Cyber insurance requirements 2026: the full controls checklist (and how to evidence each one)
Cyber-insurance underwriting has changed. The application questionnaire is now a real security assessment, and brokers won't quote until you can evidence a specific set of controls — multi-factor authentication, EDR, tested backups, vulnerability management, an incident-response plan, and increasingly penetration testing. This is the full requirements checklist for 2026, what each control means, and the cleanest way to prove it. Start by running a free scan to see where you stand.
Why the requirements got stricter — and why honesty matters
After the ransomware-driven loss years, cyber insurers tightened underwriting dramatically. Where a policy once asked a handful of yes/no questions, the modern application demands evidence that specific controls are implemented and operating — because the insurer pricing your risk wants proof that an attacker cannot trivially reach your crown-jewel systems. Two consequences follow. First, missing or weak controls now mean a higher premium, narrower coverage, sub-limits on ransomware, or a declined application outright. Second — and this is the part organisations underestimate — the application is a binding representation. If you answer 'yes' to 'MFA enforced on all remote access' and a claim later reveals it wasn't, the insurer can dispute or deny the payout. The goal therefore isn't to tick boxes; it's to genuinely implement the controls and be able to evidence them. That is exactly what penetration testing does for the technical controls: it proves they actually hold up under attack, rather than merely existing on paper.
- No quote without evidence: brokers increasingly require proof of specific controls before they will price a policy.
- Premium & coverage impact: weak controls raise the premium, add ransomware sub-limits, or get the application declined.
- Binding representation: misstating a control on the application can void a claim — accuracy protects your payout.
- Proof beats paperwork: penetration testing evidences that your technical controls work under real attack, not just on the form.
The cyber insurance requirements checklist (2026)
- Multi-factor authentication (MFA): enforced on all remote access (VPN, RDP, web portals), email/webmail, and privileged/admin accounts. Insurers ask specifically — and a pentest verifies it cannot be bypassed.
- Endpoint Detection & Response (EDR): a modern EDR/XDR deployed across endpoints and servers, not just legacy antivirus.
- Tested, segregated backups: backups that are isolated/immutable and restore-tested — the single biggest factor in surviving ransomware without paying.
- Vulnerability management & patching: regular vulnerability scanning and a documented process to patch high-impact, actively-exploited CVEs promptly.
- Penetration testing: increasingly required (often annual) to evidence that your external surface and applications actually resist attack — see our cyber-insurance penetration testing page.
- Email security & awareness: email filtering/anti-phishing plus security-awareness training, since phishing remains a leading entry vector.
- Privileged access management & least privilege: limiting admin rights and securing privileged accounts to contain an intrusion.
- Incident response plan: a documented, tested IR plan with defined roles and escalation — insurers ask whether it exists and whether it has been exercised.
- Network segmentation & secure remote access: isolating critical systems and removing exposed/legacy remote access, the classic ransomware entry point.
Sample finding
Application said 'MFA enforced everywhere' — testing found a gap that could void a claim
On the insurance application the organisation answered 'yes' to enforcing MFA on all remote access. A scan found an internet-facing remote-access portal where MFA was enforced only at the application layer, leaving the underlying service directly reachable and brute-forceable. This is both a real ransomware entry point and a misrepresentation on the binding application — exactly the kind of gap that lets an insurer dispute a future ransomware claim. It is also the most common reason a 'compliant on paper' organisation is actually exposed.
Fix: Enforce MFA at the gateway for every remote-access path, disable direct exposure of the underlying service, and place the portal behind an identity-aware proxy. Then correct the application to reflect the now-true, evidenced control. A penetration test verifies the fix and gives you the documentation to attach to the renewal.
Reference: OWASP A07:2021 Identification and Authentication Failures · CWE-287 · CIS Control 6 (Access Control Management)
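As an added illustration of the fix above, here is a small evidence-driven check that derives the 'MFA enforced on all remote access' questionnaire answer from an inventory of remote-access paths instead of asserting it. This is not code from the page or from Matproof; the inventory format, field names and the sample entries are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RemoteAccessPath:
    """One internet-facing remote-access entry point (field names are assumed)."""
    name: str
    kind: str                    # e.g. "vpn", "rdp", "web-portal", "webmail"
    mfa_enforced_at: str         # "gateway", "application" or "none"
    backend_exposed: bool        # underlying service reachable without the gateway
    lockout_or_rate_limit: bool  # brute-force protection on the backend


def assess_path(path: RemoteAccessPath) -> list[str]:
    """Return the gaps that would make 'MFA enforced everywhere' untrue for this path."""
    gaps: list[str] = []
    if path.mfa_enforced_at == "none":
        gaps.append("no MFA")
    elif path.mfa_enforced_at != "gateway":
        gaps.append(f"MFA enforced only at the {path.mfa_enforced_at} layer")
    if path.backend_exposed:
        gaps.append("underlying service directly reachable")
        if not path.lockout_or_rate_limit:
            gaps.append("no lockout/rate limit: brute-forceable")
    return gaps


def questionnaire_answer(paths: list[RemoteAccessPath]) -> tuple[str, dict[str, list[str]]]:
    """Answer 'yes' only when every path is clean; otherwise 'no' plus the evidence."""
    all_gaps = {p.name: assess_path(p) for p in paths}
    gaps = {name: g for name, g in all_gaps.items() if g}
    return ("yes" if not gaps else "no"), gaps


# Constructed sample inventory mirroring the finding above: one portal enforces
# MFA only in the application while its backend stays exposed and unthrottled.
INVENTORY = [
    RemoteAccessPath("ssl-vpn", "vpn", "gateway", False, True),
    RemoteAccessPath("remote-portal", "web-portal", "application", True, False),
    RemoteAccessPath("webmail", "webmail", "gateway", False, True),
]

if __name__ == "__main__":
    answer, gaps = questionnaire_answer(INVENTORY)
    print(f"MFA enforced on all remote access: {answer}")
    for name, items in gaps.items():
        print(f"  {name}: " + "; ".join(items))
```

Re-running the check after the gateway fix (MFA at the gateway, backend no longer exposed) is what turns the answer to 'yes', and the printed gap list is the evidence to keep with the renewal paperwork.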
Evidencing your cyber insurance requirements
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Matproof Sentinel for cyber-insurance readiness
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about cyber insurance requirements
What are the minimum requirements for cyber insurance in 2026?
The common baseline: MFA on all remote access, email, and privileged accounts; EDR across endpoints and servers; tested, segregated/immutable backups; a vulnerability-management and patching process; email filtering and security-awareness training; a documented and tested incident-response plan; and, increasingly, penetration testing. Larger policies and post-claim renewals raise the bar further. Insurers verify these via the application questionnaire and increasingly via supporting evidence.
Is penetration testing required for cyber insurance?
Increasingly yes — particularly for mid-market and larger policies and at renewal. Even where it isn't strictly mandatory, a current penetration test is the most credible way to evidence that the technical controls you attested to (MFA, exposed services, web/API security) actually hold up under attack. It can also reduce your premium. See our dedicated page on penetration testing for cyber insurance for what the test should cover.
What happens if I overstate my controls on the cyber insurance application?
The application is a binding representation. If you state a control is in place and a claim later reveals it wasn't, the insurer can dispute or deny the payout — leaving you exposed precisely when you need the coverage. The safe approach is to genuinely implement each control and be able to evidence it; a penetration test plus the supporting documentation makes your statements defensible.
How do I evidence the technical requirements?
Configuration exports and policy documents cover some controls, but the technical ones (MFA enforcement, exposed services, web/API security, patch status of internet-facing systems) are best evidenced by a penetration test: it shows what was tested, what was found, and that exploitable issues were remediated — with CVSS ratings and proof-of-exploit. Matproof Sentinel produces exactly this report, mapped to recognised frameworks, from €149.
Will meeting the requirements lower my premium?
It can. Underwriters price on demonstrable risk: a clean (or remediated) penetration test plus evidence of MFA, EDR, backups, and the rest gives them grounds to quote more favourably. Conversely, gaps push the premium up, add ransomware sub-limits, or get the application declined. The documented remediation status of any findings is what matters most.
See where you stand against the cyber insurance requirements
Run a free scan to surface gaps in your external surface, MFA, and web/API security — then get an audit-ready report you can attach to your insurance application, from €149.