The MSP's Guide to Getting Clients Cyber Insurance Approved in 2026
Cyber insurers have shifted from checkboxes to verified evidence. Clients are getting denied or paying 40-100% surcharges. Here's the exact checklist of controls and evidence MSPs need to build for every client.
Your Clients Are Getting Denied Cyber Insurance. Here's How to Fix It.
Something has fundamentally changed in cyber insurance over the past 18 months. In 2024, your clients could check a box that said "we have MFA" and their renewal sailed through. In 2026, the underwriter wants proof — exports, screenshots, reports, and policy documentation showing every control is actually in place.
The result? Clients are getting denied renewals, hit with 40-100% premium increases, or forced into surplus lines markets where premiums are triple the standard rate. A mid-market manufacturer had a $2.3 million ransomware claim denied because a single VPN account didn't have MFA — even though they checked "yes" on the application.
This is a massive opportunity for MSPs. Your clients need help building the "evidence package" that gets them approved, and they'll pay you to do it. Here's exactly what carriers are requiring in 2026 and how to deliver it.
The 7 Controls Every Carrier Now Requires
Regardless of which carrier your client uses — Coalition, Corvus, Hartford, Travelers, Chubb — they've converged on the same core requirements. Think of these as the non-negotiable baseline:
1. MFA on Everything (Not Just Email)
What carriers require:
- MFA enforced on all email accounts (no exceptions)
- MFA on all remote access (VPN, RDP, RMM tools)
- MFA on all administrative/privileged accounts
- MFA on cloud platforms (M365, Google Workspace, AWS, Azure)
Evidence to prepare:
- Screenshot showing MFA is **enforced** (not optional) for all users
- List of applications covered by SSO/MFA
- For admin accounts: proof of phishing-resistant MFA (FIDO2, hardware keys) or step-up authentication
- Conditional access policies showing MFA is required, not just available
Common denial reason: "MFA is available but not enforced for all users." Available and enforced are not the same thing. Carriers know the difference.
2. EDR on Every Endpoint
What carriers require:
- Endpoint Detection and Response (not just antivirus) on every workstation, laptop, and server
- Tamper protection enabled
- 24/7 monitoring or automated response configured
- Coverage report showing 100% deployment
Evidence to prepare:
- EDR coverage report: device count + compliance percentage
- Screenshot of policies enabled (tamper protection, behavioral analysis)
- Proof of monitoring (SOC partnership or automated response rules)
- List of any exceptions with compensating controls documented
Common denial reason: "EDR deployed to 85% of endpoints." 85% means 15% of devices are unprotected. Carriers want 100%.
3. Immutable or Offline Backups
What carriers require:
- Backups that exist, are tested, and are stored offline or in an immutable format
- Proof of a successful restore within the last 12 months
- Backup data cannot be encrypted by ransomware
- Clear RPO (Recovery Point Objective) and RTO (Recovery Time Objective) documentation
Evidence to prepare:
- Backup configuration showing immutability or air-gap
- Test restore report with date, scope, and result
- RPO/RTO documentation per client
- Retention policy documentation
Common denial reason: "Backups exist but no evidence of successful restore test." Untested backups aren't backups — they're hope.
4. Documented Incident Response Plan
What carriers require:
- Written incident response plan covering detection, containment, eradication, recovery, and communication
- Named roles and responsibilities (who does what during an incident)
- Contact information for legal, forensics, and insurance carrier
- Annual tabletop exercise or simulation with documented results
Evidence to prepare:
- Current IRP document (dated within last 12 months)
- Tabletop exercise report with date, scenario, participants, and lessons learned
- Communication plan including regulatory notification requirements
- Retainer agreement with forensics firm (strongly preferred by carriers)
Common denial reason: "IR plan exists but hasn't been tested." An untested plan falls apart under pressure. Carriers know this from claim data.
5. Patch Management Program
What carriers require:
- Critical patches applied within 14 days of release
- Regular patching cadence for non-critical updates
- Coverage across OS, applications, and firmware
- Documented exceptions with compensating controls
Evidence to prepare:
- Patch compliance dashboard screenshot from your RMM
- Written patch management policy with defined SLAs
- Report showing critical patch deployment timeline
- List of end-of-life systems with migration or compensating control plan
Common denial reason: "Running Windows Server 2012 / Exchange 2016 / other EOL software." End-of-life systems are a hard no for most carriers.
6. Employee Security Awareness Training
What carriers require:
- Annual security awareness training for all employees
- Phishing simulation program with documented results
- Completion tracking (not just "we offered it")
- Evidence of remedial action for users who fail simulations
Evidence to prepare:
- Training completion report showing percentage and individual status
- Phishing simulation results: click rates, reporting rates, trends over time
- Documentation of follow-up for users who clicked (additional training, policy acknowledgment)
- Training content topics covered (social engineering, password hygiene, data handling)
Common denial reason: "Training is available but completion rate is 60%." If 40% of employees haven't been trained, you haven't trained your workforce.
7. Access Controls and Privilege Management
What carriers require:
- Principle of least privilege enforced
- Administrative accounts separated from daily-use accounts
- Regular access reviews (quarterly minimum)
- Terminated employee access removed within 24 hours
Evidence to prepare:
- Admin account inventory showing separation from standard accounts
- Access review log with date and reviewer
- Offboarding checklist showing access revocation process
- Privileged Access Management (PAM) tool deployment evidence
Common denial reason: "Domain admin credentials used for daily work." This is the single biggest red flag in carrier risk assessments.
The Evidence Package: What to Build for Each Client
Carriers have moved from "tell us" to "show us." Here's the evidence package you should prepare for each client's renewal:
Tier 1: Must-Have Documentation
| Control | Evidence Format | Update Frequency |
|---|---|---|
| MFA enforcement | Export from M365/Google admin showing policy | Quarterly |
| EDR coverage | Dashboard export showing 100% deployment | Monthly |
| Backup test results | Written report with date and outcome | Annually |
| Incident response plan | PDF document with version date | Annually |
| Patch compliance | RMM dashboard export | Monthly |
| Training completion | LMS report showing names and dates | Annually |
| Access review | Spreadsheet of admin accounts and last review date | Quarterly |
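The Tier 1 exports above only help if someone checks them against the carrier thresholds before the underwriter does. As an added example (not from this article or the Nuronus product), the following Python script scores a constructed evidence export for one client against the baselines in the seven controls: 100% MFA enforcement, 100% EDR coverage with tamper protection, restore test and IR plan within 12 months, critical patches within 14 days, quarterly access review, and 24-hour offboarding. The data shape and the `check_evidence` function are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed evidence export for one client (not real data), shaped like the M365, EDR, RMM, backup and HR exports above.
TODAY = date(2026, 3, 1)
SAMPLE = {
    "mfa": {"alice": True, "bob": True, "vpn-svc": False},       # user -> MFA enforced?
    "edr": {"WS-01": {"agent": True, "tamper": True},            # device -> agent state
            "WS-02": {"agent": True, "tamper": False},
            "SRV-01": {"agent": True, "tamper": True}},
    "last_restore_test": date(2025, 11, 12),
    "irp_revision": date(2024, 9, 1),
    "critical_patches": {"KB-A": (date(2026, 2, 1), date(2026, 2, 9)),   # (released, installed)
                         "KB-B": (date(2026, 2, 10), None)},             # None = still open
    "last_access_review": date(2025, 10, 15),
    "offboarding_hours": {"carol": 6.0, "dave": 52.0},           # hours until access revoked
}

def check_evidence(ev: dict, today: date) -> list[str]:
    """One finding per failed carrier baseline; [] means the Tier 1 package is clean."""
    findings = []
    # MFA must be enforced for every account; 'available' does not count.
    weak = sorted(u for u, enforced in ev["mfa"].items() if not enforced)
    if weak:
        findings.append(f"MFA not enforced: {', '.join(weak)}")
    # EDR: 100% of inventoried endpoints, agent healthy and tamper protection on.
    devices = ev["edr"]
    covered = sum(1 for d in devices.values() if d["agent"] and d["tamper"])
    if covered != len(devices):
        pct = 100 * covered // len(devices)
        findings.append(f"EDR coverage {pct}% ({len(devices) - covered} device(s) short)")
    # Successful restore test and IR plan revision both within the last 12 months.
    year = timedelta(days=365)
    if ev["last_restore_test"] is None or today - ev["last_restore_test"] > year:
        findings.append("no successful restore test in the last 12 months")
    if ev["irp_revision"] is None or today - ev["irp_revision"] > year:
        findings.append("IR plan revision older than 12 months")
    # Critical patches within 14 days of release; open patches age against today.
    for kb, (released, installed) in ev["critical_patches"].items():
        age = ((installed or today) - released).days
        if age > 14:
            findings.append(f"critical patch {kb} outside 14-day SLA ({age} days)")
    # Quarterly admin access review and 24-hour offboarding.
    if ev["last_access_review"] is None or today - ev["last_access_review"] > timedelta(days=90):
        findings.append("admin access review older than one quarter")
    late = sorted(u for u, hours in ev["offboarding_hours"].items() if hours > 24)
    if late:
        findings.append(f"access revoked later than 24h: {', '.join(late)}")
    return findings
```

For the constructed client, `check_evidence(SAMPLE, TODAY)` returns six findings, including the single unenforced VPN account, which is exactly the kind of gap that voided the claim described earlier.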
Tier 2: Differentiators (Reduce Premiums)
| Control | Evidence Format | Impact |
|---|---|---|
| Penetration test report | Third-party report with remediation status | 5-15% premium reduction |
| Network segmentation diagram | Architecture document showing isolation | Favorable risk classification |
| Vulnerability scan results | Quarterly scan reports with trending | Lower deductible options |
| Security awareness metrics | Phishing sim trends over 12 months | Premium credit with some carriers |
| PAM tool deployment | Configuration export showing vault and rotation | Favorable underwriting |
Tier 3: Emerging Requirements (2026-2027)
These aren't universally required yet, but leading carriers are starting to ask:
- **AI/ML security controls** — how is the organization governing AI usage?
- **Supply chain risk assessment** — vendor security questionnaires and monitoring
- **Cloud security posture** — configuration audit of AWS/Azure/GCP environments
- **Cyber risk quantification** — dollar-value risk estimates tied to specific threats
How to Sell This as a Service
This is where it gets interesting for MSPs. Building and maintaining the evidence package is a recurring, billable service that most clients will happily pay for — because the alternative is losing their insurance.
Service Model
| Service | What You Deliver | Pricing |
|---|---|---|
| **Insurance Readiness Assessment** | One-time gap analysis against carrier requirements | $2,000-$5,000 |
| **Evidence Package Build** | Collect and organize all Tier 1 evidence | $1,500-$3,000 |
| **Ongoing Compliance Monitoring** | Monthly evidence updates + drift detection | $300-$500/month |
| **Renewal Support** | Pre-fill application, coordinate with broker, provide evidence | $1,000-$2,000 |
| **Remediation Projects** | Fix gaps found in assessment (MFA deployment, EDR rollout, etc.) | Project-based |
The Email to Send Your Clients
> Subject: Your cyber insurance renewal — important changes for 2026
>
> Hi [Client Name],
>
> I wanted to give you a heads-up before your next cyber insurance renewal. Carriers have significantly tightened their requirements this year — they're now asking for documented evidence of security controls, not just yes/no answers on an application.
>
> We've been seeing clients get denied renewals or hit with major premium increases when they can't provide this evidence. I don't want that to happen to you.
>
> I'd like to run a quick assessment against what carriers are requiring in 2026 and build your evidence package ahead of your renewal. It's a straightforward process and we can have everything ready in a few weeks.
>
> When is your next renewal? I'd like to get started at least 60 days before.
Positioning to the Client
The pitch is simple: "If you can't prove your security controls are in place, your carrier can deny your claim — even if you actually had the controls."
The Travelers v. International Control Services case is your proof point. The carrier denied a $1M+ ransomware claim because MFA wasn't implemented as claimed on the application. This isn't theoretical — it's happening.
The MSP's Own Insurance Problem
Here's something most MSPs forget: you need cyber insurance too, and your carriers have the same requirements.
MSPs are classified as one of the highest-risk categories in cyber underwriting because of aggregation risk — one breach at your MSP can cascade to every client. That means:
- Your premiums are higher than your clients'
- Your underwriting is more scrutinized
- You need to demonstrate the same controls, plus:
  - Per-client credential isolation
  - Network segmentation between client environments
  - Documented change management processes
  - SOC or managed detection and response
If you're selling compliance to your clients but can't pass your own insurance underwriting, that's a credibility problem.
Timeline: When to Start for Each Client
| Months Before Renewal | Action |
|---|---|
| **90 days** | Run gap assessment against carrier requirements |
| **75 days** | Begin remediation of any gaps found |
| **60 days** | Build evidence package (Tier 1 documentation) |
| **45 days** | Review with client, fill gaps |
| **30 days** | Pre-fill carrier application with evidence references |
| **14 days** | Submit to broker with complete evidence package |
Starting 90 days out gives you time to fix problems. Starting 14 days out means you're scrambling and gaps become premium surcharges.
Key Takeaways
1. **Carriers want evidence, not checkboxes.** The days of self-attestation are over. If you can't prove it, you don't have it.
2. **7 controls are non-negotiable:** MFA, EDR, immutable backups, IR plan, patching, training, access controls. Missing any one can get a client denied.
3. **This is a revenue opportunity.** Insurance readiness assessments, evidence packages, and ongoing monitoring are high-margin, recurring services.
4. **Start 90 days before renewal.** Anything less and you're patching holes instead of building confidence.
5. **You need to pass too.** Your MSP is high-risk in carrier eyes. Get your own house in order.
The MSPs who figure this out first will own the relationship between their clients and their clients' insurance carriers. That's a stickiness moat no competitor can easily break.
*Need to automate the evidence collection process? Start your free trial of Nuronus — track MFA adoption, security scores, compliance status, and generate the audit-ready documentation carriers require, across all your clients from a single dashboard.*
#CyberInsurance #CyberInsuranceRequirements #CyberInsurance2026 #MSP #ManagedServiceProvider #InsuranceCompliance #CyberRisk #MFA #EDR #IncidentResponse #PatchManagement #SecurityAwareness #ComplianceForMSPs #InsuranceReadiness #RiskManagement #CyberInsuranceChecklist
Nuronus Team, MSP Compliance Experts
