surable

July 17, 2026 · requirements · pillar

The 7 controls every cyber insurance application asks about in 2026

The short answer

In 2026, cyber insurance applications consistently require seven controls: enforced MFA on email, remote access, and admin accounts; endpoint detection and response (EDR); tested, offline-capable backups; timely patching with no unsupported systems; email security protections; documented security awareness training; and a written, tested incident response plan — each backed by evidence, because applications end with a signed attestation.

T

The Founder

Founder, Surable · 20 years in IT and information security

A cyber insurance application in 2026 is a security audit with a signature line. Carriers stopped taking "we're careful" for an answer several renewal cycles ago; now they ask for specific controls, ask whether they're documented, and have you attest — in writing — that your answers are accurate. Answer wrong and the best case is a premium surcharge. The worst case is a denied claim months later, when it matters most.

Here are the seven controls that appear, in some form, on virtually every small-business cyber application — what carriers mean by each, and what evidence you should have in hand before you sign.

1. Multi-factor authentication (MFA) — on email, remote access, and admin accounts

The first page of nearly every application. Carriers ask about three places specifically: business email, remote access (VPN, remote desktop, remote-support tools), and privileged/administrator accounts. "Enabled for most people" fails the question — underwriters ask whether it's enforced, because attackers find the one exception.

Evidence to have: your MFA enforcement policy, plus a screenshot or export from Microsoft 365 / Google Workspace showing enforcement status. (CIS v8.1 IG1, safeguards 6.3–6.5.)

2. Endpoint detection and response (EDR)

Traditional antivirus checks files against known signatures. EDR watches for attacker behavior — the hands-on-keyboard activity that precedes ransomware — and many carriers now ask for it by name, sometimes listing acceptable products. Unmanaged, nobody-watches-it protection generally doesn't support a "yes."

Evidence to have: the product name, what it covers (every workstation and server), and who sees alerts.

3. Backups that are tested — and survivable

Every application asks about backups. The better questionnaires ask three follow-ups: Are they automatic? Is there an offline or immutable copy ransomware can't reach? Have you tested a restore? That last one matters more than most owners expect: refusal to pay has become the norm — a record 86% of ransomware victims refused in Coalition's 2026 claims analysis — and working, tested backups are what make refusing a real option.

Evidence to have: your backup and recovery policy, and a dated note from your last restore test.

4. Patching — and no end-of-life systems

The 2026 Verizon DBIR puts vulnerability exploitation at the top of initial-access vectors, which is why applications ask how quickly you patch and whether anything in the environment no longer receives security updates (Windows Server 2012, old firewalls, abandoned line-of-business software). An unsupported, internet-adjacent system is one of the fastest routes to a declination — or to an exclusion written specifically around it.

Evidence to have: a patch-management policy with real cadences, and an asset list showing support status.

5. Email security beyond the defaults

Business email compromise and funds-transfer fraud drive 58% of incidents in Coalition's 2026 claims data — more than ransomware. Carriers respond by asking what sits in front of your inbox: advanced filtering, anti-phishing/impersonation protection, and increasingly whether SPF, DKIM, and DMARC are configured on your domain.

Evidence to have: your email security configuration summary, and — the control that pairs with it — a written funds-transfer verification procedure requiring phone confirmation of any bank-detail change. It's free, and it prevents the single most common loss type outright.

6. Documented security awareness training

Applications don't ask whether your people are careful; they ask whether training is documented and recurring, and sometimes whether you run phishing simulations. The attendance log is the answer — "we remind people to be careful" is a "no" in underwriting terms.

Evidence to have: your training policy, this year's attendance records, and the materials you use.

7. A written, tested incident response plan

The requirement that fails the most applications, because it's pure documentation and nobody owns it. Carriers ask two things: is the plan written (named roles, current phone numbers, isolation steps, carrier and counsel contacts), and has it been tested — a one-hour tabletop walk-through counts, if you keep dated notes.

Evidence to have: the plan itself and the notes from your last exercise. If you have neither, this is a one-afternoon fix with the right template — and it single-handedly flips one of the most common "no" answers to an honest "yes."

What ties all seven together: the attestation

Every application ends the same way: a signature affirming your answers are true. That's the part that turns a sloppy "yes" into a denied claim later. The working rule — ours, and the one that protects you — is simple: make every answer honestly "yes," or disclose accurately with compensating controls. Never shade an answer. The application is the exam, and the attestation is the part with consequences.

If you want to know which of the seven you'd pass today, the free Readiness Check scores you across all of them in about five minutes — instantly, no email required.

Common questions

Do small businesses really get declined for missing these controls?+

Yes — qualification is the real fight now. Survey data shows 76% of companies had to invest in their defenses specifically to qualify for coverage (Sophos, 2024), and carriers respond to gaps with declinations, ransomware exclusions, and surcharges. A shaded answer is worse: it can surface at claim time as a denial.

Which control should I fix first?+

Enforced MFA on email is the highest-leverage fix: it's free, takes an afternoon in Microsoft 365 or Google Workspace, and its absence is the most common hard stop in underwriting. Tested backups and a written incident response plan are next.

Do I need written policies, or just the technical controls?+

Both. Applications ask whether policies and plans are written and current, and the attestation you sign asserts your answers are accurate. A control that isn't documented is a control you can't prove — and in a claim dispute, proof is what matters.

Are requirements the same across all carriers?+

The core seven appear across virtually all major small-business cyber carriers. Wording and depth differ — some ask supplemental questionnaires about backups or funds-transfer procedures — which is why mapping your documents to each carrier's actual questions matters.

Sources

Find out where you stand — free, in 5 minutes

Instant readiness score across the ten domains carriers probe, plus your top three gaps and how to fix them.

← All guides