tl;dr
The cyber insurance market in February 2026 is defined by a strategic stabilization of rates despite a sharp rise in complex claims and regulatory pressure. While general market conditions remain buyer-friendly with flat-to-softening pricing, underwriters are aggressively tightening technical requirements—specifically mandating phishing-resistant MFA and 24/7 active EDR—while simultaneously launching niche products like dedicated coverage for connected commercial fleets.
🗓️ Upcoming Events
PLUS Cyber Symposium
Gain valuable insights, foster connections, and stay informed about the latest developments and best practices in cyber insurance.
Dates: March 3-4, 2026
Location: New York, NY
Register: Event Info
Cyber Liability Insurance Summit
This high-impact, day-and-a-half event is designed to equip industry leaders with essential insights into the world of cyber liability and data risk.
Dates: March 12-13, 2026
Location: Uncasville, CT
Register: Event Info
Industry News & Product Launches
HSB Launches Cyber Insurance for Connected Commercial Vehicles: Hartford Steam Boiler has introduced a first-of-its-kind policy specifically designed to cover hacking risks, extortion, and business interruption for internet-connected commercial cars and trucks.
Armis Achieves DISA IL5 Status, Expanding Support for US Defense Cybersecurity: The authorization allows Armis to secure critical Department of Defense infrastructure, signaling a maturation of security standards that often dictate future insurance underwriting benchmarks.
Anthropic’s Claude Code Security Release Is Not Bad News for Cyber Companies: Analysts suggest that while new AI vulnerability-scanning tools are entering the market, they will supplement rather than replace traditional security and insurance-linked risk assessment frameworks.
Market Trends & Underwriting
Identity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026: Insurers are shifting focus toward "identity posture" as a primary underwriting factor, penalizing organizations with poor password hygiene and inconsistent MFA coverage.
Cyber Insurance Requirements in 2026: What Carriers Actually Require: Carriers like Chubb and Beazley have moved beyond basic checklists to mandate phishing-resistant hardware keys and documented 12-month tabletop exercises for high-limit policyholders.
Cyber Insurance Market Update: Rates Decline Despite Rising Claims: Lockton reports a rare divergence where premiums fell by an average of 11% in the last year even as nationally significant cyber incidents surged by 129%.
Cyber Risk: A Look Ahead to 2026: WTW analysts observe a deceleration in market softening, with insurers pushing for flat primary renewals in high-risk sectors like healthcare and aviation.
Legal, Regulatory, and Claims
The Breach is Only the First Incident; The Claim is the Second: Recent court rulings are emphasizing that "computer fraud" clauses often cover spoofing, but the difficulty of the claims process itself is becoming a secondary "incident" for insureds.
Cyber Insurance Market: Why Demand, Regulation and Risk are Reshaping Coverage: The progression of the UK’s Cyber Security and Resilience Bill is expected to drive a 20-25% increase in demand for cover as MSPs and data centers face new statutory obligations.
Travelers’ James Standish on Technology Risks and Risk Transfer: Travelers’ leadership highlights that accelerating M&A activity is creating complex "coverage interplay" issues that brokers must navigate to avoid protection gaps during transitions.
📖 Deeper Dive
The Move to Phishing-Resistant MFA
In 2026, the transition from "standard" Multi-Factor Authentication (MFA) to phishing-resistant MFA has become a critical pivot point for cyber insurance eligibility and claims defensibility.
Based on the latest industry reports from Breach Craft and specialized carriers, here is a deeper look into the specific underwriting requirements and the technical benchmarks now being enforced:
1. The "Phishing-Resistant" Standard
Underwriters are increasingly distinguishing between legacy MFA (which is vulnerable to "adversary-in-the-middle" or MFA fatigue attacks) and phishing-resistant protocols. In 2026, to qualify for high-limit policies (typically $5M+), carriers generally mandate:
FIDO2/WebAuthn Hardware Keys: Physical devices (like YubiKeys) that use public-key cryptography to bind the authentication to the specific, legitimate domain of the service.
Passkeys & Biometrics: Cryptographic credentials built into devices (FaceID, TouchID, Windows Hello) that are "verifier-impersonation resistant," ensuring that even if a user is tricked into a fake site, the authentication will fail.
The "Legacy" Demotion: App-based TOTP (timed codes) and SMS are increasingly relegated to "low-limit" or "high-deductible" categories, as they can be easily intercepted or bypassed by modern AI-driven phishing kits.
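The domain binding described above, seen from the relying party's side, as an added example that is not part of the original newsletter: these are the checks a server makes on the origin, challenge and RP ID hash carried in a WebAuthn assertion. The host names, the challenge and the sample assertion are constructed, and verifying the authenticator's signature over these bytes is a separate step not shown here.

```python
import base64, hashlib, hmac, json

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed legitimate origin

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what the browser and authenticator return."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x05])               # UP (0x01) and UV (0x04) set
                 + (1).to_bytes(4, "big"))
    return client_data, auth_data

def check_binding(client_data_json, auth_data, challenge):
    """Return the list of failed binding checks; an empty list means pass."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge must be the one this server issued for this login attempt.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), challenge):
        failures.append("challenge")
    # The browser, not the user, records the origin the ceremony ran on.
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # The authenticator hashes the RP ID it was asked to sign for.
    if not hmac.compare_digest(auth_data[:32],
                               hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failures.append("user-present")
    if not auth_data[32] & 0x04:
        failures.append("user-verified")
    return failures

if __name__ == "__main__":
    issued = bytes(range(32))
    print(check_binding(*make_sample_assertion(EXPECTED_ORIGIN, RP_ID, issued), issued))
    lookalike = make_sample_assertion("https://login.example.net", "login.example.net", issued)
    print(check_binding(*lookalike, issued))
```

A TOTP or SMS code carries no such fields, so the server cannot tell where the user typed it.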
2. The "Everywhere" Mandate (Universal Coverage)
A major trend for 2026 is the shift from sampling to universal enforcement. Carriers like Travelers and Coalition have cited "partial implementation" as a top reason for claim denials. Required coverage areas now include:
Remote Access: Every VPN and RDP entry point.
Cloud & SaaS: All administrative and standard user accounts in environments like M365, AWS, and Salesforce.
Internal Lateral Movement: MFA is increasingly required for accessing internal servers or sensitive databases, not just the initial login.
Service Accounts: Carriers are scrutinizing non-human accounts that often lack MFA, demanding they be protected by alternative "identity-bound" or "just-in-time" access controls.
3. Verification & Evidence (The Audit)
Applying for coverage no longer relies on a simple "Yes/No" checklist. Underwriters are now demanding:
Configuration Screenshots: Proof that MFA is "Enforced" rather than just "Enabled."
External Scanning: Carriers use automated tools to verify DMARC records and look for exposed login portals that lack MFA triggers.
User Adoption Metrics: Reports showing the percentage of the workforce successfully using phishing-resistant methods versus those on legacy bypass lists.
Rate Softening for Adopters: Organizations that can prove 100% phishing-resistant MFA coverage are seeing premium decreases of 10–15%, as they are statistically much less likely to suffer the credential-harvesting attacks that lead to ransomware.
The "Uninsurable" Threshold: In high-risk sectors like healthcare and financial services, lacking phishing-resistant MFA is increasingly becoming a "non-starter" for many Tier-1 carriers, regardless of price.
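One way to turn the "Everywhere" mandate and the evidence items above into a repeatable check, as an added example that is not from the original newsletter or from any carrier: it reads an identity inventory export and reports the share of human accounts with enforced, phishing-resistant-only MFA, plus every gap. The CSV columns, account names and finding labels are assumptions constructed for illustration.

```python
import csv, io

# Method labels standing in for the FIDO2 keys and passkeys named in section 1.
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello"}

# Constructed export; the column names are assumptions, not a vendor schema.
SAMPLE = """account,kind,mfa_state,methods,bypass_list,jit_access
alice,human,enforced,fido2,no,no
bob,human,enabled,fido2;totp,no,no
carol,human,enforced,totp;sms,no,no
dave,human,enforced,passkey,yes,no
svc-backup,service,none,,no,yes
svc-etl,service,none,,no,no
"""

def classify(row):
    """Return 'ok' or the first gap an underwriter's audit would flag."""
    methods = {m for m in row["methods"].split(";") if m}
    if row["kind"] == "service":
        # Non-human accounts need a compensating control instead of MFA.
        return "ok" if row["jit_access"] == "yes" else "service-no-compensating-control"
    if row["bypass_list"] == "yes":
        return "on-bypass-list"
    if row["mfa_state"] != "enforced":
        return "enabled-not-enforced"
    # Any registered legacy method leaves a fallback path open.
    if not methods or not methods <= PHISHING_RESISTANT:
        return "legacy-method-allowed"
    return "ok"

def audit(csv_text):
    """Return (percent of human accounts fully covered, {account: gap})."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = {r["account"]: classify(r) for r in rows}
    humans = [r["account"] for r in rows if r["kind"] == "human"]
    covered = sum(findings[a] == "ok" for a in humans)
    pct = round(100 * covered / len(humans), 1) if humans else 0.0
    gaps = {a: f for a, f in findings.items() if f != "ok"}
    return pct, gaps

if __name__ == "__main__":
    pct, gaps = audit(SAMPLE)
    print(f"phishing-resistant coverage: {pct}%")
    for account, gap in gaps.items():
        print(f"  {account}: {gap}")
```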
Did You Know? In 2026, the "Uninsured" are seeing losses grow nearly 4x faster than the "Insured".
Till next time,
