Cyber insurance underwriting has changed dramatically over the past three years. What used to be a simple questionnaire has evolved into a rigorous evidence-based review process. For 2026 renewals, insurers expect documented proof that your organization actively manages human-layer risk, not just technical controls. Here is what you need to prepare.
The Shifting Landscape of Cyber Insurance
Insurers paid out record claims in 2023 and 2024, driven largely by ransomware attacks that originated with phishing emails. In response, underwriters have significantly tightened their requirements. Organizations that cannot demonstrate robust phishing defenses now face premium increases of 30 to 100 percent, higher deductibles, or outright coverage denials. The message is clear: insurers want to see that you are actively reducing the likelihood of a phishing-initiated breach, not just hoping your firewall will catch it.
Core Requirements for 2026
While each insurer has its own questionnaire, the following controls appear on virtually every 2026 renewal application:
- Multi-factor authentication (MFA): Enforced across all remote access, email, and privileged accounts. SMS-based MFA is increasingly flagged as insufficient; insurers prefer authenticator apps or hardware keys.
- Endpoint detection and response (EDR): Deployed on all endpoints with 24/7 monitoring or a managed detection service.
- Security awareness training: Regular, documented training for all employees, not just onboarding. Insurers want to see completion rates above 90 percent.
- Phishing simulation programs: This is the newest hard requirement. Insurers now ask for simulation frequency, click-rate trends, and evidence that results are used to target additional training.
- Incident response plan: A documented, tested IR plan with defined roles, communication procedures, and recovery time objectives.
Building Your Evidence Pack
An evidence pack is the collection of reports, logs, and documentation you submit to your insurer at renewal time. A strong evidence pack for 2026 should include the following:
- Phishing simulation summary reports showing campaign frequency (monthly or more), organization-wide click rates, and trend lines demonstrating improvement over the past 12 months.
- Training completion reports with dates, module names, and per-employee completion status.
- MFA deployment coverage reports from your identity provider.
- EDR coverage and alert-response metrics from your security operations team.
- A copy of your incident response plan with the date of the most recent tabletop exercise.
How Phishing Simulation Data Impacts Premiums
Insurers are increasingly using phishing simulation data as a direct input to premium calculations. Organizations that can demonstrate a sustained click rate below 5 percent, combined with monthly simulation cadence and remedial training for repeat clickers, are seeing premium reductions of 10 to 25 percent compared to organizations without a simulation program. Some insurers have begun offering preferred rates for companies that use adaptive or spaced-repetition simulation models, recognizing that these approaches produce more durable behavioral change.
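As an added illustration (not part of this article or any insurer's tooling), the following Python script turns raw simulation records into the figures the evidence pack above asks for: per-campaign click rate, cadence check, trend over the review window, repeat clickers for remedial training, and the 5 percent click-rate and 90 percent training-completion thresholds. The sample records, the month-by-month trend comparison and the function name are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from any real program): one record per
# (campaign month, employee, clicked?) plus a training completion map.
SIM_RESULTS = [
    ("2025-01", "alice", True),  ("2025-01", "bob", False),
    ("2025-01", "carol", True),  ("2025-01", "dave", False),
    ("2025-02", "alice", True),  ("2025-02", "bob", False),
    ("2025-02", "carol", False), ("2025-02", "dave", False),
    ("2025-03", "alice", False), ("2025-03", "bob", False),
    ("2025-03", "carol", False), ("2025-03", "dave", True),
    ("2025-04", "alice", False), ("2025-04", "bob", False),
    ("2025-04", "carol", False), ("2025-04", "dave", False),
]
TRAINING_DONE = {"alice": True, "bob": True, "carol": True, "dave": False}
REVIEW_WINDOW = ["2025-01", "2025-02", "2025-03", "2025-04"]  # months a monthly cadence must cover


def evidence_summary(results, training, expected_months):
    """Aggregate raw simulation records into the figures an evidence pack reports."""
    by_month = defaultdict(lambda: [0, 0])  # month -> [sent, clicked]
    clicks_per_user = defaultdict(int)      # employee -> number of campaigns clicked
    for month, user, clicked in results:
        by_month[month][0] += 1
        by_month[month][1] += int(clicked)
        clicks_per_user[user] += int(clicked)
    months = sorted(by_month)
    click_rate = {m: by_month[m][1] / by_month[m][0] for m in months}
    total_sent = sum(v[0] for v in by_month.values())
    total_clicked = sum(v[1] for v in by_month.values())
    completion = sum(training.values()) / len(training)
    return {
        "campaigns": len(months),
        "monthly_cadence": months == sorted(expected_months),  # no missed months
        "click_rate_by_month": click_rate,
        "overall_click_rate": total_clicked / total_sent,
        # Simple trend check: last campaign's click rate below the first's.
        "trend_improving": click_rate[months[-1]] < click_rate[months[0]],
        # Employees who clicked in two or more campaigns get remedial training.
        "repeat_clickers": sorted(u for u, n in clicks_per_user.items() if n >= 2),
        "training_completion": completion,
        "meets_click_target": total_clicked / total_sent < 0.05,
        "meets_training_target": completion > 0.90,
    }


if __name__ == "__main__":
    for key, value in evidence_summary(SIM_RESULTS, TRAINING_DONE, REVIEW_WINDOW).items():
        print(f"{key}: {value}")
```

On the constructed data the overall click rate is 25 percent and completion is 75 percent, so both targets are flagged as unmet even though the trend is improving.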
Start Preparing Now
If your renewal is in the next six months, the time to act is now. Begin running monthly phishing simulations, document every campaign, and ensure your training completion rates are above the 90 percent threshold. Build your evidence pack incrementally rather than scrambling at renewal time. The organizations that treat cyber insurance requirements as a year-round program, rather than a last-minute checkbox, consistently secure the best terms and the lowest premiums.