Your Cyber Insurance Carrier Wants Receipts Now
Phil Bolton · May 5, 2026 · 3 min read
A founder I work with runs a 41-person professional services firm. Her cyber renewal quote came back last week. Same carrier, same coverage, 34% higher than last year. The broker explained it as "the new questionnaire."
Eleven pages this year. Last year's was four. The new one asked for screenshots of MFA enforcement, evidence of a quarterly backup restore test, vendor security review documentation, and an EDR coverage map by department. Same firm, same risk profile, more receipts.
Her quote came in higher because she couldn't produce most of them in the week the broker asked.
What changed
S&P forecasts a 15-20% across-the-board premium increase for cyber lines in 2026. That's the headline. The bigger story sits underneath it.
Carriers stopped underwriting cyber insurance like insurance. They're underwriting it like an audit. The questionnaire isn't a formality anymore. It's the file the underwriter uses to decide whether your control posture matches what you said it was. Companies that can produce screenshots, logs, and policy documents on request get priced toward the lower end of the increase band. Companies that can't are priced toward the upper end, or get exclusions added that hollow out the policy where you'd actually file a claim.
Three controls show up in almost every 2026 questionnaire. MFA enforcement on email and remote access, with logs. Backup restore testing, with dates and results. Endpoint detection and response coverage, broken out by device type.
If your IT lead can pull artifacts on those three in a day, your renewal is a routine repricing. If they can't, you're in the discretionary pile.
Cyber underwriters in 2026 are not asking whether you have controls. They're asking whether you can prove it.
What to do before your renewal
Pull last year's policy and the original application this week. Find your renewal date. If it's within ninety days, your control documentation cleanup starts now, not after the broker calls.
Ask your IT lead or MSP three questions in writing. Can you produce a current MFA enforcement report? When was our last backup restore test, and where's the documentation? What's our EDR coverage rate by endpoint type? Make them answer with artifacts, not assurances. The artifact is what the underwriter wants. The assurance is what got you to last year's premium.
Read this year's exclusions against last year's. The 2024 policy your firm signed had narrow carve-outs. The 2026 policy has broader ones. Ransomware sublimits, business email compromise caps, social engineering exclusions that didn't exist two cycles ago. Brokers won't walk you through the changes line by line if you don't ask. A 30% increase on a five-figure premium with smaller coverage is a worse deal than the headline number suggests.
The shape of 2026 cyber
Cyber capacity isn't shrinking. It's being rationed by documentation quality. Firms that treat the questionnaire like a security audit will renew with smaller increases and broader coverage. Firms that treat it like the same form they filled out last year will see their first hard repricing.
The carrier didn't decide to charge you more. You did, the day you stopped producing the evidence.

Phil Bolton
Founder & Principal at Manitou Advisory