The questionnaire got harder. Most firms are not ready.
A few years ago, cyber insurance applications asked whether you had antivirus and backups. Check two boxes, get a policy.
That era is over. Carriers have paid out enough claims to know exactly which controls were missing when breaches happened. The questionnaires now reflect that knowledge. They ask about specific Microsoft 365 settings. They ask about MFA enforcement methods. They ask about privileged account controls and email authentication records.
When I work with law firms and CPA practices around Austin, this is where the renewal conversation falls apart. The managing partner gets a 12-page questionnaire, sends it to their IT person, and nobody actually knows the answer to half the questions. They guess. Sometimes they guess wrong.
If you answer a questionnaire inaccurately and then file a claim, the carrier will investigate your actual environment at the time of the policy. Misrepresentation, even unintentional, can be grounds for denial. You need to know the true answers.
MFA is table stakes. But carriers want to know which kind.
Almost every questionnaire asks whether you have multi-factor authentication enabled. That is no longer sufficient as a question or as an answer.
What underwriters actually want to know now is whether you have MFA enforced for all users (not just enabled), whether that includes administrative accounts, and whether you are using phishing-resistant MFA such as FIDO2 security keys, passkeys, or Windows Hello for Business. Microsoft Authenticator with number matching is a real improvement over a plain push approval, because it stops push-fatigue attacks, but it is not phishing-resistant: an adversary-in-the-middle phishing page that proxies the real login still captures the session. Be precise about which you have when you answer.
SMS-based MFA still counts, but several carriers are now explicitly distinguishing it from app-based or hardware-based methods when setting premiums. Some are beginning to exclude SMS from their definition of compliant MFA entirely.
What the right answer looks like
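As an added example of how to check the two things underwriters are really asking (who is registered with what, and whether anything forces MFA), the script below is written for this page and is not code from the original post or from Microsoft. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph modules are installed, that the signed-in account can read reports and policies (Global Reader is enough), and that the Graph scopes, method names, and policy property names are as Microsoft documents them for the userRegistrationDetails report and Conditional Access policies.

```powershell
# Added example (not from the original post): audit MFA registration and enforcement.
# Assumes the Microsoft.Graph SDK is installed (Install-Module Microsoft.Graph) and the
# signed-in account can read reports and policies (Global Reader is sufficient).
Import-Module Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All' -NoWelcome

# Method names as they appear in the userRegistrationDetails report.
$phishingResistant = @('fido2SecurityKey', 'passKeyDeviceBound', 'passKeyDeviceBoundAuthenticator', 'windowsHelloForBusiness')
$phoneBased        = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
$ssprOnly          = @('email', 'securityQuestion')    # password reset only, never satisfies MFA

# --- 1. Registration: who has MFA, and what kind? ---
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.UserType -eq 'member' }

$report = @(foreach ($d in $details) {
    $mfaMethods = @($d.MethodsRegistered | Where-Object { $_ -notin $ssprOnly })
    [pscustomobject]@{
        User              = $d.UserPrincipalName
        IsAdmin           = $d.IsAdmin
        MfaRegistered     = $d.IsMfaRegistered
        PhishingResistant = [bool]($mfaMethods | Where-Object { $_ -in $phishingResistant })
        # True when SMS or voice is the only second factor on file.
        PhoneOnly         = $mfaMethods.Count -gt 0 -and -not [bool]($mfaMethods | Where-Object { $_ -notin $phoneBased })
        Methods           = ($d.MethodsRegistered -join ', ')
    }
})

$unregistered = @($report | Where-Object { -not $_.MfaRegistered })
$phoneOnly    = @($report | Where-Object PhoneOnly)
"Members: $($report.Count)  Not MFA-registered: $($unregistered.Count)  SMS/voice only: $($phoneOnly.Count)"
'Admins without a phishing-resistant method:'
$report | Where-Object { $_.IsAdmin -and -not $_.PhishingResistant } | Format-Table User, MfaRegistered, Methods -AutoSize

# --- 2. Enforcement: is MFA required, or merely available? ---
# Security Defaults (available without Entra ID P1) require MFA for all users and block legacy auth.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# With Conditional Access, look for an enabled policy covering all users and all cloud apps that
# grants access only with MFA (the built-in 'mfa' control or an authentication strength).
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $null -ne $_.GrantControls.AuthenticationStrength.Id)
})
foreach ($p in $mfaPolicies) {
    # Every exclusion is a gap the carrier will ask about. A named break-glass account is the
    # one exclusion underwriters generally accept; excluded admin roles are not.
    [pscustomobject]@{
        Policy         = $p.DisplayName
        Strength       = $p.GrantControls.AuthenticationStrength.DisplayName
        ExcludedUsers  = @($p.Conditions.Users.ExcludeUsers  | Where-Object { $_ }).Count
        ExcludedGroups = @($p.Conditions.Users.ExcludeGroups | Where-Object { $_ }).Count
        ExcludedRoles  = @($p.Conditions.Users.ExcludeRoles  | Where-Object { $_ }).Count
    }
}
if (-not $defaults.IsEnabled -and $mfaPolicies.Count -eq 0) {
    Write-Warning 'MFA is not enforced tenant-wide: neither Security Defaults nor an all-users Conditional Access MFA policy is enabled.'
}
```

Run it before the questionnaire arrives and keep the output: the registration table is the evidence behind "all users including admins", and the policy table is the evidence behind "enforced, not just enabled". A policy in report-only state, or one whose exclusions list every admin role, will not satisfy either question.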
SPF, DKIM, and DMARC. Carriers now ask about all three.
Email authentication records are DNS settings that tell the world which servers are allowed to send email on your behalf. They also give receiving mail servers instructions on what to do with email that fails those checks.
Law firms and title companies are high-value targets for business email compromise. A criminal impersonates your domain, sends a wire transfer instruction to a client, and the client pays. Email authentication makes that significantly harder to pull off convincingly.
Carriers know this. Many questionnaires now ask specifically whether you have SPF, DKIM, and DMARC records configured, and what your DMARC policy is set to. The answers carriers want are as follows.
- SPF record exists and lists all authorized sending sources for your domain
- DKIM signing is enabled in Microsoft 365 for your custom domain (it is not on by default for custom domains: you publish the two selector CNAME records Microsoft gives you, then turn signing on)
- DMARC record exists with a policy of at minimum "quarantine," and ideally "reject"
- DMARC reporting is configured so you receive aggregate reports on authentication results
A DMARC policy set to "none" is better than nothing, because it turns on reporting, but carriers distinguish between monitoring mode and enforcement mode. A pct value below 100 has the same problem: the policy applies to only a sample of failing mail. If you are still at "none" at renewal, expect questions.
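The following script, added for this page (it is not from the original post), grades a domain's SPF, DKIM, and DMARC records the way a carrier's external scan would. It assumes Windows PowerShell or PowerShell 7 on Windows, since it uses Resolve-DnsName from the DnsClient module; the domain example.com is a placeholder to replace with your own, and the selector1/selector2 names are the ones Microsoft 365 uses for DKIM.

```powershell
# Added example (not from the original post): check SPF, DKIM and DMARC from the outside.
# 'example.com' is a placeholder; pass your own domain with -Domain. Needs no tenant access.
param([string]$Domain = 'example.com')

function Get-TxtRecords([string]$Name) {
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { -join $_.Strings }    # long records come back as 255-byte chunks
    } catch { @() }
}

$findings = [System.Collections.Generic.List[string]]::new()

# --- SPF: exactly one record, ending in a failure qualifier ---
$spf = @(Get-TxtRecords $Domain | Where-Object { $_ -match '^v=spf1(\s|$)' })
if ($spf.Count -eq 0) {
    $findings.Add('SPF: no record')
} elseif ($spf.Count -gt 1) {
    $findings.Add("SPF: $($spf.Count) records published; receivers treat that as permerror")
} else {
    if ($spf[0] -match '\+all\s*$')            { $findings.Add('SPF: +all lets anyone send as you') }
    elseif ($spf[0] -notmatch '[-~]all\s*$')   { $findings.Add('SPF: missing -all or ~all') }
    # RFC 7208 allows at most 10 DNS-querying terms. Counting top-level terms only (nested includes
    # add more), so this understates the real total.
    $lookups = ([regex]::Matches($spf[0], '(?i)(^|\s)[-+~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)')).Count
    if ($lookups -gt 10) { $findings.Add("SPF: $lookups DNS lookups at top level (limit is 10)") }
}

# --- DKIM: Microsoft 365 signs with selector1 and selector2 ---
$dkim = @(foreach ($s in 'selector1', 'selector2') {
    $key = Get-TxtRecords "$s._domainkey.$Domain" | Where-Object { $_ -match 'v=DKIM1' -or $_ -match '\bp=' }
    [pscustomobject]@{ Selector = $s; Published = [bool]$key }
})
if (-not ($dkim | Where-Object Published)) { $findings.Add('DKIM: no key at selector1/selector2; signing is not set up for this domain') }

# --- DMARC: policy, percentage, subdomain policy, reporting ---
$dmarcRecord = Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' } | Select-Object -First 1
$dmarc = @{}
if ($dmarcRecord) {
    foreach ($tag in $dmarcRecord -split ';') {
        $kv = $tag.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $dmarc[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $p = $dmarc['p']
    if ($p -eq 'quarantine')  { $findings.Add('DMARC: quarantine meets the minimum; most carriers want reject') }
    elseif ($p -eq 'none')    { $findings.Add('DMARC: p=none is monitoring only, not enforcement') }
    elseif ($p -ne 'reject')  { $findings.Add('DMARC: record has no valid p= tag') }
    if ($dmarc['pct'] -and [int]$dmarc['pct'] -lt 100) { $findings.Add("DMARC: pct=$($dmarc['pct']) enforces on only a sample of mail") }
    if ($dmarc['sp'] -and $dmarc['sp'] -ne $p)        { $findings.Add("DMARC: subdomain policy sp=$($dmarc['sp']) differs from p=$p") }
    if (-not $dmarc['rua'])                           { $findings.Add('DMARC: no rua= address, so nobody receives aggregate reports') }
} else {
    $findings.Add("DMARC: no record at _dmarc.$Domain")
}

$spfText = if ($spf.Count -eq 1) { $spf[0] } else { $null }
[pscustomobject]@{
    Domain   = $Domain
    SPF      = $spfText
    DKIM     = ($dkim | ForEach-Object { "$($_.Selector)=$($_.Published)" }) -join ' '
    DMARC    = $dmarc['p']
    Findings = $findings
} | Format-List
```

Save it as a .ps1 and run it with -Domain for every domain you send mail from, not only the primary one. A published DKIM key shows the CNAMEs exist; whether Microsoft 365 is actually signing is a separate switch, which you can confirm with Get-DkimSigningConfig in Exchange Online PowerShell or by inspecting the DKIM-Signature header on a message you send to an outside mailbox.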
Who has admin access, and do you actually know?
This is the question that exposes most small firms. Underwriters are asking about privileged access controls because compromised administrator accounts are responsible for the most expensive claims.
The specific questions vary by carrier, but the themes are consistent. How many accounts have Global Administrator rights in Microsoft 365? Are those admin accounts used for day-to-day work or only for administrative tasks? Are you using Privileged Identity Management to require just-in-time elevation for admin tasks? (PIM requires Entra ID P2, which Business Premium does not include; without it, the answer carriers will accept is separate admin accounts with standing access kept to the minimum.)
When I run assessments, I routinely find firms where every person in IT (or their IT vendor) has standing Global Admin access. Sometimes the owner has a Global Admin account they use to check email. Both are problems that carriers are now looking for.
Microsoft's own guidance is to keep the number of Global Administrators below five, and to have at least two so that losing one account does not lock you out of the tenant, with those accounts used only for admin tasks and not for daily email or productivity work. Having a dedicated admin account separate from your regular user account is a basic control that carriers expect.
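Here is an added example, written for this page rather than taken from the original post, that lists the current Global Administrators and flags the ones that look like everyday accounts. It assumes the Microsoft.Graph SDK and a reader role such as Global Reader. The "has a licensed mailbox" test is a heuristic of mine, not a Microsoft rule: a dedicated admin account normally has no Exchange license, so an admin with a provisioned mailbox plan is probably also someone's daily email account.

```powershell
# Added example (not from the original post): list Global Administrators and flag accounts that
# look like daily-use accounts. Assumes the Microsoft.Graph SDK and a reader role (Global Reader).
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'User.Read.All' -NoWelcome

# Role template ID for Global Administrator; it is the same in every tenant.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role    = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$admins = @(foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # Service principals and role-assignable groups can hold the role too; surface them as-is.
        [pscustomobject]@{ Principal = $m.AdditionalProperties['displayName']; Type = $type; Enabled = $null; HasMailbox = $null; Flags = 'non-user principal' }
        continue
    }
    $u = Get-MgUser -UserId $m.Id -Property id, userPrincipalName, accountEnabled, userType
    # Heuristic (an assumption for this example, not a Microsoft rule): an admin account with a
    # provisioned Exchange mailbox plan is probably also someone's everyday email account.
    $plans = Get-MgUserLicenseDetail -UserId $u.Id | ForEach-Object { $_.ServicePlans }
    $hasMailbox = [bool]($plans | Where-Object {
        $_.ServicePlanName -match '^EXCHANGE_S_(STANDARD|ENTERPRISE|DESKLESS)' -and $_.ProvisioningStatus -eq 'Success'
    })
    $flags = @()
    if ($hasMailbox)             { $flags += 'licensed mailbox: daily-use account?' }
    if ($u.UserType -eq 'Guest') { $flags += 'guest account holds Global Admin' }
    if (-not $u.AccountEnabled)  { $flags += 'disabled but still assigned' }
    [pscustomobject]@{
        Principal  = $u.UserPrincipalName
        Type       = 'user'
        Enabled    = $u.AccountEnabled
        HasMailbox = $hasMailbox
        Flags      = ($flags -join '; ')
    }
})

$admins | Format-Table -AutoSize
if ($admins.Count -ge 5) { Write-Warning "$($admins.Count) Global Administrators; Microsoft recommends fewer than five." }
if ($admins.Count -lt 2) { Write-Warning 'Only one Global Administrator; losing that account locks you out of the tenant.' }
```

This shows active members only, which is what "standing access" means on the questionnaire. If you use PIM, accounts that are eligible but not currently activated will not appear, which is the state you want; the eligibility list lives in the Microsoft.Graph.Identity.Governance cmdlets. An IT vendor's account on this list with a mailbox is worth a conversation before renewal, not after a claim.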
Microsoft 365 is not a backup. Carriers know this now.
This is still a common misconception. Microsoft 365 keeps your data available and provides some limited recovery options, but it does not replace a backup solution. Microsoft's own service agreement makes this clear.
Cyber insurance questionnaires now ask specifically whether you have a backup solution separate from your primary Microsoft 365 tenant, how frequently backups run, how long backups are retained, and whether you have tested restoration. The testing question catches most firms.
- Backup frequency: daily is the minimum carriers want to see; hourly or continuous is better
- Retention: 30 days is common, but some carriers want 90 days for ransomware scenarios where encryption goes undetected for weeks
- Immutability: can your backups be deleted or encrypted by a ransomware attack? Carriers are asking whether your backup storage is immutable or air-gapped
- Tested restoration: when was the last time you actually restored something from backup and confirmed it worked? If you cannot answer this with a date and a description of what was restored, you cannot credibly answer yes when the questionnaire asks whether your backups are tested
Endpoint detection and legacy protocol questions.
Carriers are asking whether you have endpoint detection and response (EDR) on all devices, not just traditional antivirus. Microsoft Defender for Business, included in Microsoft 365 Business Premium, qualifies, but only for devices that are actually onboarded; a license sitting in the tenant protects nothing. Basic antivirus alone is increasingly insufficient for favorable terms.
The legacy authentication question is one firms consistently struggle with. Legacy protocols such as Basic Authentication (used by POP, IMAP, SMTP AUTH, and older ActiveSync and Outlook clients) present a username and password only and cannot complete an MFA challenge, so Conditional Access cannot require MFA from them; it can only block them. Microsoft turned Basic Auth off permanently for Exchange Online between October 2022 and January 2023, with one exception: SMTP AUTH, which can still be enabled tenant-wide or per mailbox and is often left on for scanners and line-of-business applications. Carriers are asking whether legacy authentication is blocked. The correct answer is yes, and you should be able to prove it with an enabled Conditional Access policy that blocks legacy clients (or Security Defaults, which does the same) and with Entra ID sign-in logs showing no successful legacy sign-ins.
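The script below is an added example for this page, not code from the original post or from Microsoft, showing three independent ways to verify the legacy-auth answer: the policy that is supposed to block it, the sign-in evidence that it is actually blocked, and the SMTP AUTH switch that the 2022 change left alone. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a reader role in both Entra and Exchange Online, and Entra ID P1 for the sign-in log query (Business Premium includes P1).

```powershell
# Added example (not from the original post): three checks that legacy authentication is blocked.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules; sign-in logs need Entra ID P1.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports, ExchangeOnlineManagement
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# --- 1. Policy: Security Defaults, or an enabled CA policy that blocks legacy client apps for everyone ---
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$blockPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and                                   # report-only does not block anything
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and           # 'other' is the legacy/Basic Auth bucket
    $_.GrantControls.BuiltInControls -contains 'block'
})
"Security Defaults: $($defaults.IsEnabled)   Legacy-auth block policies: $($blockPolicies.DisplayName -join ', ')"

# --- 2. Evidence: any legacy sign-ins in the last 7 days? ---
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$modern = @('Browser', 'Mobile Apps and Desktop Clients')   # everything else is legacy or unknown
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern }
# A row with Success = True means a legacy client got in: a password alone was enough.
$legacy |
    Select-Object ClientAppUsed, UserPrincipalName, @{ n = 'Success'; e = { $_.Status.ErrorCode -eq 0 } } |
    Group-Object ClientAppUsed, UserPrincipalName, Success |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# --- 3. SMTP AUTH: the Basic Auth protocol Microsoft did not turn off ---
Connect-ExchangeOnline -ShowBanner:$false
"SMTP AUTH disabled tenant-wide: $((Get-TransportConfig).SmtpClientAuthenticationDisabled)"
# A per-mailbox value of $false overrides the tenant setting and re-enables Basic Auth for that mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

The answer you want is Security Defaults on or at least one block policy listed, an empty sign-in table, SMTP AUTH disabled tenant-wide, and no mailboxes in the last list. Where a scanner or application genuinely needs SMTP AUTH, document the mailbox and why, because that is exactly the exception a carrier will ask about.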
The documentation question is not about paperwork.
Several questionnaires now ask whether you have a written information security policy, an incident response plan, and a vendor management process. For a 10-person law firm, this sounds like enterprise overhead.
It is not. What carriers want to see is evidence that you have thought about these things before an incident. A one-page incident response plan that covers who to call, who is responsible for what, and what the first 24 hours look like is infinitely better than nothing.
Carriers are also asking about security awareness training. Did employees receive training in the past 12 months? Do you have records of it? Phishing simulation is not required but noted favorably.
The firms that get the best terms are not the ones with the most technology. They are the ones who can answer every question with documented evidence.
What to do before your next renewal.
Do not wait for the questionnaire to arrive. Pull last year's questionnaire now and go through it with your IT provider. For every question you cannot confidently answer, you have identified a gap that needs to close before renewal.
The specific items to verify in your Microsoft 365 environment are as follows.
- Confirm MFA is enforced via Conditional Access for all users, including admins
- Verify SPF, DKIM, and DMARC records are configured with DMARC at quarantine or reject
- Audit Global Administrator accounts and confirm they are fewer than five and used only for admin tasks
- Confirm legacy authentication is blocked via Conditional Access policy
- Verify you have a third-party backup solution for Microsoft 365 with tested restoration
- Confirm EDR is deployed on all endpoints
- Locate or create an incident response document, even a basic one-pager
- Pull records of any security awareness training from the past 12 months
If your IT provider cannot help you verify these items or does not know the answers, that is useful information about both your security posture and your IT relationship.
Not sure how your M365 environment stacks up?
A Lowery Solutions security assessment covers every item carriers are asking about, with findings documented and ready for your renewal questionnaire.
Get a Security Assessment
Built for Austin law firms, CPA practices, and title companies.