Cyber insurance renewals have changed.
Three years ago, most SMBs treated the application like a formality. Check a few boxes, sign the form, and move on. The broker handled the rest.
That is no longer how it works.
In 2026, carriers treat renewal questionnaires more like audits. They want documentation: configuration exports, backup test results, policy documents, and proof that the controls you attested to are deployed, monitored, and current. Some carriers now run mid-term audits triggered by external risk signals — not just at renewal, but any time their systems detect a change in your environment.
The result is a new category of work that sits between cybersecurity and insurance operations. That category is cyber insurance evidence — the organized, provenance-backed proof that your security controls meet what carriers require.
This guide covers what that evidence looks like, where it comes from, how it maps across carriers, and where organizations get it wrong.
Why evidence matters more than ever
The numbers tell the story clearly.
NAIC data from 2024 shows 28,555 cyber claims closed without payment versus 9,941 closed with payment. Not every closure without payment is a denial for misrepresentation — some are coverage disputes, exclusions, or withdrawn claims. But a significant portion traces back to the same root cause: the insured could not demonstrate that the controls they attested to were in place when the incident occurred.
The City of Hamilton, Ontario is the most visible recent example. After a February 2024 ransomware attack disabled 80% of the city's network, Hamilton's insurer denied the $5 million claim because MFA had not been fully deployed — despite the city knowing since 2022 that MFA was a policy requirement. The recovery cost reached $18.3 million. The full case study is covered in Hamilton, Ontario: What Incomplete MFA Deployment Cost One City.
Hamilton is not an outlier. Travelers sued International Control Services after discovering that MFA was only deployed on the firewall, not on the servers where the breach originated. Cottage Health faced claim complications after misrepresenting patching practices. These cases share a pattern: the controls existed in theory but the evidence did not hold up under scrutiny. For a deeper look at how attestation creates legal exposure for MSPs specifically, see MSP Liability in Cyber Insurance Attestation: What the Courts Say.
The market is responding by tightening requirements. Marsh identifies 12 key controls that insurers view as core cyber hygiene. But for most SMBs, the practical requirement is narrower: eight control families that recur across the major carrier applications.
The eight controls carriers keep asking about
The wording varies by carrier. The substance does not.
Coalition's agency application asks about encryption, backups, four separate MFA vectors, and funds-transfer controls. Travelers' short form covers firewalling, endpoint protection, patching, backups, incident response, business continuity, vendor security, MFA, and encryption. Hartford's underwriting application breaks out encryption, backups and recovery testing, MFA for remote access and email, endpoint protection, EDR/MDR, email security controls, and training cadence. Hartford's ransomware supplemental goes deeper still on phishing controls, remote access, RDP, privileged access, patching, logging, and disaster recovery.
The eight control families that recur across all of them are:
- Multi-factor authentication — email, remote access, VPN, RDP, privileged accounts, cloud administration
- Endpoint protection and EDR — antimalware on all devices, detection and response capability, coverage denominator
- Backup and recoverability — frequency, scope, isolation from production, tested restore capability
- Email security — SPF, DKIM, DMARC, inbound filtering, external sender tagging
- Encryption — at rest, in transit, on mobile and portable devices
- Privileged access controls — admin account inventory, least privilege, MFA on admin accounts, MSP access governance
- Incident response and business continuity — documented plan, named roles, tabletop exercises, recovery procedures
- Patch management — documented process, coverage across endpoints, critical-patch remediation cadence
For the full control-by-control breakdown with carrier-specific question mapping, see 8 Core Controls, 3 Real Applications: The Evidence Checklist for 2026 Cyber Insurance Renewals.
For Microsoft 365 environments specifically, the attestation challenges are more nuanced — Security Defaults, Conditional Access, per-user MFA, and sign-in logs all tell different stories about the same controls. That complexity is covered in Cyber Insurance for Microsoft 365 Tenants: The 2026 Attestation Checklist.
Three types of evidence
Not all evidence is created the same way.
Automated verification covers controls that can be checked externally or through system queries: email authentication records (SPF, DKIM, DMARC), TLS posture, subdomain exposure, internet-facing service discovery, and certificate transparency. These produce timestamped, machine-generated evidence that doesn't depend on someone's memory or a screenshot. The free readiness check covers the external layer of this.
For a technical deep dive on email security evidence specifically, see DMARC, SPF, and DKIM for Cyber Insurance.
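To make the "automated verification" layer concrete, here is an added example (not code from this article or from BindLedger) that scores SPF and DMARC posture from the raw DNS TXT strings. The records it evaluates are constructed; in practice they would be fetched from DNS (the apex TXT record for SPF, `_dmarc.<domain>` for DMARC) and the result timestamped as the evidence artifact.

```python
"""Offline SPF/DMARC posture check over raw DNS TXT strings.

Added illustration, not code from the article or from BindLedger. The records
below are constructed; in practice they would be fetched from DNS (the TXT
record at the domain apex for SPF, at _dmarc.<domain> for DMARC).
"""
import re
from dataclasses import dataclass

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass(frozen=True)
class Finding:
    control: str   # "SPF" or "DMARC"
    status: str    # "pass", "weak" or "fail"
    detail: str


def parse_spf(txt: str) -> dict:
    """Return the qualifier on the terminal 'all' term and the DNS-lookup count."""
    if not txt.lower().startswith("v=spf1"):
        return {"valid": False, "all": None, "lookups": 0}
    all_qualifier, lookups = None, 0
    for term in txt.split()[1:]:
        t = term.lower()
        qualifier = "+"                      # implicit qualifier is "+" (pass)
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        name = re.split(r"[:=/]", t, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"valid": True, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    if not txt.lower().startswith("v=dmarc1"):
        return {"valid": False}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"valid": True, **tags}


def assess(spf_txt: str, dmarc_txt: str) -> list:
    """One Finding per control, ordered SPF then DMARC."""
    findings = []
    spf = parse_spf(spf_txt)
    if not spf["valid"]:
        findings.append(Finding("SPF", "fail", "no v=spf1 record"))
    elif spf["lookups"] > 10:
        findings.append(Finding("SPF", "fail",
                                f"{spf['lookups']} DNS lookups exceeds the limit of 10 (receivers return permerror)"))
    elif spf["all"] in (None, "+"):
        findings.append(Finding("SPF", "fail", "no restrictive terminal 'all'; unlisted senders are not failed"))
    elif spf["all"] == "?":
        findings.append(Finding("SPF", "weak", "?all is neutral: unlisted senders neither pass nor fail"))
    elif spf["all"] == "~":
        findings.append(Finding("SPF", "weak", "~all softfails unlisted senders; -all is the strict setting"))
    else:
        findings.append(Finding("SPF", "pass", f"-all with {spf['lookups']} lookups"))

    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "").lower() if dmarc["valid"] else None
    if not dmarc["valid"]:
        findings.append(Finding("DMARC", "fail", "no v=DMARC1 record at _dmarc"))
    elif policy == "none":
        findings.append(Finding("DMARC", "weak", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "fail", f"unrecognised policy p={policy!r}"))
    elif int(dmarc.get("pct", "100")) < 100:
        findings.append(Finding("DMARC", "weak", f"pct={dmarc['pct']} applies the policy to only part of the mail stream"))
    elif "rua" not in dmarc:
        findings.append(Finding("DMARC", "weak", "no rua= address: no aggregate reports, so no ongoing evidence stream"))
    else:
        findings.append(Finding("DMARC", "pass", f"p={policy}, pct=100, aggregate reporting configured"))
    return findings


def overall(findings: list) -> str:
    """Worst status wins: fail > weak > pass."""
    order = {"fail": 2, "weak": 1, "pass": 0}
    return max((f.status for f in findings), key=order.get)


# Constructed records (not any real domain's data).
SPF_STRICT = "v=spf1 include:_spf.example-mail.net include:spf.protection.example.net -all"
SPF_SOFT = "v=spf1 a mx include:_spf.example-mail.net ~all"
DMARC_REJECT = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for f in assess(SPF_SOFT, DMARC_MONITOR):
        print(f"{f.control:6} {f.status:5} {f.detail}")
    print("overall:", overall(assess(SPF_SOFT, DMARC_MONITOR)))
```

The point of the three-way status is that a carrier question such as "Do you have DMARC?" can be answered "yes" with a `p=none` record that stops nothing; recording the parsed policy, percentage and reporting address alongside the raw record is what turns a checkbox into evidence.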
Guided evidence covers controls that require human input: backup configurations, incident response plans, training records, vendor compliance reports, and attestations about internal practices. These can't be scanned — someone has to document them. But the process can be structured: clear guidance on what evidence to provide, which carrier questions it addresses, and who should own each item. If you have a carrier questionnaire and want to see which questions are scannable and which need manual evidence, upload it to the supplement parser.
Carrier-mapped readiness is where the evidence connects to the specific questions each carrier asks. The same backup configuration might answer one question on the Coalition application, a different question on the Travelers form, and two questions on Hartford's ransomware supplemental. Mapping evidence to carrier questions — and keeping that mapping current as carriers update their forms — is what makes evidence portable across renewals and across carriers. To track when carriers change their forms, see carrier form updates.
How evidence flows across the renewal lifecycle
The renewal evidence workflow has a natural rhythm, and it starts earlier than most organizations expect.
90-120 days before renewal: Run outside-in checks. Identify what's changed since the last renewal — new subdomains, expired certificates, DMARC policy changes, new internet-facing services. Surface any gaps that need remediation before the carrier questionnaire arrives.
60-90 days before renewal: Begin guided evidence collection. MFA coverage reports, backup test results, incident response plan updates, training completion records, privileged access reviews. Assign each evidence item to the person who can provide it — the MSP for technical controls, the business owner for operational attestations, the IT lead for configuration exports.
30-60 days before renewal: Assemble the carrier-ready output. Map each piece of evidence to the specific carrier questions it answers. Identify any remaining gaps. Generate the evidence packet for the broker's submission.
At renewal: Submit the evidence alongside the application. The broker has a documented package instead of a pile of screenshots and memory-based answers.
Between renewals: Keep evidence current. Carriers are increasingly running mid-term audits and continuous monitoring. A control that was verified at renewal but drifted six months later is a claims risk. For more on what carriers check between renewals, see Cyber Insurance Mid-Term Audits and Renewal Drift.
For brokers managing a book of clients through this cycle, the portfolio-level view is critical — knowing which clients are renewal-ready, which need evidence, and which need remediation before the carrier flags them. That's what the broker portfolio sweep is built for. For MSPs who need to produce this evidence during QBRs, the MSP readiness workflow integrates evidence collection into the quarterly review cycle.
The mistakes that get claims denied
The patterns are consistent across public cases and industry data.
Answering "yes" to controls that aren't fully deployed. The Hamilton case is the clearest example: MFA was required, partially deployed, and attested to — but the insurer found it wasn't complete. "We have MFA" is not the same as "MFA is enforced on every access path the carrier asked about." The MFA reporting problem is particularly acute in Microsoft 365 environments — see The M365 MFA Reporting Gap.
Not documenting controls that are in place. This is the quieter failure. An MSP may have deployed EDR on every endpoint, but if there's no coverage report or deployment dashboard export to prove it, the evidence doesn't exist for underwriting purposes. The carrier's forensic review after an incident will look for proof, not intentions.
Failing to update evidence between renewals. A backup test from 11 months ago doesn't prove current recoverability. An MFA coverage report from last renewal doesn't reflect the 15 new accounts created since then. Evidence has a shelf life. For guidance on what "proof" looks like for the hardest control, see How to Prove Backup Immutability for Cyber Insurance Renewals.
Not knowing what the carrier's form asks. Different carriers phrase the same control differently. Coalition breaks MFA into four separate vectors. Travelers compresses it into one question. Hartford asks it one way on the base application and another way on the ransomware supplemental. If you're answering based on what you think the question means rather than what it specifically asks, you're creating rescission risk. For carrier-specific guidance, see How to Answer the Coalition Cyber Insurance Application and Travelers CyberRisk Short Form: How to Prepare for Every Question.
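The carrier-mapped readiness idea from the "Three types of evidence" section, and the shelf-life and question-phrasing problems just described, can be modelled in a few dozen lines. The following is an added example, not the article's or BindLedger's code: an evidence register where every artifact carries a SHA-256 digest, a collection date and an owner, each control family has an assumed freshness window, and each carrier form is a map from question ID to control family. Carrier names, question IDs and the freshness windows are illustrative assumptions, not real form numbers.

```python
"""Evidence register with provenance hashes, freshness windows and a carrier-question map.

Added example, not the article's or BindLedger's code. Carrier names, question
identifiers and freshness windows are illustrative assumptions; real forms
number their questions differently.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Assumed maximum age (days) before an artifact stops proving the control is *current*.
MAX_AGE_DAYS = {
    "mfa": 30, "edr": 30, "backup": 90, "email_security": 30,
    "encryption": 180, "privileged_access": 90, "ir_bcp": 365, "patching": 30,
}

# Illustrative forms: CarrierA splits MFA into four questions, CarrierB asks once,
# and CarrierC's supplemental asks about backups twice (configuration and restore test).
CARRIER_QUESTIONS = {
    "CarrierA": {"A-4a": "mfa", "A-4b": "mfa", "A-4c": "mfa", "A-4d": "mfa",
                 "A-7": "backup", "A-9": "edr", "A-11": "email_security"},
    "CarrierB": {"B-2": "mfa", "B-5": "backup", "B-6": "edr", "B-8": "patching"},
    "CarrierC-supp": {"C-3": "backup", "C-4": "backup", "C-10": "privileged_access"},
}


@dataclass(frozen=True)
class Evidence:
    control: str        # key into MAX_AGE_DAYS
    description: str
    collected: date
    owner: str          # who produced it: MSP, business owner, IT lead
    artifact: bytes     # the export/report itself, hashed for provenance

    def digest(self) -> str:
        return hashlib.sha256(self.artifact).hexdigest()

    def is_current(self, as_of: date) -> bool:
        return 0 <= (as_of - self.collected).days <= MAX_AGE_DAYS[self.control]


def readiness(evidence, carrier: str, as_of: date) -> dict:
    """Map every question on the carrier's form to ready / stale / missing."""
    report = {}
    for qid, control in CARRIER_QUESTIONS[carrier].items():
        matching = [e for e in evidence if e.control == control]
        current = [e for e in matching if e.is_current(as_of)]
        status = "ready" if current else ("stale" if matching else "missing")
        report[qid] = {
            "control": control,
            "status": status,
            "evidence": [(e.description, e.digest()[:12], e.collected.isoformat(), e.owner)
                         for e in current],
        }
    return report


def gaps(report: dict) -> list:
    """Question IDs that cannot be answered with current evidence."""
    return sorted(q for q, r in report.items() if r["status"] != "ready")


def manifest(evidence) -> list:
    """Provenance lines to ship with the packet: hash, control, date, owner, description."""
    return [f"{e.digest()}  {e.control:18} {e.collected.isoformat()}  {e.owner}  {e.description}"
            for e in evidence]


# Constructed evidence set as of an assumed renewal-prep date.
AS_OF = date(2026, 3, 1)
EVIDENCE = [
    Evidence("mfa", "MFA enforcement export, all users", date(2026, 2, 10), "MSP",
             b"user,enforced\nalice,yes\nbob,yes\n"),
    Evidence("backup", "Restore test report", date(2025, 4, 1), "MSP",
             b"restore test: OK, 2025-04-01\n"),
    Evidence("email_security", "SPF/DKIM/DMARC records export", date(2026, 2, 20), "IT lead",
             b"v=DMARC1; p=reject\n"),
    Evidence("ir_bcp", "Signed incident response plan v3", date(2025, 9, 15), "Business owner",
             b"IR plan v3\n"),
]

if __name__ == "__main__":
    for carrier in CARRIER_QUESTIONS:
        print(carrier, "gaps:", gaps(readiness(EVIDENCE, carrier, AS_OF)))
    print("\n".join(manifest(EVIDENCE)))
```

Run as-is, the eleven-month-old restore test shows up as stale on every form, EDR shows as missing, and the same MFA export satisfies four questions on one form and one on another; the manifest is what lets a broker or adjuster confirm later that the packet they received is the one the MSP produced.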
Treating cyber insurance as separate from security operations. The controls carriers require are the same controls that reduce breach risk. The evidence workflow is not a compliance exercise bolted onto security — it's the documentation layer that makes security posture visible to everyone in the chain: the MSP who manages the controls, the business owner who attests to them, and the broker who submits them. When that chain breaks — when the MSP doesn't know what the broker submitted, or the business owner signs without understanding — everyone is exposed.
The soft market paradox
One of the most counterintuitive dynamics in 2026 is that cyber insurance rates have softened while renewal requirements have gotten harder. Rates declined through 2024-2025 as capacity expanded and competition increased. But carriers didn't relax their control expectations — they tightened them. The questionnaires got longer, the supplementals got more specific, and mid-term audits became more common.
The explanation is straightforward: carriers are competing on price but not on underwriting rigor. They can afford to offer better rates because they're more selective about who they cover. The winners are organizations that can prove their controls are in place. The losers are organizations that assumed cheap premiums meant easy renewals.
For the full analysis of this dynamic, see Cyber Insurance Is Softer Again — So Why Are Renewal Questions Still Getting Harder?.
Emerging risks that affect evidence requirements
The evidence landscape is not static. Several developments are changing what carriers ask about and what evidence organizations need to produce.
Remote access and session trust have become explicit underwriting questions. Hartford's ransomware supplemental asks about RDP, MSP access, and privileged session controls. Coalition's model evaluates external remote access exposure. The pandemic-era assumption that VPN plus MFA equals secure remote access is no longer sufficient for underwriting. See When Remote Access Becomes an Underwriting Question.
Business email compromise and funds transfer fraud are now distinct coverage areas with their own evidence requirements. Coalition asks about callback verification and dual-authorization procedures. The evidence for these controls is procedural, not technical — documented workflows, training records, and verification protocols. See Business Email Compromise and Funds Transfer Fraud: What Your Cyber Policy Needs.
Phishing-resistant MFA is emerging as a distinction carriers care about. A generic "yes, we have MFA" is becoming less defensible as carriers learn to distinguish between SMS-based MFA (vulnerable to SIM swapping), app-based MFA (better but still phishable), and phishing-resistant methods like passkeys and FIDO2 keys. See Passkeys and Phishing-Resistant MFA: Why 'We Have MFA' Is No Longer a Defensible Renewal Answer.
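The "we have MFA" problem described under the claims-denial mistakes and the method-strength distinction described here come down to two computations: coverage per access path with an honest denominator, and the strongest registered method on each privileged account. The following is an added example (not code from the article or BindLedger) over a constructed account export; the account fields are an assumed generic shape, not any identity provider's real schema, and the strength ranking is an assumption that treats only FIDO2/passkeys as phishing-resistant.

```python
"""MFA coverage per access path and method strength, from a constructed account export.

Added example, not code from the article or BindLedger. The account fields are an
assumed generic shape; a real identity-provider export has its own schema.
"""
from dataclasses import dataclass

# Assumed strength ranking; only FIDO2/passkeys count as phishing-resistant.
STRENGTH = {"sms": 1, "voice": 1, "totp": 2, "push": 2, "fido2": 3, "passkey": 3}
PHISHING_RESISTANT = {"fido2", "passkey"}


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool
    access_paths: frozenset   # e.g. {"email", "vpn", "rdp", "cloud_admin"}
    mfa_methods: frozenset    # registered methods
    mfa_enforced: bool        # MFA actually required at sign-in, not merely registered


def coverage_by_path(accounts) -> dict:
    """Numerator = accounts with enforced MFA; denominator = every account using that path."""
    paths = sorted(set().union(*(a.access_paths for a in accounts)))
    report = {}
    for path in paths:
        in_scope = [a for a in accounts if path in a.access_paths]
        covered = {a.user for a in in_scope if a.mfa_enforced and a.mfa_methods}
        report[path] = {
            "covered": len(covered),
            "total": len(in_scope),
            "uncovered": sorted(a.user for a in in_scope if a.user not in covered),
        }
    return report


def strongest_method(account):
    """Highest-ranked registered method, or None if nothing is registered."""
    return max(account.mfa_methods, key=lambda m: STRENGTH.get(m, 0), default=None)


def privileged_findings(accounts) -> list:
    """(user, issue) for every privileged account that weakens the MFA attestation."""
    findings = []
    for a in accounts:
        if not a.privileged:
            continue
        if not (a.mfa_enforced and a.mfa_methods):
            findings.append((a.user, "MFA not enforced"))
        elif not a.mfa_methods & PHISHING_RESISTANT:
            findings.append((a.user, f"strongest method is {strongest_method(a)}; not phishing-resistant"))
    return findings


def can_attest_yes(report: dict, path: str) -> bool:
    """A plain 'yes' on a carrier form is only defensible when coverage on that path is 100%."""
    r = report[path]
    return r["total"] > 0 and r["covered"] == r["total"]


# Constructed accounts: one admin on SMS only, one user registered but not enforced,
# and one service account on RDP with no MFA at all.
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"email", "vpn", "cloud_admin"}), frozenset({"fido2", "totp"}), True),
    Account("bob", False, frozenset({"email", "vpn"}), frozenset({"totp"}), True),
    Account("carol", False, frozenset({"email"}), frozenset({"sms"}), True),
    Account("dave", False, frozenset({"email", "vpn"}), frozenset({"push"}), False),
    Account("svc-backup", False, frozenset({"rdp"}), frozenset(), False),
    Account("eve-admin", True, frozenset({"email", "cloud_admin", "rdp"}), frozenset({"sms"}), True),
]

if __name__ == "__main__":
    rep = coverage_by_path(SAMPLE_ACCOUNTS)
    for path, r in rep.items():
        answer = "yes" if can_attest_yes(rep, path) else "NO (partial)"
        print(f"{path:12} {r['covered']}/{r['total']}  attest={answer}  uncovered={r['uncovered']}")
    for user, issue in privileged_findings(SAMPLE_ACCOUNTS):
        print(f"privileged: {user}: {issue}")
```

Two things the output makes visible that a dashboard percentage hides: a registered-but-not-enforced user counts against the path (dave on VPN), and an admin whose only method is SMS passes the coverage count but fails the strength question the newer forms ask.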
Tax season and seasonal phishing campaigns create spikes in social engineering risk that carriers are aware of. Evidence of security awareness training and phishing simulation programs is increasingly expected. See Tax Season Is Phishing Season.
Cyber policy documents as attack intelligence is an emerging operational concern. Attackers who gain access to policy details can calibrate ransom demands to policy limits. The evidence implication: policy documents should be protected with the same rigor as other sensitive operational data. See Treat Your Cyber Policy Like a Crown Jewel.
Who owns what in the evidence chain
Evidence doesn't come from one person. It comes from at least three roles, and often more.
The MSP or IT team owns the technical controls: MFA deployment and enforcement, EDR coverage, backup configuration and testing, patching cadence, email security configuration, encryption status, privileged access review. They produce the exports, the dashboards, and the configuration evidence.
The business owner or operations leader owns the organizational controls: incident response plan approval, business continuity planning, security awareness training program, vendor management decisions, and the final attestation on the application.
The broker owns the submission: assembling the evidence, mapping it to carrier questions, ensuring the application is accurate and complete, and submitting it to the right market at the right time.
When these three roles are disconnected — the MSP doesn't know what the broker submitted, the business owner signs without reviewing, the broker submits without evidence — that's when misrepresentation risk appears.
For brokers coordinating this process across a book of clients, the portfolio sweep provides visibility into which clients are ready and which need work. For MSPs who need to produce evidence across multiple clients, the MSP evidence workflow structures the collection process. For agency operations staff triaging which questions go to which person, the supplement parser maps each question to an owner.
If you're a vendor or supplier being asked to prove your controls to a customer or counterparty — not for insurance, but for a contract or regulatory requirement — the same evidence structure applies. See how vendors and suppliers use BindLedger.
Where to start
You don't need a giant compliance platform to improve renewal evidence. You need a repeatable way to verify the controls carriers keep asking about, document them with provenance, and map them to the questions on the form.
If you want to check your external posture now: Run the free readiness check. It covers email authentication, TLS posture, subdomain discovery, and internet exposure — the controls carriers can see from outside.
If you have a carrier questionnaire and want to see what's scannable vs. what needs manual evidence: Upload it to the supplement parser.
If you want to track when carriers change their application forms: See carrier form updates.
If you manage a book of clients and need to triage renewal readiness across the portfolio: See the broker portfolio sweep.
If you run QBRs and want to integrate renewal evidence into your quarterly review: See the MSP evidence workflow.
Sources
[1] NAIC, "2025 Cybersecurity Insurance Report": https://content.naic.org/sites/default/files/inline-files/2025_Cybersecurity_Insurance%20Report.pdf
[2] City of Hamilton cyber incident public disclosures and staff reports, 2024-2025.
[3] Travelers v. International Control Services, complaint filed 2022.
[4] Coalition Insurance Solutions, "Coalition Cyber Policy Application" (CYUSP-00NA-1022-01).
[5] Travelers, "CyberRisk Short Form Renewal Application" (CYB-14203 Rev. 03-19).
[6] The Hartford, "CyberChoice Underwriting Application" (CB 00 H027 03 0824).
[7] The Hartford, "CyberChoice Supplemental Ransomware Application."
[8] Marsh, "Cyber resilience: 12 key controls to strengthen your security."