{"id":7759,"date":"2026-03-30T10:00:00","date_gmt":"2026-03-30T10:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-5604\/"},"modified":"2026-04-10T08:20:20","modified_gmt":"2026-04-10T08:20:20","slug":"cyber-insurance-2026-what-insurers-really-check-and-what-cisos-must-prepare-for","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/03\/30\/cyber-insurance-2026-what-insurers-really-check-and-what-cisos-must-prepare-for\/","title":{"rendered":"Cyber Insurance 2026: What Insurers Really Check and What CISOs Must Prepare For"},"content":{"rendered":"<p style=\"display:inline-block;background:#69d8ed;color:#fff;padding:4px 14px;border-radius:20px;font-size:0.85em;margin-bottom:18px;\">9 min Reading Time<\/p>\n<p><strong>Over 40 percent of companies filing a cyber claim receive no payout. 72 percent of small and medium-sized enterprises are completely uninsured. And after two years of decline, premiums are rising again by 15 to 20 percent. At the same time, underwriting is becoming more technical than ever: insurers no longer check whether MFA exists, but whether it is enforced across the board. The difference between coverage and rejection comes down to five specific controls.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li><strong>40 percent of claims are not paid out:<\/strong> Missing MFA, weak incident response plans, and unmonitored endpoints are the most common reasons for rejection.<\/li>\n<li><strong>72 percent of SMEs uninsured:<\/strong> In Germany, France, Italy, and Spain, over 70 percent of companies have no cyber insurance. Only 22 percent in Italy, 39 percent in the UK.<\/li>\n<li><strong>Premiums rising 15 to 20 percent:<\/strong> After two years of falling prices, premiums are turning upward in 2026. Companies with strong controls pay up to 60 percent less than those without.<\/li>\n<li><strong>$16.3 billion global market in 2025<\/strong> (Munich Re). 
By 2034, the market is expected to grow to over $220 billion. The DACH market alone is projected to reach 2 billion euros.<\/li>\n<li><strong>5 mandatory controls:<\/strong> MFA everywhere, EDR on all endpoints, immutable backups, tested incident response plan, and documented patch management. Without these five: no coverage.<\/li>\n<\/ul>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">From Questionnaire to Technical Assessment: How Underwriting Works in 2026<\/h2>\n<p>Five years ago, cyber underwriting consisted of a questionnaire with 20 yes\/no questions. Today, it\u2019s a technical assessment. Insurers like <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/12\/nis2-in-deutschland-was-unternehmen-jetzt-wissen-und-umsetzen-muessen\/\" target=\"_blank\" rel=\"noopener\">Munich Re<\/a>, Allianz and Zurich work with specialized service providers that scan the actual security posture &#8211; not just the claimed one.<\/p>\n<p>Specifically, insurers check: How many accounts have MFA enabled (not 80 percent, but 100 percent)? Are all endpoints covered by EDR (not just managed devices, but also BYOD)? Are backups regularly tested for recoverability (not just created)? Is there an incident response plan that has been tested in a tabletop exercise within the last 12 months?<\/p>\n<p>The consequence: Companies that state controls are in place during the application process but fail to enforce them in practice risk having their claims denied in the event of a loss. The insurer verifies after an incident whether the stated controls were actually active at the time of the attack. 
If they weren\u2019t, the policy is void.<\/p>\n<div class=\"evm-stat evm-stat-highlight\" style=\"text-align:center;background:#f0f9fa;border-radius:12px;padding:32px 24px;margin:32px 0;\">\n<div style=\"font-size:48px;font-weight:700;color:#004a59;letter-spacing:-0.03em;\">40 %+<\/div>\n<div style=\"font-size:15px;color:#444;margin-top:8px;\">of cyber claims are not paid out<\/div>\n<div style=\"font-size:12px;color:#888;margin-top:8px;\">Source: Cyber Insurance Statistics 2025-2026<\/div>\n<\/div>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">The 5 Controls That Determine Coverage or Rejection<\/h2>\n<p><strong>1. MFA on all accounts and systems.<\/strong> Not just for admins, not just for VPN access. For every user, on every identity system. The distinction between &#8220;MFA exists&#8221; and &#8220;MFA is consistently enforced&#8221; is the decisive factor in underwriting. Phishing-resistant MFA (FIDO2, hardware tokens) is increasingly preferred over SMS or app-based MFA.<\/p>\n<p><strong>2. EDR on all endpoints.<\/strong> Continuous monitoring across all endpoints, with active response capabilities. Not just detection, but isolation and remediation. CrowdStrike Falcon, Microsoft Defender for Endpoint and SentinelOne are the most commonly accepted solutions. Antivirus alone is no longer sufficient.<\/p>\n<p><strong>3. Immutable backups with documented restore tests.<\/strong> Backups that cannot be encrypted or deleted by <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/04\/ransomware-resilienz-deutsche-unternehmen-seltener-zahlen\/\" target=\"_blank\" rel=\"noopener\">ransomware<\/a>. Air-gapped or cloud-isolated. And proof that recovery is tested regularly. A backup without a restore test is not a backup.<\/p>\n<p><strong>4. Tested incident response plan.<\/strong> A paper IR plan isn\u2019t enough. Insurers require evidence of a tabletop exercise within the last 12 months. Who is responsible? How is escalation handled? 
When is the insurer notified? Most policies require notification within 24 to 72 hours of discovering an incident.<\/p>\n<p><strong>5. Documented <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/09\/microsoft-patch-tuesday-maerz-2026-luecken-geschlossen\/\" target=\"_blank\" rel=\"noopener\">patch management<\/a>.<\/strong> Critical patches within 14 days. Documented exceptions with risk acceptance. Automated vulnerability scanning as proof. Insurers are increasingly reviewing Mean Time to Patch (MTTP) as a KPI.<\/p>\n<blockquote style=\"border-left:4px solid #69d8ed;margin:32px 0;padding:20px 24px;background:#fafafa;border-radius:0 8px 8px 0;font-size:1.1em;line-height:1.6;color:#333;\"><p>\n&#8220;Insurers have evolved from blanket actuarial models to technical underwriting that evaluates how controls actually function. The question is no longer whether MFA exists, but whether it is consistently enforced.&#8221;<br \/>\n<cite style=\"display:block;margin-top:12px;font-size:0.8em;color:#888;font-style:normal;\">SecureAIT, Cyber Insurance Requirements 2026<\/cite>\n<\/p><\/blockquote>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">DACH Market: Underinsured and in Transition<\/h2>\n<p>The European cyber insurance market was valued at $1.51 billion in 2025 and is expected to grow to $5.47 billion by 2034 (17 percent CAGR). The German market alone is projected to reach 2 billion euros, driven by <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/14\/nis2-audit-unternehmen-vorbereitung-bsi\/\" target=\"_blank\" rel=\"noopener\">NIS2 compliance requirements<\/a> and growing awareness following high-profile attacks on German companies.<\/p>\n<p>But the coverage rate is alarmingly low. Over 70 percent of companies in Germany, France, Italy, and Spain are uninsured. The situation is even worse among SMEs. 
Many companies shy away from premiums or fail underwriting: without MFA, EDR, and backups, there\u2019s no policy.<\/p>\n<p>The DACH market has a unique feature: regulatory density (NIS2, DORA, KRITIS-Dachgesetz) is driving demand. Companies subject to NIS2 already need the controls that insurers require. Cyber insurance thus becomes a byproduct of <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/29\/post_id-5602\/\" target=\"_blank\" rel=\"noopener\">NIS2 compliance<\/a>: those who are compliant also get insurance. Those who aren\u2019t compliant get neither.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">AI Exclusions and New Coverage Gaps<\/h2>\n<p>In 2026, new exclusions are emerging that CISOs must be aware of. Insurers are increasingly introducing AI-specific clauses: damages caused by <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/21\/shadow-ai-chatgpt-mitarbeiter-dsgvo-risiko-2026\/\" target=\"_blank\" rel=\"noopener\">Shadow AI<\/a> (unauthorized use of AI tools) may be classified as gross negligence if no AI usage policy exists. AI-generated deepfake attacks are explicitly excluded by some policies.<\/p>\n<p>Other common exclusions in 2026: war and state-sponsored attacks (the boundary is contentious), systemic cloud outages of a hyperscaler (&#8220;systemic risk&#8221;), known and unpatched vulnerabilities (excluded after the patch deadline in the insurance terms), and voluntary ransom payments without prior consultation with the insurer.<\/p>\n<p>For CISOs, this means: read the policy carefully. Not just the coverage amount, but the exclusions. A common mistake: companies take out a cyber policy assuming ransomware payments are covered. 
In many policies, they are &#8211; but only if the insurer is involved before payment and explicitly approves it.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Premium Optimization: What Really Reduces Costs<\/h2>\n<p>The five mandatory controls aren\u2019t just prerequisites for coverage &#8211; they also determine the premium. Companies that can prove they\u2019ve implemented all five measures pay 50 to 60 percent less than those without these controls.<\/p>\n<p>Additional premium reducers: <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/13\/zero-trust-netzwerksegmentierung-flache-netzwerke\/\" target=\"_blank\" rel=\"noopener\">network segmentation<\/a> (limits the blast radius of an attack), DNS-layer protection (filters threats before they reach the network), regular penetration tests (at least annually, documented), and a SOC or Managed Detection and Response (MDR) service.<\/p>\n<p>The most cost-effective strategy: establish NIS2 compliance as a baseline (the controls overlap 80 percent with insurance requirements), then take out the policy. Those who secure insurance first and implement controls afterward pay high premiums and risk claim denials.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Conclusion<\/h2>\n<p>Cyber insurance isn\u2019t a substitute for security. It\u2019s a safety net for when security fails. But this net has holes: 40 percent of claims are rejected, and requirements are rising every year. For DACH companies, the combination of NIS2 compliance and cyber insurance is the most pragmatic path: the same controls meet both requirements. The five mandatory measures (MFA, EDR, immutable backups, tested IR plan, and patch management) are non-negotiable. Without them, there\u2019s neither <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/06\/ki-in-der-cyberabwehr-hype-vs-realitaet-im-soc\/\" target=\"_blank\" rel=\"noopener\">coverage<\/a> nor compliance in 2026. 
With them, premiums drop by up to 60 percent. The math is simple.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Frequently Asked Questions<\/h2>\n<h3>How much does cyber insurance cost for SMEs?<\/h3>\n<p>For a company with 50 to 500 employees: annual premiums range from 3,000 to 25,000 euros for coverage of 1 to 5 million euros. The exact premium depends on industry, revenue, IT security level, and claims history. Companies with demonstrably strong controls pay at the lower end of the range.<\/p>\n<h3>Can the insurer retroactively deny coverage in the event of a claim?<\/h3>\n<p>Yes. If controls stated during underwriting (e.g., MFA fully implemented) were not active at the time of the attack, the insurer can deny the claim. This also applies if known vulnerabilities weren\u2019t patched within the agreed timeframe. The policy isn\u2019t a blank check &#8211; it\u2019s tied to conditions.<\/p>\n<h3>Is ransomware ransom covered?<\/h3>\n<p>In many policies, yes &#8211; but only under conditions: the insurer must be involved before payment and approve it. Independent payments without consultation can void coverage. Some insurers exclude ransom payments entirely. The clause must be reviewed before signing.<\/p>\n<h3>Which industries pay the highest premiums?<\/h3>\n<p>Healthcare, financial services, and critical infrastructure face the highest premiums because they\u2019re the most attractive targets for attackers and subject to the strictest regulatory requirements. Manufacturing and logistics are also increasingly affected in 2026 due to rising OT security incidents.<\/p>\n<h3>Is cyber insurance sufficient as a security strategy?<\/h3>\n<p>No. Insurance is a financial risk transfer, not a technical safeguard. It covers costs after an incident (forensics, legal fees, notifications, business interruption). It doesn\u2019t prevent the incident. Without the technical controls (MFA, EDR, backups), there\u2019s no policy to begin with. 
Security is the prerequisite for insurance, not the other way around.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Further Reading<\/h2>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/29\/post_id-5602\/\" target=\"_blank\" rel=\"noopener\">PAM: Why Admin Accounts Are the Biggest Entry Point<\/a><\/p>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/12\/nis2-in-deutschland-was-unternehmen-jetzt-wissen-und-umsetzen-muessen\/\" target=\"_blank\" rel=\"noopener\">NIS2 in Germany: What Companies Need to Know<\/a><\/p>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/21\/shadow-ai-chatgpt-mitarbeiter-dsgvo-risiko-2026\/\" target=\"_blank\" rel=\"noopener\">Shadow AI: When Employees Use ChatGPT<\/a><\/p>\n<p style=\"text-align:right;font-style:italic;color:#888;font-size:0.85em;\">Header Image Source: Pexels \/ Mikhail Nilov (px:7734589)<\/p>\n","protected":false},"excerpt":{"rendered":"9 min Reading Time Over 40 percent of companies filing a cyber claim receive no payout. 72 percent of small and medium-sized enterprises are completely uninsured. And after two years of decline, premiums are rising again by 15 to 20 percent. 
At the same time, underwriting is becoming more technical than ever: insurers no longer [&hellip;]","protected":false},"author":55,"featured_media":5603,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"cyber insurance","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"Cyber insurance 2026: Avoid claim denials with stronger security prep\u2014learn what insurers audit and how CISOs can secure coverage. Read now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"footnotes":""},"categories":[251],"tags":[],"class_list":["post-7759","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"wpml_language":"en","wpml_translation_of":5604,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7759"}],"version-history":[{"count":4,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7759\/revisions"}],"predecessor-version":[{"id":10232,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7759\/revisions\/10232"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media
\/5603"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}