Your cyber insurance renewal is no longer a paperwork exercise. It is a security audit — and a significant number of Illinois small businesses are failing it without ever knowing why until the premium arrives with a number they did not expect, or the carrier comes back with a decline. If your renewal is coming up in the next six to twelve months, this is worth reading now, not after you have already submitted the application.
Why Cyber Insurance Became This Complicated
Carriers did not tighten their requirements because they felt like it. They did it because the losses forced them to. The global cyber insurance market reached an estimated $16.3 billion in premiums in 2025 — nearly triple what it was five years ago. That growth came with a wave of claims that taught insurers something important: the businesses that got hit hardest were almost always the ones with the same few security gaps. Missing multi-factor authentication. Untested backups. No written incident response plan. Employees who had never seen a phishing simulation.
So, underwriters stopped taking your word for it. According to Marsh McLennan’s 2025 Cyber Insurance Market Report, 99% of cyber insurance applications now include specific questions about MFA implementation. Coalition’s 2024 Cyber Claims data found that 82% of denied claims involved organizations that lacked properly implemented MFA across their environment. Meanwhile, 41% of applications are denied on first submission — with missing MFA and inadequate endpoint protection as the top two reasons.
That is not a niche problem. That is nearly half of all applicants walking in underprepared.
The Controls Carriers Now Require — And What "Proof" Actually Means
Here is where most business owners get tripped up. The questionnaire does not ask whether you have a control. It asks whether you can prove you have it, that it is enforced everywhere it should be, and that it was working at the time of any incident. Those are three very different things.
Multi-Factor Authentication (MFA) is the single most scrutinized control on any application. Carriers expect MFA enforced on email, VPN connections, remote desktop access, cloud platforms, and all administrative accounts — not just available as an option for employees who choose to use it. A manufacturing company in Elk Grove Village that has MFA turned on for email but not for the VPN their engineers use to access the production floor network has a gap that will matter enormously if something goes wrong. Carriers are specifically asking about remote access MFA, and it is the most overlooked piece.
Endpoint Detection and Response (EDR) has fully replaced traditional antivirus as the baseline expectation. Legacy antivirus matches files against known signatures. EDR monitors behavior in real time and can isolate a compromised device automatically before an attacker moves laterally. Ransomware was linked to 75% of system-intrusion breaches in 2025 — and most of those attacks rely on lateral movement that EDR is specifically designed to catch and stop. Carriers want to know your EDR is deployed on every endpoint, not just managed machines.
What counts as an endpoint is also broader than most business owners realize. Networked devices that most IT companies never touch — IP cameras, building access control readers, smart locks — are part of your attack surface and increasingly part of how underwriters think about your environment. A keycard reader running unpatched firmware on your business network is an endpoint. If an attacker uses it to get onto your network, the question of whether your “endpoint protection” covered it becomes very relevant very fast. We wrote about this specific risk in detail here: Why Your Building Access System Is Now a Cybersecurity Risk.
Immutable, Tested Backups are required because attackers know backups are their biggest obstacle. Research found that 94% of organizations hit by ransomware saw threat actors attempt to target their backups first. Insurers now ask whether your backups are immutable or air-gapped, how often restore tests are conducted, and whether you have documentation of those tests. Saying “yes, we have backups” and producing a log of the last successful restore test are two entirely different answers to the same question.
A Written, Tested Incident Response Plan is no longer optional for most policies. Carriers want a document that identifies who does what in the first hour of an incident, who calls the insurer, who calls legal counsel, and how the business communicates with clients and staff. They increasingly ask whether the plan has been tested through a tabletop exercise in the past 12 months. A non-profit in Schaumburg managing donor records and beneficiary data that has never walked through a breach scenario is not just underprepared for an actual incident — it is also underprepared for a renewal conversation.
Employee Security Awareness Training with documented completion records is now a standard line item on carrier questionnaires. Human error was a factor in 68% of breaches globally in 2024, according to Verizon’s Data Breach Investigations Report. Insurers want to see that your staff has been trained in the past year, that training includes phishing simulation, and that you can produce records showing who completed it.
The most important shift in cyber insurance underwriting is this: carriers no longer ask “do you have these controls?” They ask “can you prove these controls were fully enforced at the time of the incident?” Those are not the same question — and the gap between them is where most claims get denied.
The Scenario That Plays Out More Often Than It Should
A professional services firm — the kind that handles client financial information, drafts contracts, manages sensitive personnel files — comes up for cyber insurance renewal. Their IT situation is typical: someone set up Microsoft 365 a few years ago, there is an antivirus product on the computers, and backups run automatically to a cloud folder. They answer the carrier’s questionnaire honestly based on what they believe is true. MFA: yes. Backups: yes. Endpoint protection: yes.
Six months later they have a business email compromise incident. An employee’s credentials were stolen through a phishing email. The attacker spent three weeks in the environment before anyone noticed. The claim goes to the insurer.
The investigation reveals that MFA was enabled for email but not for the SharePoint environment where client documents were stored. The “backups” were synced folders that the attacker had already accessed and modified. The antivirus product had not been updated in four months. The claim is denied based on misrepresentation of security controls.
This is not a hypothetical. A significant portion of claim denials involves honest misrepresentation — businesses that believed they had controls in place and answered accordingly, only to find out after a breach that implementation did not match attestation. The International Control Services v. Travelers case is a documented real-world example: Travelers denied coverage after discovering MFA was implemented on the firewall but not on the remote access system the attackers used.
How to Get Ahead of Your Next Renewal
Start 60 to 90 days before your renewal date, not the week before. That is the window underwriters identify as necessary for businesses that discover gaps and need time to close them before applying. Rushing a renewal means either answering inaccurately or walking in with known gaps.
Build what underwriters call a proof packet before you touch the questionnaire. This means MFA enforcement screenshots showing which accounts and systems are covered, EDR deployment reports showing coverage percentage across endpoints, backup logs with restore test results and dates, training completion records for the past 12 months, and a dated incident response plan with any tabletop exercise notes attached.
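The controls above and the proof packet they feed are easiest to reason about when the checks are actually computed rather than eyeballed. The Python script below is an added example, not BSGtech's tooling and not any carrier's questionnaire logic: it takes constructed exports (an identity list with the surfaces each account uses and where MFA is enforced, an asset inventory against an EDR console report, a backup record with its restore-test log, and training completion dates) and produces the gap list you would want closed before submitting. The account and host names, the 90-day restore-test window, the 12-month training window, and the sample data are all assumptions; in practice the constants would be replaced with exports from your identity provider, EDR console, backup platform and training system.

```python
# Added example: pre-renewal "proof packet" gap check over constructed data.
# Not BSGtech code; every name, date and threshold below is an assumption.
from datetime import date

AS_OF = date(2026, 3, 1)   # constructed "today" so the output is reproducible
STALE_DAYS = 90            # assumption: a restore test older than this is stale
TRAINING_DAYS = 365        # carriers ask for training completed in the past year
MFA_REQUIRED = {"email", "vpn", "rdp", "cloud"}  # surfaces carriers ask about

# Constructed identity export: surfaces each account uses, and where MFA is enforced.
ACCOUNTS = [
    {"user": "alice", "admin": True,  "uses": {"email", "cloud"},        "mfa": {"email", "cloud"}},
    {"user": "bob",   "admin": False, "uses": {"email", "vpn"},          "mfa": {"email"}},
    {"user": "carol", "admin": False, "uses": {"email", "rdp", "cloud"}, "mfa": {"email", "cloud"}},
    {"user": "svc-backup", "admin": True, "uses": {"cloud"},             "mfa": set()},
]

# Constructed asset inventory and EDR console export (hostname -> agent healthy).
# Cameras and door readers are in the inventory on purpose: they are endpoints too.
ASSETS = ["ws-01", "ws-02", "srv-files", "cam-lobby", "door-reader-1"]
EDR_AGENTS = {"ws-01": True, "ws-02": True, "srv-files": False}

# Constructed backup configuration and restore-test log (date, outcome).
BACKUP = {"immutable": False}
RESTORE_TESTS = [(date(2025, 9, 14), "success"), (date(2026, 1, 20), "failed")]

# Constructed training export: last completed awareness/phishing-simulation course.
TRAINING = {"alice": date(2025, 6, 3), "bob": date(2026, 2, 10), "carol": None}


def mfa_gaps(accounts):
    """Return {user: surfaces lacking enforced MFA}. Admin accounts must have MFA on
    every surface they use; other accounts on the surfaces carriers scrutinise."""
    gaps = {}
    for acct in accounts:
        required = acct["uses"] if acct["admin"] else acct["uses"] & MFA_REQUIRED
        missing = required - acct["mfa"]
        if missing:
            gaps[acct["user"]] = sorted(missing)
    return gaps


def edr_coverage(assets, agents):
    """Coverage percentage over the whole inventory, plus hosts with no healthy agent."""
    uncovered = [host for host in assets if not agents.get(host, False)]
    pct = round(100 * (len(assets) - len(uncovered)) / len(assets), 1)
    return pct, uncovered


def backup_findings(backup, tests, as_of):
    """Findings an underwriter would raise: not immutable, or no recent successful restore."""
    findings = []
    if not backup["immutable"]:
        findings.append("backups are not immutable or air-gapped")
    successes = [day for day, outcome in tests if outcome == "success"]
    if not successes:
        findings.append("no successful restore test on record")
    elif (as_of - max(successes)).days > STALE_DAYS:
        findings.append(f"last successful restore test {max(successes)} is older than {STALE_DAYS} days")
    return findings


def training_overdue(training, as_of):
    """Users with no completion, or a completion older than the training window."""
    return sorted(u for u, day in training.items()
                  if day is None or (as_of - day).days > TRAINING_DAYS)


def gap_report(as_of=AS_OF):
    """Assemble the findings that belong in (or block) the proof packet."""
    pct, uncovered = edr_coverage(ASSETS, EDR_AGENTS)
    return {
        "mfa_gaps": mfa_gaps(ACCOUNTS),
        "edr_coverage_pct": pct,
        "edr_uncovered": uncovered,
        "backup_findings": backup_findings(BACKUP, RESTORE_TESTS, as_of),
        "training_overdue": training_overdue(TRAINING, as_of),
    }


if __name__ == "__main__":
    for key, value in gap_report().items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report flags exactly the kinds of gaps the article describes: a user with VPN access but MFA only on email, an RDP user without MFA, an administrative service account with no MFA at all, EDR coverage of 40% once the camera and door reader are counted, a non-immutable backup whose last successful restore test is months old, and one employee with no training record. Each finding maps to a questionnaire line, which is the point of building the packet before the application rather than after.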
If you are working with a managed IT provider, they should be able to produce all of this documentation on your behalf. If they cannot — if the question “can you show me our MFA enforcement coverage report?” produces a blank look — that is a gap worth addressing before your renewal, not after.
S&P Global Ratings has forecast a 15 to 20% premium increase in 2026 following two years of declining rates, driven by a 126% increase in ransomware incidents in Q1 2025 and an 800% surge in credential theft. Businesses with documented, enforced controls in place have seen premiums stabilize or drop significantly compared to those without. The math on getting this right before renewal is not complicated.
Frequently Asked Questions
Why did my cyber insurance renewal get denied?
The most common reasons are missing or inadequately enforced MFA, lack of EDR on all endpoints, and untested backups. Coalition’s 2024 data found that 82% of denied claims involved organizations without fully implemented MFA. A close second is misrepresentation — answering “yes” to a control that was only partially in place.
Does my business actually need cyber insurance?
If you store client data, process payments, rely on networked systems to operate, or hold any personally identifiable information — yes. The average cost of a data breach globally was $4.88 million in 2024, and for businesses under 500 employees that figure was $3.31 million. Cyber risk insurance coverage is one part of a broader risk strategy, not a replacement for controls.
What is the difference between cyber insurance and general liability for a cyberattack?
General liability policies do not cover cyber incidents. Cyber risk insurance covers costs specific to data breaches and network attacks — forensic investigation, legal fees, client notification, regulatory fines, ransomware response, and business interruption. They are separate products and one does not substitute for the other.
How do I know if my current IT setup meets cyber insurance requirements?
The most reliable way is a pre-renewal gap assessment conducted against your specific carrier’s questionnaire. Your IT provider should be able to map your current controls to what the application asks and identify anything that is missing or underdocumented before you submit. If you are unsure where to start, a cybersecurity risk assessment is the right first step.
Your Next Step
If you want to know exactly where your business stands before your next cyber insurance renewal, contact BSGtech for a straightforward consultation — we will review your current environment against what carriers are requiring in 2026 and tell you honestly what is in place and what is not.