The application became a control audit with legal consequences. The seven gates carriers test, the attestation gap that voids claims, and the limits question almost nobody quantifies.
Cyber insurance underwriting in 2026 is control-gated: MFA everywhere that matters, EDR coverage, tested and isolated backups, privileged access management, patching discipline, an exercised incident response plan, and email security are the table stakes — weak answers mean higher premiums, sub-limits, or no quote. Two things matter as much as the controls themselves: attestation accuracy (misstatements on the application are grounds for claim denial or rescission, and carriers check after incidents) and limits sizing (most organizations pick coverage limits by budget or peer gossip rather than quantified exposure — which is how companies end up confidently insured for half their actual risk).
The cyber insurance market has matured out of its chaos era: after years of premium spikes, the market has stabilized and grown more competitive — but underwriting rigor stayed. Applications that were once two pages of self-attestation are now control audits with consequences. Here's what carriers actually check, and the two failure modes that cost organizations more than any premium.
| Control domain | What underwriters look for |
|---|---|
| MFA | Remote access, email, privileged accounts, and increasingly all users — with quality scrutiny (phishing-resistant methods earn credit; SMS draws questions) |
| Endpoint detection | EDR/MDR deployed across the fleet, with someone actually watching it — 24/7 monitoring (in-house or managed) is the differentiator |
| Backups | Offline or immutable copies, segmented from production credentials, with documented restoration testing — "we have backups" without test evidence earns no credit |
| Privileged access | PAM tooling or compensating process, separation of admin accounts, removal of standing privileges |
| Patching & exposure | Cadence for critical vulnerabilities, external attack surface hygiene — carriers scan you before quoting, and findings show up in the conversation |
| Incident response | A written, exercised plan with defined roles — tabletop evidence increasingly requested |
| Email security | Filtering, anti-phishing controls, and awareness training — because BEC remains a top loss driver |
The application is a legal document. When a claim arrives, carriers compare the incident's forensics against what was attested — and "MFA: yes" that turns out to mean "MFA: mostly, except the legacy VPN the attacker used" is how claims get contested and policies rescinded. The defense isn't optimism; it's evidence: knowing, with documentation, exactly where each attested control is and isn't deployed before signing. An honest application with a documented exception negotiates better than a confident one that fails forensic review.
Ask most organizations why they carry $5M in cyber coverage and the honest answer is "it's what we could afford" or "it's what peers carry" — the same benchmark logic that fails for security budgets fails for insurance limits. Coverage sizing is an exposure question: what's your modeled loss distribution, what would the plausible bad scenarios actually cost, and where do deductibles, sub-limits (ransomware sub-limits are common and commonly missed), and exclusions leave you holding the bag? That's a quantification exercise — it's the insurance gap analysis Foundations performs, comparing your policy's real terms against your modeled Annual Loss Expectancy and Revenue at Risk, so the limit you carry is a derived number rather than a guess in either direction. Over-insuring is quieter than under-insuring, but it's the same error: spend uncalibrated to exposure.
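The quantification exercise above, as an added example that is neither Foundations' tooling nor code from the original post: a toy gap analysis in Python that applies a policy's deductible, per-peril sub-limits and aggregate limit to a modeled loss distribution expressed as discrete scenarios, reports how much of the modeled ALE the policy actually returns and where sub-limits bite, and derives the limit a retained-loss tolerance implies. The scenario table, the policy terms, and the rule that sub-limits cap the payout after the deductible are constructed assumptions, not market data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    name: str
    peril: str
    probability: float  # annual probability the scenario occurs
    loss: float         # gross cost if it does (response, downtime, legal, extortion)


@dataclass(frozen=True)
class Policy:
    limit: float        # aggregate limit
    deductible: float   # retention per event
    sublimits: dict = field(default_factory=dict)  # peril -> cap on payout for that peril


def payout(policy: Policy, s: Scenario) -> float:
    """Carrier pays the loss above the deductible, capped by the peril sub-limit and the limit."""
    after_deductible = max(0.0, s.loss - policy.deductible)
    return min(after_deductible, policy.sublimits.get(s.peril, policy.limit), policy.limit)


def gap_analysis(policy: Policy, scenarios: list[Scenario]) -> dict:
    """Modeled ALE versus what the policy actually returns, plus where sub-limits bite."""
    ale = sum(s.probability * s.loss for s in scenarios)
    expected_payout = sum(s.probability * payout(policy, s) for s in scenarios)
    retained = {s.name: s.loss - payout(policy, s) for s in scenarios}
    # A sub-limit "binds" when it, rather than the deductible or the aggregate limit, cut the payout.
    binds = [s.name for s in scenarios if s.peril in policy.sublimits
             and payout(policy, s) < min(max(0.0, s.loss - policy.deductible), policy.limit)]
    return {"ale": ale, "expected_payout": expected_payout, "expected_retained": ale - expected_payout,
            "worst_retained": max(retained.values()), "sublimit_binds": binds}


def required_limit(scenarios: list[Scenario], deductible: float,
                   max_retained: float, min_probability: float) -> float:
    """Smallest aggregate limit (ignoring sub-limits) that keeps every scenario at least as
    likely as min_probability within the retained-loss tolerance: a limit derived from exposure."""
    if max_retained < deductible:
        raise ValueError("tolerance below the deductible cannot be met by any limit")
    plausible = [s for s in scenarios if s.probability >= min_probability]
    return max([0.0] + [s.loss - max_retained for s in plausible])


# Constructed scenario table and policy terms; illustrative figures, not market data.
SCENARIOS = [
    Scenario("BEC wire fraud", "social_engineering", 0.10, 400_000),
    Scenario("Ransomware, clean recovery", "ransomware", 0.05, 3_000_000),
    Scenario("Ransomware, extended outage", "ransomware", 0.01, 12_000_000),
    Scenario("Breach notification and defense", "privacy", 0.03, 1_500_000),
]
POLICY = Policy(limit=5_000_000, deductible=100_000,
                sublimits={"ransomware": 1_000_000, "social_engineering": 250_000})
```

With these constructed terms the $5M headline limit is never what caps a payout; the ransomware sub-limit is, which is exactly the "commonly missed" gap the paragraph describes.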
The same evidence that satisfies underwriters satisfies everyone else interrogating your posture — customers, regulators, auditors. Organizations whose controls and evidence live in one mapped pool walk into renewals with documentation instead of recollection, answer carrier supplementals in hours, and — because quantified risk reduction is legible — can actually argue their premium. The renewal stops being an annual scramble and becomes a report from a system that already exists.
Foundations’ insurance gap analysis compares your policy’s real terms against your modeled loss distribution—so coverage is a derived number, not a guess.