Cyber insurance stopped being a paperwork exercise around the time carriers started losing money on ransomware. Today, 41% of cyber-insurance applications are denied on first submission, and the top reasons are missing MFA and missing EDR. The application has quietly become a security audit, and most small companies walk into it cold.
The way through is to treat the carrier’s checklist as an engineering backlog. Internally we call it the insurability backlog. The same eight controls show up on every 2026 application we’ve seen, and most teams can close the gaps in 60 to 90 days. The priciest line item, a third-party penetration test (required within the prior 12 months for $5M+ policies), runs $3K to $15K at small-business scope.
We’re gmware, a software development firm in Austin, TX with delivery centers in Bangalore and Mohali, India, and a growing share of our cybersecurity work now starts with the same sentence: “our renewal came back with conditions.” Here’s the checklist, the costs, and the order we’d do the work in.
| 2026 cyber insurance reality | Number |
|---|---|
| Applications denied on first submission | 41% |
| Top denial reasons | Missing MFA and EDR |
| Typical SMB annual premium | $1K to $7.5K |
| Pentest at small-business scope | $3K to $15K |
| Coverage tier requiring an annual third-party pentest | $5M+ |
The 2026 cyber-insurance reality
Why 41% of cyber insurance applications fail first submission
Because carriers got burned and rewrote the rules. Marsh McLennan’s data puts first-submission denials at 41%, with missing multi-factor authentication and missing endpoint detection and response as the leading causes. The underwriting logic isn’t subtle: 88% of small-business breaches involve ransomware, against 39% at large organizations, so SMB policies are where carriers bleed. Add that 49% of small businesses get attacked in a given year and average breach losses run about $254K, and the carrier position makes sense: no MFA, no EDR, no policy.
Figure: Ransomware share of breaches, by org size (88% small business vs 39% large)
There’s good news hiding in that 41%, though. Denials overwhelmingly cite absent controls, not exotic ones. The two fixes that clear most first-pass denials are also the two cheapest items on the list below, which means a denial is usually a 30-day problem pretending to be an existential one.
The 8 controls on every 2026 application
Application forms vary by carrier, but the same eight controls keep appearing on every form that’s crossed our desk:
| # | Control | What the carrier asks for | Engineering effort |
|---|---|---|---|
| 1 | Multi-factor authentication | MFA on email, remote access, and admin accounts; phishing-resistant MFA is increasingly specified | Low: days, mostly configuration |
| 2 | Endpoint detection and response | EDR deployed on all endpoints and servers | Low to medium: rollout plus tuning |
| 3 | Tested backups | Offline or immutable copies, with documented restore tests | Medium: the testing is the real work |
| 4 | Patch and vulnerability management | A defined cadence and a critical-patch SLA | Medium: more process than tooling |
| 5 | Email security and phishing training | Filtering plus a recurring user-training program | Low |
| 6 | Privileged access management | Separated admin accounts, least privilege, a real offboarding process | Medium |
| 7 | Incident response plan | Written, with named owners, tested at least annually | Low to medium: writing it is easy, testing it isn’t |
| 8 | Logging and monitoring | Centralized logs with someone actually watching them | Medium to high: the “someone” is the hard part |
The effort column is our delivery-experience read, not an industry benchmark, so your environment can move any row. The pattern worth absorbing: nothing on this list is exotic. It’s hygiene, formalized into a contract condition.
One nuance on row one, because it trips teams up: carriers increasingly care how you do MFA, not just whether. Plenty of forms still take a plain yes, but the phishing-resistant language tells you where this is heading. Authenticator apps (TOTP or push) are the practical floor, but they are not phishing-resistant: a proxy-style phishing page relays the one-time code exactly as it relays the password. Phishing-resistant means FIDO2/WebAuthn security keys or passkeys, or certificate-based authentication, so put hardware-backed keys on admin accounts if you want your answer to age well. If you’re rolling out MFA this quarter anyway, skip straight past SMS codes. Doing it twice costs more than doing it right once.
What the required pentest costs
For most small businesses, $3K to $15K buys a focused-scope penetration test; the broader market norm runs $5K to $35K across web, API, mobile, network, and cloud scopes. Carriers that require one (standard at the $5M+ coverage tier) want third-party evidence, not your internal vulnerability scan dressed up in a report template.
Don’t over-buy here. Red-team engagements run $50K to $150K+, and no insurance application asks for that depth. If budget is tight, a risk assessment at $1K to $5K is a sensible pre-step: it tells you what the pentest will find before you pay to have it found. And scope the test to the assets the policy actually covers. Testing everything is a way to spend $35K learning what $8K would’ve told you.
Figure: Pick the right depth of test (risk assessment $1K to $5K; focused pentest $3K to $15K; full-scope pentest $5K to $35K; red team $50K to $150K+)
What cyber insurance costs a small business
SMB premiums run $1K to $7.5K per year, and your application answers decide where in that band you land. Carriers price what they can verify, which makes every control in the table above do double duty: it moves the quote down, and it shrinks the odds you ever eat the ~$254K average loss yourself. The spending wave is already in motion (small-business cybersecurity spend is heading toward $109B by 2026) and carriers are effectively deciding how a chunk of it gets allocated.
One disclosure, since we have a side here: we’re engineers, not brokers. Buy the policy through a broker who knows your industry’s carriers. Build the controls with people who can produce evidence an underwriter accepts. The second part is the part we sell.
The 60 to 90 day implementation sequence
Order matters. Do the cheap, high-coverage items first so a resubmission can go out early:
| Window | Work | Why this order |
|---|---|---|
| Days 0 to 15 | MFA everywhere (email, VPN, admin accounts); backup inventory plus a first restore test | These clear the two top denial reasons fastest |
| Days 15 to 45 | EDR rollout; patching cadence defined; email filtering and phishing training launched | Visible, verifiable controls carriers check next |
| Days 45 to 75 | Privileged-access cleanup; centralized logging; incident response plan written | Slower, process-shaped work |
| Days 75 to 90 | IR tabletop exercise; third-party pentest; evidence pack assembled | Proof, in the format underwriters want |
Figure: The 60 to 90 day insurability sequence
Most applications can credibly resubmit after the day-45 mark; the pentest and tabletop close out the rest. This sequence is how we run it, not a regulation. Compress it in a 15-person environment, stretch the logging row in a 150-person one.
Collect evidence as you go instead of at the end: a screenshot of the MFA policy the day it’s enforced, the EDR console showing coverage counts, the dated restore-test log. Underwriters move faster on artifacts than on attestations, and assembling the pack in week twelve from memory is how teams end up re-doing work they’d already finished.
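Row 3 of the controls table (tested backups) and the dated restore-test log above are the one item on the list that only a running test can evidence. The script below is an added example, not gmware’s tooling or any carrier’s requirement: it backs up a constructed sample directory into a tar.gz with a SHA-256 manifest, restores it into a scratch directory, verifies every expected file, and appends a dated JSON line to a restore-test log. The file names, the tester address and the `broken_backup_job` switch (which simulates an exclude pattern silently dropping the database dump) are all assumptions for illustration.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Relative path -> SHA-256 for every file, captured at backup time."""
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def create_backup(source_dir: Path, archive_path: Path, exclude: tuple = ()) -> dict:
    """Tar+gzip source_dir and write the manifest beside the archive.

    `exclude` stands in for a backup job's exclude patterns; the demo uses it to
    simulate a job that silently drops a file the manifest still expects.
    """
    manifest = build_manifest(source_dir)

    def keep(info: tarfile.TarInfo):
        rel = info.name[2:] if info.name.startswith("./") else info.name
        return None if rel in exclude else info

    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".", filter=keep)
    (archive_path.parent / (archive_path.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive_path: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore into an empty directory and check every expected file byte for byte."""
    base = restore_dir.resolve()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            # Name-based guard against entries that would escape the restore directory
            # (on Python 3.12+ tar.extractall(..., filter="data") also covers links).
            target = (restore_dir / member.name).resolve()
            if target != base and base not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(restore_dir)
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    mismatched = [rel for rel, digest in manifest.items()
                  if rel not in missing and sha256_file(restore_dir / rel) != digest]
    return {"files_expected": len(manifest),
            "files_verified": len(manifest) - len(missing) - len(mismatched),
            "missing": missing, "mismatched": mismatched,
            "ok": not missing and not mismatched}


def append_restore_log(log_path: Path, archive_path: Path, result: dict, tester: str) -> dict:
    """Append one dated JSON line: the artifact an underwriter can actually read."""
    entry = {"timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "archive": archive_path.name, "archive_sha256": sha256_file(archive_path),
             "tester": tester, **result}
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def run_demo(broken_backup_job: bool = False) -> dict:
    """End-to-end run on constructed sample data in a scratch directory.

    broken_backup_job=True simulates an exclude pattern that drops the database
    dump, which is exactly the failure a restore test exists to catch.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("-- constructed sample dump\n"
                                                 "INSERT INTO customers VALUES (1, 'acme');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        archive = work / "nightly-2026-01-15.tar.gz"
        manifest = create_backup(src, archive, exclude=("db/customers.sql",) if broken_backup_job else ())
        restore_dir = work / "restore"
        restore_dir.mkdir()
        result = restore_and_verify(archive, manifest, restore_dir)
        # Tester is the hypothetical named owner for row 3 of the controls table.
        return append_restore_log(work / "restore-tests.log", archive, result,
                                  tester="backup-owner@example.com")


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print(json.dumps(run_demo(broken_backup_job=True), indent=2))
```

Run it as-is to see one passing and one failing log entry. To use it for real, replace `create_backup` with your backup job’s output but keep the manifest step at backup time: the log line is only evidence if the archive hash and the timestamp come from the same run. The script proves restorability, not immutability; the offline or immutable copy the form asks for is a storage property you evidence separately (object-lock or retention settings, or the offline rotation log).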
What happens at claim time if your application overstated things
This is the part that should worry you more than the premium. The application is a representation the carrier relies on, and answering “yes” to MFA when only the VPN has it hands the carrier an argument for contesting your claim, at the exact moment you’re holding a six-figure incident. We’re not lawyers and this isn’t coverage advice, but the engineering implication is plain: answer the form accurately, and where the honest answer is “partially,” close the gap before binding instead of rounding up.
An accurate “no, remediation in progress, dated plan attached” reads better to an underwriter than a “yes” an adjuster can later disprove from your own configuration logs. Carriers employ forensics people. Your environment will testify.
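The MFA nuance above (row one: how, not just whether) and the “yes when only the VPN has it” problem share one fix: derive the answer from an export of your own configuration before anyone signs the form. The script below is an added example, not gmware’s tooling: it reads a constructed CSV export (one row per account per system, with the MFA method enrolled), computes coverage per system, lists accounts with no MFA or SMS-only MFA, flags privileged accounts without phishing-resistant MFA, and reduces everything to the yes/partial/no answer the form deserves. The CSV layout, the method ranking, the example.com accounts and the documented break-glass exception are all assumptions for illustration; a real export from your identity provider will need its columns mapped to these names.

```python
import csv
import io

# Ordinal strength of MFA methods. The ranking is this example's assumption, not a standard.
MFA_STRENGTH = {"none": 0, "sms": 1, "app": 2, "fido2": 3}
# Methods treated as phishing-resistant (FIDO2/WebAuthn security keys and passkeys).
PHISHING_RESISTANT = {"fido2"}

# Hypothetical documented exception: a vaulted break-glass account kept out of the count
# but still listed in the report so it cannot quietly disappear.
DOCUMENTED_EXCEPTIONS = {("cloud-admin", "breakglass@example.com")}

# Constructed sample export (not real data): one row per account per system.
SAMPLE_EXPORT = """system,account,privileged,mfa_method
email,alice@example.com,no,app
email,bob@example.com,no,sms
email,carol@example.com,yes,fido2
email,dave@example.com,no,none
vpn,alice@example.com,no,app
vpn,bob@example.com,no,app
vpn,carol@example.com,yes,app
cloud-admin,carol@example.com,yes,fido2
cloud-admin,ops-admin@example.com,yes,none
cloud-admin,breakglass@example.com,yes,none
"""


def parse_export(text: str) -> list:
    """Parse the CSV export into dict rows keyed by the header names above."""
    return list(csv.DictReader(io.StringIO(text)))


def new_bucket() -> dict:
    return {"accounts": 0, "with_mfa": 0, "no_mfa": [], "sms_only": [],
            "privileged_not_phishing_resistant": [], "exceptions": []}


def audit_mfa(rows: list, exceptions: set = DOCUMENTED_EXCEPTIONS) -> dict:
    """Per-system coverage plus the answer you can honestly give for that system."""
    systems = {}
    for row in rows:
        bucket = systems.setdefault(row["system"], new_bucket())
        if (row["system"], row["account"]) in exceptions:
            bucket["exceptions"].append(row["account"])
            continue
        method = row["mfa_method"].strip().lower()
        bucket["accounts"] += 1
        if MFA_STRENGTH.get(method, 0) == 0:          # unknown methods count as none
            bucket["no_mfa"].append(row["account"])
        else:
            bucket["with_mfa"] += 1
            if method == "sms":
                bucket["sms_only"].append(row["account"])
        if row["privileged"].strip().lower() == "yes" and method not in PHISHING_RESISTANT:
            bucket["privileged_not_phishing_resistant"].append(row["account"])
    for bucket in systems.values():
        if bucket["with_mfa"] == 0:
            bucket["answer"] = "no"
        elif bucket["with_mfa"] == bucket["accounts"]:
            bucket["answer"] = "yes"
        else:
            bucket["answer"] = "partial"
    return systems


def form_answer(systems: dict) -> str:
    """'yes' only when every in-scope system is fully covered; anything mixed is 'partial'."""
    if not systems:
        return "no"
    answers = {bucket["answer"] for bucket in systems.values()}
    if answers == {"yes"}:
        return "yes"
    if answers == {"no"}:
        return "no"
    return "partial"


if __name__ == "__main__":
    report = audit_mfa(parse_export(SAMPLE_EXPORT))
    for name, b in report.items():
        print(f"{name}: {b['with_mfa']}/{b['accounts']} covered -> {b['answer']}; "
              f"no MFA: {b['no_mfa']}; SMS only: {b['sms_only']}; "
              f"admins without phishing-resistant MFA: {b['privileged_not_phishing_resistant']}; "
              f"documented exceptions: {b['exceptions']}")
    print("Form answer for 'MFA on email, remote access and admin accounts':", form_answer(report))
```

“partial” is the normal result on a first pass, and the lists of named accounts are the dated remediation plan the previous paragraph recommends attaching. The break-glass account is reported under exceptions rather than dropped: an adjuster who later finds it in your identity provider should also find it in your own records.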
How these controls overlap with SOC 2 and HIPAA work
Heavily. Same controls, different evidence formats. MFA, access management, logging, incident response, and tested backups all map onto SOC 2’s control set, and since 83% of enterprise buyers already require SOC 2 from their SaaS vendors, insurance work doubles as sales infrastructure. Our SOC 2 in 90 days plan shows where the two backlogs share line items. Healthcare teams should sequence this against the 2027 HIPAA Security Rule changes at the same time, because mandatory MFA and encryption are arriving from that direction too.
Point the lens outward as well. Your software vendors sit inside your attack surface, so the same eight questions belong in your vendor due diligence. Our 22-question vendor checklist has a security section built for exactly that conversation.
How gmware gets teams through the carrier audit
We run the application form itself as the gap assessment: every question gets mapped to a control, an owner, and the evidence an underwriter would accept. Implementation runs through our IT support and DevOps and infrastructure teams, with engineering throughput from Bangalore and Mohali and coordination from Austin on US hours. We scope the pentest to the policy, schedule it after remediation rather than before, and hand you an evidence pack instead of a promise.
“Underwriters don’t want essays. They want screenshots, configs, and a restore log with a date on it.” (our security practice lead)
If a renewal or a first application is coming, tell us what your environment looks like, and we’ll map the eight controls to a costed 60 to 90 day plan within 48 hours. Start the conversation.