Five years ago, buying cyber insurance for a small business meant filling out a one-page form and answering a handful of yes/no questions. You checked a few boxes, paid your premium, and moved on. Those days are gone.
In 2026, a cyber insurance application for even a 10-person company reads like a security audit. Underwriters want to see written policies, proof of specific technical controls, and your signature attesting that all of it is true. Get one of those attestations wrong and your claim can be denied months later, exactly when you need the payout most.
This post walks through what underwriters actually require now, why they tightened up, what a modern application asks for, and how a small business with no security team can satisfy the requirements honestly.
Why underwriters got strict
Insurance is a math business. From roughly 2019 through 2021, cyber insurers paid out far more in ransomware and business-email-compromise claims than they collected in premiums. Loss ratios in the cyber line blew past anything the underwriters had modeled. The market reacted the way any insurance market reacts to a bad book: prices went up, coverage got narrower, and the application got harder.
The turning point was ransomware. When a single incident can encrypt every server in a company and demand a six-figure ransom, insurers stopped treating cybersecurity as a footnote and started treating it like fire safety. You cannot get affordable property insurance on a building with no smoke detectors and no sprinklers. By 2026, you cannot get affordable cyber insurance without multi-factor authentication, tested backups, and written policies that say how your business handles risk.
The important shift for small business owners is this: underwriters are no longer asking whether you could defend yourself. They are asking you to prove you have specific controls in place, in writing, and to sign your name to it. Your premium (and whether you can get covered at all) now depends on the answers.
What a 2026 application actually asks
Applications vary by carrier, but after seeing enough of them the pattern is consistent. Here is the kind of checklist a small business will face on a 2026 application or renewal:
MFA
[ ] MFA enforced on email (Microsoft 365 / Google Workspace)
[ ] MFA enforced on remote network access / VPN
[ ] MFA enforced on privileged / admin accounts
[ ] MFA on remote access to critical systems
Endpoint & network
[ ] Endpoint Detection & Response (EDR) deployed on all endpoints
[ ] Email filtering / anti-phishing in place
[ ] Firewall with default-deny inbound rules
Backups & recovery
[ ] Backups run at least daily
[ ] At least one backup copy offline or immutable
[ ] Backup restores tested in the last 12 months
[ ] Documented recovery time objective (RTO)
Written policies & process
[ ] Written information security policy
[ ] Documented incident response plan
[ ] Access control / least-privilege policy
[ ] Vendor / third-party risk management process
[ ] Security awareness training for staff
[ ] Data retention & disposal policy
Notice how much of the bottom section is not technology at all. It is paperwork. Roughly half of a modern application is asking whether you have written down how your business handles security, not whether you own a particular tool. That surprises most owners, and it is where the majority of small businesses fall short.
The written policies they now expect
When an application asks “do you have a written information security policy,” a single vague paragraph in your employee handbook does not count. Underwriters (and, more importantly, the claims adjusters who read your policies after an incident) expect real documents that describe how your business actually operates.
The seven that come up most
- Acceptable Use Policy: what employees may and may not do with company devices, email, and data. This is the foundation document almost every application expects.
- Access Control Policy: who gets access to what, how access is granted and removed, and how you enforce least privilege. This is what backs up your “yes” on the least-privilege checkbox.
- MFA / Authentication Policy: a written statement that multi-factor authentication is required on email, remote access, and admin accounts, and how it is enforced. Owning MFA is not enough; underwriters want the rule written down.
- Incident Response Plan: the step-by-step of who does what when something goes wrong: who is called first, how you contain the incident, when you notify the insurer, and who is legally responsible for reporting. Carriers weight this heavily because a fast, organized response is what limits their payout.
- Backup & Disaster Recovery Policy: how often you back up, where copies live, how you keep one copy offline or immutable, and how you test restores. After ransomware, this is the single most scrutinized document.
- Vendor / Third-Party Risk Management Policy: how you vet the outside vendors who touch your data (your IT provider, your cloud apps, your payroll processor). Many breaches enter through a vendor, and underwriters know it.
- Data Retention & Disposal Policy: what data you keep, for how long, and how you securely destroy it. You cannot lose data you no longer store, and insurers reward that logic.
Some carriers also ask for a security awareness training policy and a change management policy, but the seven above are the core set that a modern application circles back to again and again.
The controls behind the policies
Policies describe intent; controls are the actual technology. Three of them now function as near-hard requirements. If you cannot check these boxes, expect either a declined application or a sharply higher premium.
- Multi-factor authentication (MFA). This is the single control underwriters care about most, because it stops the majority of account-takeover and business-email-compromise attacks. At minimum, enforce it on email, on any remote/VPN access, and on every administrator account. Missing MFA on remote access is one of the most common reasons a 2026 application gets declined outright.
- Endpoint Detection & Response (EDR). Traditional antivirus is no longer sufficient in most carriers’ eyes. EDR watches for suspicious behavior and can isolate a compromised machine before ransomware spreads across the network. Many applications now name it specifically.
- Backups that are offline or immutable and tested. Ransomware groups deliberately hunt for and delete backups before they trigger encryption. A backup you have never restored from is not a backup; it is a hope. Underwriters want daily backups, at least one copy that attackers cannot reach, and evidence you have actually run a test restore.
None of these are exotic or expensive for a small business anymore. MFA is built into Microsoft 365 and Google Workspace at no extra cost. Reputable EDR runs a few dollars per device per month. Immutable cloud backup is a standard feature of most modern backup services. The gap is rarely money: it is that nobody has turned the features on and written down that they are on.
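As an added example (not code from the original post), here is a small Python check that turns a test restore into the evidence the backup items ask for: it verifies a restored copy against a hash manifest recorded at backup time, then maps that result, the date of the last test, and the measured restore time against the documented RTO onto the application's yes/no boxes. The files, manifest, dates, and RTO below are constructed sample values.

```python
import hashlib
import os
import tempfile
from datetime import date, timedelta

def sha256_file(path):
    """Hash a file in chunks so large backup sets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_restore(manifest, restored_dir):
    """Return the relative paths whose restored copy is missing or altered."""
    failures = []
    for rel, expected in manifest.items():
        p = os.path.join(restored_dir, rel)
        if not os.path.isfile(p) or sha256_file(p) != expected:
            failures.append(rel)
    return failures

def attestation_status(last_test, today, restore_minutes, rto_minutes, failures):
    """Map restore evidence onto the application's backup checkboxes."""
    tested = last_test is not None and today - last_test <= timedelta(days=365)
    return {
        "restore_tested_last_12_months": tested,
        "restore_verified": not failures,
        "rto_met": restore_minutes <= rto_minutes,
    }

def demo():
    """Constructed sample: two files, a manifest, and a restore with one bad file."""
    files = {"ledger.csv": b"2026-01-01,invoice,100\n", "notes.txt": b"call vendor\n"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        manifest = {}
        for name, data in files.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
            manifest[name] = sha256_file(os.path.join(src, name))  # recorded at backup time
        for name, data in files.items():  # simulate a restore that truncated one file
            with open(os.path.join(dst, name), "wb") as f:
                f.write(b"trunc" if name == "notes.txt" else data)
        failures = verify_restore(manifest, dst)
    # hypothetical dates and timings: last test 2025-03-01, checked 2026-02-01, 45 min vs 240 min RTO
    return attestation_status(date(2025, 3, 1), date(2026, 2, 1), 45, 240, failures), failures

if __name__ == "__main__":
    print(demo())
```

A failed hash check means the "restore tested" box cannot honestly be ticked until the restore is fixed and re-run; keep the dated output as the evidence underwriters ask for.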
The written-policy gap most SMBs have
Here is the pattern I see constantly. A small business is actually doing fine on the technology. MFA is on. Backups run every night. The IT provider deployed EDR last year. The owner reads the application, sees the technical questions, and honestly checks “yes.”
Then the application asks for the written incident response plan, the access control policy, the backup and disaster recovery policy. And there is nothing. Not because the business is careless, but because writing security policies has never been anyone’s job. The owner is running the company. The IT provider handles the technology, not the governance paperwork. So the documents simply do not exist.
That is the written-policy gap: real security controls, no written policies to back them up. It is the most common failure point on a modern cyber insurance application, and it is entirely a documentation problem, not a security problem. The controls are already there. What is missing is the paper that describes them, and on a 2026 application, the paper is half the grade.
What happens if you attest falsely
This is the part that gets glossed over, and it is the part that can hurt the most. Every cyber insurance application ends with an attestation: you sign that your answers are accurate. That signature is not a formality. It is a legal representation the insurer relies on to price and issue the policy.
If you check “yes, MFA is enforced on remote access” to get the policy issued, and then a breach happens through a remote account with no MFA, the insurer’s forensics team will find that out. When they do, the carrier can deny the claim on the grounds of material misrepresentation, and in serious cases rescind the policy entirely, treating it as if it never existed. You will have paid premiums for coverage that evaporates at the exact moment you need it.
The lesson is not to be pessimistic about coverage. It is to be honest on the application and to close the gaps before you sign, not after. A slightly higher premium on an accurate application is far cheaper than a denied claim on a false one. If you cannot truthfully check a box today, the right move is to fix the underlying control now, then attest to it, not to check it hopefully and deal with the consequences during a claim.
How to satisfy this without a security team
Most businesses reading this do not have a CISO, a compliance officer, or anyone whose job is to write policy. You do not need one. Here is the realistic path.
First, close the technical gaps. They are usually quick. Turn on MFA for email, remote access, and admin accounts. Confirm with your IT provider that EDR is deployed everywhere and that backups are daily, immutable or offline, and have been test-restored in the last year. This is often a single afternoon of work, and it moves the most important checkboxes.
Then close the written-policy gap. You have three options. Hire a consultant to write custom policies (thorough, but often several thousand dollars and weeks of turnaround). Copy free templates off the internet (cheap, but generic, inconsistent, and frequently missing the exact items underwriters ask for). Or start from a purpose-built policy bundle and customize it to your business.
That middle path is exactly why we built our Cyber Essentials policy bundle. It is a set of ready-to-customize written policies (acceptable use, access control, MFA, incident response, backup and disaster recovery, vendor management, data retention, and more) mapped to the questions cyber insurance applications actually ask. You fill in your company details, adjust anything that does not fit, and you have the written documents underwriters expect, without paying consultant rates or gambling on random templates. It will not turn on MFA for you or configure your backups (that is still the technical work above), but it closes the paperwork half of the application, which is the half most small businesses are missing.
If you are not sure which gaps apply to you, email support@breachsecurity.io with what your business does, how many employees you have, and a copy of the application or renewal questionnaire you are staring at. We will tell you honestly what you need to fix, what you already have covered, and whether the bundle is the right fit or whether you are better served somewhere else. Sometimes the honest answer is that you are closer to ready than you think.