4 min read · Emre Yurtbay

Cyber Insurance 2026: The IT Measures Insurers Now Require from SMBs

Without MFA, tested backups and a patch routine you can barely get a policy. Which requirements insurers ask about — and how to clear the hurdles.

Tags: Cyber Insurance, IT Security, Backup, SMB, Compliance

For a long time cyber insurance was just a box to tick: fill in the form, pay the premium, done. Those days are over. After years of expensive claims, insurers now look very closely at how well a company is actually protected — and they tie coverage to concrete technical minimum requirements. If you don't meet them, you either get no policy at all, a noticeably higher premium, or trouble when you try to claim.

Note: This article is not legal or insurance advice. It explains common practice. What ultimately applies is set out solely in your individual insurance contract and its terms.

Why insurers are suddenly looking so closely

The German Insurance Association (GDV) publishes model conditions for cyber-risk insurance — including a risk questionnaire aimed at companies with up to roughly €50 million in turnover. That questionnaire is the crux: it asks for the minimum IT-security level a business must demonstrate to be insurable at all. One important point: these are model conditions — every insurer deviates from them in practice, sometimes stricter, sometimes more lenient. What counts is your specific contract.

At the same time, the GDV documents that many mid-sized businesses fail to meet even basic IT-security criteria. That is precisely the gap insurers want closed before they sign a contract.

The typical requirements at a glance

The following six points appear in almost every application. They are not a legal checklist, but what insurers regularly ask for in questionnaires and policy terms.

1. Multi-factor authentication (MFA)

MFA has effectively become the entry ticket. The GDV explicitly recommends two- and multi-factor authentication, and in practice insurers require it for all external access (remote access, VPN, webmail) and especially for administrative accounts. Without MFA, many applications fail at this first hurdle. The good news: in Microsoft 365 or Google Workspace, MFA can be switched on at no extra cost.

2. Tested backups following the 3-2-1 principle

Backups alone are not enough — they have to be tested. The GDV questionnaire wants to know whether data backups are created regularly, kept separately, protected, and actually recoverable in an emergency. That matches the 3-2-1 rule: three copies, two media, one off-site and offline. The decisive factor is a documented restore test — a backup that has never been restored is a liability when disaster strikes.
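What a documented restore test can look like in practice, as an added example that is not part of the original post: a small Python script that records a SHA-256 manifest when the backup is created, restores the archive into a clean directory, compares every file against the manifest, and appends the verdict to a log. The sample files, the temporary paths and the tampering step are constructed for the demo; a real test would restore the off-site copy on a separate machine.

```python
"""Backup restore test with a checksum manifest (added example, not from the post).

The manifest is kept apart from the archive so that a damaged archive cannot
'verify itself'. All paths and sample files below are constructed for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Pack 'source' into a tar.gz and return a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(str(file), arcname=rel)
    return manifest


def restore(archive: Path, restore_dir: Path) -> None:
    """Extract into an empty directory, refusing entries that would escape it."""
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(str(restore_dir))


def verify_restore(manifest: dict, restore_dir: Path) -> dict:
    """Compare every restored file against the manifest and return a log record."""
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    corrupt = [rel for rel in manifest
               if rel not in missing and sha256_of(restore_dir / rel) != manifest[rel]]
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "files_checked": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "result": "PASS" if not missing and not corrupt else "FAIL",
    }


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end demo on constructed sample files. With tamper=True one restored
    file is modified before verification, so the test must report FAIL."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("id,amount\n1,100\n")
        (source / "notes.txt").write_text("constructed sample file\n")

        archive = tmp / "backup.tar.gz"
        manifest = make_backup(source, archive)

        restore_dir = tmp / "restore"
        restore_dir.mkdir()
        restore(archive, restore_dir)
        if tamper:
            # Simulates silent corruption of a restored file.
            (restore_dir / "notes.txt").write_text("this file was altered\n")

        record = verify_restore(manifest, restore_dir)
        # Append-only log of restore tests: the evidence an insurer or auditor asks for.
        with (tmp / "restore-tests.jsonl").open("a") as log:
            log.write(json.dumps(record) + "\n")
        return record


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(tamper=True))
```

The point of the separate manifest is that "the archive opened without errors" is not the same as "the data came back intact"; only the per-file comparison, kept with a timestamp, shows that the backup was actually recoverable on a given date.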

3. Prompt patch and update management

Security updates are among the baseline requirements: apply them promptly, not weeks later. Insurers ask whether operating systems and software are kept up to date and whether there is a defined process for it. Outdated, unsupported systems are a classic reason for rejection.

4. Endpoint protection (from antivirus to EDR)

The GDV baseline names classic antivirus and firewalls. The market has moved on: modern insurers increasingly expect professional endpoint protection, up to EDR (Endpoint Detection and Response), which doesn't just block attacks but also detects and reports them. Treat this as a trend, not a fixed GDV requirement — but one that is increasingly becoming a condition for larger coverage sums.

5. Aware employees

The most common entry point for attackers is still people — phishing emails and fake invoices. Insurers reward regular training and awareness measures because they demonstrably lower the risk of a claim. Even short, recurring training sessions and clear reporting channels make a difference.

6. Email security: SPF, DKIM and DMARC

In May 2025 the BSI (Germany's Federal Office for Information Security) tightened its email-security recommendations and now advises every company that sends mail from its own domain to correctly implement the three methods SPF, DKIM and DMARC. They prevent criminals from sending deceptively genuine-looking emails in your company's name. This email authentication is exactly what insurers increasingly ask about — and it also protects your reputation with customers and suppliers.

How to tackle it

The application is no mystery if you go about it methodically:

  1. An honest inventory: which of the six points do you already meet, and where are the gaps? Don't gloss over anything — false statements in the application can cost you your coverage when you claim.
  2. Quick wins first: enable MFA, restore a backup and log it, write down your update process. That lowers your risk immediately and improves your negotiating position.
  3. Document: make your measures provable. Insurers and auditors alike want evidence, not assurances.
  4. Fill in the questionnaire carefully: when in doubt, with expert support — every entry is a contractual warranty.

The best part: almost all of these measures are sensible IT security anyway. Whoever passes the insurance questionnaire is also far better protected against ransomware and data loss in day-to-day operations. The policy thus turns from a cost item into a side effect of a solid security strategy.

Conclusion

Cyber insurance is no substitute for good IT security — it presupposes it. MFA, tested backups, a patch routine, endpoint protection, trained staff and clean email authentication are today's entry ticket. The effort pays off twice over: better terms with your insurer and a genuinely lower risk.

Want to know where your business stands before the insurance questionnaire lands on your desk? For companies in Recklinghausen and the Ruhr region, we assess your situation in a free initial consultation — straightforward, understandable and free of jargon.

Note: The articles on this blog are produced with the help of AI and are editorially reviewed before publication. Editorial responsibility lies with Emre Yurtbay (see the Impressum).
