Cyber insurance isn't optional anymore for most small businesses. If you process customer data, accept credit cards, store health records, or work with enterprise clients, your insurance carrier is almost certainly asking questions about your security posture. And those questions have gotten more specific in 2026.

This guide breaks down what carriers are requiring now, what's changed from previous years, and how to meet those requirements without a massive IT budget.

What Carriers Require in 2026

Cyber insurance underwriters now evaluate applicants against a checklist of security controls. The specifics vary by carrier and policy size, but for policies over $1 million the most common requirements include:

Multi-Factor Authentication (MFA): This is now nearly universal. Carriers want to see MFA on email, VPN access, remote desktop, and administrative accounts. If you don't have MFA enabled, most carriers won't even quote you. This is the single most common reason applications get denied.

Endpoint Detection and Response (EDR): Traditional antivirus is no longer sufficient. Carriers expect endpoint detection tools that can identify and respond to behavioral threats, not just signature-based malware. Solutions like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint meet this requirement.

Penetration Testing: An increasing number of carriers now require annual penetration testing for policies above certain thresholds. This has accelerated sharply. Where three years ago only a handful of carriers asked for pentesting, the majority of policies over $1 million now include it as a requirement or strong recommendation.

Backup and Recovery: Carriers want to see that you have regular, tested backups stored offline or in a separate environment. The emphasis is on "tested." Having backups that you've never verified is almost as bad as having none.

Security Awareness Training: Annual security training for employees, particularly around phishing. Some carriers ask for documentation proving training was completed.

Patch Management: A documented process for applying security patches within 30 days of release. Critical patches should be applied within 14 days.
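One way to turn the patch-management rule above into the kind of evidence an underwriter asks for: a small script (added here as an example, not Trident Shell's tooling or any carrier's form) that checks a patch inventory against the 30-day window and the 14-day window for critical patches. Host names, advisory IDs and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows stated in the carrier requirements: 30 days for any security patch,
# 14 days for critical ones. Assumption: counted in calendar days from release.
SLA_DAYS = {"critical": 14, "default": 30}

@dataclass
class PatchRecord:
    host: str
    advisory: str             # vendor advisory ID (constructed placeholders below)
    severity: str             # "critical", "high", "medium" or "low"
    released: date            # vendor release date
    applied: Optional[date]   # None if the patch is still open

def sla_deadline(rec: PatchRecord) -> date:
    """Latest date the patch may be applied and still meet the carrier window."""
    days = SLA_DAYS.get(rec.severity.lower(), SLA_DAYS["default"])
    return rec.released + timedelta(days=days)

def evaluate(rec: PatchRecord, as_of: date) -> str:
    """'compliant' (applied in time), 'late' (applied after the deadline),
    'overdue' (still open past the deadline) or 'pending' (open, in window)."""
    deadline = sla_deadline(rec)
    if rec.applied is not None:
        return "compliant" if rec.applied <= deadline else "late"
    return "overdue" if as_of > deadline else "pending"

def sla_report(records, as_of: date):
    """One row per patch record; this is the list you would keep as evidence."""
    return [{"host": r.host, "advisory": r.advisory, "severity": r.severity,
             "deadline": sla_deadline(r).isoformat(), "status": evaluate(r, as_of)}
            for r in records]

def summarize(rows):
    """Count rows per status; anything 'late' or 'overdue' needs a remediation note."""
    counts = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts

# Constructed sample inventory (not real hosts or advisories).
AS_OF = date(2026, 2, 1)
SAMPLE = [
    PatchRecord("web-01", "ADV-0001", "critical", date(2026, 1, 5), date(2026, 1, 15)),
    PatchRecord("web-02", "ADV-0001", "critical", date(2026, 1, 5), date(2026, 1, 25)),
    PatchRecord("fs-01", "ADV-0002", "high", date(2026, 1, 10), None),
    PatchRecord("db-01", "ADV-0003", "medium", date(2025, 12, 1), None),
]

if __name__ == "__main__":
    report = sla_report(SAMPLE, AS_OF)
    for row in report:
        print(f'{row["host"]:8} {row["advisory"]:9} {row["severity"]:9} due {row["deadline"]}  {row["status"]}')
    print(summarize(report))
```

Run it on an export from your patching tool and keep the dated output alongside the screenshots the "Document everything" section describes.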

Why Penetration Testing Is Becoming Mandatory

The trend toward mandatory pentesting is driven by data. Carriers have seen that businesses with recent security assessments file fewer claims and recover faster when incidents occur. A penetration test gives the underwriter confidence that you've identified your most critical vulnerabilities and have a plan to address them.

What carriers specifically look for in a penetration testing report:

  • Testing was conducted by a credentialed professional (OSCP, GPEN, or equivalent)
  • Testing covered external network, internal network, and web applications (where applicable)
  • The report includes risk ratings and remediation guidance
  • Critical and high-severity findings have been addressed or have a remediation plan
  • An attestation letter confirming the testing was completed

At Trident Shell, we include the attestation letter formatted for underwriters in every cyber insurance engagement. It's specifically designed to meet what carriers need to see.

What's Changed from Previous Years

The biggest shift in 2026 is that requirements that were previously "recommended" have become mandatory. Three years ago, a small business could get a cyber insurance policy by answering a questionnaire honestly. Now carriers are asking for documentation. They want to see configuration screenshots, training records, and testing reports.

The other major change is premium sensitivity. Businesses that can demonstrate strong security controls are seeing premium discounts of 15 to 25 percent. Businesses that can't are seeing increases of 30 to 50 percent, or outright policy denials. This means investing $2,500 in a penetration test can save $5,000 to $10,000 in premiums. The math works clearly in your favor.

How to Meet Requirements on an SMB Budget

You don't need an enterprise security budget to satisfy your carrier. Here's a practical approach:

Start with MFA. If you do nothing else, enable multi-factor authentication on all critical systems. Microsoft 365 and Google Workspace include MFA at no additional cost. This is free and addresses the number one reason for policy denials.

Deploy EDR. Microsoft Defender for Endpoint is included in many Microsoft 365 Business Premium subscriptions. If you're already paying for Microsoft 365, you may already have access. For non-Microsoft environments, CrowdStrike Falcon Go starts at roughly $5 per endpoint per month.

Get a penetration test. This is where most SMBs stall, because they see enterprise pricing ($15,000 to $50,000) and assume it's out of reach. It doesn't have to be. Trident Shell delivers compliance-ready assessments starting at $1,500 with a 5-day turnaround. The report satisfies what your underwriter needs, and the premium discount typically covers the cost.

Document everything. Carriers want evidence. Keep records of MFA configuration, EDR deployment, backup test results, training completion, and penetration test reports. A simple shared folder with dates and screenshots goes a long way.

What Happens If You Don't Comply

The consequences of failing to meet carrier requirements have gotten more severe. At the mild end, your premiums increase at renewal. At the more serious end, your carrier may decline to renew your policy, and finding replacement coverage at a reasonable rate becomes difficult.

The worst scenario happens after an incident. If you file a claim and the carrier discovers that you misrepresented your security posture on the application, they can deny the claim. This means you've been paying premiums for coverage that won't be there when you need it.

Getting Started

The most efficient approach is to tackle requirements in the order that carriers prioritize them: MFA first, then EDR, then penetration testing. If your renewal is coming up in the next 90 days, start with the penetration test since it takes the most lead time.

Trident Shell specializes in helping small businesses meet cyber insurance requirements. Our cyber insurance penetration testing package is $2,500, includes the attestation letter your underwriter needs, and is delivered in 5 business days. Reach out for a free 15-minute scoping call to discuss your renewal timeline and requirements.