    Cyber Insurance in 2026: What Insurers Require and How a Pentest Helps

    Sectricity Security Team, January 22, 2026

    Cyber insurers are tightening requirements. Organisations without documented security testing, MFA, and incident response plans are facing higher premiums or outright exclusions. This guide explains what insurers actually assess and how a penetration test strengthens your position.

    TL;DR

    Cyber insurers have moved from asking broad questions about security to requiring specific, documented evidence of controls. Organisations without multi-factor authentication, endpoint protection, tested incident response plans, and documented vulnerability management are facing higher premiums, coverage exclusions, or outright declined applications. A penetration test is increasingly part of what insurers assess. This guide explains what insurers actually look for, where most organisations fall short, and how a structured security testing programme positions you for better coverage at a lower cost.

    Why cyber insurance requirements have tightened

    The cyber insurance market hardened significantly following a series of large ransomware payouts and supply chain incidents. Insurers discovered that many organisations had purchased coverage while carrying significant, undisclosed security weaknesses. Premium increases, coverage restrictions, and stricter underwriting followed.

    The result is that cyber insurance applications now resemble security audits. Underwriters assess specific control categories, verify claims where possible, and price coverage based on the actual security posture they observe rather than the posture organisations claim to have.

    What insurers actually assess

    Multi-factor authentication

    MFA on all remote access and all privileged accounts is now a baseline requirement for most insurers. Organisations without MFA on remote desktop, VPN, and administrative accounts are considered high risk regardless of other controls in place. Some insurers will not offer coverage to organisations that cannot confirm MFA on email and cloud services.

    Endpoint detection and response

    Traditional antivirus is no longer sufficient in the eyes of most underwriters. Endpoint detection and response tools that provide behavioural analysis, threat hunting capability, and incident investigation support are now expected. Coverage for ransomware events is frequently excluded or restricted for organisations running only legacy endpoint protection.

    Backup and recovery

    Insurers assess whether backups are immutable, whether they are stored offline or in an isolated environment, and whether they have been tested. Organisations whose backups are accessible from the production network and therefore vulnerable to encryption in a ransomware event represent higher recovery costs and higher claims risk.

    Incident response plan

    An untested, generic incident response plan carries little weight with experienced underwriters. Insurers look for evidence that the plan has been exercised, that roles and contacts are current, and that the organisation knows how to meet its regulatory notification obligations under NIS2 or DORA. A tabletop exercise conducted in the past twelve months is the most credible evidence.

    Vulnerability management and penetration testing

    Insurers increasingly distinguish between organisations that have a documented vulnerability management process, those that conduct regular penetration testing, and those that do neither. A recent penetration test report showing that vulnerabilities were identified and remediated demonstrates active risk management. Organisations that cannot produce any evidence of security testing are assessed as carrying unknown and unmanaged risk.

    Privileged access management

    The management of privileged accounts, service accounts, and administrative credentials is a significant underwriting factor. Organisations with poorly controlled privileged access face higher premiums because credential compromise and lateral movement represent the most common attack path in covered incidents.

    The disclosure problem

    Cyber insurance policies contain warranty clauses requiring accurate disclosure of security controls at the time of application. This creates a significant liability risk for organisations that claim to have controls they do not actually have, or that fail to disclose known vulnerabilities.

    When a claim is made and an insurer investigates, they will assess whether the controls disclosed at application time were actually in place. If they find a material discrepancy, they may void the policy or deny the claim. Disputed claims on this basis have increased significantly as insurers have invested in forensic investigation capability.

    A penetration test conducted before renewal provides documented evidence of your actual security posture at a specific point in time. If vulnerabilities were found and remediated, the test report demonstrates due diligence. If vulnerabilities were found and are in the remediation process, accurate disclosure of this is far safer than non-disclosure.

    How a penetration test improves your insurance position

    Evidence of active risk management. A pentest report shows that your organisation identifies and addresses vulnerabilities rather than assuming security controls are working. This reduces the perceived risk profile in underwriting.

    Gap identification before renewal. Testing before your renewal date allows you to remediate findings before application, avoiding the premium impact of disclosing unaddressed weaknesses.

    Accurate disclosure. A recent test report provides a defensible basis for answering underwriting questions about your security controls. This reduces the risk of post-claim disputes about disclosure accuracy.

    Reduced premiums over time. Organisations that demonstrate a maturing security programme through recurring testing and documented remediation typically see more favourable renewal terms as their track record develops.

    Cyber insurance and regulatory compliance

    NIS2 requires essential and important entities to implement risk management measures that overlap significantly with what cyber insurers require: vulnerability management, incident handling, supply chain security, and security testing. An organisation building toward NIS2 compliance is simultaneously building toward a stronger insurance position.

    The practical implication is that the cost of a penetration test, an incident response plan review, and the remediation of identified vulnerabilities should be evaluated against both the reduction in insurance premiums and the reduction in regulatory risk. For most organisations, the investment pays for itself in reduced premiums within one to two renewal cycles.

    FAQ

    What do cyber insurers require?

    Cyber insurers typically require multi-factor authentication on all remote access and privileged accounts, endpoint detection and response, network segmentation, documented backup and recovery procedures, a tested incident response plan, and evidence that security controls are being maintained. Beyond this baseline, applications also commonly cover privileged access management, email filtering, patch management and, increasingly, documented penetration testing results.

    Does cyber insurance require a penetration test?

    An increasing number of insurers include penetration testing in their questionnaires or underwriting requirements, particularly for larger organisations and those in high-risk sectors. Even where it is not explicitly required, a recent penetration test report demonstrating that vulnerabilities have been identified and remediated strengthens your underwriting position and can reduce premiums. Organisations without any documented security testing are increasingly viewed as higher risk.

    What happens if you make a claim and did not disclose a security gap?

    Cyber insurance policies contain warranty clauses requiring accurate disclosure of security controls at the time of application. If an insurer investigates a claim and finds that a material security gap existed that was not disclosed, the insurer may void the policy or deny the claim. This is a growing source of disputed claims. Maintaining documented evidence of your security controls, including penetration test findings and remediation actions, is the strongest protection against this outcome.

    How does a penetration test affect cyber insurance premiums?

    A penetration test affects premiums in two ways. First, it generates evidence that your organisation actively identifies and addresses vulnerabilities, which reduces the perceived risk profile. Second, it allows you to identify and remediate gaps before renewal, avoiding the premium increases that come from disclosing unaddressed weaknesses. Organisations that can demonstrate a mature, documented security testing programme typically receive more favourable underwriting terms.

    What is the relationship between cyber insurance and NIS2?

    NIS2 requires essential and important entities to implement risk management measures including penetration testing and security assessments. Organisations that comply with NIS2 requirements will typically also satisfy a large portion of the security controls that cyber insurers require. The security posture needed for NIS2 compliance and the security posture needed for favourable cyber insurance terms overlap significantly.

    Related services and resources

    Sectricity provides penetration testing that generates the documented evidence of security testing that insurers increasingly require. Our compliance-mapped security testing covers both NIS2 requirements and the control categories that underwriters assess. For related guidance, see our guides on incident response planning and penetration testing in the EU. Start with a free security scan.