
Cyber Insurance: What Underwriters Actually Want to See in 2026

Standarity Editorial Team · Cyber Insurance Practitioners · 7 min read

Cyber insurance has matured rapidly from a niche product to a mainstream risk transfer mechanism for organisations of meaningful size. The market has also matured in a less comfortable direction for buyers — underwriting has tightened, questionnaires have lengthened, evidence requirements have risen, and premiums increasingly reflect actual security posture rather than industry averages. Organisations facing renewal cycles in 2026 are encountering substantially more demanding underwriting than they faced three years ago, and the organisations that produce favourable renewal outcomes understand what underwriters are actually looking at.

What Underwriters Actually Care About

  • Multi-factor authentication coverage — specifically, whether MFA is enforced for all privileged access, all remote access, all email, and all critical systems
  • Endpoint detection and response (EDR) — coverage across the endpoint estate, with specific tooling identified
  • Backup discipline — frequency, immutability, isolation, testing
  • Patch management — patch latency on critical and high-severity vulnerabilities, with metrics
  • Incident response capability — documented playbooks, exercised plans, retained response provider relationships
  • Privileged access management — coverage and operational discipline

Each of these dimensions has specific evidence underwriters now request, and self-attestation increasingly requires supporting documentation.

The Questionnaire That Has Become a Substantive Audit

Cyber insurance questionnaires used to be short and broad. Modern questionnaires are detailed and specific — fifty to a hundred questions covering control implementation in measurable terms. Underwriters increasingly cross-reference questionnaire responses with publicly available information about the organisation and with the underwriter's own threat intelligence. Inconsistencies surface during underwriting and produce coverage disputes during claims. Treating the questionnaire as a paperwork exercise has become operationally expensive.

Ransomware-Specific Underwriting

Ransomware has driven much of the underwriting tightening. Underwriters now look specifically at backup immutability and isolation (the organisation's ability to recover without paying), at MFA depth (the most common entry point for ransomware), at EDR coverage (detection before encryption), and at the explicit ransomware response plan. Coverage for ransomware specifically may be sublimit-restricted; some insurers exclude ransom payments entirely; some require explicit pre-approval before any payment. Organisations seeking material ransomware coverage need to demonstrate ransomware-specific resilience controls, not just general security posture.

A pattern in declined renewals: the organisation had favourable terms for years, made few changes to its security posture, and was declined or non-renewed when the market tightened. The security posture that was acceptable three years ago is now below the market floor. Renewal cycles that hold up require ongoing security investment, not just renewal-time scrambling. Organisations that have invested steadily produce smoother renewals; organisations that have not face surprises.

Coverage Structure Worth Understanding

Modern cyber policies typically cover first-party costs (response, recovery, notification, regulatory defence) and third-party liability (claims from affected parties). Specific sublimits often apply to ransomware, business interruption, and regulatory fines. Exclusions matter materially — acts of war, infrastructure attacks, dependent business interruption from cloud providers — and exclusion language has been expanding. The headline policy limit is one number; the effective coverage for any specific scenario depends on the interaction of limits, sublimits, and exclusions. Reading the policy thoroughly is non-optional; the marketing summary is not the policy.

How to Run a Renewal That Produces Favourable Outcomes

Start the renewal cycle three to six months before expiration. Complete the questionnaire honestly with supporting evidence rather than aspirational responses. Engage the broker meaningfully — they understand the market and can position the organisation. Where security gaps exist, address them before underwriting rather than during. Have the organisation's security leadership available for underwriter calls; underwriters increasingly want to talk to the CISO rather than just read questionnaires. Plan for premium increases regardless of posture; the broader market trend has been upward.

Components of a Programme That Holds Up at Renewal

  • Documented security posture mapped to common questionnaire dimensions, kept current year-round
  • MFA, EDR, backup, and patch management metrics produced and reviewed monthly
  • Incident response capability documented, exercised through tabletops, with retained response provider
  • Privileged access management programme with measurable coverage
  • Vendor risk programme with attention to the dependencies that produce concentrated cyber exposure
  • Engagement with the broker that goes beyond annual renewal — market intelligence year-round
  • Honest gap analysis pre-renewal with specific remediation before submitting questionnaires

When Cyber Insurance Is the Right Tool

Cyber insurance is risk transfer — appropriate for risks that exceed the organisation's appetite to retain and that the insurance market is willing to price. It is not a substitute for security investment; underwriters will not insure organisations whose posture is below the market floor, and even when coverage is available, claims experience is heavily affected by the organisation's controls. The right framing is layered defence — security investment as the first line, insurance as the final line covering residual exposure that controls cannot eliminate. Organisations that treat insurance as a substitute for controls produce expensive renewals and disappointing claims experiences; organisations that treat it as risk transfer on top of strong controls produce favourable outcomes on both sides.
