
Article 1 · 2026 cyber market shift

What changed in 2026 cyber insurance.

The US cyber insurance market quietly restructured itself between 2024 and 2026. Six structural shifts now reshape every renewal conversation. If you signed your last policy before 2025, the form in front of you this year is materially different — and the gap between the two is where claims get denied.

This piece is for the owner reading the renewal application and the broker fielding underwriter questions. Six shifts, the typical premium outcomes, and the lie-at-application pattern that's voiding claims at scale.

By Stefan Efros, CEO & Founder, EFROS. Reviewed by Daniel Agrici, Chief Security Officer, EFROS.

What's different in 2026

The 6 big shifts in 2026 cyber insurance

Read these in order — they compound. The AI exclusion is the headline, but the MFA-evidence requirement and the ransom payment cap are the structural changes most likely to affect your specific claim outcome.

Shift 1

AI exclusions are now standard, not optional

Through 2024, AI exclusions in cyber policies were rare and negotiable. In 2026, every major US cyber carrier (Chubb, AIG, Travelers, Beazley, Coalition, At-Bay, Resilience, Munich Re, Tokio Marine HCC, CNA, Liberty Mutual, AXA XL) ships a default AI exclusion endorsement. The language varies — some exclude AI-generated content, some exclude losses caused by AI vendors, some exclude AI-driven decision outputs — but the default position has flipped from "AI is silently covered" to "AI is excluded unless you negotiate it back in." Owners who skipped the policy comparison in 2024 will read the 2026 renewal and find an exclusion that wasn't there before.

Shift 2

Ransomware payment caps regardless of policy limit

Most 2026 cyber policies now cap ransom payment reimbursement at $100k-$500k regardless of the overall policy limit. A $5M cyber policy with a $250k ransom payment cap means if you pay a $1.2M ransom, the carrier reimburses $250k and you eat the $950k delta. This is the single biggest market shift owners are walking into blind — the headline policy limit looks unchanged but the ransomware sub-limit is the only number that matters when you're actually negotiating with the threat actor. (Sources: Marsh US Cyber Market Update 2025; Aon Cyber Insurance Snapshot Q4 2025.)

Shift 3

Social engineering carved into its own line item

Business email compromise, vendor impersonation, deepfake voice attacks, and CEO-fraud wire transfers were all loosely lumped under "cybercrime" or "funds transfer fraud" through 2024. In 2026 every carrier separates social engineering into its own coverage line with its own sub-limit (typical $100k-$250k), its own deductible, and its own underwriting questionnaire. Expect questions about dual-approval workflows on wire transfers above a threshold, callback verification protocols, and whether your AP team has documented training within the last 12 months.

Shift 4

MFA evidence required at application — not attestation

From 2021-2024, carriers accepted "yes" on the MFA question with no evidence. After three years of claims where the insured had attested to MFA but only had it on one admin account, carriers now require evidence at application: a screenshot or CSV export from Microsoft Entra, Okta, Google Workspace, or your identity provider showing MFA enforcement on all admin accounts at minimum, and ideally all users. Attestation without evidence is now treated as a soft denial trigger if a claim event involves credential compromise.

Shift 5

Third-party / supply-chain notification within 72 hours

When a vendor in your stack gets breached and your data is affected, 2026 cyber policies require notification to the carrier within 72 hours — even if you haven't confirmed your specific data was exposed yet. This matches state breach notification timelines (most US states now require 30-day notification post-confirmation) but compresses the carrier-notification window dramatically. Owners who learn about a vendor breach via a news article and wait two weeks to notify the carrier risk a notification-window denial under the policy.

Shift 6

Continuous monitoring — EDR + 24/7 SOC, not "we have antivirus"

The 2024 application asked "do you have antivirus" and "yes" was an acceptable answer. The 2026 application asks: what EDR product, deployed on what percentage of endpoints, monitored by whom, with what response SLA. Carriers want CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint Plan 2, Sophos Intercept X, or similar tier-1 EDR — backed by either an in-house 24/7 SOC or a contracted MSSP (Arctic Wolf, eSentire, Critical Start, Expel, EFROS, etc.) with a documented response SLA. "We have Webroot" or "we have McAfee Total Protection" is now scored as no EDR.

What this means for premiums

Typical 2026 outcomes by risk class

The overall US cyber market softened in 2025 after the 2022-2023 hard-market peak — but the softening is uneven. Clean accounts (low-risk class) are seeing flat or negative renewals; accounts with prior incidents and stale controls are seeing the opposite.

Low-risk class

Profile: Sub-$50M revenue, no prior incidents, MFA enforced everywhere, tier-1 EDR + 24/7 SOC contracted, documented IR plan, offline backups tested within 30 days

Expect: Flat to -5% renewal. Some markets quoting -10% to -15% year-over-year for clean accounts as the market softens off 2022-2023 peaks.

Mid-risk class

Profile: Mid-market, one minor incident or near-miss in past 24 months, MFA on admins only, EDR partially deployed, no formal IR plan

Expect: +15% to +30% renewal. May require remediation commitments (deploy MFA to all users within 90 days, etc.) to bind coverage at the quoted premium.

High-risk class

Profile: Prior ransomware claim in past 36 months, missing MFA evidence, legacy AV instead of EDR, no SOC, no IR plan, vendor concentration in regulated data

Expect: +40% to +100% renewal — if any carrier will quote. Multiple non-renewals reported in 2025 for accounts that haven't materially improved posture since the last incident.

Sources: Marsh US Cyber Market Update Q4 2025, Aon Cyber Insurance Snapshot 2025, AM Best US Cyber Insurance Segment Report 2026, S&P Global Ratings cyber insurance commentary. Premium ranges are directional; specific quotes depend on industry vertical, jurisdiction, claims history, and submission completeness.

Claims investigation

What carriers are doing differently in claims investigation

The first thing the claims investigator does in 2026 is pull your renewal application from the binder file and verify every control you attested to. If you said you had MFA on all admin accounts in May and the breach in November was caused by an admin account without MFA, the claim is reviewed for material misrepresentation. Carriers have hired specialized forensic vendors (Kivu, Tetra Defense, Mandiant, Arete, Charles River Associates) whose specific job is to verify pre-incident controls — not just remediate the incident.

The second thing they do is cross-check your incident history. State breach notification registries (most US states publish breach notifications publicly), SEC filings for public companies, federal cybersecurity disclosure requirements, and an emerging set of underwriting databases (Coalition, SecurityScorecard, BitSight) all feed back into the claims process. If you had an incident in 2024 that you didn't disclose at the 2026 renewal, the claim investigator will find it within the first week.

The third thing they look for is whether your IR vendor was on the policy's approved panel. Many 2026 policies now condition full reimbursement on using a carrier-approved IR firm — and if you called your favorite local IT shop instead of the panel firm, the reimbursement is capped or denied for the IR vendor line item. The IR panel is in the policy schedule; read it before the renewal binds.

The most expensive mistake at renewal

The "lie at application, get denied at claim" pattern

Every cyber carrier has examples in 2024-2025 of insureds who attested to controls they didn't have, suffered a claim event, and had the claim denied citing material misrepresentation under the application. The pattern is consistent: owner under time pressure, application questions are technical, broker answers "yes" on behalf of the owner without verifying, the policy binds, and the gap surfaces only when the claim is filed and the forensic investigation cross-checks the application answers.

The two most common false attestations in denied claims: MFA enforcement (attested yes, only had on one account) and backup testing (attested yes, never actually tested a restore). Both are easy to verify on the forensic side and both are consistent enough in the application questionnaire across carriers that the misrepresentation is hard to argue away.

The remedy is simple in concept and hard in execution: tell the truth. If you don't have MFA on every admin account today, say so on the application and either accept the higher premium or deploy MFA before binding. If you've never restored from your backup, say so. Most carriers will work with you on a 30-90 day remediation commitment that becomes a binding condition of coverage — and the alternative is signing a policy that won't pay when you need it to.
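As an added example (not from the article or from EFROS), here is the kind of check an owner or broker can run over the identity provider's user export before answering the MFA question, covering both the evidence requirement in Shift 4 and the MFA false-attestation pattern above. It assumes a CSV export with the columns userPrincipalName, isAdmin and mfaEnforced; real exports use their own column names and need mapping, and the sample rows are constructed.

```python
"""Pre-attestation MFA coverage check over an identity-provider user export.
Added example, not from the article; the CSV layout and sample rows are constructed."""
import csv
import io

# Constructed sample export (column names assumed; map your IdP's real columns here).
SAMPLE_EXPORT = """\
userPrincipalName,isAdmin,mfaEnforced
alice@example.com,true,true
bob@example.com,true,false
carol@example.com,true,true
dave@example.com,false,true
erin@example.com,false,false
frank@example.com,false,true
"""

def _flag(value: str) -> bool:
    # Normalise the true/false spellings different exports use.
    return value.strip().lower() in {"true", "yes", "1", "enforced"}

def mfa_coverage(export_csv: str) -> dict:
    """Count MFA enforcement on admin accounts and on all users, listing the gaps."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    admins = [r for r in rows if _flag(r["isAdmin"])]
    admin_gaps = [r["userPrincipalName"] for r in admins if not _flag(r["mfaEnforced"])]
    user_gaps = [r["userPrincipalName"] for r in rows if not _flag(r["mfaEnforced"])]
    return {
        "admin_total": len(admins),
        "admin_covered": len(admins) - len(admin_gaps),
        "admin_gaps": admin_gaps,
        "user_total": len(rows),
        "user_covered": len(rows) - len(user_gaps),
        "user_gaps": user_gaps,
    }

def attestation_answer(report: dict) -> str:
    """The application answer the export actually supports."""
    if not report["admin_total"]:
        return "no: export lists no admin accounts; check the column mapping"
    if report["admin_gaps"]:
        return "no: admin accounts without MFA: " + ", ".join(report["admin_gaps"])
    if report["user_gaps"]:
        return "yes: MFA enforced on all admin accounts; partial on users"
    return "yes: MFA enforced on all users"

if __name__ == "__main__":
    rep = mfa_coverage(SAMPLE_EXPORT)
    print(f"admins {rep['admin_covered']}/{rep['admin_total']}, users {rep['user_covered']}/{rep['user_total']}")
    print(attestation_answer(rep))
```

Keep the export itself alongside the application: the report is only as good as the evidence behind it, and the export is what the carrier will ask for.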

The next article in this hub — the application cheat sheet — walks through the 7 questions on a 2026 cyber application and how to answer each one honestly without scoring yourself out of coverage.

FAQ

Application accuracy — the questions owners ask

If I attested to MFA in 2024 but only had it on one account, can the carrier deny a 2026 claim?

Yes — and they do. Material misrepresentation on the application is the most common reason cyber claims get denied or rescinded in 2025-2026. The remedy is to true up the answer at the 2026 renewal: deploy MFA broadly, gather the evidence, and submit accurate application answers. Carriers reward the cleanup; they punish the cover-up.

What counts as a 'prior incident' on the application?

Almost everything. Any unauthorized access, business email compromise, wire transfer fraud (even reversed), data exposure (even self-reported), ransomware deployment (even paid in cash and not via insurance), or vendor breach affecting your data. If you formally notified state regulators, the SEC, IRS, or affected individuals — disclose. If you investigated and concluded no harm — disclose anyway and let the underwriter decide.

Should I tell the carrier about an incident the FBI is still investigating?

Yes. The exception for ongoing law enforcement investigations under most state breach notification laws does NOT extend to your cyber insurance application. Carriers treat omission of an active incident — even one the FBI told you to keep confidential — as material misrepresentation. Disclose to the carrier under their standard confidentiality, then coordinate timing of public disclosure separately.

What does 'documented IR plan' mean to a carrier in 2026?

A written document — typically 4-12 pages — that names the IR coordinator, lists the IR vendor on retainer, defines escalation thresholds, lists the regulators and the breach notification timelines for each US state where you have customers, and includes contact information for the carrier's claim hotline. A two-paragraph blurb in your employee handbook does not count. The carrier will ask to see the document.

Three ways to get ready before renewal

Quantify what an incident would cost, benchmark your renewal readiness in five minutes, or book a 20-minute call to walk through your application question by question.