Skip to content
2026

Now taking on 4 new clients this year — white-glove onboarding, month to month.

Book a call
HomeBlogCybersecurity

Cyber Insurance in 2026: What Small Businesses Must Have

A printed cyber insurance policy document with a metal padlock and reading glasses on a wooden desk, representing 2026 cyber insurance requirements for small businesses

Cyber insurance in 2026 works differently than it did three years ago. Carriers no longer take your word for it. Before they quote a policy they verify a short list of security controls, and they check those same controls again if you ever file a claim. Put plainly: if multi-factor authentication, tested backups, and endpoint protection aren't in place, you either can't buy a policy or you risk having a payout contested. The upside is that the controls underwriters want are the same ones that keep you from needing to file in the first place.

What do cyber insurance carriers require in 2026?

Most carriers now require multi-factor authentication on email and remote access, endpoint detection and response on every machine, backups you have actually tested a restore from, a written incident response plan, and email filtering that catches phishing. Many add security awareness training and tighter control over admin accounts. Miss one item and you are usually either declined or quoted at a noticeably higher premium.

Here is the short list most applications now check:

  • Multi-factor authentication (MFA) on email, VPN, remote desktop, and any admin login. This is the single most common dealbreaker.
  • Endpoint detection and response (EDR) that watches devices around the clock, not just legacy antivirus.
  • Tested, offline backups with a documented restore process, so ransomware can't encrypt your only copy.
  • A written incident response plan naming who does what in the first hour of an attack.
  • Email security and phishing filtering, since email is still how most attacks start.
  • Security awareness training for staff, often on a quarterly schedule.

Why did the requirements get stricter?

Ransomware is the reason, and the claims data is blunt about it. According to Huntress, 91% of cyber insurance losses in the first half of 2025 were ransomware, and roughly 65% of small and mid-sized businesses still don't use MFA. Carriers paid out heavily, then rewrote their applications to screen out the easy targets. MFA blocks the most common way in, so it became the first thing they ask about.

What does this mean for a 20-person firm?

You don't need an enterprise security budget to qualify. You need the controls configured correctly and documented. For a typical 20-person office that means MFA turned on across Microsoft 365 and any remote access, EDR deployed on every laptop and server, and a backup you have restored from at least once so you know it works. Most small firms already own half of this through their Microsoft 365 licensing and just haven't switched it on. A good managed IT and security provider can close the gaps in a couple of weeks, which is often faster than the renewal quote takes to come back.

How do you qualify without overpaying?

Fill out the application honestly, because a misstatement is the fastest way to have a claim denied later. Put the required controls in place first, keep evidence that they are running, and ask your IT provider for a one-page summary of your security posture you can hand to the broker. Firms that show a clean control set frequently get better premiums than those that leave boxes blank. If you are still shoring up the basics, our post on the controls that actually stop attacks is a good place to start.

By The NetSys Group Team. The NetSys Group has delivered managed IT, cybersecurity, and cloud services since 1998. Our engineers hold degrees in electrical and computer engineering and are certified Microsoft and Cisco instructors, serving businesses across NY, NJ, CT, PA, and Southwest Florida.

Frequently asked questions

Is cyber insurance required by law?

No federal law requires it, but plenty of contracts do. Vendors, lenders, and larger clients increasingly ask small businesses to carry a cyber policy before they will sign. Regulators in finance and healthcare also push you toward it through their security expectations, even when they don't name it outright.

Will my claim be denied if I didn't have MFA?

It can be. If your application said MFA was in place and it wasn't, carriers have grounds to reduce or deny the payout. This is why the honest answer on the application matters as much as the price. Match what you attest to with what is actually running.

How much does cyber insurance cost for a small business?

Premiums vary with revenue, industry, and the controls you have in place, so a firm with MFA and EDR usually pays less than one without. Rather than quote a range that won't fit your situation, we would point you to a broker and make sure your security posture supports the lowest reasonable rate.

What is the difference between first-party and third-party coverage?

First-party covers your own losses, like recovery costs, lost income, and ransom. Third-party covers claims from others harmed by a breach on your systems, such as clients whose data was exposed. Most small businesses want both, and most package policies include them.

Not sure whether your current setup would pass an underwriter's checklist? Contact The NetSys Group for a complimentary risk assessment, and we will show you exactly where you stand before renewal.

Reading is free. So is knowing where you stand.

Turn insight into action.

Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.