The era of "cyber policy €4,000 a year, covers €5 M" is over. Insurers saw dramatic loss ratios in 2023–2025 – ransomware mega-claims in the seven-figure range, BEC incidents with direct losses, business interruptions over weeks. The result: in 2026, cyber policies are either substantially more expensive, substantially narrower – or simply unavailable.
The New Minimum Requirements From Insurers
A typical risk questionnaire in 2026 no longer asks "do you have a backup?" but in very technical detail:
- Multi-factor authentication: for all privileged accounts, external access, mail/webmail. "Rolled out to 80 %" doesn't suffice – the auditor wants 100 %.
- Endpoint detection and response (EDR/XDR): not "classic AV" but behavior-based detection with central telemetry backend.
- Backup strategy 3-2-1-1-0: three copies, two media, one off-site, one immutable, zero errors at last restore test. Restore test is evidence-required.
- SIEM with log retention ≥ 12 months: for forensics post-incident. Self-hosted Wazuh or similar accepted if logs are immutable.
- Patch management with SLA: critical CVEs patched or documented as compensated within 72 h.
- Phishing awareness with effectiveness measurement: annual training, simulations with click-rate trend.
- Incident response plan, tested: annual tabletop exercise with management participation.
- Supplier risk assessment (TPRM): at least for the top 10 critical providers.
Failing any of these means surcharge or rejection. "Rejection" means: no policy from this insurer – and the next looks at your questionnaire skeptically.
The Most Dangerous Part: The Warranty Clauses
Even an existing policy doesn't protect if it's later proven that the asserted minimums weren't met at the time of loss. Standard 2026 wording:
"Coverage is forfeit insofar as the technical and organizational measures asserted in the risk questionnaire were not implemented as asserted at the time of the insured event."
Practical translation: if you confirmed 100 % MFA in the questionnaire but actually had 70 %, and the loss runs through a non-MFA account – the policy doesn't pay. This isn't a theoretical construct, it's standard 2025 practice.
How an Integrated Platform Saves the Policy
A platform like SecTepe.Comm + SecTepe.Core directly provides several insurer requirements – and above all the evidence:
- MFA coverage report: from Keycloak, automatic. "What percentage of our accounts have FIDO2 or TOTP active?" as a live number.
- SIEM logs: Wazuh as recognized SIEM, append-only storage, 12+ months retention configured.
- Backup audit trail: WORM archive for mail forensics, Borg/Restic for asset backups, restore test logs automatic.
- Phishing simulation: GoPhish integrated, click-rate trends without external tool.
- Awareness training: wiki module with quizzes and attendance quotas.
- TPRM module: supplier inventory, risk score, re-assessment cadence.
- Incident response runbooks: versioned in wiki, tabletop minutes in audit log.
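The MFA coverage report above is the evidence that decides whether the warranty clause bites. As an added illustration (not SecTepe's or Keycloak's own code), the script below classifies accounts by the `type` values Keycloak returns from its admin API credential endpoint (`webauthn`/`webauthn-passwordless` for FIDO2, `otp` for TOTP) and compares the live coverage with the percentage asserted in the questionnaire; the `Account` structure and the sample users are constructed for the example, and the privileged flag stands in for whatever role check an organization uses.

```python
from dataclasses import dataclass
from typing import Iterable

# Keycloak credential "type" values that count as a second factor.
FIDO2_TYPES = {"webauthn", "webauthn-passwordless"}   # FIDO2 authenticators
TOTP_TYPES = {"otp"}                                  # TOTP/HOTP authenticators

@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool              # assumption: holds an admin-type realm role
    credential_types: frozenset   # "type" fields from /users/{id}/credentials

def mfa_kind(account: Account) -> str:
    """Strongest second factor configured: 'fido2', 'totp' or 'none'."""
    if account.credential_types & FIDO2_TYPES:
        return "fido2"
    if account.credential_types & TOTP_TYPES:
        return "totp"
    return "none"

def coverage_report(accounts: Iterable[Account], asserted_pct: float) -> dict:
    """Live MFA coverage over enabled accounts versus the questionnaire assertion.
    Privileged accounts without MFA are listed separately: the insurer wants
    100 % there regardless of the overall figure, so they break the assertion."""
    in_scope = [a for a in accounts if a.enabled]   # disabled accounts cannot log in
    counts = {"fido2": 0, "totp": 0, "none": 0}
    uncovered, privileged_uncovered = [], []
    for a in in_scope:
        kind = mfa_kind(a)
        counts[kind] += 1
        if kind == "none":
            uncovered.append(a.username)
            if a.privileged:
                privileged_uncovered.append(a.username)
    covered = counts["fido2"] + counts["totp"]
    actual_pct = round(100.0 * covered / len(in_scope), 1) if in_scope else 0.0
    return {
        "in_scope": len(in_scope),
        "by_type": counts,
        "actual_pct": actual_pct,
        "asserted_pct": asserted_pct,
        "assertion_holds": actual_pct >= asserted_pct and not privileged_uncovered,
        "uncovered": sorted(uncovered),
        "privileged_uncovered": sorted(privileged_uncovered),
    }

# Constructed sample data standing in for the Keycloak admin API response.
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, frozenset({"password", "webauthn"})),
    Account("bob", True, False, frozenset({"password", "otp"})),
    Account("carol", True, False, frozenset({"password"})),
    Account("svc-backup", True, True, frozenset({"password"})),
    Account("dave", False, False, frozenset({"password"})),   # disabled: out of scope
]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_ACCOUNTS, asserted_pct=100.0))
```

Run against the real realm, the same function turns "we asserted 100 %" into a dated number plus a list of the accounts that would void coverage if a loss ran through them.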
The Insurance Math
Mid-market firm, 200 employees, old policy: €8,000 p. a., €25,000 deductible, "BEC" and "insider threats" excluded. New 2026 quote from four insurers: two decline, one wants €35,000 p. a. with €100,000 deductible, one offers €18,000 p. a. – but conditional on "SIEM, MFA, EDR, awareness as in the questionnaire, annual confirmation".
The avoided premium uplift (~€17,000 p. a.) funds the ISMS tooling over the term. Plus the certainty that the policy actually pays out in a loss event.
Questions Management Should Be Asking Now
- When was our cyber risk questionnaire last updated? Who signed it?
- Which asserted measures do we have – and are they provably effective?
- What's our actual MFA coverage? (not "we plan to" – the live number)
- How long are our logs currently retained? Are they immutable?
- When was the last successful restore test?
Conclusion
Cyber insurance in 2026 is no longer an add-on you tick off as an afterthought. It's a process that objectively probes your security maturity. An integrated security and GRC platform delivers exactly the evidence the insurer demands – and therefore the policy management needs in a loss event.