Cyber insurance is the policy that transfers part of the financial impact of a security incident to an insurer: business downtime, the technical response, breach notification and third-party claims. In 2026 the market looks very different from three years ago. Premiums have stabilised after the 2022 and 2023 peak, but insurers no longer write policies for anyone. Before issuing a quote they require minimum technical controls and, increasingly, evidence that those controls actually work. This guide explains what a cyber insurance policy covers for businesses, the exclusions hidden in the fine print, the requirements insurers now demand, and how a recent pentest or audit directly shapes the cyber insurance price you end up paying.
What Cyber Insurance Is
Cyber insurance covers risks that traditional liability or property policies exclude by design: business interruption from a ransomware encryption event, the forensic cost of a breach, customer claims after a data leak, or digital extortion. It is not a homogeneous product. Each insurer defines its own wording, sublimits and specific conditions, so two policies with the same headline limit can protect you very differently.
Think of it as one more piece of your risk management programme, not a substitute for controls. Risk transfer (the insurance) comes after you have identified, treated and mitigated the risk with technical measures. That is exactly the order that methodologies such as Magerit prescribe: first you value the asset and the threat, then you apply safeguards, and only the residual risk is transferred to a third party.
What Cyber Insurance Covers in 2026
Coverages fall into two broad blocks: first-party losses (your own damage) and third-party liability.
First-Party Coverages
- Business interruption: lost profit and extraordinary expenses while systems are down. There is usually a time deductible (the first 8 or 12 hours do not count, for example) and a maximum indemnity period.
- Incident response and DFIR: fees for the response team, forensic analysis, containment and recovery. Many policies require you to use providers from the insurer's closed panel.
- Data and system restoration: the cost of rebuilding information and applications from backups.
- Cyber extortion: managing the negotiation and, in some policies, the ransom payment itself, almost always with a sublimit far below the aggregate limit.
- Notification and crisis management costs: communication to affected parties, PR, and credit monitoring for those impacted.
Third-Party Coverages
- Data breach liability: claims from customers, employees or suppliers whose data was compromised.
- Legal defence against proceedings arising from the incident.
- Administrative fines only where they are legally insurable. This point is delicate: GDPR fines may be uninsurable on public-policy grounds in some jurisdictions, and the policy usually limits cover to defence costs, not the fine amount.
Sublimits and Deductibles You Must Read
The headline limit is misleading. What really determines how much you collect is the sublimit on each specific coverage (extortion, social engineering or BEC fraud, systemic events) and the deductible or retention you carry per claim. A policy with a 2,000,000 euro limit may carry a 250,000 euro extortion sublimit and a 25,000 euro deductible per incident. Reading these figures before signing avoids surprises when they matter most.
Common Cyber Insurance Exclusions
Exclusions are where most claims are lost. The most frequent in 2026 are:
- Known, unpatched vulnerabilities: if the incident is exploited through a public CVE that has had a patch available for months, the insurer can deny the claim on grounds of negligence.
- War and nation-state clauses: following the Lloyd's market war exclusion clauses (LMA5564 and its successors), attacks attributed to a state or a state-backed actor can fall outside cover.
- Failure to maintain declared controls: if you declared MFA on all remote access in the questionnaire and the attacker enters through an access point without MFA, the insurer can invoke misrepresentation and void the policy.
- International sanctions: payments to groups listed by OFAC or the EU are excluded, just as they weigh on the decision to pay a ransomware ransom.
- Betterment and upgrades: the policy pays to restore the system to its prior state, not to improve it.
Minimum Requirements Insurers Demand in 2026
No serious insurer quotes today without a thorough technical questionnaire. These are the controls that have become a condition to be insured and, above all, to be paid:
MFA at the Perimeter and on Privileged Access
Multi-factor authentication on VPN, email, remote access (RDP), exposed applications and administrator accounts is the number-one requirement. Its absence is now a direct reason to decline a quote.
EDR or XDR Deployed
An endpoint detection and response solution with genuine containment capability is no longer optional for the mid and high range of sums insured.
Tested, Offline Backups
Having backups is not enough. Insurers ask for immutable or disconnected copies (the 3-2-1 rule) and, increasingly, evidence of tested restores. A backup that has never been recovered does not reduce interruption risk.
A Recent Pentest or Audit
The most significant change of 2025 and 2026 is that insurers value (and in higher tiers require) a recent penetration test or cybersecurity audit, with evidence that critical findings have been remediated. Vulnerability management and awareness training complete the list.
How a Pentest or Audit Lowers the Premium
The underwriter's logic is simple: less perceived risk, lower premium. A pentest or audit influences the cyber insurance price through several concrete channels:
- An honest, verifiable questionnaire: you can answer the underwriting form with data backed by a technical report rather than estimates. This reduces the risk of a claim being voided for misrepresentation.
- Evidence of remediation: showing that critical and high findings have been fixed demonstrates maturity and lowers the premium or improves terms at renewal.
- Segmentation and exposed surface: an external penetration test documents what is exposed and confirms there are no forgotten services, a factor underwriters value.
- Renewal condition: many mid-tier policies now make renewal contingent on an annual pentest. Without it, cover does not continue.
In practice, aligning your testing programme with what the insurer requires is the most direct way to make cyber insurance stop being a rigid expense and start reflecting your real security posture.
How Much Cyber Insurance Costs
The cyber insurance price depends on revenue, sector, the sum insured, the deductible and, above all, the controls in place. As a rough guide, in Spain an SME with basic controls and modest limits (between 250,000 and 1,000,000 euros) may pay annual premiums from several hundred to a few thousand euros. From there, regulated or critical sectors, higher limits and prior claims raise the figure quickly. Two companies of the same size can pay very different premiums if one has MFA, EDR, tested backups and a recent pentest and the other does not. The control is, quite literally, the price.
Cyber Insurance for SMEs
Cyber insurance for SMEs deserves its own mention because small and mid-sized businesses tend to underestimate their exposure. An SME is rarely a targeted objective, but it is a frequent victim of opportunistic ransomware campaigns and email fraud. For this profile, the recommendation is to start with the minimum controls any insurer requires (MFA, EDR, offline backups) and take out a limit proportional to the cost of a multi-day outage. The policy does not replace basic hygiene: if you cannot answer the questionnaire honestly with a yes, you probably will not withstand the incident the insurance is meant to cover either. The same effort that lets you insure at a good price is the one that reduces the probability of ever having to claim.
Frequently asked questions
What does cyber insurance cover?
It covers first-party losses (business interruption, DFIR incident response and forensics, data restoration, cyber extortion with a sublimit, and notification costs) and third-party liability (data breach claims and legal defence). The real scope depends on each policy's sublimits, deductibles and exclusions, so two policies with the same sum insured can protect very differently.
How much does cyber insurance cost for a business?
There is no single price. It depends on revenue, sector, the sum insured, the deductible and the controls in place. An SME with basic controls and modest limits typically pays premiums from several hundred to a few thousand euros a year. Having MFA, EDR, tested backups and a recent pentest lowers the premium directly compared with an equivalent company without those controls.
What requirements do insurers ask for?
The usual 2026 minimums are MFA at the perimeter and on privileged access, EDR or XDR deployed, offline or immutable backups with tested restores, vulnerability management, awareness training and, in mid and high tiers, a recent pentest or audit with evidence of remediation. Declaring controls that do not exist can void cover for misrepresentation.
Does an SME need cyber insurance?
For most SMEs it makes sense, but only after implementing the basic controls. An SME without MFA, EDR and tested backups will struggle to obtain a reasonable quote and, if it does, risks having a claim rejected for failing to maintain the declared controls. Insurance is the last layer, not the first.
Does cyber insurance cover GDPR or NIS2 fines?
In general it does not cover the amount of administrative fines when they are uninsurable on public-policy grounds, which is often the case with GDPR. What it usually does cover is the legal defence cost of the proceeding. Notification obligations under NIS2 and DORA remain yours regardless of the policy.
Insure Your Organisation With the Right Security Posture
At Secra we help your security programme meet the requirements insurers demand and document it with solid technical evidence. An infrastructure pentest or an audit aligned with the underwriting questionnaire is the most direct route to renew cover and improve the price.
→ Explore our infrastructure audit and pentesting
→ Request an initial conversation with no commitment
Related Reading
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

