Industry News · Las Vegas

Cyber Insurance Is Getting Harder. What to Do Before Your 2026 Renewal.

Carriers are denying applications, raising premiums 30–50%, and rejecting claims when the controls you claimed aren't actually in place. Here's what carriers actually look for and the 90-day prep checklist.


7 min read  |  Published April 14, 2026  |  Brydan Solutions Inc

Key Takeaways

  • Premiums for SMB cyber policies are up 30–50% across two renewal cycles — the soft market is over.
  • Four controls now dominate underwriting: MFA everywhere, EDR everywhere, tested backups, documented IR plan.
  • Carriers are denying claims when post-incident forensics expose gaps the original application didn’t disclose.
  • Start the 90-day prep window before your renewal — audit the controls, close gaps, document everything.

For most of the last decade, cyber insurance was a checkbox. You bought a policy, you renewed it, your premium might creep up a little, and that was that. That world is gone. In its place is an insurance market that treats cyber underwriting like a real-money risk — because the carriers learned the hard way that it is.

Premiums for small and mid-sized business cyber policies are up 30–50% over the last two renewal cycles. Application questionnaires that used to be a single page now run to eight pages of specific technical questions. And the answer that matters most to whether a claim gets paid isn’t even on the form: it’s whether the controls you said you had in place were actually in place at the moment of the incident.

This isn’t hypothetical. Carriers are denying applications outright, raising premiums by tens of thousands of dollars, and increasingly rejecting claims by pointing to gaps between the application and the post-incident forensics. For Las Vegas businesses heading into a 2026 renewal, the game has changed.

30–50%: premium hike over 2 renewal cycles
8: pages of underwriting questions
4: controls that decide the outcome

What Changed

Three things happened in sequence. First, ransomware payouts ballooned through 2021–2023, eating insurer reserves at a rate the industry hadn’t modeled for. Second, carriers responded by aggressively raising premiums and tightening underwriting. Third — and this is the one that’s still rolling out — carriers started denying claims when the policyholder’s actual environment didn’t match what was claimed on the application.

The shift is structural. The 2024 MGM Resorts incident and the wave of MSP supply-chain breaches changed how regional underwriters look at any business in the desert. If you’re in Las Vegas, the rest of the country may see your zip code and assume “MGM exposure” — sometimes fairly, sometimes not. Either way, your application gets read with more skepticism than it did three years ago.

The Four Controls Carriers Actually Require

There used to be a dozen controls on a cyber application. Today, four dominate the underwriting decision. Get all four right and your renewal is comparatively painless. Miss any one — or implement it half-way — and you’re looking at a denial or a premium that prices you out.

1. MFA on every account that matters. Email is the obvious one (and remains the most common control failure). But carriers now look for MFA on remote access (VPN, RDP, anything reachable from the public internet), on cloud admin accounts (Microsoft 365 admin, Google Workspace admin, AWS root), and on any account with privileged access to financial systems or customer data. “We have MFA on Office 365 for most users” — the most common claim — isn’t enough. Carriers want documentation that EVERY account in those categories has MFA enforced, not optional.

2. EDR on every endpoint. The word matters. “Antivirus” — even a paid Norton or McAfee — doesn’t satisfy most carriers in 2026. They want endpoint detection and response, which means a tool that catches behavioral patterns (not just known malware signatures), records activity for forensics, and supports active response (isolating a host, killing processes). Defender for Business / Endpoint, CrowdStrike, SentinelOne, Sophos Intercept X are common qualifying products. “Antivirus is included with our M365” no longer counts as a yes to this question.

3. Tested backups. “We have backups” is not the answer. Carriers want: backups that are immutable or air-gapped (ransomware can’t reach them), running on a schedule that matches your RPO commitment, and — critically — TESTED. A documented test restore within the last 6 months is what proves the backups work. Many businesses discover at incident time that their backups have been silently failing for months.
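What a documented test restore looks like in practice, as an added example that is not Brydan’s tooling or any particular backup product: the “backup” is a constructed in-memory set of files with a SHA-256 manifest captured at backup time, the restore writes the files to a scratch directory and re-hashes them from disk, and the result is a dated record. A second, deliberately corrupted copy shows the silent-failure case the post describes. The 183-day window is an assumed equivalent of the post’s “within the last 6 months”.

```python
"""Run and record a verified test restore (constructed example)."""
import hashlib
import os
import tempfile
from datetime import date, timedelta

# Constructed backup contents, not real data
BACKUP_FILES = {
    "finance/ledger.csv": b"2026-04-01,invoice,1200\n",
    "hr/roster.txt": b"jdoe\nasmith\n",
}

# A copy in which one file was silently truncated after the manifest was taken
CORRUPTED_FILES = dict(BACKUP_FILES, **{"hr/roster.txt": b"jdoe\n"})


def make_manifest(files):
    """Hash every file at backup time; this is what a later restore is checked against."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


MANIFEST = make_manifest(BACKUP_FILES)


def restore_and_verify(files, manifest, dest):
    """Write each manifest entry under dest, then re-read it from disk and
    compare the hash. Returns (all_ok, paths that were missing or mismatched)."""
    problems = []
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:  # file present in manifest but absent from the backup set
            problems.append(path)
            continue
        target = os.path.join(dest, path)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        with open(target, "rb") as fh:  # verify what actually landed on disk
            if hashlib.sha256(fh.read()).hexdigest() != expected:
                problems.append(path)
    return (not problems, problems)


def run_test_restore(files=BACKUP_FILES, manifest=MANIFEST, today=None):
    """Perform a restore into a scratch directory and return the dated evidence record."""
    today = today or date.today()
    with tempfile.TemporaryDirectory() as dest:
        ok, problems = restore_and_verify(files, manifest, dest)
    return {
        "test_restore_date": today.isoformat(),
        "files_checked": len(manifest),
        "verified": ok,
        "problems": problems,
    }


def restore_evidence_is_current(last_test, today, max_age_days=183):
    """Is the most recent test restore inside the window a carrier will accept?"""
    return (today - last_test) <= timedelta(days=max_age_days)


if __name__ == "__main__":
    print(run_test_restore())
    print(run_test_restore(CORRUPTED_FILES))
```

Keep the returned record (or its printed form) with the application; a restore that reports `verified: False` is exactly the backup that would have failed on incident day, and finding it 90 days before renewal is the point.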

4. A documented incident response plan. Written. Dated. With named roles. Practiced at least annually (tabletop exercise minimum). Some carriers now require evidence of the most recent tabletop — not just the existence of the plan.

The “We Have MFA” Trap

The single most common reason for claim disputes in 2026 is the gap between “we have MFA” and “MFA was enforced on the account that got breached.” Many businesses turn MFA on for everyone-except-the-CEO-because-she-finds-it-annoying, or for everyone-except-the-shared-warehouse-account, or for everyone-except-during-the-30-day-grace-period-for-new-hires.

Every one of those exceptions is the account the attacker eventually uses. And every one of those exceptions, if disclosed in post-incident forensics but not disclosed on the original application, gives the carrier grounds to deny coverage.

“Every MFA exception is the account the attacker eventually uses — and if it wasn’t disclosed on the application, it’s the gap that voids the claim.”

The rule for the application: answer truthfully, with specifics. If MFA is enforced for “all M365 users except service accounts and 4 named legacy applications,” say that — don’t say “all users.” Honest disclosure with documentation is the only protection.
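One way to turn “we have MFA” into the specific answer the post recommends, as an added example (not Brydan’s tooling and not any identity provider’s API): audit an exported account inventory for every in-scope account whose MFA is not actually enforced, and draft the disclosure wording from what is found. The CSV format is an assumption, something you would assemble from your identity provider’s reports; the categories follow the post’s list, and the sample rows are constructed so that each exception mirrors one the post names (the CEO, the shared warehouse account, the service account, the new-hire grace period, the legacy VPN).

```python
"""Audit an account export for MFA enforcement gaps and draft the
application disclosure (constructed example)."""
import csv
import io
from collections import defaultdict

# The account categories the post says underwriters examine
REQUIRED_CATEGORIES = {"email", "remote_access", "cloud_admin", "privileged_data"}

# Constructed sample export. mfa_state: enforced | enabled (registered but optional) | none
SAMPLE_EXPORT = """account,category,mfa_state,note
ceo@example.com,email,enabled,excluded at user request
warehouse-shared@example.com,email,none,shared warehouse account
svc-backup@example.com,email,none,service account
newhire1@example.com,email,enabled,30-day new-hire grace period
admin@example.com,cloud_admin,enforced,
vpn-contractor@example.com,remote_access,none,legacy VPN appliance
jdoe@example.com,email,enforced,
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_exceptions(rows):
    """Accounts in a required category whose MFA is anything other than enforced.
    'enabled' counts as an exception: optional MFA is the gap the post warns about."""
    return [r for r in rows
            if r["category"] in REQUIRED_CATEGORIES and r["mfa_state"] != "enforced"]


def coverage_by_category(rows):
    """Map category -> (enforced_count, total_count) for the required categories."""
    enforced = defaultdict(int)
    total = defaultdict(int)
    for r in rows:
        if r["category"] not in REQUIRED_CATEGORIES:
            continue
        total[r["category"]] += 1
        if r["mfa_state"] == "enforced":
            enforced[r["category"]] += 1
    return {c: (enforced[c], total[c]) for c in total}


def fully_enforced(rows):
    """True only when no in-scope account lacks enforced MFA, the only case
    in which answering 'all users' is honest."""
    return not find_exceptions(rows)


def disclosure_statement(rows):
    """Draft the specific wording the post recommends instead of 'all users'."""
    if fully_enforced(rows):
        return "MFA is enforced on all accounts in scope."
    coverage = ", ".join(f"{cat}: {enf} of {tot} enforced"
                         for cat, (enf, tot) in sorted(coverage_by_category(rows).items()))
    exceptions = "; ".join(f"{r['account']} ({r['note'] or 'no reason recorded'})"
                           for r in find_exceptions(rows))
    return f"MFA enforced except: {exceptions}. Coverage by category: {coverage}."


if __name__ == "__main__":
    print(disclosure_statement(parse_export(SAMPLE_EXPORT)))
```

Each exception in the output is either something to fix before the application goes in or something to disclose on it, with the reason recorded; the script deliberately has no way to produce “all users” while any exception exists.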

Before Your Renewal — A 90-Day Prep Checklist

Cyber insurance renewals work best when you start preparing 90 days before the renewal date. Here’s what to actually do:

Action Checklist — 90 Days Out

  1. Day 90–60 — Audit the four controls. Get a written report from your IT team or MSP confirming MFA (every account, every system), EDR (every endpoint, every server), backups (with a test-restore date), and the incident response plan (most recent revision date and most recent tabletop). Don’t take “yes we have that” — get the documentation.
  2. Day 60–30 — Close gaps. Whatever the audit surfaces, fix before the application goes in. Buying the right answer on the application is far cheaper than buying the wrong answer and then dealing with a denial or a 60% premium hike. If MFA isn’t on every email account, fix that first. If EDR isn’t deployed everywhere, fix that next. If backups haven’t been tested, test them.
  3. Day 30–0 — Application with documentation. When the carrier sends the renewal questionnaire, answer it the same week. Include documentation for the four controls (a screenshot of MFA enforcement in your Entra ID portal counts; a backup test log counts; the IR plan PDF counts). Carriers reward transparency with lower premiums; they punish “we’ll get you that later” with delayed quotes and tougher pricing.

The Bottom Line

Cyber insurance isn’t going back to being easy. The carriers learned in 2022–2024 that pricing without underwriting doesn’t work, and they’re now applying discipline that’s overdue. For Las Vegas businesses, that’s a forcing function — uncomfortable now, useful long-term. The controls the carriers want are the controls you should have anyway.

The good news: every business that already runs MFA-on-everything, EDR-everywhere, tested backups, and a documented IR plan goes into renewal with leverage. Carriers compete for those policyholders. The risk is on the “we have most of that but not all” businesses who get caught in the gap between application and reality.

Talk to Brydan

Renewal in the next 90 days?

Brydan Solutions audits the four core controls carriers care about, designs business continuity solutions with tested backups and a documented incident response plan, and provides the documentation underwriters now expect. We also run Brydan SIEM with 24/7 SOC monitoring — the detection capability carriers increasingly require.

Talk to Brydan → ☎ (702) 333-0333
