Why 73% of Small Businesses Fail Their Cyber Insurance Assessment
Most SMBs can't document the 7 security controls carriers now verify. Here's what proof looks like, what it costs, and how to pass before renewal.

Seventy-three percent of small businesses are failing their cyber insurance assessments in 2026, according to recent carrier analyses. The consequences are coverage denial, non-renewal, or premium increases exceeding 300%. The gap is not that these businesses lack security tools entirely. It’s that they can’t prove their controls work when an underwriter asks for evidence.
Carriers paid out $7.8 billion in cyber claims in 2025, and the average ransomware attack on a small business exceeded $250,000 in total cost. That loss ratio forced a correction. Checkbox questionnaires are dead. Your next renewal will require documentation, screenshots, logs, and test results for every control you claim to have.
Why “Yes” on a Form No Longer Counts
Two years ago, a cyber insurance renewal asked “Do you use multi-factor authentication?” and accepted “Yes” as a complete answer. Carriers bound policies on those self-attestations and then paid out claims from businesses whose “yes” meant “we turned it on for email but not for remote access or admin accounts.”
That model broke. Underwriters now verify answers before binding coverage. According to BSG Tech and MIS Solutions, carriers cross-reference your application with technical documentation and reject submissions that don’t hold up to scrutiny. If your broker submits a form that says “MFA: Yes” but you can’t produce an enrollment report showing 100% coverage within 48 hours, the carrier treats it as a failed control.
This shift explains the 73% failure rate. Most SMBs do have some security controls in place. What they lack is the documentation, test results, and configuration evidence that carriers now require. A policy that covers a $250,000 ransomware claim needs more than a verbal assurance that backups exist somewhere.
For a closer look at how the application process changed and what denial costs your business, we covered the financial consequences in detail previously.
The 7 Controls That Determine Your Premium
Carriers evaluate more than seven controls during underwriting. Our 12-control renewal checklist covers the full list. But seven controls drive the majority of assessment failures. These are the areas where the gap between “we have it” and “we can prove it” costs businesses the most.
1. MFA on every access point, not just email. Carriers require multi-factor authentication on email, VPN, remote desktop, cloud applications, and all administrative accounts. Partial deployment counts as a failure. The proof they accept is an enrollment report from your identity provider (Entra ID, Duo, or similar) showing 100% user coverage, plus conditional access policies that block authentication without a second factor.
Implementation runs free to low cost with Microsoft 365 Business Premium or an existing identity platform. Full deployment takes 1 to 2 weeks, including policy enforcement across all access points.
2. EDR/XDR instead of antivirus. Traditional antivirus no longer satisfies any major carrier. Underwriters require endpoint detection and response with behavioral analysis on every endpoint, including servers. They also check whether someone monitors the alerts. An EDR platform generating notifications that nobody reviews is a gap carriers flag consistently.
A managed EDR platform costs $5 to $15 per user per month. Deployment and tuning across a 50- to 200-person environment takes 1 to 2 weeks.
3. Immutable, tested backups. Ninety-four percent of ransomware operators target backups before encrypting production systems. Carriers require proof that your backup and disaster recovery strategy includes copies that an attacker cannot modify or delete, even with network access. They also require evidence of recovery testing: quarterly test results showing full restoration of critical systems, with time-to-recovery documented. Backup job completion logs alone are not sufficient.
Immutable cloud backup with regular testing costs $50 to $200 per month. Initial configuration takes 1 to 2 weeks, followed by ongoing quarterly test cycles.
4. Security awareness training with phishing simulations. Annual compliance videos no longer satisfy underwriters. Carriers require continuous security awareness training with regular phishing simulations and documented results. They want completion rates above 90% and a trend line showing phishing click rates improving over at least 12 months.
Training platforms cost $2 to $5 per user per month. Deployment takes a day, followed by ongoing monthly simulation campaigns. The catch is that 12 months of trend data cannot be produced in 90 days, so starting sooner gives you a stronger evidence package.
5. Patch management with defined SLAs. Carriers expect critical vulnerabilities (CVSS 9.0+) patched within 48 to 72 hours and all other patches deployed within 30 days. They check how fast you patch and whether you can prove the timeline. Three to six months of patch compliance reports telling a consistent story is stronger than a single snapshot pulled the week before renewal.
Automated patching is included with most managed IT agreements. If managing internally, expect $2 to $5 per endpoint per month for patching tools, with 2 to 4 weeks needed for initial setup and policy configuration.
6. Written security policies, including a tested incident response plan. Carriers require documented policies covering acceptable use, incident response, vendor risk management, and data handling. The incident response plan must name specific people, include current contact information for your carrier and legal counsel, address ransomware explicitly, and have been tested through a tabletop exercise within the past 12 months. A plan that lives in a shared drive untested since 2023 does not count.
Professional policy development costs $2,000 to $5,000. Using templates and internal resources brings the cost to near zero, though the quality gap is significant. Allow 2 to 4 weeks for drafting and review, plus time to schedule the tabletop exercise.
7. Privileged access management (PAM). Carriers check whether accounts with elevated permissions have additional protections beyond standard MFA. Domain admin accounts, Microsoft 365 global admin roles, and firewall management credentials should use dedicated accounts separate from daily-use accounts, with access granted on a least-privilege basis and reviewed quarterly.
Implementation is free to low cost using built-in tools like Entra ID Privileged Identity Management. Initial inventory, account separation, and access review setup takes 1 to 2 weeks.
The Premium Math: What Compliance Saves
The financial case for closing these gaps extends beyond avoiding denial. The spread between compliant and non-compliant businesses is widening every renewal cycle.
According to carrier data compiled by Velocity Technology and Boston MIT, businesses that meet all seven controls are seeing 15% to 25% premium discounts relative to their prior-year rates. Businesses that fail assessments face 50% to 300% increases, or outright non-renewal.
For a 100-person company paying $15,000 annually for cyber insurance (a common baseline for that size), the numbers work out clearly:
- Compliant: Premium drops to $11,250 to $12,750 (a savings of $2,250 to $3,750 per year)
- Non-compliant: Premium rises to $22,500 to $60,000 (an additional $7,500 to $45,000 per year)
- Total cost of implementing all 7 controls: Roughly $15,000 to $30,000 per year for a 100-person company, depending on what is already in place
The controls pay for themselves in premium savings within the first year for most businesses. They also reduce your actual breach risk, which is the point. A company with enforced MFA, monitored EDR, tested backups, and trained employees is harder to compromise. Fewer breaches means fewer claims, and that is exactly what carriers incentivize through lower premiums.
The same controls also satisfy requirements under HIPAA, CMMC, and PCI DSS. Businesses in regulated industries cover both compliance and insurance obligations with a single investment. We covered the overlap between enterprise-grade security and mid-sized company budgets in a recent post.
What to Do Before Your Next Renewal
Start 90 days before your renewal date. That gives your IT team or managed IT provider enough time to close gaps, build the documentation package carriers expect, and give your broker a complete application.
Days 1 through 7: Run a gap assessment. Ask your IT provider one question for each of the seven controls above: can you produce the required documentation within 24 hours? MFA enrollment reports, EDR deployment status, backup recovery test results, training completion records, patch compliance history, current security policies, and a privileged access inventory. Any “no” tells you exactly where to focus.
Days 8 through 45: Close gaps and build evidence. Deploy missing controls, starting with the lowest-cost, highest-impact items (MFA enforcement and training platform rollout). Begin generating the documentation trail carriers expect. Some evidence, like 12 months of phishing simulation results, takes time to accumulate. Starting now gives you a stronger package for your next renewal even if you can’t complete the full trend line this cycle.
Days 46 through 75: Compile the evidence package. Gather every document, report, and log into a single package your broker can submit with the application. MFA enrollment reports, EDR deployment status, backup test results with recovery times, training completion and simulation reports, patch compliance history, security policies with tabletop exercise documentation, and privileged access review records.
Days 76 through 90: Submit and negotiate. A broker who presents a fully documented application to multiple carriers gets you better terms than one who submits a bare form. The documentation package is the difference between competing quotes and a take-it-or-leave-it offer from the only carrier willing to bind coverage.
Need Help With Cyber Insurance Renewal?
Our team can assess your gaps, implement the controls carriers require, and build the documentation package that gets your application approved.
The difference between a 25% discount and a 300% increase comes down to proof. Every control on this list can be implemented by a 50- to 500-person company, and most pay for themselves in premium savings within the first year. Businesses that treat renewal preparation as a quarterly discipline are the ones keeping their premiums stable and their coverage intact.