Cyber Insurance Renewal Guide
A working reference for mid-market firms: what underwriters actually measure, what credible answers look like and how to close the gaps before the next renewal.
Cyber insurance applications grew from roughly 40 questions in 2021 to 70 or more in 2026. The control floor rose with them. Firms that answer the 2026 application with 2021 language see one of three outcomes: premium increase, new exclusions or non-renewal. This guide answers 22 of the questions buyers ask most often when a renewal is on the horizon.
How the renewal process works
Cyber insurance renewal is a recurring, high-stakes operational moment. The earlier in the cycle the firm starts, the more leverage it has on premium and terms.
What is a typical cyber insurance renewal cycle?
Cyber insurance policies typically renew annually. The application process opens 60 to 90 days before expiration, with the underwriter reviewing the application package over 2 to 4 weeks and issuing terms 30 days before expiration. A policy that lapses before the renewal is bound leaves the firm uninsured for that gap. Plan to have the application complete and signed at least 30 days before expiration.
When should we start preparing for renewal?
Begin internal preparation 90 days before policy expiration. The first 30 days cover gap assessment against last year's application and identification of new control expectations. The next 30 days cover remediation of high-impact gaps. The final 30 days cover application drafting, evidence collection and broker review. Starting later usually means accepting whatever premium and terms the carrier proposes.
Who at the firm needs to be involved in the renewal process?
At minimum: the executive sponsor (typically CFO or COO), an IT or security lead with operational visibility, the firm's risk manager or HR lead for incident-history questions and the broker. For larger firms, legal counsel reviews policy language and exclusions. Every named participant should know their role 60 days before expiration so handoffs do not slip.
What does the application process actually look like?
A typical 2026 application is a 70-question questionnaire covering controls, incident history, data inventory and program documentation. The carrier may also request artifacts like network diagrams, IR plans, backup verification logs and SOC reports. Some carriers require a pre-renewal scan or risk assessment. The application is signed by an authorized officer and submitted through the broker.
How are cyber insurance premiums determined?
Premiums reflect three factors: revenue and industry risk classification (the base), control posture as evaluated through application answers (the multiplier) and incident history (often the largest single influence). A firm with strong controls in a low-risk industry might pay 0.5 to 1 percent of revenue annually. Weak controls or a recent claim can shift premiums materially or trigger non-renewal.
What controls underwriters expect
The control floor has risen sharply since 2021. A 2026 application expects specific tools, named frequencies and documented evidence. Vague answers fail.
What is the minimum control set carriers expect today?
The current floor: phishing-resistant MFA on all remote access and privileged accounts, EDR (not legacy antivirus) on every endpoint, immutable backups with tested restores, 24x7 security monitoring (in-house, MSP or MDR), incident response plan reviewed within 12 months and annual security awareness training with simulated phishing. Carriers will exclude or non-renew policies for firms below this floor.
What does "underwriter-grade" MFA actually mean?
SMS and push-only MFA are now considered weak by most carriers and are flagged as exclusion-eligible by some. Underwriter-grade MFA in 2026 is FIDO2 hardware tokens, passkeys or app-based MFA with number matching for all privileged accounts. Standard accounts can still use app-based MFA with number matching. SMS MFA is acceptable as a fallback only, not as the primary factor.
What backup architecture passes underwriter scrutiny?
The carrier expectation is now the 3-2-1-1-0 model: 3 copies of data, on 2 different media, with 1 offsite, 1 immutable or air-gapped and 0 errors verified through tested restores. The immutable piece is the ransomware floor. Backups that a ransomware operator can encrypt alongside production data do not satisfy the requirement.
What endpoint protection do carriers require?
Endpoint Detection and Response (EDR), not legacy signature-based antivirus. The carrier expectation is 100 percent coverage on managed endpoints, with monthly compliance review. Common failure: a real inventory shows 85 to 92 percent coverage rather than the 100 percent the firm assumed. The gap is usually unmanaged BYOD devices, abandoned virtual machines or legacy systems excluded from the deployment.
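The 85-to-92-percent surprise above comes from never joining the asset inventory to the EDR console's own roster. The script below is an added example for this guide, not a tool from the page or from any EDR vendor: it reconciles two constructed CSV exports (the inventory the firm believes is complete and the hosts the EDR console has seen), treats a sensor that has not checked in for a week as no coverage, and reports the coverage percentage, the uncovered hosts grouped by asset type, and agents that have no inventory record at all. Host names, types and the seven-day staleness threshold are assumptions for the sample; a real run would export the same two columns from the RMM or CMDB and the EDR console.

```python
"""Reconcile an asset inventory against the EDR console roster to get the
real coverage percentage and the list of uncovered hosts.

Added example for this guide, not a tool from the page or from any EDR
vendor. Both CSV inputs are constructed samples; in practice they are
exported from the RMM or CMDB and from the EDR console.
"""
import csv
import io
from collections import Counter

# Constructed sample: the inventory the firm believes is complete.
ASSET_INVENTORY_CSV = """hostname,type,owner
WS-FIN-001,workstation,finance
WS-FIN-002,workstation,finance
ws-hr-010,workstation,hr
WS-SALES-005,workstation,sales
SRV-ERP-01,server,it
srv-legacy-03,server,it
VM-BUILD-07.corp.example,virtual,dev
laptop-byod-22,byod,sales
"""

# Constructed sample: hosts known to the EDR console, with days since last check-in.
EDR_AGENTS_CSV = """hostname,last_seen_days,sensor_version
ws-fin-001,0,7.2.1
WS-FIN-002,1,7.2.1
WS-HR-010,0,7.2.1
ws-sales-005,30,7.0.2
srv-erp-01,2,7.1.9
vm-build-07,0,7.2.1
svr-decom-99,0,7.2.1
"""


def normalize(hostname: str) -> str:
    """Lower-case and drop the DNS suffix so both sources join on the same key."""
    return hostname.strip().lower().split(".")[0]


def load_by_host(csv_text: str) -> dict:
    """Read a CSV export into {normalized_hostname: row}."""
    return {normalize(row["hostname"]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def edr_coverage(asset_csv: str, edr_csv: str, stale_days: int = 7) -> dict:
    """Compute coverage the way an underwriter would read it.

    A host counts as covered only if an agent has checked in within
    `stale_days`; a sensor that last reported a month ago protects nothing.
    """
    assets = load_by_host(asset_csv)
    agents = load_by_host(edr_csv)
    active = {h for h, row in agents.items()
              if int(row["last_seen_days"]) <= stale_days}

    covered = sorted(h for h in assets if h in active)
    uncovered = sorted(h for h in assets if h not in active)
    # Agents with no inventory record: the inventory itself is incomplete.
    orphans = sorted(h for h in agents if h not in assets)
    pct = round(100.0 * len(covered) / len(assets), 1) if assets else 0.0

    return {
        "total": len(assets),
        "covered": covered,
        "uncovered": uncovered,
        "gap_by_type": dict(Counter(assets[h]["type"] for h in uncovered)),
        "orphans": orphans,
        "coverage_pct": pct,
    }


if __name__ == "__main__":
    report = edr_coverage(ASSET_INVENTORY_CSV, EDR_AGENTS_CSV)
    print(f"EDR coverage: {report['coverage_pct']}% of {report['total']} inventoried hosts")
    for host in report["uncovered"]:
        print(f"  uncovered: {host}")
    for host in report["orphans"]:
        print(f"  not in inventory: {host}")
```

On the sample data the firm would have claimed 100 percent; the join shows 62.5 percent, with the gap made up of exactly the categories the paragraph names (a BYOD laptop, a legacy server, and a workstation whose sensor went silent a month ago) plus one host the EDR console knows about that the inventory does not. Running this on the first of each month and filing the dated output is what turns "EDR on every endpoint" into an answer the carrier can verify.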
What incident response evidence do underwriters review?
The application typically asks if the IR plan is documented, current (reviewed within 12 months) and tested (at least one tabletop in the last 12 months with documented output). Tested specifically means a tabletop exercise, not a fire drill. The output should include attendees, scenarios run, decisions made and follow-up actions. A plan that exists on paper without exercise output answers the question weakly.
What logging and SIEM expectations exist?
Carriers increasingly expect centralized log retention (1 year minimum for security-relevant events) and active SIEM monitoring or MDR coverage. The expectation is not that the firm runs an in-house SOC, but that some entity (in-house, MSP, MDR provider) monitors logs in real time with documented response procedures. Collecting logs is not the same as monitoring them. Carriers verify the difference.
Common gaps that cause premium increases or non-renewal
Renewal outcomes are decided in the gaps. The same five patterns surface across mid-market portfolios year after year.
What are the most common renewal failure patterns?
Five recurring failure patterns: MFA gaps (deployed for email but not the VPN or ERP), backup non-compliance with the immutable requirement, EDR coverage below 95 percent, incident response plans that exist but have not been tabletop-tested in 12 months and DMARC stuck in monitor mode rather than enforcement. Each is individually fixable, but firms often have several at once.
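The DMARC pattern is the easiest of the five to check objectively, because the answer is a single DNS TXT record. The script below is an added example for this guide, not a tool from the page: it parses a DMARC record into its tags and classifies it as missing, monitor-only (p=none), partial (quarantine, a pct below 100, or a subdomain policy left at none) or full enforcement, listing the findings an underwriter would read back to the firm. The record strings are constructed samples for a hypothetical example.com; in practice the TXT record at _dmarc.<domain> is fetched with a DNS lookup and passed to classify_dmarc().

```python
"""Classify a published DMARC record as missing, monitor-only, partial or
enforcement, with the findings an underwriter would ask about.

Added example for this guide, not a tool from the page. The records below
are constructed samples; in practice the TXT record at _dmarc.<domain>
is fetched with a DNS lookup and passed to classify_dmarc().
"""

# Constructed sample records for a hypothetical example.com.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
SUBDOMAIN_GAP = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1"
NO_REPORTING = "v=DMARC1; p=reject"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record):
    """Return {'level': ..., 'findings': [...]} for one DMARC TXT record (or None)."""
    if record is None:
        return {"level": "missing",
                "findings": ["no _dmarc TXT record published; receivers apply no policy"]}

    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"level": "invalid", "findings": ["record does not begin with v=DMARC1"]}

    findings = []
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer; treat as not enforced")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere, so nobody sees spoofing")
    if p == "none":
        findings.append("p=none is monitor mode: receivers take no action on failing mail")
    elif p == "quarantine":
        findings.append("p=quarantine: failing mail is junked rather than rejected")
    elif p != "reject":
        findings.append(f"missing or unrecognised p= value {p!r}")
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if sp == "none" and p != "none":
        findings.append("sp=none leaves every subdomain in monitor mode")

    if p not in ("quarantine", "reject"):
        level = "monitor"
    elif p == "reject" and sp == "reject" and pct == 100:
        level = "enforcement"
    else:
        level = "partial"
    return {"level": level, "findings": findings}


if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR_ONLY), ("partial", PARTIAL),
                      ("subdomain gap", SUBDOMAIN_GAP), ("enforced", ENFORCED)]:
        result = classify_dmarc(rec)
        print(f"{name:14s} -> {result['level']}")
        for f in result["findings"]:
            print(f"    {f}")
```

Only the last sample answers "DMARC at enforcement" cleanly. The quarantine-at-25-percent record and the p=reject record with sp=none are the ones that produce a Soft answer: the firm believes it has enforced, but most failing mail is still delivered. A record that reaches reject with no rua= address is technically enforced but nobody receives the aggregate reports, which is the next question the underwriter asks.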
Why do firms see premium increases at renewal?
The common drivers: weak control answers compared to the prior year (the firm did not improve, but the carrier raised expectations), industry-wide loss experience increases (ransomware activity in the firm's vertical), policy retention (claims under the prior policy) or new exclusions narrowing coverage. A firm that closes 5 to 7 control gaps between renewals often sees flat or slightly reduced premium.
What conditions trigger non-renewal?
Non-renewal usually follows one of three triggers: a recent significant claim under the policy, a control gap the carrier explicitly will not insure (commonly: no immutable backup, no EDR, no MFA on privileged accounts) or industry-specific risk reclassification (for example, certain manufacturing verticals after high-profile ransomware attacks). Brokers can sometimes find alternative carriers, but at premium and term differences.
What exclusions are carriers writing today?
Common 2026 exclusions: ransomware coverage gated on specific control attestations, social engineering and wire fraud sub-limits, war and nation-state activity (now standard), pre-existing vulnerability exclusions if the firm knew of an unpatched issue and MFA-conditional coverage that voids if MFA was not enforced at the time of incident. Read the exclusions section, not just the coverage summary.
Practical preparation
Most renewal pain comes from compressed timelines. A standing evidence library and a 90-day sequence remove the scramble.
How do we prepare for renewal in 90 days?
A practical 90-day sequence: days 1 to 30 for gap assessment against last year's application and the carrier's current questionnaire (often updated each year), days 31 to 60 for remediation of high-impact gaps and evidence collection, days 61 to 90 for application drafting, broker review and final remediation of anything outstanding. Reserve the last 10 days for application sign-off and submission.
What documentation should we have ready before the application opens?
An evidence library should cover: written information security policy, incident response plan, business continuity plan, asset inventory, network diagram, MFA enforcement attestation, EDR coverage report, backup verification logs (most recent successful restore), DMARC enforcement screenshot, training completion records, vendor risk inventory and any prior risk assessment reports against NIST CSF or CIS Controls. Maintain dated copies.
How do we run a pre-renewal self-assessment?
Pull last year's application. For every question, score the current answer as Strong, Soft or Weak. Soft answers are where the gap usually is. Map each Soft or Weak answer to the specific control, tool or process that would make it Strong. Prioritize the highest-impact lifts first (typically MFA expansion, EDR coverage, immutable backup, tested restores). Re-score 30 days before submission.
What evidence library should we maintain year-round?
A monthly cadence works for most firms: pull EDR coverage report, MFA enforcement audit, backup verification logs and patch compliance summary on the first of each month. Store dated copies in a shared location. Annual cadence: refresh policy documents, run tabletop exercise, update IR plan, complete vendor risk review. The library compounds across renewals and security questionnaires.
Working with brokers and Atticus Rowan
The broker places coverage. The MSP operates the security program the application describes. Both roles are necessary and they do not overlap.
What does our broker do versus what does Atticus Rowan do?
The broker negotiates with carriers, places coverage and advises on policy structure and limits. Atticus Rowan operates the security program that the application describes: deploying and documenting controls, running monthly evidence collection and producing the artifacts the broker submits. Both roles are necessary. The broker cannot make the firm secure. The MSP cannot place coverage. Coordinated, the renewal goes smoothly.
When should we engage Atticus Rowan for renewal support?
Three common engagement points: 90 to 120 days before renewal for full readiness work (gap assessment, remediation, application support), 60 days before renewal for application support only when controls are already in place, or any time during the policy year for an ongoing engagement that maintains evidence and control posture so renewal is routine. The earlier, the more we can move premium.
What does an Atticus Rowan cyber insurance readiness engagement include?
A readiness engagement typically covers: gap assessment against the current carrier questionnaire, remediation of MFA, EDR, backup and logging gaps, documentation refresh (IR plan, security policy, asset inventory), evidence library setup, application drafting support and broker coordination during renewal week. Engagements are scoped per organization. The 30-day assessment is the entry point for any new client engagement.
What outcomes can we expect from cyber insurance readiness work?
Practical outcomes vary by starting posture, but a typical engagement produces: stable or reduced premium at renewal (versus industry-average increases), removal of conditional exclusions, application complete 30 days before deadline (rather than scrambling at the wire) and a maintained evidence library that also serves customer security questionnaires and PE diligence cycles. The engagement compounds across renewals and other use cases.
Related cornerstone reading
- The 25 questions you'll fail on your next cyber insurance renewal — the working list of weak-answer questions and what credible responses look like.
- Cyber insurance renewal walkthrough — step-by-step guide to a defensible renewal.
- MFA, EDR, backups: the cyber insurance trifecta — what carriers expect at the floor and how to attest to it.
- Lower cyber insurance premium — specific controls that move premium materially.
- The 3-2-1-1-0 backup rule — modern backup architecture for ransomware survivability.
Renewal coming up?
If your cyber insurance renewal is in the next 6 months and you want a fresh set of eyes on the application before it lands with your broker, schedule a conversation. We can walk through your current posture, identify the gaps that move premium and scope what a credible close-the-gap plan looks like.
Schedule a Discovery Call