Cyber Insurance 2026: What Companies Need to Know Before Taking Out a Policy
The global cyber insurance market grew to $15.3 billion in 2024. At the same time, only 17 percent of small businesses in Germany have a policy. NIS2, DORA, and rising ransomware damages are making cyber insurance a strategic necessity by 2026. This practical guide reveals what insurers demand, which exclusions to watch out for, and how companies can successfully navigate the application process.
TL;DR
- 🔒 Global cyber insurance market in 2024: $15.3 billion, expected to double by 2030 (Munich Re, 2025).
- 📊 Only 17 percent of small businesses in Germany have cyber insurance coverage (Market Research Future, 2025).
- 🛡️ MFA, EDR, and a tested incident response plan are the three mandatory requirements imposed by insurers.
- ⚠️ State-sponsored attacks and systemic events are excluded from most policies (Lloyd’s, since 2023).
- 📋 NIS2 from October 2026 and DORA since January 2025 raise minimum cybersecurity hygiene standards – and thus insurability.
Why Cyber Insurance Is No Longer Optional in 2026
The math is simple: An average ransomware incident costs a mid-sized company between €250,000 and €2 million. Business interruption, forensic analysis, crisis communications, legal counsel, and potential GDPR fines add up quickly. A cyber insurance policy covers precisely these costs.
Yet coverage remains patchy. While large corporations long ago secured policies with coverage limits in the tens of millions, protection is nearly absent among small and medium-sized enterprises. According to Market Research Future, just 17 percent of German SMEs hold a cyber insurance policy. Germany’s total premium volume stood at roughly $500 million in 2023 and is projected to grow to $1.9 billion by 2035.
Regulatory pressure is intensifying the urgency: With NIS2 taking effect in October 2026 and DORA in force since January 2025, minimum cybersecurity requirements are rising across 18 sectors. Companies without demonstrable security measures pay significantly higher premiums – or receive no coverage at all, according to Munich Re.
What Insurers Scrutinize Before Issuing a Policy
The application process for cyber insurance resembles an IT security audit. Insurers now evaluate not just revenue and industry, but the actual security architecture. Three measures have become non-negotiable minimum requirements:
Multi-Factor Authentication (MFA): Ninety-five percent of insurers require MFA on email, VPN, remote access, cloud platforms, and administrative accounts. According to Coalition, missing MFA was identified as a contributing factor in 82 percent of denied claims in 2024. Phishing-resistant methods – like FIDO2 or hardware keys – are increasingly mandated.
Endpoint Detection and Response (EDR): Eighty-nine percent of insurers require EDR on all endpoints. Installation alone isn’t enough: Insurers ask about response times, monitoring processes, and documentation. Industry surveys show EDR reduces the impact of a security incident by an average of 65 percent.
Incident Response Plan: A written, tested emergency plan – with clearly defined roles and contact lists – is mandatory. Insurers verify when the plan was last exercised and whether remediation steps were documented and tracked.
Beyond these core requirements, many policies also mandate encrypted offline backups, regular vulnerability scans, and employee training against AI-generated phishing.
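The three core requirements and the add-on expectations above can be turned into a repeatable self-assessment before the questionnaire arrives. The following is an added example, not code from the article or from any insurer: it runs an insurability check over a small constructed inventory of accounts, endpoints and program facts. The inventory layout, the function names, and the thresholds (an EDR agent is "silent" after one day, an incident response plan counts as tested for twelve months, a backup restore test for ninety days, vulnerability scans must be at least monthly) are assumptions chosen for illustration, not figures from any carrier's application form.

```python
"""Insurability self-check over a constructed control inventory.

Added example, not part of the original article. Data model, thresholds and
function names are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Access categories on which insurers most commonly require MFA (from the article).
MFA_REQUIRED_CATEGORIES = {"email", "vpn", "remote_access", "cloud", "admin"}
# Methods treated as phishing-resistant for admin accounts (assumed set).
PHISHING_RESISTANT = {"fido2", "hardware_key", "passkey"}
# Assumed thresholds; adjust to the questionnaire you actually receive.
EDR_MAX_SILENCE_DAYS = 1
IR_MAX_AGE_DAYS = 365
RESTORE_TEST_MAX_AGE_DAYS = 90
VULN_SCAN_MAX_INTERVAL_DAYS = 31


@dataclass
class Account:
    name: str
    category: str            # email, vpn, remote_access, cloud, admin, other
    mfa: Optional[str]       # None, "sms", "totp", "fido2", ...


@dataclass
class Endpoint:
    hostname: str
    edr_installed: bool
    last_edr_checkin: Optional[date]


@dataclass
class Program:
    ir_plan_last_exercised: Optional[date]
    backup_offline_or_immutable: bool
    backup_last_restore_test: Optional[date]
    vuln_scan_interval_days: Optional[int]


def assess(accounts: List[Account], endpoints: List[Endpoint],
           program: Program, today: date) -> List[str]:
    """Return one finding per gap an underwriter would ask about."""
    findings: List[str] = []

    # 1. MFA on every account in the required categories; admin accounts
    #    additionally need a phishing-resistant method.
    for a in accounts:
        if a.category not in MFA_REQUIRED_CATEGORIES:
            continue
        if a.mfa is None:
            findings.append(f"MFA missing: {a.name} ({a.category})")
        elif a.category == "admin" and a.mfa not in PHISHING_RESISTANT:
            findings.append(f"MFA not phishing-resistant on admin account: {a.name} ({a.mfa})")

    # 2. EDR must be installed AND reporting; a silent agent is a gap, not coverage.
    for e in endpoints:
        if not e.edr_installed or e.last_edr_checkin is None:
            findings.append(f"EDR missing: {e.hostname}")
        elif (today - e.last_edr_checkin).days > EDR_MAX_SILENCE_DAYS:
            age = (today - e.last_edr_checkin).days
            findings.append(f"EDR not reporting: {e.hostname} (last check-in {age} days ago)")

    # 3. Incident response plan: written is not enough, it must have been exercised.
    if program.ir_plan_last_exercised is None:
        findings.append("Incident response plan never exercised")
    elif (today - program.ir_plan_last_exercised).days > IR_MAX_AGE_DAYS:
        age = (today - program.ir_plan_last_exercised).days
        findings.append(f"Incident response plan last exercised {age} days ago")

    # 4. Backups: an offline or immutable copy plus a recent, successful restore test.
    if not program.backup_offline_or_immutable:
        findings.append("No offline or immutable backup copy")
    if (program.backup_last_restore_test is None
            or (today - program.backup_last_restore_test).days > RESTORE_TEST_MAX_AGE_DAYS):
        findings.append("Backup restore test missing or older than 90 days")

    # 5. Vulnerability scanning cadence.
    if (program.vuln_scan_interval_days is None
            or program.vuln_scan_interval_days > VULN_SCAN_MAX_INTERVAL_DAYS):
        findings.append("Vulnerability scans absent or less frequent than monthly")

    return findings


def edr_coverage(endpoints: List[Endpoint], today: date) -> float:
    """Share of endpoints with EDR installed and checking in within the window."""
    if not endpoints:
        return 0.0
    ok = sum(1 for e in endpoints
             if e.edr_installed and e.last_edr_checkin is not None
             and (today - e.last_edr_checkin).days <= EDR_MAX_SILENCE_DAYS)
    return ok / len(endpoints)


def sample_inventory() -> Tuple[List[Account], List[Endpoint], Program, date]:
    """Constructed sample data (not real systems) with deliberate gaps."""
    today = date(2026, 1, 15)
    accounts = [
        Account("ceo@example.invalid", "email", "totp"),
        Account("vpn-contractor", "vpn", None),              # no MFA at all
        Account("domain-admin", "admin", "sms"),             # MFA, but not phishing-resistant
        Account("printer-svc", "other", None),               # out of scope category
    ]
    endpoints = [
        Endpoint("ws-01", True, today - timedelta(days=1)),  # healthy
        Endpoint("ws-02", True, today - timedelta(days=10)), # agent went silent
        Endpoint("srv-legacy", False, None),                 # never deployed
    ]
    program = Program(
        ir_plan_last_exercised=today - timedelta(days=400),
        backup_offline_or_immutable=True,
        backup_last_restore_test=today - timedelta(days=200),
        vuln_scan_interval_days=30,
    )
    return accounts, endpoints, program, today


if __name__ == "__main__":
    accts, eps, prog, today = sample_inventory()
    for f in assess(accts, eps, prog, today):
        print("GAP:", f)
    print(f"EDR coverage: {edr_coverage(eps, today):.0%}")
```

Run it as-is and it lists six gaps for the constructed inventory; feed it an export of your own identity provider, EDR console and backup records and the findings list becomes the remediation backlog to close before the application, since each item maps to a question the article says insurers now ask.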
The Exclusions Companies Must Know
No cyber insurance policy covers everything. The most important exclusions:
State-sponsored attacks: Since March 2023, Lloyd’s of London has required that nation-state cyberattacks be excluded from policies. This applies even during peacetime if government involvement can be proven. Reason: The systemic risk is unsustainable for the insurance market.
Systemic catastrophe events: If a coordinated attack on a major cloud provider simultaneously impacts thousands of companies, so-called aggregate exposure limits apply. In such cases, the policy may pay only partial compensation – or nothing at all.
Breach of duty of care: Companies that fail to patch known vulnerabilities or demonstrably neglect security measures risk having damage claims denied.
The consequence: A policy alone does not provide protection. It must be embedded within a documented security framework that systematically addresses these exclusion criteria.
Premium Trends: Calming After the Hard Market
After drastic price increases between 2020 and 2022, the market has stabilized. The QCC Price Index declined from its peak of 340 points (2022) to 269 points by the end of 2024. In the U.S., premiums fell on average by 5 percent in the fourth quarter of 2024. At the same time, 48 percent of insurers expect moderate price increases again in 2025, according to industry surveys.
The reason: Large enterprises have invested significantly in cybersecurity. According to Allianz Commercial, claim severity dropped by over 50 percent, and major losses exceeding one million euros decreased by around 30 percent. This improved risk profile is putting downward pressure on premiums.
For SMEs, this presents an opportunity: Companies meeting security requirements now can secure better terms than just two years ago.
NIS2 and DORA: Regulatory Tailwinds for Insurability
The EU regulation is fundamentally changing the landscape. NIS2 affects around 30,000 companies in Germany and mandates risk management measures, reporting obligations, and executive liability. DORA regulates the financial sector with specific requirements for ICT risk management and third-party oversight.
This has two effects on the insurance market: First, demand increases as companies seek to transfer residual risks after achieving compliance. Second, overall risk decreases because regulated companies are required to improve their cybersecurity hygiene.
In practice, this means: Companies able to demonstrate NIS2 compliance will be favored by insurers. Investing in compliance pays off twice – protecting against fines and serving as leverage for lower premiums.
Five Steps to the Right Cyber Policy
1. Conduct a risk inventory: Which systems, data, and processes are business-critical? What damages could result from an outage? This analysis forms the basis for determining coverage amounts.
2. Document security measures: MFA, EDR, backup strategy, patch management, and incident response plans must not only exist but be demonstrably documented. Insurers review these during the application process.
3. Understand exclusions: Every policy has blind spots. State-sponsored attacks, systemic events, and breaches of duty of care are the three most critical exclusion clauses.
4. Calculate coverage realistically: Average costs of a ransomware incident, daily business interruption costs, and regulatory fines should all be factored into the calculation.
5. Engage a specialist broker: The cyber insurance market is complex. Specialized brokers understand insurers’ requirement profiles and can significantly improve terms.
Conclusion
Cyber insurance is not a substitute for cybersecurity but its logical complement. Companies that can demonstrate MFA, EDR, and a tested incident response plan are receiving better terms than ever before. At the same time, exclusions are growing: State-sponsored attacks and systemic catastrophes remain uninsurable. Companies that view NIS2 and DORA regulatory requirements as an investment in their own insurability gain twice over – through compliance and lower premiums.
Frequently Asked Questions
How much does cyber insurance cost for an SME?
Annual premiums depend on industry, revenue, coverage amount, and security level. For a company with 50 to 250 employees, premiums typically range between €3,000 and €25,000 per year. Companies with verifiable security measures pay significantly less than those without MFA or EDR.
What damages does cyber insurance cover?
Typical coverage components include forensic investigation costs, legal counsel, crisis communication, ransom payments in ransomware cases, business interruption losses, and GDPR fines. Exact coverage varies by policy.
Can state-sponsored attacks be insured?
Generally, no. Since 2023, most insurers – following Lloyd’s of London’s lead – exclude nation-state cyberattacks from coverage. This includes attacks during peacetime if government involvement is proven. Affected companies must bear this residual risk themselves.
Do I need to be NIS2-compliant to obtain cyber insurance?
NIS2 compliance is not a formal prerequisite for obtaining a policy. In practice, however, insurers require measures that strongly overlap with NIS2 requirements: risk management, incident response, access control, and supply chain security. Companies meeting NIS2 standards typically fulfill most insurance requirements as well.
What happens if I report a claim and the insurer denies it?
The most common reasons for denial are missing security measures that were promised in the application, or exclusion clauses such as state-sponsored attacks. Companies should complete their applications truthfully and carefully review exclusions before signing. In disputed cases, a specialized insurance attorney can assist.
Further Reading
NIS2 in Germany: What Companies Need to Know and Implement Now (SecurityToday)
DORA and NIS2 Together: Compliance Double Pressure for Financial Institutions (SecurityToday)
Zero Trust for SMEs: Getting Started in 5 Steps (SecurityToday)
Disaster Recovery in the Cloud: 5 Steps to a Resilient Emergency Plan (cloudmagazin)