RNITS · Cybersecurity Service · 15 min read
Cyber Insurance in 2026: Why SMBs Are Getting Denied at Renewal
Carriers stopped trusting questionnaires. They want proof. Here's what cyber insurance actually requires from SMBs in 2026 — and why most don't find out until renewal week.

The phone call always lands on a Tuesday.
A small business owner in Massachusetts opens an email from their broker. Their cyber insurance renewal is up in three weeks. The carrier has new questions this year. A lot more than last year. And the broker is hinting that without good answers on a few specific items, the renewal premium is going to land somewhere between “uncomfortable” and “we should talk.” Sometimes the carrier just declines outright.
By Tuesday afternoon, the owner is calling us. They want to know two things. What do these questions actually mean? And how do we answer “yes” to all of them by Friday?
That conversation has happened more times than we can count over the last twelve months. Cyber insurance has quietly stopped being a checkbox renewal and turned into a real underwriting exercise. Carriers got burned on ransomware payouts. They are clawing back. SMBs are caught in the middle — most have no idea the rules have changed until the questionnaire shows up.
This post walks through what carriers are actually asking for in 2026, why so many small businesses are getting denied or priced out, and the part nobody talks about: most SMBs already own 70 percent of the controls the carrier wants. They just have not turned them on.
What changed at the carrier level
Cyber insurance used to be cheap and lightly underwritten. Five years ago a small business could fill out a one-page form and get a million-dollar policy for a few thousand dollars a year. Some carriers did not even verify what the applicant said. The market grew fast. So did the claim volume.
Then ransomware happened at scale. Carriers paid out billions. Loss ratios at some major underwriters went over 100 percent — meaning they paid more in claims than they collected in premiums. That was not sustainable.
The response from the insurance industry has been steady tightening since 2022, and 2026 is the year it really shows up at the SMB level. A few things changed all at once:
- Questionnaires got longer. What used to be ten questions is now sixty to a hundred. Some carriers want supporting documentation — screenshots of MFA settings, proof of EDR coverage, a copy of your written incident response plan.
- Coverage got narrower. Many policies now exclude losses tied to specific control failures. If you said you had MFA on email and the breach happened through an account without MFA, the claim can be denied even if the premium was paid.
- Sub-limits went down. A million-dollar policy might still pay out a million for a covered event, but ransomware sub-limits now often cap at $250,000 or $500,000. Business interruption sub-limits got tighter too.
- Premiums went up for SMBs that did not improve controls. Renewals at 50 percent over the prior year are common. We have seen 100 percent and 200 percent for businesses that did nothing different.
- More carriers walked away from small business entirely. The smallest end of the market — under twenty employees — is harder to insure now than it was three years ago, even for companies that have never had a claim.
None of this is hypothetical. We see it every week in NH and MA. The pattern is consistent.
What carriers are actually checking now
Different carriers ask different questions, and there is not a single national standard. But the core list has converged. If you are renewing in 2026, expect these to come up:
Multi-factor authentication, everywhere it matters. Not just on email. On VPN. On remote desktop. On admin accounts in Microsoft 365 or Google Workspace. On any cloud service that holds customer data. On your password manager. Carriers are moving from “do you have MFA” to “do you have MFA on every privileged account, every external-facing service, and every backup admin login.” The answer for most SMBs is “mostly, but not all.”
Endpoint detection and response, not antivirus. Traditional antivirus is no longer accepted by most carriers. They want EDR — Defender for Business, CrowdStrike, SentinelOne, Sophos Intercept, Huntress. Something that does behavioral detection, not just signature matching. Some questionnaires ask for the specific product name. They will check.
Immutable, offsite, tested backups. Three things in that sentence. Immutable means the backup cannot be altered or deleted, even by an admin with stolen credentials — typically achieved with cloud object lock, write-once storage, or an air-gapped copy. Offsite means a copy exists outside your primary network. Tested means you actually restore from backup at least annually and document that the restore worked. The ransomware claim playbook from 2024 onward is “we encrypted your stuff and your backups.” If your backups can be reached from a domain admin account, the carrier assumes they will be encrypted too.
A written incident response plan. Not a vague intent. An actual document. Who calls who. What goes to legal. When law enforcement gets notified. Which vendor handles forensics. Some carriers want to see the document. Most just want you to confirm it exists and is reviewed annually.
Tabletop exercises. A growing number of carriers want evidence that you have actually walked through a simulated incident in the last year. The team gathered. The plan got tested. Someone wrote down what worked and what did not. This used to be enterprise-only. It is showing up on SMB questionnaires now.
Email filtering and phishing protection. The built-in protection in Microsoft 365 Business Premium or Google Workspace generally counts. Some carriers want a third-party tool on top. Most accept the native tooling if it is configured properly.
Patch management with documented cadence. Not “we update sometimes.” A written policy with a target window — typically thirty days for critical patches, ninety days for everything else — and evidence that the policy is followed.
Vendor risk management. If a third-party vendor’s breach causes your loss, who is on the hook? Carriers want to see that you have at least thought about this. Vendor SOC 2 reports. Data processing agreements. Some basic due diligence on anyone with access to your network.
Privileged access management. Domain admin accounts should not be used for daily work. Local admin rights should be limited. Service accounts should not have email and password reset permissions. Some carriers are starting to ask for evidence of tiered admin models.
Security awareness training. Annual training for all staff. Phishing simulation campaigns at some cadence. Documented completion.
That list is not exhaustive but it covers the bulk of what shows up at the SMB level. Notice what is on it. Notice what is not. There is no requirement to buy a SIEM. There is no requirement to have a 24/7 security operations center. The carriers have learned that piling on enterprise-grade tooling at SMBs does not actually reduce their loss ratio. What reduces losses is the basics, deployed correctly.
The questionnaire trap
Here is the part that nobody warns small business owners about, and it is the most expensive lesson in cyber insurance.
The questionnaire is a contract. When you answer “yes” to “do you have MFA on all email accounts,” that answer becomes part of your policy. If you have a breach and the forensic investigation reveals that one shared mailbox — the one your accounting team used — did not actually have MFA, the carrier can deny the claim. They do not have to. Some are reasonable. But they have the legal right to.
We have seen this play out. A New England SMB had a payroll fraud incident. Compromised account, money wired out, classic. The carrier paid initially. Then the forensic firm wrote up its report and noted that the compromised account was a service account that the questionnaire had implicitly covered as “MFA enabled” but in reality did not have MFA on the legacy IMAP path. The carrier clawed back the payment. The legal fight took eighteen months and the SMB ended up settling for less than half.
This is not a rare horror story. It is the new baseline. Carriers are using forensic findings to enforce questionnaire accuracy after the fact. The deductible is the cheap part. The denied claim is the expensive part.
Two things follow from this:
First, do not answer “yes” to anything you have not personally verified. “Yes” is a load-bearing word. If your IT person or your MSP says you have MFA on everything, ask them to show you. Click through the admin portal. See the green checkmarks. Do this before you sign.
Second, write down what is not covered. If you have MFA on email but not on VPN, the questionnaire should reflect that. Carriers will sometimes still write the policy with a control gap noted. They will rarely deny a claim over something they were told about up front.
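As an added example that is not part of the original post: a small Python script that joins two exports a Microsoft 365 admin can actually pull (the Microsoft Graph user registration details report and Exchange Online's Get-CASMailbox output) into the list of accounts that would make a bare “yes” on the MFA question untrue, including the legacy IMAP path described above. The sample rows are constructed; only the field names follow those two sources.

```python
from dataclasses import dataclass

# Shape of Microsoft Graph's /reports/authenticationMethods/userRegistrationDetails
# rows (userPrincipalName, isMfaRegistered, isAdmin). Constructed sample data.
REGISTRATION_REPORT = [
    {"userPrincipalName": "owner@example.com", "isMfaRegistered": True, "isAdmin": True},
    {"userPrincipalName": "ap-shared@example.com", "isMfaRegistered": False, "isAdmin": False},
    {"userPrincipalName": "svc-payroll@example.com", "isMfaRegistered": False, "isAdmin": False},
    {"userPrincipalName": "backupadmin@example.com", "isMfaRegistered": False, "isAdmin": True},
    {"userPrincipalName": "jdoe@example.com", "isMfaRegistered": True, "isAdmin": False},
]

# Shape of Exchange Online Get-CASMailbox output (Identity, ImapEnabled, PopEnabled).
# IMAP/POP with basic auth is a legacy path that never prompts for a second factor,
# so MFA registered on the account is not enforced there. Constructed sample data.
CAS_MAILBOXES = [
    {"Identity": "owner@example.com", "ImapEnabled": False, "PopEnabled": False},
    {"Identity": "ap-shared@example.com", "ImapEnabled": True, "PopEnabled": False},
    {"Identity": "svc-payroll@example.com", "ImapEnabled": True, "PopEnabled": True},
    {"Identity": "backupadmin@example.com", "ImapEnabled": False, "PopEnabled": False},
    {"Identity": "jdoe@example.com", "ImapEnabled": False, "PopEnabled": False},
]

@dataclass(frozen=True)
class Gap:
    account: str
    reason: str

def mfa_gaps(report, cas_mailboxes):
    """Every account that makes a bare 'yes' to the MFA question untrue."""
    legacy = {m["Identity"].lower(): m for m in cas_mailboxes}
    gaps = []
    for row in report:
        upn = row["userPrincipalName"].lower()
        if not row["isMfaRegistered"]:
            role = "admin" if row["isAdmin"] else "user"
            gaps.append(Gap(upn, f"no MFA registered ({role})"))
        mbx = legacy.get(upn)
        if mbx and (mbx["ImapEnabled"] or mbx["PopEnabled"]):
            gaps.append(Gap(upn, "IMAP/POP enabled: MFA not enforced on this path"))
    # Registration is not enforcement (Conditional Access must still require MFA),
    # but anything listed here already disproves "MFA on every account".
    return gaps

def questionnaire_answer(gaps):
    """The word that goes on the form, and the gap note to disclose beside it."""
    if not gaps:
        return "Yes", ""
    return "No", "; ".join(f"{g.account}: {g.reason}" for g in gaps)
```

The shared accounting mailbox and the payroll service account show up twice: once for no MFA at all, once for the IMAP path, which is exactly the combination in the claim story above.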

Why claims get denied even when the policy pays
Even when the headline number on the policy looks generous, the actual payout for a real incident often disappoints. A few reasons:
Sub-limits. A two-million-dollar policy with a $250,000 ransomware sub-limit means you are getting $250,000 toward a ransomware event, not two million. Read the schedule of limits, not just the policy face value.
Co-insurance. Some policies have co-insurance clauses where the insured pays a percentage of the loss above the deductible. If you have 20 percent co-insurance on a $500,000 loss, your share is $100,000.
Specific exclusions. “Acts of war” exclusions have expanded since 2022 and now sometimes apply to nation-state-attributed ransomware. Social engineering exclusions are common. Voluntary parting clauses can exclude wire transfer fraud.
Sub-vendor exclusions. If your loss came through a vendor — your IT provider was compromised, your accounting software vendor leaked data — the policy may exclude that loss class entirely or apply a different sub-limit.
Notification timing. Many policies require notification within seventy-two hours of an event. Miss the window and the carrier can reduce or deny the claim.
The combined effect is that a “million-dollar policy” rarely pays out a million dollars even on a clean claim. Real-world net recovery is often a fraction of the face value. This is not the carriers being sneaky — it is the policy doing exactly what the policy says it does. The problem is that nobody read the policy.
The un-MSP read on all of this
Most MSPs respond to tightening insurance requirements by selling more tools. New EDR product. New backup product. New phishing simulation platform. New compliance management subscription. Add it all to the monthly invoice and bill the SMB to “make them insurable.”
We do not do that. We are the un-MSP — meaning when a client comes to us with a tightened renewal questionnaire, the first conversation is about what they already own, not what we can sell them.
Here is what we usually find:
Most SMBs running Microsoft 365 Business Premium already have Defender for Business, Conditional Access, MFA enforcement, basic email filtering, OneDrive for Business with retention, and Intune-based patch management included in the license. They are paying for it every month. They are using maybe a third of what is there. The license already covers most of what the carrier is asking for. It just has not been turned on, configured, or documented.
Most SMBs running Google Workspace Business Plus have the same story. The 2-step verification is built in. The endpoint management is built in. The Vault retention is built in. The advanced phishing protection is built in. Configure it correctly and most of the questionnaire answers itself.
Most SMBs already have a cloud backup of some kind. The gap is usually that it is not immutable, or that the admin credentials for the backup are the same as the daily-use credentials for the IT system, or that nobody has tested a restore in two years.
The number of net-new tools an average SMB needs to buy in order to pass a 2026 cyber insurance questionnaire is usually one or two. Sometimes zero. The work is in configuration, documentation, and verification — not procurement.
That is the conversation that traditional MSPs do not want to have, because it does not generate a new line item on the invoice. It is also the conversation that gets the renewal signed without a fight.
Eight questions to ask before your renewal
Run this list before you fill out the questionnaire. If the answer to any of these is “I am not sure,” find out before you write anything down.
- Is MFA enforced on every user account, every admin account, and every external-facing service — not just email?
- Is there an EDR product running on every endpoint, with central reporting that shows current coverage status?
- Is there a backup that cannot be deleted by a domain admin account, and was it test-restored in the last twelve months?
- Is there a written incident response plan, and was it reviewed in the last twelve months?
- Was there a tabletop exercise in the last twelve months?
- Are local admin rights and domain admin rights restricted to people who actually need them, with separate accounts for daily use versus admin tasks?
- Is patching documented with a target cadence, and is there evidence the cadence is being met?
- Are vendors with network access tracked, and is there at least basic due diligence on what they have access to?
If you can answer “yes, and I can prove it” to all eight, your renewal is likely to go fine. If you cannot, the renewal is going to be expensive — or denied — and you have time before it happens to fix the gaps.
What to do if you are sixty days from renewal
The order matters. We have seen SMBs panic and buy three new products in a week, and then still answer the questionnaire wrong because nothing was actually configured.
Do these in order:
First, audit what you already own. Pull the license tier on your Microsoft 365 or Google Workspace tenant. Look at the security tools that come with it. Check what is enabled and what is not. Most SMBs are surprised by the answer.
Second, close the obvious MFA gaps. Service accounts. Shared mailboxes. Anything that does not have MFA. If a system literally cannot do MFA, document the gap and put compensating controls around it (IP restriction, conditional access).
Third, verify the backup. Run an actual restore test of a real file. Document that you did it. Confirm the backup credentials are isolated from daily admin credentials.
Fourth, write down the incident response plan. Even a one-page version is better than nothing. Who you call, in what order, with what phone numbers. Save it somewhere that is accessible during an incident.
Fifth, do a tabletop. Get the management team in a room for an hour. Walk through “we have just been hit by ransomware, what happens next” out loud. Take notes. The point is not perfection — the point is having done it.
Sixth, only then evaluate net-new tools. If the audit revealed a real gap that existing licenses cannot fill, fill it. If the audit revealed that the gap is configuration, fill the configuration gap, not the procurement gap.
That sequence consistently gets SMBs to a clean renewal. It does not require a panic-buy. It does not require a six-figure MSP retainer increase. It requires a few weeks of focused work on the right things.
A note for our NH and MA neighbors
We work with small businesses in New Hampshire and Massachusetts, and the local insurance market has its own rhythm. Several of the regional brokers are using a small set of carriers, which means the questionnaires we see tend to overlap. That makes preparing for a renewal a lot more predictable than it sounds. If you have a renewal coming and you are not sure what the carrier is going to ask, your broker often knows. Ask.
For onsite work we cover the 150-mile radius from Tyngsboro, MA, which puts most of southern NH and eastern MA inside our normal service area. For configuration audits and policy review, we work remotely with clients across the country. The tooling for both is the same.
Bottom line
Cyber insurance in 2026 is harder to qualify for than it used to be, and the carriers are not going to loosen up. The questionnaires are longer. The verification is real. The denied-claim risk is higher. Premiums for SMBs that do not improve controls will keep climbing.
The good news is that most of what carriers want is achievable inside the licenses you are already paying for. The work is in turning things on, configuring them right, and writing things down — not buying a stack of new products.
If you have a renewal coming up in the next ninety days and you are not sure how the questionnaire is going to land, this is exactly what we do every week. We will run a free cyber security audit against your environment, show you where the gaps are against a typical 2026 carrier questionnaire, and give you a plain-English answer about what to fix before renewal. No sales pitch. No tool stack. Just a clear picture of where you stand.
Schedule a free audit or get in touch here.
The Rnits Company. The un-MSP. (978) 226-8931.