Cyber Insurance - March 2026 Edition
This follows up our February cyber insurance update and explains what is needed from underwriters and how to get better terms.
Small Business - (3-25 users)
The cyber insurance market still offers good options for small businesses that show strong basics. Insurers look for multi‑factor authentication on email and remote access, endpoint detection, steady patching, and tested backups. Meeting these controls can keep pricing stable and help you qualify for better terms. Yet many small companies still don’t carry cyber insurance at all, which leaves them open to heavy costs after an attack.
Start by mapping your top risks and the data you hold. Ask your broker about first‑party coverages (incident response, data recovery, business interruption) and third‑party coverages (privacy liability, regulatory costs). Check sublimits for ransomware, fraud transfer, and system failure. If you rely on a few key vendors, make sure “dependent business interruption” is included.
Insurers now ask more questions about vendor risk and recovery plans. Keep short evidence packs ready: MFA screenshots, EDR deployment reports, backup test logs, and incident runbooks. This speeds up underwriting and can improve outcomes. If you are piloting AI, add a simple policy that limits what data staff can share and which tools they can use. A well‑chosen policy won’t stop an attack, but it will make it a lot easier to recover. Combine coverage with your basic security program to reduce both the chance of a breach and the damage if one happens.
Medium - (26-99 users)
Mid‑market buyers face tougher questions this year. Claim activity has been highest in this group, so underwriters want proof of controls and resilience before offering strong limits and prices. They’re focused on vendor management, backup integrity, and tested incident response, especially where operations depend on cloud and SaaS.
Prepare a concise renewal package: network diagram, asset inventory, MFA and EDR status, backup test results, and tabletop outcomes. Show how quickly you can isolate, restore, and notify. If you use AI in operations, document guardrails like human approval for payments, data‑access limits, and prompt/agent testing. This shows maturity without blocking innovation.
Coverage clarity matters. Many leaders are unclear on what their policy covers. Close that gap now. Confirm how your policy handles ransomware, wire fraud, data restoration, dependent business interruption, and regulatory costs. Gallagher’s and other market outlooks highlight continued competition, with pockets of a firmer stance where losses and systemic risk are high, so strong evidence pays off. Use analytics from your broker to right‑size limits based on revenue, downtime costs, and vendor concentration, rather than guessing.
Large - (99+ users)
For large enterprises, systemic risk now shapes coverage terms. Insurers are watching how cloud outages, vendor failures, or shared software issues can hit many customers at once. Expect closer review of your dependencies and how you would keep working during a major event.
Bring data to the table. Show failover designs, recovery time targets, and results from exercises that include vendor downtime. Document segmentation, least‑privilege access, and how you isolate crown‑jewel systems. These controls support broader system‑failure and dependent‑BI coverage. Market conditions remain generally supportive for well‑managed risks, but underwriting is firmer than a year ago. AI is another pressure point. As AI‑enabled attacks grow, some carriers are exploring special limits or exclusions for AI‑related losses. Strong governance, human checks, model and prompt testing, and data controls can help you keep broad terms.
Finally, review wording: how the policy defines “system failure,” “security failure,” and “dependent business.” Confirm coverage for regulatory investigations tied to data use, not just breaches. With better evidence and clearer language, large enterprises can secure stable, effective coverage that matches today’s risks while keeping room to innovate.