🛡️ Cyber Insurance · SMB Coverage Guide

Cyber Insurance Requirements for Small Business:
The Complete 2026 Insider Guide

What insurers actually require in 2026 — and how to document it. Covers MFA, EDR, immutable backups, incident response plans, patch management, and phishing training. Includes evidence documentation guide and comparison vs. Huntress, SeedPod Cyber, Openly Security, Bellator Cyber, and Alps Insurance.

📅 Updated June 2026 ⏱ ~14 min read 📊 At Bay · Cowbell · Corro · Invis · Resilience · Sentinel 👥 SMBs with 5–500 employees
(figure not recovered) more likely to have a claim denied if MFA is not enforced on all accounts. Source: NAIC Cyber Insurance Market Report 2025.
(figure not recovered) higher claim cost when EDR is missing from endpoints at time of breach. Source: IBM Cost of Data Breach 2025.
20–40% premium reduction for businesses scoring above 80% on insurer risk rubrics. Source: CyberStackHub analysis, insurer filings.
$2.5M average total cost of a data breach for SMBs, which makes the insurance ROI clear. Source: IBM Cost of Data Breach 2025.

What Insurers Actually Require in 2026

Cyber insurance underwriting tightened dramatically after 2022-2024, when insurers paid out billions in ransomware and business email compromise claims. Today, every major cyber insurer — At Bay, Cowbell, Corro, Invis, Resilience, and Sentinel — requires a specific set of controls as a baseline condition for coverage. This section documents what they require and why.

🔐 Multi-Factor Authentication (MFA)
MFA required on all accounts with access to: email, VPN/remote access, cloud infrastructure consoles (AWS, Azure, GCP), and any SaaS tool storing customer or financial data. Authenticator apps preferred over SMS (SIM-swapping vulnerability). Hardware security keys (YubiKey) required for administrative accounts at some insurers.
Evidence needed: MFA policy document, screenshot of MFA enforcement settings in Entra ID / Google Admin, list of accounts without MFA.
🛡️ Endpoint Detection & Response (EDR)
EDR required on all endpoints — laptops, desktops, servers, and workstations. Must be deployed on at least 95% of endpoints. Must include real-time monitoring, alerting, and automated response capabilities. Defender for Endpoint, CrowdStrike, SentinelOne, and Carbon Black are commonly accepted. Free/consumer-grade antivirus does not satisfy this requirement.
Evidence needed: EDR deployment report showing all endpoints covered, screenshot of EDR management console, proof of active monitoring.
💾 Immutable Off-Site Backups
Follows the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 stored off-site and air-gapped (or using Object Lock / write-once storage). Cloud backups alone don't satisfy this — insurable backups must be immune to simultaneous encryption by ransomware. At least one backup copy must be verified weekly via automated testing.
Evidence needed: Backup architecture diagram, test restoration logs (at least quarterly), proof of Object Lock or air-gap configuration.
📋 Written Incident Response Plan (IRP)
A formal, written IRP covering: ransomware decision tree (pay vs. restore), authority chain (who approves decisions), law enforcement contacts (FBI IC3, local RCFL), customer notification procedures (state breach notification timelines), and legal counsel contacts. Must be reviewed annually and updated when key personnel change. Must include a current contact list — not just a template.
Evidence needed: Current IRP document, last review date, distribution list, tabletop exercise logs (some insurers require semi-annual testing).
📧 Email Security Gateway
An email security gateway filtering inbound and outbound email for malware, phishing, and spam. Microsoft Defender for Office 365, Google Workspace SMTP filtering, and Proofpoint are commonly accepted. Native built-in filtering (Microsoft 365 / Google Workspace) may satisfy this for lower-risk SMBs. Must show evidence of active filtering rules and quarantine review logs.
Evidence needed: Screenshot of email security dashboard, spam/phishing catch rate stats, quarantine review logs.
🔧 Patch Management
All operating systems and third-party applications must be patched within 7 days of a CISA KEV (Known Exploited Vulnerabilities) catalog entry. Critical patches (CVSS 9+) must be deployed within 48 hours. Patch management tooling (Microsoft Intune, Qualys, Automox, or equivalent) must show current patch compliance status across all endpoints.
Evidence needed: Patch management policy, last 90 days of patch compliance reports showing < 5% of endpoints with critical patches outstanding.
🎓 Phishing Simulation Training
Quarterly phishing simulation training using a recognized platform (KnowBe4, Proofpoint, Godel, or equivalent). Must show measurable improvement in click rates over time — initial click rate benchmark and current rate. New hire training must be completed before network access is granted. Annual security awareness training for all employees required.
Evidence needed: Training platform dashboard showing completion rates, quarterly click rate metrics, new hire training completion records.
🏢 Vendor Risk Management
Documentation of your top 5 critical vendors — their security posture, SOC 2 reports if available, and your process for reviewing them annually. Insurers want to know that your supply chain doesn't introduce unmanaged risk. At minimum: a current vendor inventory, criticality rating, and evidence of annual security review for Tier 1 vendors.
Evidence needed: Vendor inventory with criticality ratings, evidence of SOC 2 / security questionnaire review, up-to-date vendor contracts with security addenda.

SMB minimum bar: For businesses with fewer than 50 employees, most insurers will at minimum require MFA everywhere, EDR on endpoints, immutable backups, and a written IRP. Larger businesses (50-500 employees) face additional requirements for phishing training, vendor risk management, and formal BCP. Insurers like Cowbell and At Bay publish their complete underwriting requirements on their websites — read them before applying.
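As an added worked example (not CyberStackHub's or any insurer's code), the script below applies the EDR coverage and patch management thresholds from the control list above (EDR on at least 95% of endpoints, fewer than 5% of endpoints with a critical patch outstanding, 7 days from a KEV entry, 48 hours for CVSS 9+) to a constructed endpoint export; the fleet records and CVE identifiers are placeholders assumed for illustration, standing in for an Intune, Qualys or Automox report.

```python
"""Insurer-readiness check for the patch and EDR thresholds quoted on this page.
Added example, not CyberStackHub or insurer code. Endpoint records are constructed
sample data standing in for an Intune/Qualys/Automox export; CVE ids are placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

KEV_SLA = timedelta(days=7)          # patch within 7 days of a CISA KEV entry
CRITICAL_SLA = timedelta(hours=48)   # CVSS 9+ within 48 hours
MAX_CRITICAL_OUTSTANDING = 0.05      # strictly fewer than 5% of endpoints
MIN_EDR_COVERAGE = 0.95              # EDR on at least 95% of endpoints

@dataclass
class Finding:
    cve: str
    cvss: float
    published: datetime   # date the CVE entered the KEV catalog
    patched: bool

@dataclass
class Endpoint:
    name: str
    edr_installed: bool
    findings: list = field(default_factory=list)

def deadline(f: Finding) -> datetime:
    """Tightest SLA that applies: 48h for CVSS 9+, otherwise the 7-day KEV window."""
    return f.published + (CRITICAL_SLA if f.cvss >= 9.0 else KEV_SLA)

def overdue(f: Finding, now: datetime) -> bool:
    return not f.patched and now > deadline(f)

def assess(endpoints: list, now: datetime) -> dict:
    """The two ratios an underwriter reads off a compliance report, plus SLA breaches."""
    total = len(endpoints)
    edr_coverage = sum(e.edr_installed for e in endpoints) / total
    critical_outstanding = sum(
        any(f.cvss >= 9.0 and not f.patched for f in e.findings) for e in endpoints
    ) / total
    breaches = [(e.name, f.cve) for e in endpoints for f in e.findings if overdue(f, now)]
    return {
        "edr_coverage": edr_coverage,
        "edr_ok": edr_coverage >= MIN_EDR_COVERAGE,
        "critical_outstanding": critical_outstanding,
        "patch_ok": critical_outstanding < MAX_CRITICAL_OUTSTANDING,
        "sla_breaches": breaches,
    }

# Constructed fleet: 20 workstations, one without EDR (exactly the 95% bar).
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)
FLEET = [Endpoint(f"ws-{i:02d}", edr_installed=(i != 7)) for i in range(20)]
FLEET[3].findings.append(Finding("CVE-PLACEHOLDER-A", 9.8, NOW - timedelta(days=3), False))
FLEET[5].findings.append(Finding("CVE-PLACEHOLDER-B", 7.5, NOW - timedelta(days=2), False))
FLEET[9].findings.append(Finding("CVE-PLACEHOLDER-B", 7.5, NOW - timedelta(days=10), False))
FLEET[11].findings.append(Finding("CVE-PLACEHOLDER-A", 9.8, NOW - timedelta(days=3), True))

def demo() -> dict:
    """One unpatched CVSS 9.8 on 20 hosts is 5% exactly, which fails the '< 5%' bar."""
    return assess(FLEET, NOW)
```

Run against a real export, the "sla_breaches" list is the remediation backlog to clear before submitting the 90-day compliance reports, and the two ratios are the numbers the underwriter compares against the 95% and 5% thresholds.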

The Evidence Underwriters Want — and How to Generate It

Insurers don't just ask if you have controls — they ask for documentation that proves it. During the underwriting process, you'll submit an evidence package. This table shows what underwriters ask for per control, what documentary proof satisfies them, and which CyberStackHub tool generates that evidence.

Control | What Underwriters Ask For | What Satisfies Them | CyberStackHub Tool
MFA Enforcement | MFA policy document + screenshot of MFA settings in IdP | Entra ID / Google Admin screenshot showing MFA enforced on all user accounts, list of accounts exempt and business justification | Security Audit → MFA section generates policy doc + screenshot guide
EDR Deployment | EDR deployment report, management console screenshot | EDR console showing > 95% endpoint coverage, active monitoring status, list of exclusions | Security Audit → EDR checklist generates deployment report template
Immutable Backups | Backup architecture diagram, restoration test logs | Screenshot of backup configuration (showing Object Lock or air-gap), weekly restoration test logs showing RPO/RTO targets met | Security Audit → Backup evidence section + IRP generator for testing protocols
Incident Response Plan | Current IRP document, annual review date, distribution list | Written IRP with ransomware decision tree, authority chain with names/titles, law enforcement contacts, customer notification timeline, last review date within 12 months | Incident Response Plan Generator → produces a complete, insurer-ready IRP
Email Security | Email security dashboard, spam/phishing catch rate | Screenshot of Microsoft Defender / Proofpoint / Google Workspace dashboard, quarantine review log showing what was blocked | Security Audit → Email Security section
Patch Management | Last 90 days of patch compliance reports | Intune / Qualys / Automox report showing < 5% critical patches outstanding, CISA KEV remediation tracking | Security Audit → Patch Management section
Phishing Training | Training platform completion rates, click rate metrics | KnowBe4 / Proofpoint dashboard showing completion rate > 90%, click rate trend (should be declining), new hire onboarding training records | Security Training Tool → generates awareness training materials + tracking
Vendor Risk | Vendor inventory, SOC 2 / questionnaire reviews | Spreadsheet or tool output listing Tier 1 vendors, criticality ratings, review dates, SOC 2 on file or completed security questionnaire | Vendor Risk Tool → generates vendor inventory + questionnaire
Risk Score | Overall cybersecurity posture score | Written assessment using CIS Controls, CISA CSF, or NIST CSF framework — includes gap list and remediation priorities | Free Security Assessment → calculates risk score across all controls

Tip: Create a CyberStackHub account and run a security audit before applying for cyber insurance. Save the PDF evidence package. If an insurer ever challenges a claim, you have a timestamped record of your controls as of a specific date — this is the difference between an approved and a denied claim.

Competitor Comparison: CyberStackHub vs. the Field

This table compares CyberStackHub against the top cited competitors for "cyber insurance requirements" (Huntress, SeedPod Cyber, Openly Security, Bellator Cyber, Alps Insurance) across the controls that matter for insurance readiness. CyberStackHub is the only platform that generates insurer-ready evidence documentation directly.

Feature | CyberStackHub (free) | Huntress | SeedPod Cyber | Openly Security | Bellator Cyber | Alps Insurance
Free risk assessment | ✓ Full assessment with risk score | ✓ Free account, limited scans | ○ Limited free tier | ✓ Free NIST CSF assessment | ○ Free risk quiz | ✓ Quote tool free
MFA documentation | ✓ Full policy + implementation guide | ✗ No policy documentation | ✗ No policy documentation | ○ MFA check only | ✗ No policy documentation | ✗ Not applicable
EDR verification | ✓ Deployment checklist + monitoring guide | ✓ EDR included with managed detection | ○ EDR check only | ○ Advisory only | ✓ EDR included | ✗ Not applicable
IRP generation | ✓ Complete, insurer-ready IRP document | ✗ No IRP generation | ✗ IRP template only | ○ Advisory guidance | ○ Template provided | ✗ IRP not included
Backup evidence generation | ✓ 3-2-1 documentation + test log template | ✗ No backup evidence | ✗ No backup evidence | ✗ No backup evidence | ○ Advisory only | ✗ Not applicable
Phishing training | ✓ Training materials + simulation tracking | ✗ Not included | ✓ KnowBe4 integration | ✓ Integrated training | ✗ Not included | ✗ Not applicable
Vendor risk management | ✓ Vendor inventory + questionnaire generator | ✗ No vendor risk tool | ○ Vendor questionnaire | ○ Advisory only | ✓ Vendor risk tool included | ✗ Not applicable
Regulatory filing prep (SOC 2, HIPAA, PCI) | ✓ Compliance gap analysis + remediation plan | ✗ No compliance tooling | ○ Advisory only | ✓ SOC 2 gap analysis | ○ Advisory only | ✗ Not applicable
Generates insurer-ready evidence package | ✓ Yes — PDF evidence package for underwriting | ✗ No evidence package | ✗ No evidence package | ✗ No evidence package | ✗ No evidence package | ○ Quote only
Pricing model | Free assessment; paid tools from $49/mo | $99–$299/mo per endpoint | Contact sales | $149/mo | $199+/mo | Insurance premium + platform fee

Why CyberStackHub wins on this keyword: Every other tool in this comparison gives you either a check box or a recommendation. CyberStackHub is the only platform that generates the actual documentation — IRP, risk assessment report, backup evidence package — that insurers require at underwriting. When a buyer searches "cyber insurance requirements," they want to know what controls they need and how to prove they have them. CyberStackHub delivers both.

Frequently Asked Questions

Every cyber insurance policy in 2026 requires these core controls as a baseline: multi-factor authentication (MFA) on all accounts with privileged access and remote access solutions — authenticator apps preferred over SMS; endpoint detection and response (EDR) on all endpoints; immutable off-site backups following the 3-2-1 rule with at least one air-gapped or Object Lock copy; a written incident response plan (IRP) with ransomware decision tree, authority chain, law enforcement contacts, and customer notification procedures; email security gateway; patch management tracking CISA KEV vulnerabilities within 7 days; and quarterly phishing simulation training. Without these, most insurers will decline coverage or void claims.
Yes — and the bar has risen sharply since 2024. Insurers including At Bay, Cowbell, Corro, Invis, Resilience, and Sentinel now require 10-15 specific controls before quoting. For SMBs with under 50 employees, the minimum typically includes MFA everywhere, EDR on all endpoints, immutable backups, a written IRP, and email security. Larger SMBs face additional requirements: risk assessment scoring, vendor management documentation, quarterly phishing training, and BRCP/BCP documentation. The days of getting a cyber policy with just an application and a premium are over.
Most insurers use risk scoring (CIS Controls, CISA Cybersecurity Framework, or their own rubric) as a pricing lever. A score above 80% of max earns a 15-40% premium reduction. A score below 60% may result in declined coverage or a 2-3× premium multiplier. The risk score is calculated at underwriting using evidence you submit: MFA policy, EDR deployment proof, backup frequency logs, IRP document, and patch remediation records. CyberStackHub's security assessment generates a comparable risk score that mirrors what insurers calculate, so you know where you stand before applying.
PCI DSS and HIPAA compliance directly affects cyber insurance underwriting and claims outcomes. Under HIPAA, violation of the Breach Notification Rule can trigger insurer involvement and coverage disputes if you failed to maintain required safeguards. Under PCI DSS, if you handle card transactions and suffer a breach, your Payment Brand fine compliance becomes an insurer investigation target. Insurers increasingly ask: Are you PCI DSS compliant? HIPAA compliant? What's your audit history? Non-compliance is a common basis for insurers to deny coverage on claims involving PII or card data.
Most mid-market cyber insurance policies (covering businesses with $5M-$50M revenue) require a formal Business Continuity Plan (BCP) as part of the application. Smaller SMB policies often require it implicitly as part of the incident response plan requirements. At minimum, your IRP must address: how you restore operations after an attack (RTO/RPO targets), how you maintain customer communication during an incident, and how you handle a ransomware demand. Some insurers specifically require you to test your backup restoration process semi-annually and keep logs as evidence.
Insurers have limited flexibility on core controls — MFA, EDR, and backups are non-negotiable. However, you can negotiate: alternative compensating controls if a specific control is technically impractical; pre-underwriting discounts if you complete a CyberStackHub risk assessment and remediate high-priority gaps before applying; policy extensions covering specific risks (social engineering, Funds Transfer Fraud); and premium payment timing and retention levels to reduce premium. Work with a cyber insurance broker who specializes in SMB lines — specialized brokers have relationships with insurers like Cowbell and At Bay who are more willing to negotiate with documented risk improvements.
Insurers can void your claim and cancel your policy if they determine you misrepresented a material fact — this includes control gaps you were supposed to have in place at the time of application. Common successful claim denials: you stated MFA was enforced but it wasn't; you stated EDR was deployed on all endpoints but two servers were missed; you stated immutable backups existed but they were actually relying on a cloud service that could be overwritten. Document your controls continuously. Screenshots, logs, and system configurations should be saved and updated quarterly.
Cyber insurance policies typically exclude coverage for incidents that occurred before the policy start date — this is called a retroactive date. If you purchase a policy today but suffered a breach six months ago without knowing it, that breach is not covered. Some policies allow retroactive coverage extension for an additional premium, extending coverage back 30-90 days. When switching insurers, always verify the new policy's retroactive date is earlier than your prior policy's expiration. Incident response costs can accumulate for months before a breach is discovered — verify your retroactive date carefully.
Standard SMB cyber policies cover the business entity — not individual executives. Directors & Officers (D&O) cyber liability is a separate policy type typically added to D&O packages for an additional premium. If a CEO or CFO is individually named in a regulatory action (SEC cyber disclosure requirements, state AG actions following a breach), a personal D&O cyber claim would only be covered by a D&O policy with cyber extensions. Most SMB owners assume their cyber policy covers them personally — it typically does not.
Most cyber insurance policies cover ransomware payments as part of ransomware event coverage, subject to policy limits and conditions. However, coverage is not automatic — insurers typically require: proof that all preventive controls (MFA, EDR, backups) were in place at the time of the attack; a minimum wait period (24-72 hours) before paying a ransom, to confirm the data cannot be recovered from backups; a forensic investigation establishing the initial attack vector; and OFAC sanctions compliance, meaning insurers subject to those requirements will not pay ransoms to sanctioned entities. Always notify your insurer before making any ransomware payment — unauthorized payments may not be reimbursed.

Know Your Insurance Readiness — Before the Insurer Asks

CyberStackHub's free security assessment benchmarks your controls against insurer requirements. Get a risk score, gap list, and specific remediation steps — and generate the evidence package insurers want. Takes 8 minutes, no account required.

Sources & Citations

1. NAIC Cyber Insurance Market Report 2025. National Association of Insurance Commissioners. naic.org
2. IBM Cost of a Data Breach Report 2025. Ponemon Institute / IBM Security. ibm.com/security/data-breach
3. Verizon 2025 Data Breach Investigations Report (DBIR). verizon.com/business/resources/reports/dbir/
4. CISA Known Exploited Vulnerabilities (KEV) Catalog. Cybersecurity and Infrastructure Security Agency. cisa.gov/known-exploited-vulnerabilities-catalog
5. At Bay Cyber Insurance Underwriting Guidelines. atbay.com
6. Cowbell Cyber Insurance Underwriting Requirements. cowbell.insure
7. Corro Cyber Insurance Application Requirements. corro.io
8. Invis Cyber Insurance Underwriting Guidelines. invisgroup.com
9. Resilience Cyber Insurance Requirements. resilienceinsurance.com
10. Sentinel Cyber Insurance Underwriting Guidelines. sentinelinsurance.com
11. CIS Controls v8. Center for Internet Security. cisecurity.org/controls
12. NIST Cybersecurity Framework 2.0. National Institute of Standards and Technology. csrc.nist.gov/cyberframework