Cyber Insurance Requirements for MSPs in 2026: What Underwriters Actually Check

Cyber insurance used to feel like paperwork. Fill out the questionnaire, tell the broker you have MFA, send a few screenshots, wait for the quote.
That era is over. In 2026, cyber insurance requirements for MSPs are less about whether a tool exists somewhere and more about whether the control is enforced, monitored, and defensible when a claim happens.
That matters twice for MSPs. You need your own technology E&O and cyber liability coverage, because your RMM, PSA, email, and admin accounts are high-value targets. You also get pulled into your clients' cyber insurance process, because you manage the systems underwriters ask about.
If you guess, you create liability. If you document the truth, you create a billable security conversation.
Quick answer: what do MSPs need for cyber insurance in 2026?
Most MSP cyber insurance questionnaires now focus on five control areas: MFA on email, remote access, and admin accounts; EDR or MDR on endpoints; tested offline or immutable backups; a written incident response plan; and proof that users complete security awareness training. The exact requirements vary by carrier, limit, industry, revenue, and claims history.
The trick is not checking the box. The trick is proving the box was true on the day you signed it.
Why underwriters got less polite
Underwriters are reacting to how attacks actually happen.
Coalition's 2025 Cyber Threat Index found that 58% of ransomware claims in 2024 started with compromised perimeter security appliances, such as VPNs and firewalls. Remote desktop products were the second most common path at 18%. Across ransomware claims, Coalition cited stolen credentials at 47% and software exploits at 29% as the most common initial access vectors.
That is why the questionnaire asks about MFA, remote access, patching, and exposed services. It is not random compliance theater. It is a claims model with a form attached.
Coalition's 2025 Cyber Claims Report also found that 60% of 2024 claims came from business email compromise and funds transfer fraud. Ransomware still hurt badly: average ransom demands fell 22% year over year, but still landed at $1.1 million. IBM's 2025 Cost of a Data Breach Report put the global average breach cost at $4.4 million.
The insurance market is not asking MSPs to be perfect. It is asking a blunt question: can you show that the basic controls were in place before the incident?
The MSP's own policy: what carriers care about
MSPs are not normal small businesses to a cyber underwriter. A compromised MSP can become a delivery mechanism into dozens of client environments. That changes the risk math.
At minimum, most MSPs should expect to carry technology E&O and cyber liability. The underwriter will usually care about your own internal controls before they care about the cleverness of your service catalog.
Expect questions in these areas:
| Control | What the underwriter is really asking | Evidence you should have |
|---|---|---|
| MFA | Are email, VPN, RDP, admin portals, PSA, RMM, and backup consoles protected? | Entra, Okta, Duo, PSA, RMM, and backup admin screenshots or policy exports |
| EDR or MDR | Is endpoint protection installed and watched, or is it just legacy AV with a new name? | Deployment report, endpoint coverage percentage, alert review process |
| Backups | Could you restore without paying ransom if production and cloud admin accounts are burned? | Backup job reports, restore test logs, immutable or offline backup policy |
| Incident response | Who calls the carrier, counsel, IR firm, clients, and vendors when something breaks? | Signed IR plan, call tree, tabletop notes |
| Security training | Are staff trained on phishing, credential theft, and funds transfer fraud? | Completion records, phishing simulation results, onboarding checklist |
| Patch and exposure management | Do you know which internet-facing systems are exposed and how fast you patch them? | Vulnerability scan output, patch SLA, exception register |
CISA tells businesses to require MFA for email, file storage, remote access, and privileged access, with phishing-resistant MFA as the target. For ransomware preparation, CISA also recommends offline, encrypted backups that get tested, plus a written incident response and communications plan.
Those two CISA pages explain a lot of modern underwriting. If a control stops the claim type, it shows up on the application.
Client policy requirements: the part MSPs get dragged into
Client cyber insurance is where the risk gets messy.
A client receives a renewal questionnaire. They forward it to the MSP with a cheery, "Can you fill this out for us?" The questions look simple:
- Is MFA enabled for all email access?
- Is MFA required for remote access?
- Is EDR deployed on all workstations and servers?
- Are backups encrypted, tested, and protected from modification?
- Is there a written incident response plan?
- Are employees trained at least annually?
- Are privileged accounts separated from daily user accounts?
- Are critical patches applied within a defined window?
The wrong answer is expensive. The vague answer is worse.
"Yes, MFA is enabled" can mean five different things. It might mean all users have Microsoft Authenticator. It might mean only admins get prompted. It might mean Security Defaults is on, but service accounts, legacy auth, and a VPN appliance are quietly doing their own thing.
If you manage Microsoft 365, start with the identity layer. We covered the baseline in M365 Security Defaults Are Not Enough: The Conditional Access Baseline Every MSP Should Deploy. That post matters here because insurance language rarely says "Conditional Access." It asks whether MFA is enforced. Conditional Access is how you prove the enforcement.
For compliance-heavy clients, the same evidence overlaps with your risk register, remediation plan, and QBR. Our MSP compliance liability guide covers the parts of this conversation where the MSP can accidentally become the person everyone blames.
The misrepresentation trap
This is the uncomfortable part.
Cyber insurance applications are not marketing copy. If the client says a control exists and the forensic investigation later proves it did not, the carrier may fight the claim.
That is not a theoretical risk. Insurance Journal reported in 2022 that Travelers sued to rescind a cyber policy after alleging that International Control Services said MFA was used to protect its digital assets, but the post-incident investigation found MFA protected only the firewall and not the server involved in the ransomware event.
You do not need to memorize the legal details. The lesson is simple: never attest to a control you have not verified.
Use plain language in responses:
- "MFA is enforced for Microsoft 365 users and admin accounts. VPN MFA is not currently enforced. Remediation is scheduled for June."
- "EDR is deployed to 96 of 104 endpoints. The missing eight are offline laptops assigned to field staff."
- "Backups run nightly and are encrypted. The last full restore test was completed on March 12. Immutable retention is configured for 30 days."
That kind of answer may feel less tidy than a clean yes. It is much safer. Underwriters can price known gaps. They hate surprises after a claim.
The 2026 MSP cyber insurance checklist
Use this before you sign your own application or answer one for a client.
| Requirement | What to verify | Evidence to keep |
|---|---|---|
| MFA coverage | Email, VPN, RDP, PSA, RMM, documentation tools, backup consoles, and privileged accounts | Policy exports and screenshots from Entra, Duo, Okta, Google Admin, VPN, PSA, RMM, and backup admin portals |
| EDR or MDR | Endpoint count, agent health, last check-in, alert review, and unmanaged devices | Deployment report matched against PSA or RMM asset inventory |
| Backup resilience | Backup success, restore testing, immutable or offline retention, admin access, and deletion rights | Job reports, restore test logs, retention settings, and backup admin MFA proof |
| Incident response | Who calls the carrier, counsel, IR vendor, clients, and internal decision maker | Signed IR plan, call tree, tabletop notes, and offline copy |
| Training and payment controls | Annual training, phishing simulations, and call-back verification for banking changes | Completion records, phishing results, and finance process documentation |
| Exposure and patching | Public IPs, VPN and firewall firmware, remote access tools, known exceptions, and critical patch timing | External scan summary, patch report, exception register, and remediation tickets |
Do not stop at "we bought the tool." Underwriters care about enforcement and coverage. If the PSA says 112 endpoints and the EDR console says 87, you do not have an EDR answer yet. You have a gap.
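The PSA-versus-EDR reconciliation described above, as an added example (not Scopable's code, and not any vendor's real export format): it matches a constructed PSA asset list against a constructed EDR agent export, counts an agent that has not checked in for 14 days as uncovered rather than deployed, flags devices the EDR knows but the PSA does not, and produces the kind of plain-language answer recommended earlier. Hostnames, dates and the 14-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample exports standing in for a PSA asset list and an EDR console export.
PSA_ASSETS = [{"hostname": h} for h in
              ["WS-ACCT-01", "ws-acct-02", "SRV-FILE-01.corp.local", "LT-FIELD-07", "LT-FIELD-08"]]
EDR_AGENTS = [
    {"hostname": "ws-acct-01", "last_seen": "2026-03-14T08:02:00Z"},
    {"hostname": "WS-ACCT-02", "last_seen": "2026-03-14T07:41:00Z"},
    {"hostname": "srv-file-01", "last_seen": "2026-03-14T08:10:00Z"},
    {"hostname": "LT-FIELD-07", "last_seen": "2026-01-20T17:30:00Z"},  # installed, but silent
    {"hostname": "LT-OLD-99", "last_seen": "2026-03-13T12:00:00Z"},    # not in the PSA at all
]
NOW = datetime(2026, 3, 14, 9, 0, tzinfo=timezone.utc)  # fixed "today" for the sample

def normalize(hostname):
    """Case-fold and drop the DNS suffix so the two tools' names line up."""
    return hostname.strip().lower().split(".")[0]

def reconcile(psa, edr, now, stale_after=timedelta(days=14)):
    """Compare inventory against agents; a silent agent counts as uncovered, not deployed."""
    inventory = {normalize(a["hostname"]) for a in psa}
    agents = {normalize(a["hostname"]): datetime.fromisoformat(a["last_seen"].replace("Z", "+00:00"))
              for a in edr}
    missing = sorted(inventory - agents.keys())                       # no agent at all
    stale = sorted(h for h in inventory & agents.keys() if now - agents[h] > stale_after)
    unmanaged = sorted(agents.keys() - inventory)                     # EDR knows hosts the PSA does not
    healthy = len(inventory) - len(missing) - len(stale)
    return {"inventory": len(inventory), "healthy": healthy,
            "coverage_pct": round(100 * healthy / len(inventory), 1) if inventory else 0.0,
            "missing": missing, "stale": stale, "unmanaged": unmanaged,
            "stale_days": stale_after.days}

def questionnaire_answer(r):
    """Plain-language statement of coverage and known gaps, not a bare 'yes'."""
    parts = [f"EDR is deployed and checking in on {r['healthy']} of {r['inventory']} "
             f"inventoried endpoints ({r['coverage_pct']}%)."]
    if r["missing"]:
        parts.append("No agent found on: " + ", ".join(r["missing"]) + ".")
    if r["stale"]:
        parts.append(f"Agent installed but silent for over {r['stale_days']} days: "
                     + ", ".join(r["stale"]) + ".")
    if r["unmanaged"]:
        parts.append("EDR reports devices missing from the PSA inventory: "
                     + ", ".join(r["unmanaged"]) + ".")
    return " ".join(parts)

def sample_report():
    """Run the reconciliation over the constructed exports."""
    return reconcile(PSA_ASSETS, EDR_AGENTS, NOW)
```

Swap the two constructed lists for real CSV exports and the "unmanaged" bucket is usually the first sign that the asset inventory, not the EDR rollout, is what needs fixing.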
Same with backups. CISA recommends offline, encrypted backups and regular restore testing because ransomware actors try to delete or encrypt accessible backups. "Backups run nightly" is not enough if nobody has restored one since 2023.
The incident response plan can be short. It cannot be imaginary. CISA recommends a basic plan and communications process with an offline copy. If your plan lives only in the compromised tenant, congratulations, you have a treasure map locked inside the burning building.
How Scopable fits the insurance conversation
Scopable is not an insurance broker. It does not decide coverage, pricing, or exclusions.
It does help MSPs run the assessment work that insurance conversations now require: audit the client environment, identify missing controls, turn gaps into a roadmap, assign budget, and scope the remediation work without rebuilding the same spreadsheet for every client.
That matters because cyber insurance readiness is not a once-a-year questionnaire anymore. It is the same evidence loop you need for vCIO work, compliance planning, and QBRs.
If you want a cleaner way to turn insurance-readiness findings into scoped remediation work, join Scopable early access. Bring the messy client. Those are the useful ones.
Make it billable without making it gross
The client does not want an "insurance readiness engagement." They want the policy approved and they do not want a claim denied later.
Package the work around that outcome: review the questionnaire, verify each control, produce an evidence packet, identify gaps, update the roadmap, and quote the remediation work. That fits cleanly into vCIO and compliance services.
If you need the pricing side, start with our MSP compliance pricing guide. Insurance readiness is not free pre-sales labor. It is risk assessment, documentation, and advisory work. Charge for it.
FAQ
Is MFA enough to qualify for cyber insurance?
No. MFA is one of the first controls underwriters ask about, but it is not the whole application. Expect questions about EDR, backups, incident response, training, patching, privileged access, and vendor risk. Email-only MFA is not the same as MFA across admin portals, VPN, RMM, PSA, and backup systems.
Can an MSP fill out a client's cyber insurance questionnaire?
An MSP can help verify technical facts, gather evidence, and explain gaps. The client should own the final representation to the carrier, ideally with broker and legal guidance when the answers are material. The MSP should avoid blanket yes answers unless the control has been verified.
The clean way to handle the questionnaire
Do not treat the cyber insurance form as paperwork. Treat it like a mini-assessment with legal consequences.
Verify the control. Capture evidence. Write down exceptions. Quote the fix. Then answer the question.
That habit protects the client, protects the MSP, and turns a renewal headache into useful roadmap work.