SYSTEM SECURE

For most of the last decade, cyber insurance was a cheap hedge against an emerging risk that few executives fully understood. Premiums were modest, underwriting was light, and policies routinely paid out without serious dispute. That market is gone. After a brutal stretch of ransomware-driven losses, cyber insurers now operate with an underwriting rigor that more closely resembles directors-and-officers coverage than commercial property — and the 2026 renewal season has become the moment of truth for thousands of mid-market and enterprise CFOs. The gap between a routine renewal and a punitive one is no longer a question of luck. It is a question of preparation.

What separates a smooth cyber insurance renewal from a painful one is rarely the underlying security posture itself. It is whether the CFO and risk committee can demonstrate that posture in the language underwriters now demand: defensible metrics, documented controls, tested incident response, and a clear chain of accountability. The board members and finance leaders who treat the renewal as a year-round program — rather than a forty-eight-hour scramble before the binding date — are the ones whose premiums stabilize, whose deductibles hold, and whose coverage actually pays out when an incident occurs. The twelve questions that follow are the ones every CFO should put to management before signing the next renewal.

Why the Cyber Insurance Market Has Hardened

The hardening of the cyber insurance market is not an accident. According to the Lloyd’s of London market, ransomware loss ratios at one point exceeded ninety percent — a level at which the underwriting math fails entirely. The result has been the most rapid repricing of any specialty line in modern memory. Capacity has tightened, sub-limits have multiplied, and exclusions that once lived in the margins now sit at the front of the policy. CFOs who treat cyber insurance as a commodity in 2026 will, almost without exception, pay for that assumption.

“Cyber underwriting today looks more like aviation underwriting than like property underwriting. The carrier wants evidence, telemetry and a tested response plan. They are not interested in promises.”

Helen Yost, Cyber Practice Leader, Marsh McLennan

The 12 Questions Every CFO Should Demand Answers To

1. Is multi-factor authentication enforced on every privileged account, without exception?

Multi-factor authentication on privileged accounts is now a binary underwriting threshold. The U.S. Cybersecurity and Infrastructure Security Agency has consistently identified privileged access compromise as the dominant initial vector in ransomware events. Carriers who detect a single domain administrator account without MFA frequently reduce the limit, raise the retention, or decline outright. The CFO does not need to verify the technology. The CFO needs a single number — coverage percentage — and the name of the person who signs off on it.

2. Are immutable backups tested for full restoration at least quarterly?

An untested backup is not a backup. Underwriters increasingly demand evidence of an actual restoration test within the previous ninety days, with documented recovery time and recovery point objectives. The Coveware Quarterly Ransomware Report consistently shows that organizations with verified restoration capability recover faster and pay ransoms far less often than those that rely on backups they have never actually tried.

3. Has the incident response plan been tested in a tabletop exercise within the last twelve months?

A written incident response plan that has never survived contact with a real or simulated event is, in underwriting terms, a document and not a control. The renewal application typically asks for the date and outcome of the most recent tabletop exercise, the participants, and the corrective actions taken. CFOs should confirm not only that the exercise occurred, but that an after-action review was produced and signed.

4. What endpoint detection and response coverage exists across the production estate?

Endpoint detection and response coverage is now the closest thing the cyber insurance industry has to a universal control. Underwriters typically expect coverage above ninety-five percent of in-scope endpoints, with central logging and a defined retention period. The CFO question is straightforward: what is our coverage number, and where are the gaps?

5. Are domain controllers, hypervisors, and backup servers segmented from the user network?

Network segmentation is no longer an aspiration. Carriers are explicitly underwriting against the assumption that ransomware actors will reach the user network and ask whether the most valuable assets — domain controllers, hypervisors, backup servers — are reachable from a compromised laptop. As our analysis of the insider threat made clear, lateral movement is the moment a breach becomes a catastrophe. Segmentation is what keeps it from getting there.

6. What proportion of high-criticality vendors hold a current security attestation?

Third-party risk has become the underwriter’s favorite flashlight. The World Economic Forum Global Cybersecurity Outlook identified supply-chain compromise as the leading concern of cyber leaders. CFOs should demand a single proportion: of vendors with privileged access or sensitive data, what percentage carry a current SOC 2 Type II, ISO 27001, or comparable attestation?

7. Is privileged access reviewed and recertified at least quarterly?

Standing privilege is the dry tinder of every modern breach. Underwriters now ask whether privileged access reviews occur, who signs them, and what the average age of an active privileged account is. A CFO who can answer this question quickly signals an organization with mature governance.

8. What is the organization’s mean time to detect, and how does it compare to peers?

Mean time to detect is fast becoming a renewal-application field rather than an internal metric. According to the Mandiant M-Trends report, global median dwell time has declined to roughly ten days, but underwriters benchmark each applicant against industry peers. CFOs should know whether their MTTD trend is improving and whether it is materially better or worse than the peer median.

9. Is there a pre-arranged 24/7 incident response retainer in place?

The presence of a retained, named incident response firm has become a hard underwriting preference and, in some markets, a coverage condition. Carriers want to know that, when an incident occurs, a senior responder is engaged within minutes — not days while procurement chases a statement of work. Boards that have read our analysis on the boardroom economics of ransomware payments already understand why the absence of a retainer is the single most expensive omission in incident readiness.

10. Are email and web protections verified against current phishing techniques?

Phishing remains, as the Verizon Data Breach Investigations Report documents year after year, the dominant initial access vector. Underwriters increasingly want evidence of advanced email filtering, DMARC enforcement at a reject policy, and ongoing phishing simulation results. CFOs should expect to see a phishing resilience score reported quarterly.
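The "DMARC enforcement at a reject policy" bar is easy to state and easy to get subtly wrong (a p=none record, a weaker subdomain policy, or a pct below 100 all leave mail unprotected while the record still looks present). The following checker is an added example, not code from the article or from iSECTECH; the DMARC records it evaluates are constructed samples rather than any real domain's DNS data.

```python
# Added example (not from the article): parse a DMARC TXT record and report
# whether it meets an "enforced at reject" bar. Sample records are constructed.
from dataclasses import dataclass, field

@dataclass
class DmarcAssessment:
    enforced: bool
    findings: list = field(default_factory=list)

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag/value dict (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(False, ["not a DMARC record (missing v=DMARC1)"])
    p = tags.get("p", "").lower()
    if p != "reject":
        findings.append(f"policy p={p or 'missing'} is not reject")
    # sp governs subdomains and defaults to p, so only an explicit weaker value matters
    sp = tags.get("sp", p).lower()
    if sp != "reject":
        findings.append(f"subdomain policy sp={sp or 'missing'} is weaker than reject")
    # pct<100 applies the policy to only a sample of failing mail
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports to evidence enforcement")
    return DmarcAssessment(not findings, findings)

# Constructed sample records (hypothetical domain, not real DNS data)
SAMPLES = {
    "good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50",
}
```

Run `assess_dmarc` over each entry in `SAMPLES` to see which records would satisfy the renewal question and which findings the underwriter would flag.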

11. Has a recent independent penetration test been performed, and have findings been remediated?

An independent penetration test, performed within the prior twelve months by a credentialed third party, with documented remediation, has become the underwriter’s preferred external assurance. The CFO should know who performed it, when, what scope was tested, and what proportion of findings were remediated by class of severity.

12. Has the policy itself been read by someone other than the broker?

The most overlooked question is the simplest. Modern cyber insurance policies contain dense language around war exclusions, ransom payment authorization, sub-limits for business interruption, and notification timelines. CFOs who rely entirely on a broker’s summary risk discovering coverage gaps only when an incident occurs. A line-by-line read by general counsel and the CISO — or a vCISO — is not optional.

Three Renewals That Defined the New Normal

Scenario One: A Logistics Operator That Mistook a Quote for a Renewal

A North American logistics operator with twelve hundred employees received an indicative quote ten weeks before binding and assumed the work was done. Six weeks later, the carrier issued a supplemental questionnaire on EDR coverage and tabletop exercise history. The numbers were not where the underwriter wanted them. The final binding came in at ninety-three percent above the prior premium, with a doubled retention and a sub-limited business interruption clause. The CFO later told her audit committee that two months of preparation would have saved them roughly nine hundred thousand dollars over the policy term.

Scenario Two: A Software Vendor Saved by a Tested Backup

A mid-market software vendor producing financial reporting tools faced a renewal at a moment when the carrier was tightening underwriting in the SaaS segment. The applicant had documented a successful quarterly restoration test, including the exact recovery time achieved on a sample of production systems. The carrier offered terms within four basis points of the prior year — an outcome the broker described as “unheard of in this segment.” The single piece of evidence that moved the underwriter, the broker noted, was the dated restoration log.

“A documented restoration test is now the single most valuable artifact a CFO can place in front of an underwriter. It is more persuasive than any control, any policy, and any certification.”

Mark Bagley, Head of Cyber, Beazley

Scenario Three: A Healthcare Network That Discovered a War Exclusion

A regional healthcare network suffered a ransomware event attributed to a sanctioned threat actor. When the company filed its claim, the carrier invoked a war and hostile-act exclusion that the broker had described, in the renewal binder, as “standard market language.” The dispute consumed eighteen months and seven figures of legal fees before settling. The CFO later said that no internal stakeholder had read the exclusion before signing — and that the most painful part of the post-mortem was discovering how clearly worded the exclusion actually was.

How Senior Practitioners Prepare a Renewal

The discipline that turns cyber insurance renewal from an annual scramble into a routine governance event is straightforward. The renewal process starts the day the previous policy binds. A renewal calendar tracks every underwriting question, every metric, and every tabletop exercise required during the policy year. A senior practitioner — typically a virtual CISO or a cyber-aware general counsel — owns the application and signs every answer. And the broker is treated as an advisor, not as a substitute for an internal owner.

“The CFOs who walk into renewal meetings with a one-page scorecard of their twelve underwriting controls — and the trend lines for each — are the ones who get rate stability. The rest are buying lottery tickets.”

Senior Practitioner, iSECTECH Risk & Compliance Practice

The Renewal Is the Audit

Cyber insurance renewal has quietly become the most rigorous external audit most mid-market companies face — more probing than the SOC 2, more prescriptive than the ISO 27001 surveillance review, and considerably more expensive when the answers are wrong. CFOs who internalize this reality and run the renewal as a year-round program will spend less, recover faster, and avoid the ugly surprises that have come to define the post-2022 cyber market. Those who do not will continue to be repriced, sub-limited, and excluded — quietly, in the binder, until the day a real claim makes the difference visible.

Make Your Next Cyber Insurance Renewal a Routine Conversation

iSECTECH’s Risk & Compliance and Virtual CISO practitioners help CFOs and risk committees prepare for cyber insurance renewals as a year-round discipline — building the metrics program, running the tabletop exercises, performing the independent penetration tests, and reviewing the policy language with general counsel. If your next renewal is approaching, talk to a senior iSECTECH specialist about a renewal-readiness engagement that turns underwriting into a formality. For broader context on the threat landscape your underwriter is pricing against, see our analysis of why phishing remains the entry point of nearly every enterprise breach.

Continue Reading: Week 2 Field Notes

For executives reading this in renewal season, our Week 2 briefs extend the conversation: why mid-market companies now choose virtual CISO over a six-figure hire, why cloud misconfiguration remains the front door to most breaches in 2026, and the CEO deepfake fraud playbook every CFO should rehearse this quarter.