Cyber Insurance Is Softer Again — So Why Are Renewal Questions Still Getting Harder?

Rates are down and capacity is stable, but renewal questions are still getting harder. A documented look at the 2026 paradox in cyber insurance underwriting.

This is one of the most confusing things happening in cyber insurance right now.

On the one hand, the market is clearly softer.

Marsh says US cyber insurance rates fell 5% on average in Q4 2024, with conditions expected to remain favorable into 2025.[1] Its broader US insurance-rate tracker says cyber rates fell 3%, marking the 11th consecutive quarter of decreases, while capacity remained stable.[2] Marsh’s global index says cyber rates declined 7% globally in Q4 2025, with declines in every region.[3]

That sounds like a buyer-friendly market.

And it is — up to a point.

On the other hand, the underwriting language, renewal workflow, and evidence expectations are still getting sharper.

Marsh says reinsurers have intensified focus on technical underwriting because of the growing complexity of cyber risk.[2] It also says that increasing cyber-claim complexity calls for greater accuracy in cyber control posture, documentation, and compliance.[1] Coalition’s renewal process begins 90 days before expiration, includes updated risk assessments and year-over-year changes, and may reference security findings in renewal materials.[4] Coalition also says unresolved scan findings can lead to contingencies at renewal.[5]

So yes: the market is softer.

But the underwriting story is harder.

That is the paradox BindLedger is built for.

The old intuition — “soft market means easier renewal” — is wrong

In a traditional insurance line, softer pricing can sometimes feel like a lighter renewal process.

Cyber does not work that way anymore.

The modern cyber market has become more competitive and more technical at the same time.

Rates can decrease while scrutiny still increases.

That is not contradictory once you understand what is actually happening.

Insurers are competing more aggressively on price, capacity, and terms. But they are doing that in a market where:

  • ransomware remains severe,
  • privacy claims remain active,
  • third-party incidents still matter,
  • and attackers keep exploiting the same control failures with new tactics.

That means the pricing environment can get better for buyers without any corresponding relaxation in control expectations.

In fact, a softer market can make technical underwriting more important, because carriers and reinsurers need a cleaner way to separate good risks from bad ones while competing harder on price.

The documented market signal: rates down, technical underwriting up

Marsh’s current public material says this directly.

Its US insurance-rate tracker says cyber rates decreased 3%, but also says reinsurers intensified their focus on technical underwriting, and that policy features such as reinstatement of limits or renewal guarantees came with specific conditions.[2]

Its May 2025 US cyber market update says the market is favorable for insureds and that organizations investing in cybersecurity controls are looked upon favorably by underwriters.[1] But the same piece warns that claims handling is becoming more complex and that this calls for increased accuracy in:

  • cyber control posture,
  • documentation,
  • and compliance.[1]

That is the entire BindLedger thesis in one paragraph.

The market does not just want “better security.” It wants a more reliable way to understand and document what is actually true.

If you want the operational version of that gap, “Cyber Insurance Mid-Term Audits and Renewal Drift” is the year-round workflow companion to this market view.

The public carrier workflows show the same pattern

You do not have to infer this only from broker commentary. The carrier-side servicing workflows show it too.

Coalition’s public renewal documentation says the cyber renewal cycle starts 90 days prior to expiration. Automatic renewals include a quote, an updated cyber risk assessment, an updated loss run, and a year-over-year changes document that may include changes to application information, policy terms, premium, claims, or security findings.[4]

Standard renewals are even more direct. Coalition says it provides a pre-filled renewal application, a ransomware supplemental form if required, an updated cyber risk assessment, and an updated loss run 90 days before expiration.[4]

That is not a one-time annual questionnaire ritual. It is an ongoing data-and-documentation workflow.

Coalition’s scanning FAQs reinforce the point. Coalition says its platform scans policyholders’ external attack surfaces monthly, and that unresolved findings do not change current policy terms mid-period but can lead to contingencies at renewal time.[5]

That is not the same thing as saying every carrier runs universal “mid-term audits.” Public evidence does not support that broader claim.

But it is absolutely fair to say this:

Public carrier materials show a shift toward ongoing monitoring, updated risk assessments, and renewal-time underwriting that increasingly reflects the current control state rather than only the original application.

That is enough to change how MSPs should prepare.

Softer pricing did not make the form simpler

Read the public applications and supplementals and the trend becomes obvious.

The Hartford’s current underwriting application asks about backup frequency, backup isolation from production, restore testing, MFA for all remote access, MFA for email, incident-response or business-continuity planning, and dual-authentication protocols for funds transfers.[6]

Its ransomware supplemental asks even more pointed questions, including:

  • unsupported systems and applications,
  • open-port hygiene,
  • MSP access control,
  • patch-management procedure,
  • security monitoring and logging,
  • percentage recoverable from backup,
  • fail-over and recovery testing,
  • and disaster-recovery preparedness.[7]

Coalition’s application remains shorter, but it still drills into MFA across separate access paths, backup isolation, and secondary verification for funds transfer and banking-detail changes.[8]

Travelers’ forms library continues to offer a short form, a long form, an MFA supplement, and social-engineering supplements.[9]

So while the market is softer on rates, it is not reverting to vague underwriting.

It is getting more selective about how it asks, not less selective about what it wants to know.

Why this paradox exists

There are at least four forces driving it.

1. More competition does not eliminate the need for risk selection

When more capacity enters the market or pricing pressure increases, carriers still need a way to differentiate accounts.

Technical underwriting becomes one of the cleanest ways to do that.

2. Claims are not simple, even when counts fall

Marsh’s 2026 cyber claims report says the volume of reported claim notifications declined in 2025, but ransomware extortion payments remain significant and privacy breaches remain a top concern.[10]

Severity and complexity still matter even if notification counts move around.

3. Publicly visible risk can now be checked continuously

Monthly external scanning, updated cyber risk assessments, and renewal-time security findings mean the market has more ways to compare a stale application answer against a more current picture.[4][5]

4. Documentation matters more when claims are disputed or complex

The NAIC’s 2025 cyber report says claims closed without payment in 2024 totaled 28,555, versus 9,941 closed with payment.[11] That does not prove those outcomes were caused by misrepresentation, or that the unpaid claims were improper. But it does show that a large volume of cyber claims end without payment, which makes clear documentation and accurate attestation more valuable, not less.

This is where a lot of MSPs still underestimate the market.

They read “rates are down” and assume “paperwork is easier.”

But the real state of the market is closer to:

  • price competition up,
  • evidence expectations up,
  • technical differentiation up.

The operational risk is renewal drift

This is the part buyers feel most acutely.

The bind packet captured what was true at one point in time.

Then the year happened.

  • an exclusion group was added,
  • a temporary admin became permanent,
  • a domain got added,
  • a backup target changed,
  • an old RDP exposure returned,
  • a new SaaS app altered your SPF record,
  • a technician left but their access lingered.

By the time the renewal comes around, the organization is often answering from memory while the carrier is asking from current-state evidence.

That is renewal drift.

A softer market does not solve it. It can actually make the gap more dangerous because buyers become less emotionally prepared for underwriting friction.
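
The drift described above, as an added example (not BindLedger code): a bind-time snapshot is diffed against the current state, and each change is mapped to the application answer it puts in question. All field names, values and question labels are constructed; the second function covers the case a diff misses, where access should have changed and did not.

```python
# Added example: every field name, value and question label is constructed.
ATTESTATION = {  # snapshot field -> application answer that relies on it
    "mfa_exclusions": "MFA enforced for email and remote access",
    "privileged_accounts": "MFA enforced for privileged accounts",
    "domains": "External posture as disclosed",
    "backup_target": "Backups isolated from production",
    "open_ports": "Open-port hygiene",
    "spf_record": "Email authentication",
    "msp_operators": "MSP access control",
}
BIND = {
    "mfa_exclusions": set(),
    "privileged_accounts": {"admin@example.test"},
    "domains": {"example.test"},
    "backup_target": "offsite-immutable",
    "open_ports": {443},
    "spf_record": "v=spf1 include:mail.example.test -all",
    "msp_operators": {"tech-a", "tech-b"},
}
CURRENT = {
    "mfa_exclusions": {"grp-legacy-scanners"},
    "privileged_accounts": {"admin@example.test", "temp-migrate@example.test"},
    "domains": {"example.test", "shop.example.test"},
    "backup_target": "nas-on-prod-vlan",
    "open_ports": {443, 3389},
    "spf_record": "v=spf1 include:mail.example.test include:crm.example.test -all",
    "msp_operators": {"tech-a", "tech-b"},  # unchanged, yet tech-b has left
    "active_staff": {"tech-a"},
}

def find_drift(bind, current):
    """Return one finding per attested field whose value changed since bind."""
    findings = []
    for field, answer in ATTESTATION.items():
        before, after = bind.get(field), current.get(field)
        if before == after:
            continue
        if isinstance(before, set) and isinstance(after, set):
            change = {"added": sorted(after - before), "removed": sorted(before - after)}
        else:
            change = {"was": before, "now": after}
        findings.append({"field": field, "recheck": answer, **change})
    return findings

def lingering_access(current):
    """Operators still holding access who are no longer on the staff roster."""
    return sorted(current["msp_operators"] - current.get("active_staff", set()))

if __name__ == "__main__":
    print(find_drift(BIND, CURRENT), lingering_access(CURRENT))
```
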

What “harder questions” really means in practice

For MSPs and brokers, the hardening is usually visible in five places.

1. More path-specific MFA questions

Not “Do you have MFA?” but “Do you enforce MFA for email, remote access, and privileged accounts?”

2. Better recovery questions

Not “Do you back up data?” but “How often, where, how isolated, how much is recoverable, and when did you test?”

3. More attention to external posture

Not “What’s your website?” but “What does your current attack surface look like from the outside?”

4. More questions about operator trust

Not “Do you use an MSP?” but “How is MSP access controlled?”

5. More conditions around improvement and continuity

Not just “Can you bind?” but “Can you keep the control posture clean enough that the renewal remains straightforward?”

That is the practical meaning of technical underwriting in 2026.

What a smarter renewal motion looks like in a soft market

The mistake is to treat a favorable pricing environment as permission to prepare later.

The better play is the opposite.

When the market is more competitive, the accounts with the cleanest evidence often have the most room to negotiate:

  • better terms,
  • more stable retentions,
  • stronger renewal positioning,
  • and fewer unpleasant surprises late in the cycle.

That does not mean every clean account gets a cheaper policy. The market is more complex than that.

It means a good evidence posture gives the broker and insured more control over the conversation.

For the cross-carrier checklist that sits underneath that evidence posture, use “8 Core Controls, 3 Real Applications.” If the client runs heavily on Microsoft 365, the more specific version is “Cyber Insurance for Microsoft 365 Tenants: The 2026 Attestation Checklist.”

The right message for clients

Do not tell clients “the market is softer, so don’t worry.”

Tell them this instead:

The market is more favorable on price, but insurers are getting more technical about what they want to confirm. The opportunity is to use that softer market to improve your terms while showing cleaner evidence.

That is both commercially useful and accurate.

How BindLedger fits the paradox

BindLedger is not built for a hard market only. It is built for the more interesting reality:

  • a market that rewards cleaner control evidence,
  • while still moving fast enough that people answer from memory,
  • and while scans, supplementals, and updated risk assessments make stale answers easier to spot.

That is why the right product framing is not “questionnaire automation.”

It is:

  • attestation defensibility,
  • renewal drift control,
  • and evidence you can hand to a broker before the cycle gets painful.

The 2026 takeaway

The cyber market can be soft on rates and hard on facts at the same time.

That is not a contradiction. It is the new normal.

The winners in that environment are not the organizations that merely wait for a cheaper quote. They are the ones that can show:

  • what was true at bind,
  • what changed during the year,
  • what is true now,
  • and what evidence supports the answer.

That is a much stronger place to renew from than hope.

Sources

[1] Marsh, “US cyber insurance market update: Rates decrease, threats evolve” (May 22, 2025): https://www.marsh.com/en/services/cyber-risk/insights/cyber-insurance-market-update.html

[2] Marsh, “US Insurance Rates | Global Insurance Market Index”: https://www.marsh.com/en/services/international-placement-services/insights/us-insurance-rates.html

[3] Marsh, “Global Insurance Market Index 2025”: https://www.marsh.com/en/services/international-placement-services/insights/global-insurance-market-index.html

[4] Coalition, “How do Cyber renewals work at Coalition?”: https://help.coalitioninc.com/hc/en-us/articles/6959642379547-How-do-Cyber-renewals-work-at-Coalition

[5] Coalition, “Coalition Control Scans FAQs”: https://help.coalitioninc.com/hc/en-us/articles/10302632830363-Coalition-Control-Scans-FAQs

[6] The Hartford, “CyberChoice – Underwriting Application” (CB 00 H027 03 0824): https://assets.thehartford.com/image/upload/cyberchoice_cyber_new_business_application.pdf

[7] The Hartford, “CyberChoice Secure Supplemental Ransomware Application”: https://assets.thehartford.com/image/upload/ransomware_supplemental_application.pdf

[8] Coalition Cyber Policy Application, form CYUSP-00NA-1022-01: https://massagent.com/wp-content/uploads/2025/01/Cyber_Application_Agency.pdf

[9] Travelers, “CyberRisk Applications and Forms”: https://www.travelers.com/business-insurance/professional-liability-insurance/apps-forms/cyberrisk

[10] Marsh, “Cyber Claims 2025: Data privacy remains a challenge while ransomware lingers” (February 2, 2026): https://www.marsh.com/en/services/cyber-risk/insights/cyber-claims-2025-report.html

[11] NAIC, “Report on the Cybersecurity Insurance Market” (2025 report, using 2024 data): https://content.naic.org/sites/default/files/inline-files/2025_Cybersecurity_Insurance%20Report.pdf