Cyber Insurance in 2026

Cyber insurance rates dropped 5-6% in 2024, but stricter underwriting now requires MFA, EDR, and immutable backups. Learn what's covered and how to qualify.

Published January 9, 2026

Key Takeaways

  • The global cyber insurance market is expected to reach $16.3 billion in 2025, with stricter underwriting standards requiring multi-factor authentication (MFA), endpoint detection and response (EDR), and immutable backups.
  • Ransomware remains the most costly cyber threat, accounting for 44% of all breaches in 2024, though ransom demands dropped 22% to an average of $1.1 million and 63% of victims now refuse to pay.
  • Premium rates decreased 5-6% in late 2024 for the first time in seven years, creating opportunities for businesses with strong cybersecurity controls to secure better coverage at lower costs.
  • European regulations like DORA and NIS2 are raising compliance expectations globally, with major incident reporting requirements as short as four hours under DORA.
  • Business email compromise and funds transfer fraud now account for 60% of cyber insurance claims, surpassing ransomware as the most frequent attack type.
  • A single major systemic cyber event could rapidly transform the market, potentially triggering premium increases or coverage restrictions similar to what happened in 2020-2022.

If you're running a business in 2026, here's what keeps cybersecurity experts up at night: it's not just whether you'll get hacked—it's whether your insurance will actually cover it when it happens. The cyber insurance market has been on a wild ride, and understanding where things stand today could save you from a very expensive surprise down the road.

The good news? For the first time in seven years, cyber insurance premiums actually dropped in late 2024—about 5-6% on average. The catch? Insurers are pickier than ever about who gets coverage. They want to see proof that you've got the basics locked down: multi-factor authentication on everything, real-time threat detection, and backups that hackers can't touch. Miss one of these requirements, and you might not get a policy at all.

The Cyber Insurance Market in 2026: Bigger, Tougher, Smarter

The global cyber insurance market hit $15.3 billion in 2024 and is projected to reach $16.3 billion in 2025, according to Munich Re. That's substantial growth in a market that barely existed 15 years ago. But here's the thing about that growth—it's not just more policies being sold. It's insurers finally figuring out how to price cyber risk without losing their shirts.

Between 2020 and 2022, the cyber insurance market went through what industry insiders politely call "a correction." Premiums skyrocketed—sometimes doubling or tripling—as ransomware gangs became more sophisticated and claims payouts exploded. Insurers tightened coverage terms, added more exclusions, and started asking really hard questions during underwriting. Some businesses couldn't get coverage at any price.

Fast forward to 2024, and the market has stabilized. Premiums are dropping because insurers now have better data about what actually causes claims. They know that 82% of successful cyberattacks hit companies without multi-factor authentication. They know that businesses with endpoint detection and response (EDR) systems recover faster and cheaper. So they've turned those insights into strict requirements. Meet them, and you'll get competitive rates. Skip them, and you're out of luck.

What Insurers Actually Require (And Why You Can't Fake It)

Let's talk about the big three requirements that show up in nearly every cyber insurance application in 2026: multi-factor authentication, endpoint detection and response, and immutable backups. Think of these as the table stakes—without them, you're not even in the game.

Multi-factor authentication (MFA) means you need more than just a password to access your systems. About 80% of insurers now require MFA across all administrative accounts, email systems, and remote access points. And here's where it gets interesting: some insurers are starting to require "phishing-resistant" MFA, which rules out text-message codes that hackers can intercept. They want hardware keys or authenticator apps instead.

Endpoint detection and response (EDR) is your 24/7 security guard. Unlike old-school antivirus software that just blocks known threats, EDR actively monitors every computer and server in your network, looking for suspicious behavior. If ransomware tries to encrypt your files, EDR spots it and shuts it down in real-time. About 65% of insurers now require EDR from vendors like CrowdStrike, SentinelOne, or Microsoft Defender. Traditional antivirus? Doesn't count.

Immutable backups are backups that hackers can't delete or encrypt, even if they take over your entire network. This is critical because modern ransomware doesn't just lock your files—it actively hunts for your backups and destroys them first. Insurers want to see that you're backing up data regularly and storing those backups somewhere they can't be touched.
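The three controls above are what an underwriter asks about, so it helps to be able to check them against your own inventory before filling in the application. The script below is an added example written for this article, not an insurer's or any vendor's tool: the inventory data classes, the MFA-method ranking (SMS and e-mail codes as weak, FIDO2 hardware keys and passkeys as phishing-resistant), the one-day backup-age threshold and the sample inventory are all constructed assumptions chosen to illustrate the checks.

```python
"""Readiness self-check for the "big three" cyber insurance controls.

Illustrative example, not an insurer's tool. The inventory format, the
MFA-method ranking, the backup-age threshold and the sample data are
assumptions constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, List, Dict

# Assumed ranking of MFA methods by phishing resistance.
PHISHING_RESISTANT = {"fido2", "hardware_key", "passkey"}
WEAK_MFA = {"sms", "voice", "email_code"}
# Roles for which the article says insurers expect MFA.
MFA_REQUIRED_ROLES = {"admin", "email", "remote_access"}


@dataclass
class Account:
    name: str
    roles: Set[str]
    mfa_method: Optional[str]  # None means no second factor at all


@dataclass
class Endpoint:
    hostname: str
    edr_agent: Optional[str]   # e.g. "crowdstrike"; None means no EDR agent
    av_only: bool = False      # traditional antivirus only; does not count as EDR


@dataclass
class Backup:
    target: str
    immutable: bool            # cannot be deleted or encrypted from the network
    last_success: datetime
    restore_tested: bool


def check_mfa(accounts: List[Account], require_phishing_resistant: bool = False) -> List[str]:
    """Flag in-scope accounts with no MFA, weak MFA, or (optionally) non-phishing-resistant MFA."""
    findings = []
    for a in accounts:
        if not (a.roles & MFA_REQUIRED_ROLES):
            continue  # unprivileged account, outside the insurer's MFA scope
        if a.mfa_method is None:
            findings.append(f"{a.name}: no MFA")
        elif a.mfa_method in WEAK_MFA:
            findings.append(f"{a.name}: weak MFA ({a.mfa_method})")
        elif require_phishing_resistant and a.mfa_method not in PHISHING_RESISTANT:
            findings.append(f"{a.name}: MFA not phishing-resistant ({a.mfa_method})")
    return findings


def check_edr(endpoints: List[Endpoint]) -> List[str]:
    """Return hostnames without an EDR agent; AV-only hosts are still gaps."""
    return [e.hostname for e in endpoints if e.edr_agent is None]


def check_backups(backups: List[Backup], now: datetime,
                  max_age: timedelta = timedelta(days=1)) -> List[str]:
    """Flag backups that are mutable, stale, or have never been restore-tested."""
    findings = []
    for b in backups:
        if not b.immutable:
            findings.append(f"{b.target}: backup is not immutable")
        if now - b.last_success > max_age:
            findings.append(f"{b.target}: last successful backup older than {max_age}")
        if not b.restore_tested:
            findings.append(f"{b.target}: restore never tested")
    return findings


def readiness_report(accounts, endpoints, backups, now,
                     require_phishing_resistant: bool = False) -> Dict[str, List[str]]:
    """Map each control to its list of gaps; an empty list means the control passes."""
    return {
        "mfa": check_mfa(accounts, require_phishing_resistant),
        "edr": check_edr(endpoints),
        "backups": check_backups(backups, now),
    }


def is_ready(report: Dict[str, List[str]]) -> bool:
    """True only when every control has zero gaps."""
    return not any(report.values())


# Constructed sample inventory (hypothetical names, not real systems).
NOW = datetime(2026, 1, 9, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("cfo", {"email"}, "totp"),
    Account("it-admin", {"admin", "remote_access"}, "fido2"),
    Account("vpn-contractor", {"remote_access"}, "sms"),
    Account("legacy-svc", {"admin"}, None),
    Account("intern", set(), None),  # no privileged role, not in scope
]
SAMPLE_ENDPOINTS = [
    Endpoint("fin-laptop-01", "crowdstrike"),
    Endpoint("file-srv-02", None, av_only=True),
]
SAMPLE_BACKUPS = [
    Backup("s3-objectlock", True, NOW - timedelta(hours=6), True),
    Backup("nas-share", False, NOW - timedelta(days=3), False),
]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_ACCOUNTS, SAMPLE_ENDPOINTS, SAMPLE_BACKUPS, NOW,
                              require_phishing_resistant=True)
    for control, gaps in report.items():
        print(control, "OK" if not gaps else gaps)
    print("ready for underwriting:", is_ready(report))
```

Run against the constructed inventory, the report lists the SMS-protected VPN account, the service account with no MFA, the AV-only file server and the mutable, stale, untested NAS backup; with the phishing-resistant option on, the CFO's authenticator-app login is flagged too. Feeding the same checks from a real identity provider export, an EDR console inventory and backup job logs is the obvious next step, but how that data is pulled depends on the products in use and is outside this example.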

What's Actually Driving Claims in 2026

You might think ransomware is the biggest threat, and you'd be half right. While ransomware accounted for 44% of all data breaches in 2024 and remains the most expensive type of attack, it's actually business email compromise (BEC) that's causing the most claims. In 2024, 60% of cyber insurance claims originated from BEC and funds transfer fraud.

Here's how BEC typically works: A hacker compromises someone's email account—maybe your CFO or a vendor—and sends what looks like a legitimate payment request. Your accounting team wires $50,000 to what they think is a contractor, but it's actually a criminal's bank account. By the time anyone realizes what happened, the money's gone. Unlike ransomware, where you might negotiate or have backups, wire fraud is often unrecoverable.

Ransomware is still a major concern, but the dynamics have shifted. Average ransom demands dropped 22% to about $1.1 million in 2024, and here's the really interesting part: 63% of victims now refuse to pay, up from 59% the previous year. Why? Because paying doesn't guarantee you'll get your data back, it funds criminal enterprises, and in some cases, it might violate sanctions laws. Plus, businesses with good backups and incident response plans are finding they can recover faster by just rebuilding their systems.

The global average cost of a data breach hit an all-time high of $4.88 million in 2024, according to IBM. Business interruption—the revenue you lose when systems are down—often exceeds the direct costs of the attack itself. That's why cyber policies now typically cover both the immediate incident response costs and the business income you lose while you're offline.

The European Compliance Factor: DORA and NIS2

Even if you're not based in Europe, you need to understand DORA and NIS2, because they're influencing cyber insurance requirements globally. DORA (Digital Operational Resilience Act) went into effect in January 2025 for financial institutions, requiring them to report major cyber incidents within four hours. Four hours. That's barely enough time to figure out what happened, let alone fix it.

NIS2 (Network and Information Security Directive) took effect in October 2024 and applies to a much broader range of critical infrastructure and essential services. It requires breach reporting within 24 hours and holds senior executives personally accountable for cybersecurity. Non-compliance can trigger fines up to €10 million or 2% of global annual revenue, whichever is higher.

Why does this matter for cyber insurance? Because insurers are embedding these regulatory expectations into their policies, even for non-European companies. They're asking about incident response plans, testing protocols, and third-party risk management—all core components of DORA and NIS2 compliance. If European businesses need these controls to avoid regulatory penalties, insurers figure everyone should have them to avoid claims.

The Systemic Risk Wild Card

Here's the thing that worries insurers more than anything: a major systemic cyber event that affects thousands of companies simultaneously. Think of it like this—if a hurricane hits Miami, insurance companies know roughly how many claims to expect. But what if hackers found a critical vulnerability in Microsoft Windows or a major cloud provider and exploited it worldwide on the same day?

We got a taste of this in July 2024 when a faulty CrowdStrike update crashed millions of Windows computers globally, disrupting airlines, hospitals, and businesses. That was an accident, not an attack, but it demonstrated how interconnected our systems are. A well-coordinated attack exploiting a zero-day vulnerability in widely used software could trigger simultaneous claims from hundreds or thousands of policyholders.

This systemic risk is why the current market stability comes with an asterisk. Rates are down and capacity is up, but that could change overnight if we see a catastrophic event. It's also why insurers are building more sophisticated models to understand aggregation risk—how many of their policyholders might be affected by a single attack.

How to Actually Get Cyber Insurance in 2026

If you're shopping for cyber insurance, start with the technical requirements. Before you even fill out an application, make sure you have MFA enabled everywhere, EDR deployed on all endpoints, and a solid backup strategy with offline or immutable copies. Most insurers will verify these controls, and some will even scan your external-facing systems for vulnerabilities as part of underwriting.

Next, document your incident response plan. You don't need a 100-page document, but you should be able to explain who does what when you discover a breach, how quickly you can isolate infected systems, and who you'll call for help (forensics firm, legal counsel, PR support). Insurers want to know you won't panic and make the situation worse.

Consider working with a specialized cyber insurance broker who understands the technical requirements and can match you with insurers that cover your specific industry and risk profile. The cyber insurance market is competitive right now, which means rates and terms can vary significantly between carriers. A good broker can help you leverage that competition.

The bottom line: cyber insurance in 2026 rewards preparation. Businesses that invest in strong security controls are seeing better coverage at lower prices than ever before. But if you're cutting corners on basic protections, expect insurers to either charge you a premium or decline coverage entirely. The market has matured enough to tell the difference—and to price it accordingly.

Frequently Asked Questions

How much does cyber insurance cost for a small business in 2026?

Premiums vary widely based on your industry, revenue, and security controls, but small businesses typically pay between $1,000 and $7,500 annually for $1 million in coverage. Companies with strong cybersecurity practices—including MFA, EDR, and regular backups—can often secure rates at the lower end of that range, while those with weaker controls may pay significantly more or struggle to get coverage at all. The good news is that rates dropped about 5-6% in late 2024, making this a relatively favorable time to buy.

Will cyber insurance cover ransomware payments?

Most cyber insurance policies do cover ransom payments, but with significant caveats. Insurers typically require you to work with their approved incident response team and negotiate through approved channels. Coverage may be excluded if paying the ransom would violate sanctions laws (for example, if the hackers are on a government blacklist). Increasingly, policies also cover the business interruption costs and recovery expenses, which often exceed the ransom itself, making the ransom payment decision less critical if you have good backups.

What's the difference between cyber insurance and general liability insurance?

Your general liability policy covers physical injuries and property damage, but it won't help if a hacker steals your customer database or locks you out of your systems. Cyber insurance specifically covers digital risks: data breaches, ransomware attacks, business interruption from cyber incidents, legal costs from privacy violations, and notification costs when customer data is compromised. Even if you have a business owner's policy (BOP) or a commercial general liability (CGL) policy, you need separate cyber coverage for digital threats.

Can I get cyber insurance if I've already been hacked?

It's difficult but not impossible. Insurers will want to see proof that you've addressed the vulnerabilities that led to the breach and implemented stronger security controls. You'll likely face a waiting period (often 90-180 days) before coverage takes effect for similar incidents, higher premiums, and potentially lower coverage limits. The best approach is to get cyber insurance before you need it—once you're dealing with an active incident, it's too late for that claim.

What does multi-factor authentication actually protect against?

Multi-factor authentication (MFA) prevents hackers from accessing your systems even if they steal your password. Since 82% of successful cyberattacks in 2024 targeted organizations without MFA, it's the single most effective control you can implement. MFA requires at least two forms of verification—something you know (password), something you have (phone or hardware key), or something you are (fingerprint). Even if hackers phish your password or buy it on the dark web, they still can't get in without that second factor.

How do DORA and NIS2 regulations affect cyber insurance requirements?

DORA and NIS2 are European regulations that set strict cybersecurity standards and rapid incident reporting timelines (as short as four hours under DORA). Even if you're not in Europe, these regulations are influencing global cyber insurance standards because insurers are incorporating similar requirements into their policies worldwide. Expect insurers to ask about incident response capabilities, third-party risk management, and regular security testing—all core elements of DORA and NIS2 compliance—regardless of where your business is located.

We provide this content to help you make informed insurance decisions. Just keep in mind: this isn't insurance, financial, or legal advice. Insurance products and costs vary by state, carrier, and your individual circumstances, subject to availability.