Cyber Insurance Requirements: Complete Guide to Coverage, Controls, and Application (2026)
January 29, 2026
Updated: February 22, 2026
25 min read
Risk Management
Cyber insurance is a specialised insurance product that covers financial losses from cyber incidents — including data breaches, ransomware attacks, business interruption, and third-party liability — with underwriting requirements that now mandate specific security controls such as MFA, EDR, and incident response plans.
Cyber insurance has evolved from a niche product into a critical component of enterprise risk management. With the average cost of a data breach reaching $4.88 million (IBM 2025) and ransomware attacks demanding payments in the millions, even well-defended organisations face financial exposure that can threaten their survival. Meanwhile, insurers have responded to escalating claims by tightening underwriting requirements — the days of buying cyber insurance with minimal security controls are over.
Today's cyber insurance requirements read like a security audit checklist: multi-factor authentication, endpoint detection and response, privileged access management, incident response plans, backup strategies, and employee security awareness training are all standard prerequisites. Organisations that can't demonstrate these controls face premium increases of 50–100%, exclusions on key coverages, or outright denial.
This guide explains what cyber insurance covers, what security controls insurers require, how to navigate the application process, and how your compliance programmes (GDPR, NIS2, ISO 27001, SOC 2) align with insurance requirements.
Quick Reference
Details
What is cyber insurance?
Insurance coverage for financial losses resulting from cyber incidents (breaches, ransomware, business interruption, liability)
Other names
Cyber liability insurance, cyber risk insurance, data breach insurance
Ransomware is #1 claim type; business email compromise is #2
Key Takeaways
Share article
Need help with compliance?
Contact us for a free consultation
Cyber insurance covers financial losses from cyber incidents — including breach costs, ransomware payments, business interruption, legal defence, and regulatory fines
Insurers have dramatically tightened underwriting requirements since 2020 — MFA, EDR, and tested backup are now minimum thresholds for most carriers
Cyber insurance is not a substitute for security — it's a risk transfer mechanism for residual risk after you've implemented reasonable controls
The application questionnaire is essentially a security audit — answer honestly, because inaccurate answers can void your policy
ISO 27001, SOC 2, and NIS2 compliance directly support your cyber insurance application by demonstrating mature security controls
First-party coverage protects you; third-party coverage protects against liability claims from others (customers, regulators)
War exclusions and systemic risk exclusions are expanding — understand your policy's exclusions before a claim
Organisations with mature security programmes can negotiate premium reductions of 15–30%
Cyber insurance (also called cyber liability insurance or cyber risk insurance) is a specialised insurance product that covers financial losses arising from cyber incidents. It's designed to fill the gap that traditional insurance policies (general liability, property, professional indemnity) don't cover.
Cyber incidents covered typically include:
Data breaches (unauthorised access to personal or confidential data)
Ransomware attacks
Business email compromise and social engineering fraud
Network security failures
System outages caused by cyberattacks
Cyber extortion
Regulatory investigations and fines
What Cyber Insurance Covers (and Doesn't)
What's Typically Covered
Coverage Area
What It Pays For
Breach response costs
Forensic investigation, notification to individuals, credit monitoring, call centre
Update information annually; demonstrate control improvements to negotiate better terms
Application Accuracy Warning
Critical: Your application is a representation of your security posture. If you claim to have MFA on all remote access but you don't, and a breach occurs through an unprotected remote access point, the insurer may deny the claim or rescind the policy. Be honest. If a control is partially implemented, say so. Insurers prefer honest partial implementation over dishonest claims of full coverage.
Common Policy Exclusions
Exclusions to Watch
Exclusion
What It Means
Negotiation Tip
War/hostile acts
Attacks attributed to nation-states may be excluded
Ask for specific wording; "cyber war" definitions vary; some policies now have "cyber operation" sub-limits
Infrastructure failure
Widespread outage (major cloud provider, internet backbone)
Ask whether the exclusion applies only to non-cyber infrastructure or also to cyberattacks on infrastructure
Unencrypted data
Losses from breach of unencrypted portable devices
Ensure your encryption policy covers all portable devices and media
Failure to patch
Losses from exploitation of known vulnerabilities not patched within a defined timeframe
Understand the expected patching timeline; align with your vulnerability management policy
Prior acts
Incidents or circumstances known before the policy inception
Ensure your retroactive date provides adequate coverage for past acts
Regulatory fines
Some policies exclude regulatory fines in certain jurisdictions where they're considered non-insurable
Ask specifically about GDPR fine coverage; varies by insurer and jurisdiction
Betterment
Costs to improve beyond pre-incident state
Understand that insurance restores, not upgrades
Social engineering sub-limit
BEC/wire fraud may have a lower sub-limit than the main policy
Negotiate adequate social engineering limits if BEC is a concern
Cyber Insurance and Compliance Alignment
Your compliance programmes directly support your cyber insurance posture:
Social engineering or ransomware claims hit a low sub-limit
Review and negotiate sub-limits for specific claim types
8
Not reviewing at renewal
Policy doesn't reflect your current risk profile
Annual review of coverage, limits, and exclusions
9
No broker
Miss better terms; overpay; don't understand options
Use a cyber-specialist broker
10
Failing to improve controls
Premiums increase annually; coverage restricted
Demonstrate security improvements at each renewal
Frequently Asked Questions
How much cyber insurance do I need?
There's no universal formula, but consider these factors: (1) Number of records you hold (breach notification costs scale linearly), (2) Revenue at risk from business interruption, (3) Regulatory exposure (GDPR fines can reach 4% of global turnover), (4) Contractual requirements (customers may require minimum coverage), (5) Industry benchmarks (your broker can provide). General benchmarks: small businesses ($1M–$3M), mid-market ($5M–$20M), enterprise ($25M–$100M+).
Is cyber insurance required by law?
No EU or US law currently mandates cyber insurance specifically. However, several regulations effectively make it a strong recommendation: NIS2 requires "appropriate" risk management measures (insurance is one such measure); DORA requires financial entities to consider insurance in their risk management; many customer contracts require minimum cyber insurance coverage. Some industries (healthcare, financial services) have de facto requirements.
Does cyber insurance cover GDPR fines?
This varies by insurer and jurisdiction. In some EU countries, regulatory fines are considered non-insurable on public policy grounds. In others, they're insurable. Many cyber insurance policies include GDPR fine coverage but with specific conditions and sub-limits. Ask your insurer explicitly about GDPR fine coverage and in which jurisdictions it applies.
What's the difference between cyber insurance and professional indemnity (E&O)?
Professional indemnity (E&O) covers claims arising from professional negligence or errors in your services. Cyber insurance covers losses from cyber incidents. There's overlap when a cyber incident causes professional service failure, but they're distinct products. If you're a service provider (SaaS, consulting, managed services), you likely need both.
How does ransomware coverage work?
Most cyber policies cover ransom payments (where legally permissible) and ransom negotiation services. However: (1) the insurer typically must approve any payment before it's made, (2) sub-limits may apply (e.g., $1M ransom sub-limit on a $5M policy), (3) extortion by sanctioned entities may be excluded, (4) the insurer may recommend against payment if backup recovery is viable. The cost of recovery (forensics, restoration, business interruption) is typically more significant than the ransom itself and is separately covered.
Will my premiums go down if I get ISO 27001?
Yes — most insurers offer 10–20% premium discounts for ISO 27001-certified organisations. Similarly, SOC 2 Type II reports can yield 10–15% discounts. The key is providing the certificate/report during your renewal. Beyond the discount, certified organisations tend to have fewer claims, which compounds the premium benefit over time.
How do I handle cyber insurance in vendor contracts?
Many enterprise customers require their vendors to maintain minimum cyber insurance coverage (e.g., $5M per occurrence). Include cyber insurance requirements in your vendor risk management programme. When onboarding critical vendors, request their certificate of insurance and verify coverage types and limits.
What happens if my security controls change after I get the policy?
Most policies require you to maintain the security controls you represented in your application. If your security posture materially degrades (e.g., you disable MFA), you should notify your insurer. Failure to maintain represented controls can result in claim denial. Conversely, improving controls can support better terms at renewal.
Cyber insurance is a critical layer in your risk management strategy — but it works best when built on a foundation of strong security controls. The organisations that get the best coverage at the best price are the ones that invest in security first and use insurance to transfer residual risk. The bonus: the controls that insurers demand (MFA, EDR, backup, incident response, security training) are the same controls that make breaches less likely and less costly in the first place.
Invest in security. Get insured. Sleep better.
Need help aligning security controls with insurance requirements? Vision Compliance builds security programmes that satisfy both regulatory requirements and cyber insurance underwriting standards. From ISO 27001 certification to incident response readiness, we help you demonstrate the controls insurers want to see. Schedule a free consultation →
Sources: IBM Cost of a Data Breach Report 2025, Munich Re Cyber Insurance Market Report 2025, Coalition Cyber Claims Report 2025, NIS2 Directive (EU 2022/2555), DORA (EU 2022/2554), Marsh McLennan Cyber Insurance Insights
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.
