
Cyber Insurance Will Not Pay If You Skipped the Basics: 2026 Small-Firm Edition

Paying your cyber insurance premium does not mean your insurer will pay a claim. If the controls you attested to on the application — MFA, tested backups, employee training — were not active when a breach occurred, the claim can be denied.

Elevate Solutions
June 26, 2026 · 4 min read

You renewed your cyber insurance, paid the premium, and filed the certificate. That feels like protection. For many small firms, it isn't — not because the policy was fake, but because the application contained attestations the insurer will use against you the moment you file a claim.

Carriers have tightened underwriting standards significantly. Today's applications require specific, verifiable controls. When a breach happens and those controls were missing, the insurer's position is straightforward: you attested they were in place. They were not. Claim denied. The amount recovered is zero.

What you signed when you applied

A cyber insurance application is a legal document. When you check "yes" to a question about MFA or backups, you are making a binding attestation. Insurers treat a false attestation as a material misrepresentation — enough, under most policy language, to void coverage entirely.

A 2026 application for a small firm is likely to include questions like these:

  • Is multi-factor authentication required for all users accessing email and remote systems?
  • Are backups stored separately from your production environment and tested for restoration?
  • Do employees complete security awareness training at least once per year?
  • Is endpoint protection software installed and active on every company device?
  • Are operating systems and software patched on a regular schedule?
  • Is administrative access limited to users who require it?

If you answered yes to any of those and cannot demonstrate it today, you have an exposure.

The controls carriers expect — and where small firms fall short

Multi-factor authentication

MFA is the control insurers cite most often when they deny a claim. The problem is usually not that MFA was never configured but that it was set up for most users and never enforced for all of them: a new hire onboarded in a hurry, a shared mailbox account nobody updated, a contractor login excluded from the policy. If the attacker came in through that one unprotected account, it can be enough to void coverage.

In Microsoft 365 Business Premium, MFA can be required for every user through Security Defaults or through a Conditional Access policy. Security Defaults is a single tenant-wide switch that makes every user register MFA within 14 days of their next sign-in and challenges them thereafter. A Conditional Access policy with the "require multifactor authentication" grant control, scoped to all users and all cloud apps and left in the enabled state, does the same with finer control. Either configuration satisfies the attestation. A setting that merely prompts users and can be skipped does not, a policy left in report-only mode does not, and a policy that excludes a group of users leaves exactly the gap an adjuster will look for. Keep any exclusion to a documented emergency-access account.
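The three questions above (is there tenant-wide enforcement, who is excluded from it, and who has never registered a method) can be answered from the Microsoft Graph PowerShell SDK. The script below is an added example for this article, not Elevate Solutions' tooling; the function name Test-MfaCoverage and the sample tenant data are this example's own, and the sample objects are constructed to match the shape of what the three Graph cmdlets return so the evaluation runs offline. The live calls against a real tenant are shown commented out.

```powershell
# Added example (not Elevate Solutions' code): check whether MFA is actually enforced
# for every user in a Microsoft 365 tenant. Requires: Install-Module Microsoft.Graph
# Function name Test-MfaCoverage and the sample data below are this example's own.

function Test-MfaCoverage {
    param(
        [Parameter(Mandatory)] [bool]  $SecurityDefaultsEnabled,  # tenant-wide switch
        [Parameter(Mandatory)] [array] $CaPolicies,               # Conditional Access policies
        [Parameter(Mandatory)] [array] $Registrations             # per-user registration report
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is there any enforcement at all? Either Security Defaults, or an enabled
    #    (not report-only) CA policy covering All users on All cloud apps that
    #    requires MFA via the built-in control or an authentication strength.
    $enforcing = @($CaPolicies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.Applications.IncludeApplications -contains 'All' -and
        ($_.GrantControls.BuiltInControls -contains 'mfa' -or
         $null -ne $_.GrantControls.AuthenticationStrength)
    })
    if (-not $SecurityDefaultsEnabled -and $enforcing.Count -eq 0) {
        $findings.Add('No tenant-wide MFA enforcement: Security Defaults off and no enabled all-users/all-apps CA policy requiring MFA.')
    }

    # Report-only policies challenge nobody; they do not satisfy the attestation.
    foreach ($p in $CaPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced') {
        $findings.Add("CA policy '$($p.DisplayName)' is report-only, not enforced.")
    }

    # 2. Exclusions are where the contractor login that bypassed the policy lives.
    foreach ($p in $enforcing) {
        $excluded = @(@($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) |
                      Where-Object { $_ })
        if ($excluded.Count -gt 0) {
            $findings.Add("CA policy '$($p.DisplayName)' excludes: $($excluded -join ', '). Each must be a documented emergency-access account.")
        }
    }

    # 3. A user with no registered method cannot be challenged, whatever the policy says.
    foreach ($u in $Registrations | Where-Object { -not $_.IsMfaRegistered }) {
        $findings.Add("User $($u.UserPrincipalName) has no MFA method registered.")
    }
    return $findings
}

# --- Live tenant check (run interactively with a read-only admin account) ------------
# Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All'
# $sd   = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
# $ca   = Get-MgIdentityConditionalAccessPolicy -All
# $regs = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# Test-MfaCoverage -SecurityDefaultsEnabled $sd -CaPolicies $ca -Registrations $regs

# --- Constructed sample tenant, shaped like the objects those cmdlets return ----------
$sampleCa = @(
    [pscustomobject]@{
        DisplayName   = 'Require MFA - all users'
        State         = 'enabled'
        Conditions    = [pscustomobject]@{
            Users        = [pscustomobject]@{ IncludeUsers  = @('All')
                                              ExcludeUsers  = @('contractor@example.com')
                                              ExcludeGroups = @() }
            Applications = [pscustomobject]@{ IncludeApplications = @('All') }
        }
        GrantControls = [pscustomobject]@{ BuiltInControls = @('mfa'); AuthenticationStrength = $null }
    }
)
$sampleRegs = @(
    [pscustomobject]@{ UserPrincipalName = 'owner@example.com';   IsMfaRegistered = $true  }
    [pscustomobject]@{ UserPrincipalName = 'newhire@example.com'; IsMfaRegistered = $false }  # onboarded in a hurry
)
Test-MfaCoverage -SecurityDefaultsEnabled $false -CaPolicies $sampleCa -Registrations $sampleRegs
```

Each line of output is one sentence you would have to explain to an adjuster. On the constructed sample the policy exists and is enabled, so the tenant would look compliant on a screenshot, yet the check still surfaces the excluded contractor and the unregistered new hire. Run it before every renewal, and save the output alongside the policy screenshot as part of the documentation file.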

Backups

OneDrive version history is not a backup in the insurance sense. It lives inside the same tenant that ransomware can reach. Carriers expect a backup that is isolated from the primary environment, runs automatically, and has been restored in an actual test.

A cloud backup solution that pulls copies outside your Microsoft tenant, retains versions for at least 30 days, and has a documented restore test on file is the standard. Log the test date and what was restored. That record matters when a claim is reviewed.

Security awareness training

Annual training is the floor. It does not need to be elaborate: a 30-minute online course completed by every employee, with a completion log you can show an adjuster, satisfies most carrier requirements. What does not satisfy them is a training session that took place three years ago or a conversation you had at a staff meeting. Log completions by name and date, every year.

Endpoint protection

Microsoft 365 Business Premium includes Microsoft Defender for Business, an endpoint detection and response (EDR) product. It needs to be deployed to every device that touches company data. A personal laptop used to check work email that is not enrolled in device management is an unprotected endpoint, and a documented gap in your attestation.

The attestation trap that catches small firms

The scenario repeats itself: the application was accurate when submitted. Then something changed. A new employee was added and never enrolled in MFA. A backup subscription lapsed during a billing dispute. Staff training was skipped last year because the office was short-handed. At claim time, the insurer examines the state of your controls on the date of the incident — not the date of the original application. If a control was absent that day, the claim is denied.

The fix is ongoing maintenance, not a one-time setup. Controls have to stay on. One lapsed subscription or one skipped onboarding step can undo the attestation.

What to do before your next renewal

  1. Pull your current application and read it. Review every question you answered affirmatively.
  2. Check each control today. Is MFA enforced for all users, including anyone added in the past year? When did staff last complete training? When was the last backup restore test?
  3. Close gaps before you renew, not after a claim. Renewing with a known gap extends your exposure and compounds the misrepresentation.
  4. Build a short documentation file. A training completion log, a screenshot of your MFA enforcement policy, a dated backup test record. You will need to produce these under pressure, not go looking for them.
  5. Tell your broker about changes. If your security posture has shifted — better or worse — your broker needs to know before the renewal date.

Cyber insurance is worth carrying. It covers real costs — forensics, breach notification, legal fees, business interruption — that can end a small firm. But it pays only when the controls you attested to are the controls you actually ran. The application is a one-time task. Keeping the controls active is an ongoing one. Neither is optional.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions