise.[9]
30 days out
At 30 days, package evidence:
- Create the control matrix and gather screenshots, logs, reports, and policies.[3]
- Review third-party dependencies and confirm any contingent business interruption concerns with the broker.[13]
- Reconcile policy wording with operational reality, especially social engineering, vendor outages, and business interruption triggers.[13]
7 days out
At 7 days, slow down and verify:
- Re-read every questionnaire answer with your IT or security partner.[15]
- Confirm no recent drift in MFA, patching, or backups.[14]
- Make sure the signer understands the attestation language.[7]
This cadence reduces scramble, cuts back on bad assumptions, and gives you a better shot at both favorable terms and a cleaner claims position.[3]
Quick-Start Checklist
Use this as your executive checklist before the next application or renewal. Each item supports what carriers look for in cyber insurance for small business in 2026.[2]
- Enforce MFA for email, VPN, remote access, admin accounts, and critical SaaS apps.[10]
- Move higher-risk access to phishing-resistant MFA where feasible.[11]
- Deploy EDR to all endpoints and servers.[2]
- Verify EDR is active, monitored, and not just installed.[5]
- Create offline or immutable backups for critical data.[12]
- Test restores and save the results.[10]
- Patch internet-facing systems on a strict schedule.[4]
- Remove or harden exposed remote access paths like RDP and legacy VPNs.[12]
- Maintain an up-to-date asset inventory.[12]
- Maintain a list of critical vendors and cloud services.[1]
- Separate admin accounts from daily user accounts.[6]
- Review least-privilege access quarterly.[6]
- Run security awareness training and phishing simulations.[10]
- Update the incident response plan with names, roles, and contact paths.[9]
- Run at least one tabletop exercise each year and save the notes.[5]
- Keep vulnerability scan and remediation records.[12]
- Collect screenshots and reports that prove key controls are live.[6]
- Compare last year’s application answers to today’s environment.[5]
- Review policy sublimits, exclusions, and contingent business interruption wording with your broker.[13]
- Make sure the executive signer understands that the application is an attestation, not a marketing summary.[7]
Strategy call
A cyber policy should support your business when things go wrong. It should not become a second crisis because the controls were unclear, undocumented, or overstated. Carriers want evidence, clarity, and follow-through. The SMBs that renew cleanly in 2026 are the ones that can show all three.[6]
Securafy helps SMBs and regulated organizations turn cyber liability readiness into a practical operating plan. A strategy call can help you review your current controls, spot renewal risks, map evidence to common carrier questions, and identify the coverage gaps that could cost you the most at claim time.[3]
Ready to talk to a Securafy engineer?
If you want to apply this guide to your environment, book a free 30-minute strategy call. No sales pitch — just a candid look at what's working, what isn't, and what to fix first.