How do you make your IT cyber-insurance defensible? A 2026 guide for commercial businesses.
Between 2022 and 2026 the cyber insurance market changed underneath every commercial business that bought a policy. Premiums rose, retentions climbed, and the renewal questionnaire grew from a one-page checkbox into a multi-section underwriting document. Carriers stopped accepting general assurances and started auditing specific controls. They added "failure to maintain" exclusions that void coverage when stated controls lapse, and they backed those exclusions in court. The result for a 10-25 person manufacturer, engineering firm, or professional services business is simple: passing the renewal and being paid on a claim now both require something the market did not require five years ago. That something is defensibility, and this guide explains how to build it.
What's in this guide
- What does "cyber-insurance defensible" actually mean?
- Why are carriers denying so many claims now?
- What controls do carriers actually require in 2026?
- How do you prove you have these controls?
- What does a cyber insurance renewal questionnaire actually look like?
- How does an MSP-delivered stack reduce your premium?
- What if your IT cannot pass the questionnaire today?
- Frequently asked questions
What does "cyber-insurance defensible" actually mean?
Cyber-insurance defensible means your IT environment can survive scrutiny from three audiences in sequence. Your insurance underwriter scrutinizes you at renewal. Your incident-response forensics team scrutinizes you after a breach. Your insurance adjuster scrutinizes you when the claim is reviewed. Each audience asks the same question differently: did you do what you said you did, and can you prove it?
That three-audience model matters because most commercial businesses pass audience one and fail audience three. The renewal application asks "is MFA enforced on remote access?" and someone checks yes because most users have MFA most of the time. Twelve months later a forensics report shows the breach happened through a service account that was excluded from the Conditional Access policy, and the claim is denied for misrepresentation. The control was almost in place. Almost is not defensible.
"Defensible" is also distinct from "secure." Security is the engineering work that prevents incidents. Defensibility is security plus consistency over time plus provability to a third party. A control that worked yesterday but was disabled for a deployment last week is not defensible. A control that works today but produces no log is not defensible. The bundle of controls, evidence, and operational discipline that holds up under three audiences is what carriers buy at renewal.
What changed in the underwriting market between 2023 and 2026 is the bar. Coalition's 2025 Cyber Claims Report continues to track the strong correlation between MFA gaps and denied claims, and prior reporting found that the majority of claim denials involved organizations without properly enforced MFA across their environment (Coalition, 2025 Cyber Claims Report). Marsh McLennan's 2025 Cyber Insurance Market Report noted that nearly all current cyber insurance applications include specific MFA implementation questions. The bar is no longer "do you have MFA." It is "where, how, and can you prove it." For the deeper definition with the full three-audience walkthrough, read the spoke What does "cyber-insurance defensible" actually mean?
Why are carriers denying so many claims now?
The short answer is that carrier loss ratios got bad and underwriters tightened. The long answer involves three structural shifts. First, carriers added explicit controls language to policies so that misrepresented or unmaintained controls are now contractual grounds for denial rather than discretionary judgment calls. Second, carriers expanded war and nation-state exclusions in response to NotPetya-era losses, particularly after Merck's $1.4 billion coverage dispute settled in early 2024 (Insurance Journal, Merck Settles Coverage Dispute). Third, the National Association of Insurance Commissioners (NAIC) began publishing more granular market data showing carriers exactly where claim denials concentrate (NAIC, 2025 Cybersecurity Insurance Report).
The denial pattern itself is now systematic rather than discretionary. Insurers apply documented security checklists and policy conditions with rigor and frequently invoke "failure to maintain security" or "failure to follow" exclusions. Those exclusions preclude coverage for claims resulting from an insured's failure to maintain minimum or stated security standards. They are not invoked rarely. They are the default analysis a claims adjuster runs.
The Travelers v. International Control Services dispute is the cleanest example of how this plays out. Travelers denied coverage after discovering that MFA was implemented on the firewall but not on the remote access path the attackers actually used (BreachCraft, 2026 Cyber Insurance Requirements). The control was deployed. It was not enforced where it mattered. The claim was denied. That pattern, attestation present but enforcement gapped, is now the most common denial mechanic in the SMB commercial market. For the top five denial reasons in detail, read the spoke Why do cyber insurance claims get denied?
What controls do carriers actually require in 2026?
The 2026 carrier underwriting standard for SMB commercial businesses converges on roughly eight controls. Coalition, Travelers, Chubb, Hiscox, and Beazley applications differ in wording but ask about the same eight categories. Below is the working list with what each control actually means at enforcement level.
1. Multi-factor authentication on every privileged account, every remote access path, every cloud admin interface
MFA is no longer a generic checkbox. Carriers ask about MFA on email, on VPN, RDP, and SSH remote access, on every privileged or administrative account, and on every cloud admin console (Microsoft 365, Azure, AWS, Google Workspace). Higher-tier policies increasingly require phishing-resistant MFA, meaning FIDO2 hardware keys or platform authenticators rather than SMS codes (CISA, Implementing Phishing-Resistant MFA). For a deep dive, read the spoke What MFA does cyber insurance require in 2026?
2. Managed Detection & Response with 24/7 SOC eyes-on-glass
Modern applications ask whether your environment has 24/7 monitored detection and response, not just whether software is deployed. Managed Detection and Response (MDR) is the productized form of that requirement: Endpoint Detection and Response (EDR) telemetry plus a Security Operations Center (SOC) staffed by humans who investigate alerts and respond. Pure platform alerts without a staffed SOC are increasingly classified by underwriters as inadequate.
3. Endpoint Detection & Response on every endpoint
EDR is the data layer beneath MDR. It records process activity, file changes, network connections, and user behavior on every endpoint. Carriers ask for EDR coverage percentages and treat coverage gaps the same as MFA gaps. A laptop without an EDR agent is an attestation problem waiting to happen.
4. Ring-fencing, application isolation, and least-privilege execution
Ring-fencing controls which applications can talk to which others, which file paths each application can access, and which network destinations it can reach. The concept is that even if an attacker compromises an endpoint, lateral movement is blocked at the application boundary. Carriers added ring-fencing questions in 2024-2025 because lateral movement is what turns a foothold into a ransomware payday.
5. Immutable, off-network, tested backups (3-2-1-1-0 model)
"We have backups" is no longer a defensible answer. The current carrier-acceptable standard is the 3-2-1-1-0 backup rule: three copies of data, on two different media, with one off-site, one immutable or air-gapped, and zero errors verified through routine restore testing (Veeam, Immutable Backups and Cyber Resilience). 89% of ransomware attacks target backups first, and carriers now ask for restore-test evidence by date.
6. Phishing simulation and security awareness training cadence
Most 2026 cyber insurance applications now ask about phishing simulation cadence, click-rate trends, and training completion rates. Quarterly is the typical SMB minimum; monthly is increasingly preferred. Underwriters are asking specifically for the metrics, not just whether a program exists. The 2025 Verizon DBIR found that 22% of breaches involved compromised credentials and that 88% of attacks against basic web applications used stolen credentials (Verizon, 2025 DBIR Executive Summary). Phishing training is the single highest-leverage control against that pattern.
7. Documented incident response plan, tested annually
Carriers ask for a written Incident Response (IR) plan with named roles, tested annually with documented results. The plan needs to cover detection, containment, eradication, recovery, and notification. Tabletop exercise records satisfy "tested annually." A plan that exists in a binder but has never been exercised is a finding, not a control.
8. SIEM and centralized logging with retention
Security Information and Event Management (SIEM) aggregates logs from endpoints, identity providers, firewalls, and cloud services into a central system that retains them for the policy period. Carriers ask about log retention duration and SIEM coverage because logs are what defends a claim under forensic review. Without SIEM, "yes we had MFA enforced" is an assertion. With SIEM, it is a query result. For the difference between MDR, SOC, EDR, and SIEM, read the spoke What is the difference between MDR, SOC, EDR, and SIEM?
How do you prove you have these controls?
The answer is the difference between attestation and evidence. Attestation is what you write on the application. Evidence is what defends the attestation under audit. Carriers do not always ask for evidence at renewal. They almost always ask for it at claim. The defensible posture is to produce evidence on the same cadence as the control, not when a claim is filed and the records have decayed.
Concretely, evidence looks like Microsoft Entra Conditional Access policy exports showing MFA enforcement, sign-in logs showing every privileged login flowed through MFA, MDR engagement records and SOC playbook test logs, restore-test logs from documented quarterly tests, immutability policy attestations, phishing simulation reports with click-rate and completion-rate trend lines, IR tabletop exercise after-action reports, and change management tickets showing every infrastructure change was approved and logged. The combination is what makes a control defensible.
Carriers audit some controls more than others. The most-audited controls are MFA enforcement scope, EDR/MDR coverage percentages, backup restore-test recency, and IR plan dates. The least-audited controls (until a claim is filed) are SIEM retention duration and ring-fencing policy specifics. Once a claim is filed, every control is audited.
A managed services partner produces stronger evidence than internal IT for a specific structural reason. Internal IT changes when staff turn over; the documentation walks out the door. A managed partner runs documented playbooks across many clients, retains records in a separate operational system, and is itself subject to third-party audit. That separation of duties is what underwriters are increasingly looking for, and it is one reason MSP-delivered stacks command better renewal terms than equivalent in-house programs.
Consider a concrete example. A 22-person engineering firm renews on July 1. The application says MFA is enforced on all remote access. In December, a phishing email leads to credential theft on a service account that runs the firm's CAD-license server. The attacker uses that service account to pivot into the file server, encrypt the project archive, and demand ransom. The forensics team reconstructs the path. Question one: was the service account excluded from the Conditional Access policy? Question two: was the exclusion documented and approved? Question three: was the attack visible to MDR before encryption began, and if so, did the SOC respond? If the firm can answer all three with documentation, the claim is defended. If even one answer is "we are not sure," the claim is at risk. The Carrier-Ready Bundle is built around making sure all three answers are documented before the question is ever asked.
Two evidence patterns matter most across all controls. The first is contemporaneous capture: the evidence is created at the same moment the control runs, not reconstructed afterward. A sign-in log entry generated at 8:14 a.m. when an admin logged in is contemporaneous; an after-the-fact spreadsheet is not. The second is independent retention: the evidence sits somewhere your IT team cannot edit, in a system separate from the one being controlled. SIEM retention, MDR provider records, and managed backup vendor logs all qualify. Internal change tickets in the same ticketing system the IT team controls do not, on their own, qualify.
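The two checks below turn the "query result, not assertion" idea above into code: one audits a Conditional Access policy export for privileged identities that no enforced MFA policy actually covers (the excluded-service-account gap from the engineering-firm example), the other scans sign-in records for successful privileged logins that did not flow through MFA. This is an added example, not code from the guide or from TDS-IS; field names follow the Microsoft Graph conditionalAccessPolicy and signIn resources as I understand them, the policies and sign-ins are constructed sample data, and user principal names stand in for the object IDs a real export would contain.

```python
"""Added example: audit CA policy scope and sign-in logs for MFA enforcement gaps.
Field names are assumed from the Microsoft Graph conditionalAccessPolicy and
signIn resources; all records below are constructed, not real tenant data."""

# Assumed privileged-identity inventory (admins plus the CAD-license service account).
PRIVILEGED = {"admin@example.com", "svc-cadlicense@example.com"}

# Constructed Conditional Access export. Real exports list object IDs in
# includeUsers/excludeUsers; UPNs are used here for readability.
CA_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["svc-cadlicense@example.com"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for admins (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["admin@example.com"],
                                 "excludeUsers": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

# Constructed sign-in records: contemporaneous evidence of what each login required.
SIGN_INS = [
    {"createdDateTime": "2026-03-02T08:14:00Z", "userPrincipalName": "admin@example.com",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:01:00Z", "userPrincipalName": "svc-cadlicense@example.com",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:05:00Z", "userPrincipalName": "jane@example.com",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]


def mfa_policy_gaps(policies, privileged):
    """Privileged identities that no enabled, enforced MFA policy covers."""
    covered = set()
    for p in policies:
        # Report-only and non-MFA policies are configuration, not enforcement.
        if p["state"] != "enabled" or "mfa" not in p["grantControls"]["builtInControls"]:
            continue
        users = p["conditions"]["users"]
        included, excluded = set(users["includeUsers"]), set(users["excludeUsers"])
        scope = privileged if "All" in included else included & privileged
        covered |= scope - excluded          # an exclusion removes coverage entirely
    return sorted(privileged - covered)


def unenforced_privileged_signins(sign_ins, privileged):
    """Successful privileged sign-ins whose requirement was not MFA."""
    return [s for s in sign_ins
            if s["userPrincipalName"] in privileged
            and s["status"]["errorCode"] == 0
            and s["authenticationRequirement"] != "multiFactorAuthentication"]


if __name__ == "__main__":
    print("Policy gaps:", mfa_policy_gaps(CA_POLICIES, PRIVILEGED))
    for s in unenforced_privileged_signins(SIGN_INS, PRIVILEGED):
        print("Unenforced:", s["createdDateTime"], s["userPrincipalName"])
```

Run against a real policy export and a day's sign-in log, both checks should return empty; anything they return is the exact finding a forensics team would surface after a claim.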
What does a cyber insurance renewal questionnaire actually look like?
A 2026 renewal questionnaire from Coalition, Travelers, Chubb, or Hiscox is roughly eight sections: Identity and Access, Detection and Response, Backup and Recovery, Training and Awareness, Network Controls, Vendor and Supply Chain, Incident Response, and Policy and Governance (Coalition, Cybersecurity Requirements). Each section asks five to fifteen questions, most of which require yes/no plus narrative.
The trap is not the questions themselves. The trap is the "yes-but-not-really" answer pattern. Examples that get applications signed but claims denied: "Yes we have MFA" (but not on the service accounts that were compromised); "Yes we have backups" (but never restore-tested in the last 12 months); "Yes we have an IR plan" (but it was written by a vendor and never exercised internally). Each of those answers will pass underwriting and fail claim review. The section-by-section walkthrough with sample answers is upcoming in this cluster; for now, the eight controls above are the underlying answer set every section is asking about.
How does an MSP-delivered stack reduce your premium?
Adding 24/7 managed detection and response, documented backup defensibility, and an MSP-managed Conditional Access regime typically unlocks two pricing levers at renewal. The first is direct premium credits, where carriers offer percentage discounts for specific controls (most common: MDR, MFA on all privileged accounts, immutable backups). The second is structural improvements like lower retentions and broader coverage sublimits, which often matter more financially than the headline premium number.
Brokers like Marsh and Aon publish periodic premium-impact reports that quantify these credits. The exact discount varies by carrier and risk profile, but lower retentions and expanded sublimits are common outcomes for SMB commercial businesses that move from a baseline IT posture to a defensible MSP-managed posture. The cleaner the documentation, the better the terms. The Phase 2 spoke on SOC premium impact will dig into this in detail.
Three soft savings often matter more than the premium credit itself. First, broker time: a clean evidence package cuts the back-and-forth between broker and underwriter from weeks to days, freeing leadership attention for actual work. Second, scope expansion: defensible posture lets a business confidently expand coverage limits, add cyber-extortion endorsements, or move from a $1M policy to a $3M policy without surprise pricing. Third, leverage at renewal: when a business shows up to renewal with a documented year of clean MDR data, it shifts the conversation from "prove you deserve to be insured" to "compare these terms to the market." That leverage compounds over multi-year renewal cycles.
What if your IT cannot pass the questionnaire today?
Most 10-25 person commercial businesses cannot pass a 2026 renewal questionnaire honestly. That is not a moral failing; it is a market reality. The market changed faster than internal IT investments. The path from where you are today to defensible posture is a 60-to-90-day program rather than a multi-year transformation, because the controls themselves are well-understood and tooled.
The standard 90-day path looks like this. Days 0-30: assess current posture against the eight-control standard, deploy MDR/EDR, baseline Conditional Access, deploy MFA, deploy ring-fencing, verify backup immutability, write IR plan. Days 31-60: run first phishing simulation, document control evidence, conduct first IR tabletop, finalize SIEM retention. Days 61-90: validate restore tests, complete documentation binder, prepare renewal-ready evidence package. By day 90 the questionnaire is answerable, the evidence is filed, and the next renewal can be approached without the "yes-but-not-really" trap.
The 90-day timeline depends on three operational realities. First, the controls in question are productized: MDR, EDR, ring-fencing, immutable backups, phishing simulation, and SIEM are all available as managed offerings rather than custom builds. Second, deployment can run in parallel: the team handling MFA does not block the team handling backups, which does not block the team handling EDR. Third, evidence collection starts on day one rather than at the end: every control deployed in the first 30 days begins generating logs that count toward the policy-period evidence trail by day 31. Internal IT teams trying to do the same work serially, and starting evidence collection only after deployment is complete, often see the same scope take 9 to 12 months and produce a thinner evidence trail at the end.
The most common rough patches are not technical. They are organizational. Three friction points recur across commercial onboardings. The first is service-account inventory: most environments have more service accounts than anyone realized, and getting MFA or password rotation onto each one requires application-by-application coordination. The second is legacy authentication: turning off basic auth and IMAP for old applications often breaks a workflow that someone uses once a quarter, and that workflow has to be re-tooled. The third is shadow IT, where the marketing team's SaaS app, the engineering team's cloud storage, and the finance team's third-party portal all live outside the IT team's view until the security baseline forces a complete environment inventory. None of these are blockers; all of them are reasons the timeline is 90 days rather than 30.
TDS-IS productizes this 90-day path as the Carrier-Ready Bundle. The bundle is the conversion target on our homepage tier card because it is the level of control where commercial buyers most commonly land. It includes every control above, the documentation evidence, the named account manager who carries the renewal conversation, and the 30-day money-back guarantee.
Frequently asked questions
What is the most common reason cyber insurance claims get denied?
The most common reason a cyber insurance claim is denied is a mismatch between the controls attested on the application and the controls actually in force at the time of the incident. Common patterns include MFA enabled on some systems but not on the breached one, EDR deployed but not monitored, and backups that exist but were never restore-tested. For the full top-five list, read Why do cyber insurance claims get denied?
Does my cyber insurance require MFA on every account?
In 2026 the answer is effectively yes for any account that touches sensitive data, privileged actions, or remote access. Major carriers including Coalition, Travelers, and Chubb now require MFA on all email, all remote access (VPN, RDP, SSH), all privileged or administrative accounts, and all cloud admin consoles. Higher-tier policies increasingly require phishing-resistant MFA. Read the spoke What MFA does cyber insurance require in 2026? for the carrier-by-carrier nuance.
Is MDR the same as antivirus?
No. Antivirus blocks known signatures on a single endpoint. Endpoint Detection and Response (EDR) records and detects suspicious behavior. Managed Detection and Response (MDR) is EDR plus 24/7 human SOC analysts who investigate, hunt, and respond. Cyber insurance applications now ask specifically about 24/7 monitored detection and response, not just deployed software.
How long does it take to become cyber-insurance defensible?
A typical 10-25 person commercial business can reach a defensible posture in 60 to 90 days end to end. The first 30 days cover standardized cutover, control deployment, and documentation. The next 30 to 60 days cover control verification, evidence collection, and the first phishing simulation cycle. Renewal questionnaires can usually be answered honestly within 90 days of go-live.
Will my premium go down if I add a SOC?
Adding a managed Security Operations Center often unlocks premium credits, lower retentions, and broader coverage at renewal, especially for SMB commercial businesses. The exact discount varies by carrier and broker, but reduced retention amounts and expanded sublimits are common. The cleaner the documentation of 24/7 staffed monitoring, the larger the credit.
What happens if my attestation does not match my actual controls?
Material misrepresentation on a cyber insurance application can lead to claim denial, partial coverage, or outright rescission of the policy. Carriers increasingly include "failure to maintain" exclusions that void coverage when stated controls were not in force. The defense is documentation: evidence that controls were enforced consistently across the policy period.
Ready to see if your IT can pass a renewal?
Book a free defensibility assessment. We will review your environment, map it against current carrier requirements, and tell you honestly where you stand. The Carrier-Ready Bundle is our productized 90-day path to a defensible posture.