Cyber insurance isn't optional anymore for most small businesses. If you process customer data, accept credit cards, store health records, or work with enterprise clients, your carrier is almost certainly asking about your security. And the questions have gotten a lot more specific in 2026.

Here's what carriers are requiring now, what's changed from previous years, and how to meet the bar without a massive IT budget.

What Carriers Require in 2026

Cyber insurance underwriters now evaluate applicants against a checklist of security controls. The specifics vary by carrier and policy size, but for policies over $1 million the most common requirements include:

Multi-Factor Authentication (MFA): This is now nearly universal. Carriers want to see MFA on email, VPN access, remote desktop, and administrative accounts. If you don't have MFA enabled, most carriers won't even quote you. This is the single most common reason applications get denied.

Endpoint Detection and Response (EDR): Traditional antivirus is no longer sufficient. Carriers expect endpoint detection tools that can identify and respond to behavioral threats, not just signature-based malware. Solutions like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint meet this requirement.

Penetration Testing: An increasing number of carriers now require annual penetration testing for policies above certain thresholds. This has accelerated sharply. Where three years ago only a handful of carriers asked for pentesting, the majority of policies over $1 million now include it as a requirement or strong recommendation.

Backup and Recovery: Carriers want to see that you have regular, tested backups stored offline or in a separate environment. The emphasis is on "tested." Having backups that you've never verified is almost as bad as having none.

Security Awareness Training: Annual security training for employees, particularly around phishing. Some carriers ask for documentation proving training was completed.

Patch Management: A documented process for applying security patches within 30 days of release. Critical patches should be applied within 14 days.

Why Penetration Testing Is Becoming Mandatory

The trend toward mandatory pentesting is driven by data. Carriers have seen that businesses with recent security assessments file fewer claims and recover faster when incidents occur. A penetration test gives the underwriter confidence that you've identified your most critical vulnerabilities and have a plan to address them.

What carriers specifically look for in a penetration testing report:

  • Testing was conducted by a credentialed professional (OSCP, GPEN, or equivalent)
  • Testing covered external network, internal network, and web applications (where applicable)
  • The report includes risk ratings and remediation guidance
  • Critical and high-severity findings have been addressed or have a remediation plan
  • The report is accompanied by an attestation letter confirming the testing was completed

Trident Shell includes an attestation letter formatted for underwriters with every cyber insurance engagement. It's designed to give carriers exactly what they're looking for.

Need a pentest for your insurance renewal? Trident Shell delivers carrier-ready reports with an attestation letter in 5 business days. Learn about our cyber insurance assessments

What's Changed from Previous Years

The biggest shift is that "recommended" has become mandatory. Three years ago, a small business could get a policy by answering a questionnaire honestly. Now carriers want documentation: configuration screenshots, training records, and testing reports.

The other big change is pricing. Businesses with strong security controls are seeing premium discounts of 15 to 25 percent. Businesses without them are seeing increases of 30 to 50 percent, or outright denials. A penetration test that costs a few thousand dollars can save you significantly more in premiums.

How to Meet Requirements on an SMB Budget

You don't need an enterprise security budget to satisfy your carrier. Here's a practical approach:

Start with MFA. If you do nothing else, enable multi-factor authentication on all critical systems. Microsoft 365 and Google Workspace include MFA at no additional cost. This is free and addresses the number one reason for policy denials.

Deploy EDR. Microsoft Defender for Endpoint is included in many Microsoft 365 Business Premium subscriptions. If you're already paying for Microsoft 365, you may already have access. For non-Microsoft environments, CrowdStrike Falcon Go starts at roughly $5 per endpoint per month.

Get a penetration test. This is where most SMBs stall, because they see enterprise pricing ($15,000 to $50,000) and assume it's out of reach. It doesn't have to be. Trident Shell delivers compliance-ready assessments with a 5-day turnaround. The report satisfies what your underwriter needs, and the premium discount typically covers the cost.

Document everything. Carriers want evidence. Keep records of MFA configuration, EDR deployment, backup test results, training completion, and penetration test reports. A simple shared folder with dates and screenshots goes a long way.

What Happens If You Don't Comply

The consequences of failing to meet carrier requirements have gotten more severe. At the mild end, your premiums increase at renewal. At the more serious end, your carrier may decline to renew your policy, and finding replacement coverage at a reasonable rate becomes difficult.

The worst scenario happens after an incident. If you file a claim and the carrier discovers that you misrepresented your security posture on the application, they can deny the claim. This means you've been paying premiums for coverage that won't be there when you need it.

Getting Started

The most efficient approach is to tackle requirements in the order that carriers prioritize them: MFA first, then EDR, then penetration testing. If your renewal is coming up in the next 90 days, start with the penetration test since it takes the most lead time.

If your renewal is coming up and you need a pentest to satisfy your carrier, Trident Shell can deliver a cyber insurance assessment with the attestation letter your underwriter needs in 5 business days. Reach out for a free 15-minute scoping call to talk through your timeline.