What insurers are asking in 2026: the cyber renewal questionnaire, decoded

A line-by-line look at the questions UK underwriters are sending mid-market regulated companies in 2026, what each one is really asking for, and what good evidence looks like.

By the Threat Protect editorial team · 10 min read · Updated 2 May 2026

The 2026 cyber insurance renewal questionnaire has stabilised into a roughly recognisable shape across the main UK underwriters: Beazley, AIG, CFC, Travelers, the Lloyd’s syndicates. This piece walks through the questions that actually move premium and coverage, what each one is asking for, and what good evidence looks like. Treating the questionnaire as a controls review rather than a chore is the single biggest swing factor in renewal outcomes for mid-market regulated companies.

What changed between 2024 and 2026?

The hard market that ran 2022–24 has stabilised. Premiums for mid-market regulated companies are no longer climbing at 20–40% per renewal. What replaced the price pressure is evidence pressure: underwriters now ask harder questions, expect documented evidence rather than attestations, and decline cover for companies that cannot demonstrate basic controls, at any price.

The questionnaire itself is shorter than the 2023 version (most underwriters are now in the 30–60 question range, down from 80–120) but each question demands a more specific answer. "Do you have MFA?" is no longer enough. "Where is MFA enforced, for which user populations, using which methods, with what fallback if MFA fails?" is the question now.

The other change is the role of evidence. Two years ago, a Yes answer was usually accepted. In 2026, underwriters increasingly ask for the policy document, the conditional access screenshot, the patch cadence record. Companies that cannot produce evidence at renewal are getting one of three responses: a sub-limit on the cover, a coinsurance percentage on ransomware specifically, or a 30-day window to provide evidence before binding.

The five questions that actually matter

Of the 30–60 questions on the typical questionnaire, five drive premium and retention more than the rest combined.

MFA coverage. Underwriters want to know MFA is enforced for all privileged accounts (admins, senior partners), all external access (VPN, RDP, web admin portals), and all email access. The strongest answers specify the method (phishing-resistant, such as passkeys or FIDO2, rather than SMS or push notification) and how exceptions are managed. The weakest answers say "yes, where possible" without naming what is excluded and why.

EDR / managed XDR. Endpoint detection and response is now table stakes. Underwriters want to know which platform, what coverage (workstations + servers + mobile), who manages it (in-house, MSSP, vendor MDR), and how alerts are triaged. Companies with managed EDR from a credible provider have a much easier renewal than companies with traditional antivirus.

Immutable backup with documented restore testing. "Do you back up your data" is yesterday’s question. "Are your backups immutable, geographically separated, and recently restore-tested" is today’s. The ransomware focus drives this: underwriters need to know that you can recover without paying.

Incident response retainer or playbook. Either a contracted retainer with a named IR provider (with a contractual SLA), or a documented and tested playbook that names the first ten actions in the first hour. The middle ground, "we’d call our IT support", fails the question.

Supplier risk management. A documented supplier register, classified by criticality, with security controls evidence for the critical tier. This question has hardened materially in the wake of DORA: underwriters expect a register, not assertions about due diligence.

Strong answers to these five typically drive flat or down renewals for mid-market regulated companies. A weak answer on any one of them is usually enough to drive a 10–25% increase or a coverage exclusion.

The questions that get over-answered

A few questions tempt companies into over-claiming. Recognising them helps you stay honest.

"Do you have a written information security policy?" Most companies answer Yes. Underwriters increasingly ask for the document. An out-of-date policy or a generic template downloaded years ago is worse than no policy: it suggests the company cannot honestly assess what it actually has.

"Do you train your staff on security awareness?" Yes answers are universal. The follow-up, "how often, by whom, with what completion rates", separates real programmes from line-item lip service.

"Do you perform regular vulnerability scanning?" The honest answers are usually less than companies claim. Quarterly external scanning is the bare minimum; monthly internal authenticated scanning is the increasingly expected standard. "We run a scan when we remember" is not an answer that survives the follow-up.

"Do you have an incident response plan?" The questionnaire wants a document and a test history. A plan that has never been exercised is functionally not a plan.

The honesty principle matters here legally as well as commercially. Under the Insurance Act 2015, a material misrepresentation on the questionnaire can void cover at claim. The right answer to a question you cannot evidence is "in progress with target date X", not "yes" with crossed fingers.

What good evidence looks like

When an underwriter (or their auditor on renewal) asks for evidence on the five questions that matter, what they actually want to see:

MFA. A conditional access policy export showing which user populations require MFA, which methods are accepted, and how exceptions are managed. Ideally a screenshot of the policy logic, not a screenshot of the admin console showing "MFA enabled" with no context.

EDR. Deployment coverage report from the EDR console showing managed device count versus enrolled device count, and a sample of alerts from the prior quarter with disposition (false positive, contained, escalated). The latter answers the "is anyone watching" question that the deployment count does not.

Backup. A backup configuration showing immutability is enabled (or geographically separated immutable storage is used), a retention policy that survives ransomware dwell time (typically 14+ days of immutable retention), and a restore test record from the prior twelve months.

Incident response. Either a retainer contract with SLA, or a playbook document plus a tabletop exercise record from the prior twelve months. The tabletop record is increasingly the differentiator.

Supplier register. A spreadsheet or governance tool export showing supplier name, criticality classification, key controls evidence, and last review date. Five or six rows of a real register answer the question better than a 200-row register that has not been updated in eighteen months.

A well-organised evidence pack, five short documents, is worth far more than a long questionnaire response. Underwriters increasingly read the evidence pack first and the questionnaire second.
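A self-check of the evidence pack against the MFA, EDR and backup criteria above, written for this piece as an added example rather than a tool the editorial team or any underwriter provides. The evidence record layout, the 2 May 2026 as-of date and all values in it are constructed assumptions; the thresholds (three MFA populations, phishing-resistant methods, 14+ days of immutable retention, restore test within twelve months) are the ones the section states.

```python
from datetime import date, timedelta

# Constructed sample evidence pack with hypothetical values; the record layout is an
# assumption made for this example, not any underwriter's or vendor's export format.
TODAY = date(2026, 5, 2)
EVIDENCE = {
    "mfa": [  # one entry per conditional access policy in the export
        {"scope": "privileged", "methods": ["fido2"], "exceptions": []},
        {"scope": "external_access", "methods": ["push", "sms"],
         "exceptions": [{"account": "vpn-svc-01", "reason": "", "expires": "2026-09-30"}]},
        # no entry for "email": check_mfa reports that population as uncovered
    ],
    "edr": {"managed_devices": 420, "enrolled_devices": 388,
            "alerts": [{"id": 1, "disposition": "false_positive"}, {"id": 2, "disposition": "contained"}, {"id": 3, "disposition": None}]},
    "backup": {"immutable": True, "immutable_retention_days": 10, "last_restore_test": "2025-02-01"},
}
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}
REQUIRED_SCOPES = {"privileged", "external_access", "email"}  # the three populations named above

def check_mfa(policies):
    """Population coverage, method strength, and whether every exception carries a reason and expiry."""
    findings = [f"MFA: no policy covers {s}" for s in sorted(REQUIRED_SCOPES - {p["scope"] for p in policies})]
    for p in policies:
        if not PHISHING_RESISTANT & set(p["methods"]):
            findings.append(f"MFA: {p['scope']} accepts only {'/'.join(p['methods'])}, no phishing-resistant method")
        for e in p["exceptions"]:
            if not e.get("reason") or not e.get("expires"):
                findings.append(f"MFA: exception {e['account']} ({p['scope']}) lacks a reason or expiry date")
    return findings
def check_edr(edr):
    """Deployment gap, plus the 'is anyone watching' test: every sampled alert needs a disposition."""
    gap = edr["managed_devices"] - edr["enrolled_devices"]
    findings = [f"EDR: {gap} of {edr['managed_devices']} managed devices are not enrolled"] if gap > 0 else []
    untriaged = [a["id"] for a in edr["alerts"] if a["disposition"] is None]
    if untriaged:
        findings.append(f"EDR: {len(untriaged)} sampled alert(s) with no disposition: {untriaged}")
    return findings
def check_backup(b, today=TODAY):
    """Immutability on, retention beyond typical dwell time (14+ days), restore test within twelve months."""
    findings = []
    if not b["immutable"]:
        findings.append("Backup: immutability is not enabled")
    if b["immutable_retention_days"] < 14:
        findings.append(f"Backup: immutable retention of {b['immutable_retention_days']} days is below 14")
    if today - date.fromisoformat(b["last_restore_test"]) > timedelta(days=365):
        findings.append("Backup: no restore test recorded in the prior twelve months")
    return findings
def review(evidence, today=TODAY):
    """All findings for the pack; an empty list means the three items pass the checks above."""
    return check_mfa(evidence["mfa"]) + check_edr(evidence["edr"]) + check_backup(evidence["backup"], today)
```

Run against the constructed pack, `review(EVIDENCE)` returns seven findings, each one a gap an underwriter's follow-up question would surface; an empty list is the state to be in before the broker goes to market.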

The renewal calendar that actually works

Most companies allow four weeks for renewal. That is the source of most preventable problems. The calendar that works:

T-minus 90 days. Start the questionnaire response. Read last year’s answers and identify what has changed (controls, vendors, headcount, regulatory posture). Pull the policy documents and check they are current.

T-minus 75 days. Gather evidence for the five questions that matter. This is the work, and the companies that do it thoroughly find at least one gap.

T-minus 60 days. Brief the broker. Confirm whether they are putting the renewal to incumbent only or to three markets. If shopping, the broker needs the evidence pack two weeks before they go to market.

T-minus 45 days. Markets quoting. This is when underwriter follow-up questions come in, usually two to four per market. Same-day responses keep the renewal on schedule.

T-minus 21 days. Initial quotes back. Decision on which market to commit to, with broker.

T-minus 14 days. Binding terms agreed. Final policy wording reviewed.

T-minus 0. Renewal effective.

Companies that compress this calendar to four weeks end up renewing at the incumbent’s terms by default: there is no time to shop, no time to gather evidence, no time to negotiate. Premium is usually 10–20% higher than the same company would have achieved with a 90-day window.

What to do with the questionnaire after renewal

The most valuable use of the questionnaire is post-renewal. Treat the gaps you identified as a 12-month controls roadmap. Almost every company we work with finds two or three real gaps during the questionnaire exercise. Closing them before next year’s renewal puts you in a stronger negotiating position and, more importantly, closes actual risk.

The cycle then becomes virtuous: each year’s questionnaire is faster, evidence is fresher, and the gaps are smaller. Most of our managed-security clients run an annual mock questionnaire eight weeks before their real one as a self-diagnostic. It catches the issues that would otherwise surface mid-renewal.

If you would like a copy of the 2026 mock questionnaire template we use, send a note and we will send it across. If you would like to talk through your specific renewal, book a 30-minute call, bring the questionnaire and we will read it with you.

Frequently asked

Questions readers ask before getting in touch.

  • Five questions matter more than the rest: MFA coverage across privileged accounts, EDR or managed XDR deployment, immutable backup with documented restore testing, incident response retainer or playbook, and supplier risk management. A clean answer on those five typically drives premium and retention conversations more than every other answer combined.

Talk to us

Want to talk through how this applies to your company?

A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.