There's a version of this article you've already read. It's the one where someone tells you MFA is important, backups matter, and you should talk to your broker before renewal. That version is useless to you. Here's the version that isn't.
In 2024, according to the National Association of Insurance Commissioners, nearly three times as many cyber insurance claims were closed without payment as those that were paid out. That's 28,555 claims denied versus 9,941 paid. For excess cyber policies, the ratio was worse: unpaid claims outnumbered paid ones by more than 20 to 1.
The insurance industry collected $16.3 billion in cyber premiums in 2025. That's nearly triple what it was five years ago. And they still lost money. Claims payouts reached $7.8 billion, ransomware incidents jumped 126% in Q1 2025 alone, and supply chain breaches now account for nearly 30% of all incidents.
Carriers responded the way you'd expect: they stopped trusting anyone.
The Questionnaire Is Now an Audit
If you renewed a cyber policy before 2024, you probably remember the application as a formality: a few pages, some yes/no checkboxes, maybe even a conversation with your broker. The carrier took you at your word.
That's over. According to Marsh McLennan's 2025 Cyber Insurance Market Report, 99% of cyber insurance applications now include specific questions about MFA implementation. Not "do you have MFA," but "is MFA enforced across email, VPN, RDP, cloud applications, and all admin accounts, and can you provide documentation."
Some carriers are running technical scans of your external network before they'll even issue a quote. They're checking for exposed ports, unpatched systems, misconfigured DNS, and known vulnerabilities. This happens before you've signed anything.
The questionnaire is now an audit. And if your answers don't match what they find, you either don't get coverage, or you get coverage that won't pay when you need it.
What's worse, given the NAIC data above, unless you shore up every control and document it to the carrier's requirements, even a renewed policy won't protect you: your claim will be denied when you file one.
The Five Controls That Actually Matter
Every carrier's requirements are slightly different. But after looking at what's showing up consistently across major underwriters in 2026, there are five controls that appear on virtually every application.
1. Phishing-Resistant MFA, Not Just MFA
This is the biggest change from even a year ago. Standard MFA, the kind that sends a push notification to your phone or a code via SMS, is no longer considered sufficient by many carriers. The reason: Adversary-in-the-Middle attacks have gotten good enough to intercept and replay MFA tokens in real time. An employee clicks a convincing phishing link, enters their credentials, approves the push notification, and the attacker captures the session token before it expires. MFA was technically in place. It still failed.
Carriers are now asking specifically about phishing-resistant MFA, which means FIDO2 security keys or passkeys. These use cryptographic authentication that can't be intercepted because the authentication happens between the physical key and the service, not through a channel an attacker can sit in the middle of.
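Added illustration, not code from the article: a Go simulation of the WebAuthn assertion flow showing why a FIDO2 assertion can't be relayed the way a push approval or one-time code can. The browser, not the web page, writes the origin the user is actually on into the signed client data, so an assertion produced on a look-alike page fails the relying party's origin check even though the signature itself is valid. The RP ID, origins, challenge and key pair are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// digest is what the key signs: SHA-256 over SHA-256(rpID) || SHA-256(clientDataJSON).
func digest(rpID string, cdJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rp[:], cd[:]...))
	return d[:]
}
// sign simulates the security key: it signs exactly what the browser hands it, nothing else.
func sign(key *ecdsa.PrivateKey, rpID string, cd clientData) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(cd)
	sig, _ = ecdsa.SignASN1(rand.Reader, key, digest(rpID, cdJSON))
	return cdJSON, sig
}
// verify is the relying party's check: our challenge, our origin, and a signature over our RP ID.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge {
		return false // fail closed: a relayed assertion carries the look-alike page's origin
	}
	return ecdsa.VerifyASN1(pub, digest(rpID, cdJSON), sig)
}
// relayAccepted reports whether an assertion the key produced while the employee was on userOrigin
// is accepted by the real RP when forwarded verbatim. RP ID, origin, challenge and key are constructed.
func relayAccepted(userOrigin string) bool {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, rpOrigin, challenge = "vpn.example.com", "https://vpn.example.com", "constructed-challenge-1"
	cdJSON, sig := sign(key, rpID, clientData{Challenge: challenge, Origin: userOrigin})
	return verify(&key.PublicKey, rpID, rpOrigin, challenge, cdJSON, sig)
}

func main() {
	fmt.Println("genuine site:", relayAccepted("https://vpn.example.com"))   // true
	fmt.Println("phishing relay:", relayAccepted("https://vpn-example.com")) // false
}
```

A relayed SMS code or push approval has no equivalent of the origin field, which is why the same man-in-the-middle page that fails here succeeds against standard MFA.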
For manufacturing environments, this is a significant lift. You likely have employees who don't sit at desks, who share workstations, who access systems from the plant floor. Rolling out FIDO2 keys to that population takes planning. Start now if your renewal is in the next six months.
Coalition's 2024 Cyber Claims data found that 82% of denied claims involved organizations without fully implemented MFA. That single statistic should inform how you prioritize your next 30 days.
2. EDR on Every Endpoint, Not Just the Office Machines
Endpoint Detection and Response (EDR) is the successor to traditional antivirus, and carriers now distinguish between the two explicitly. Antivirus looks for known bad files. EDR monitors behavior, detects anomalies, and can isolate a compromised machine before the attacker moves laterally through your network.
The key word carriers use is "every endpoint." Not just the laptops and desktops in the front office. Every server, every remote machine, every device that touches your network. For manufacturers, this includes machines in the shop that might be running older operating systems that don't support modern EDR agents, which creates a documentation challenge: you need to show the carrier either that EDR is installed or that you have a documented exception with compensating controls.
If a breach occurs and the carrier finds that the endpoint where the attacker gained initial access didn't have EDR, your claim is in trouble.
3. Immutable, Tested Backups
This one has evolved the most. Two years ago, carriers wanted to know if you had backups. Last year, they wanted to know if you tested them. This year, they want to know if your backups are immutable, meaning they can't be modified or deleted by an attacker who has gained access to your network.
The reason for the shift: 94% of ransomware attackers now attempt to destroy or encrypt backups as a first step of the attack. If your backup infrastructure is connected to the same network and accessible with the same credentials as your production environment, the attacker takes it out along with everything else. Your "backup" was sitting in the blast radius the whole time.
Carriers want to see air-gapped or immutable backups stored off-network, with documented restore tests completed within the last 90 days. Yes, actual restore tests, with screenshots and timestamps, proving you pulled data back and it was intact.
For a manufacturer running 24/7 production, testing a full restore is operationally disruptive. Do it anyway. Do it on a weekend. Document it thoroughly. That documentation is what stands between you and a denied claim.
4. Written Incident Response Plan
Not "our IT guy knows what to do." A written plan. With named roles, contact information, escalation procedures, communication templates, and a decision tree for whether to pay a ransom or attempt recovery.
Carriers want to see that you've thought about this before it happens, because the data overwhelmingly shows that organizations without written IR plans take longer to contain breaches, lose more data, and incur higher costs. The plan doesn't need to be 50 pages. It needs to exist, it needs to be current, and your team needs to know where it is.
5. Vendor Risk Documentation
This is the newest addition to the standard underwriting checklist, and it catches a lot of manufacturers off guard. Carriers are now asking whether you've evaluated the security posture of third-party vendors who connect to your systems. Your ERP provider, your MES vendor, your managed print service, your third-party IT support, your payroll processor: anyone with network access or access to sensitive data.
The logic is straightforward. Third-party vendor incidents now account for roughly 20% of all cyber claims. An attacker who compromises your vendor gets a trusted connection into your network. If you can't show that you've assessed those vendors and documented their security controls, you're carrying a risk that carriers are increasingly unwilling to cover.

What "Denied" Actually Looks Like
The denial statistics are alarming, but they don't tell the full story of how denial happens. It's rarely a carrier saying "no" at renewal. More often, it plays out like this:
You have a policy. You've been paying premiums for years. An incident occurs. You file a claim. The carrier sends an investigator. The investigator finds that MFA was enabled on email but not on the VPN. Or that backups existed but hadn't been restore-tested in eight months. Or that EDR was on the office machines but not on the server where the attacker gained access.
The carrier points to the application where you attested that these controls were in place. They call it material misrepresentation. The claim is denied.
This isn't hypothetical. In the International Control Services v. Travelers case, coverage was denied after Travelers discovered that MFA was implemented on the firewall but not on the remote access system the attackers actually used. The business thought they had MFA. They did, technically. Just not where it mattered.
S&P Global Ratings has forecast a 15 to 20% premium increase in 2026 following two years of declining rates, driven by the ransomware surge and the credential theft explosion. The carriers who were competing on price two years ago are now competing on selectivity. They want fewer, better-prepared clients, and they're willing to let the rest go.
What This Means for Manufacturers Specifically
Manufacturing sits in a uniquely difficult position on cyber insurance. It is, according to IBM's X-Force Threat Intelligence Index, the most attacked industry in the world for the fifth consecutive year. Manufacturing production environments run legacy systems that can't always support modern security tools. Your OT networks often share infrastructure with your IT networks. Your downtime costs are immediate, measurable, and significant.
Carriers know all of this and they price it accordingly. Average cyber insurance premiums for mid-size manufacturers ($10M to $50M revenue) now run $3,500 to $10,000 per year, with larger operations paying $10,000 to $30,000 or more. And those are the premiums for manufacturers who can demonstrate the five controls above. For those who can't, the number goes up fast, or the application comes back declined.
The average ransomware payment in manufacturing exceeded $400,000 in 2026, with total event costs (including recovery, business interruption, and legal exposure) commonly reaching $1 million to $5 million for mid-size operations. Your carrier knows this number because they've paid it. They don't want to pay it again for a business that couldn't prove MFA was enforced.
There's also a CMMC angle here that's worth mentioning. If you're a manufacturer in the defense supply chain, CMMC 2.0 enforcement begins in November 2026. Many of the controls CMMC requires overlap directly with what carriers are asking for. Getting your cyber insurance documentation right is essentially doing double duty: it positions you for both renewal and compliance.
The 2026 Coverage Exclusion Problem
Here's the development that should genuinely concern every business owner reading this: carriers are now adding explicit coverage exclusion clauses for incidents that could have been prevented with basic controls.
This goes beyond denying claims after investigation. This is language written into the policy itself that says: if the incident was caused by a failure to maintain the controls you attested to, the policy does not apply.
The practical effect is that your premium buys you less than it used to. You're paying for a policy that only covers you if you were already doing everything right. If you weren't, you're self-insured whether you know it or not.
What to Do in the Next 30 Days
If your renewal is in the next six months, here's the sequence that matters:
Week 1: MFA Audit
Document everywhere MFA is currently enforced. Every system, every access point. Identify gaps. If you're still on SMS or push-only MFA for privileged accounts, start the migration to phishing-resistant MFA now. Order FIDO2 keys this week if you don't have them.
Week 2: EDR Inventory
Pull a report from your EDR vendor showing every device covered. Cross-reference it with your full device inventory. Identify any machines that don't have EDR and determine whether they can support it. For those that can't, write a documented exception with compensating controls.
Week 3: Backup Restore Test
Schedule and execute a full restore test. Not a backup verification, a restore. Pull the data back, confirm it's intact, screenshot the result, timestamp it. Store the documentation somewhere your IT team and your broker can access it.
Week 4: Documentation Package
Compile your incident response plan (write one if you don't have one), your vendor access list with security assessments, your MFA coverage map, your EDR deployment report, and your backup test results into a single folder. This is your evidence package. When the carrier asks, you hand them this.
The Uncomfortable Bottom Line
Cyber insurance in 2026 is not a safety net. It's a qualification process. The carrier is not your advocate, your partner, or your advisor. They are a business that has lost billions on claims from businesses that weren't prepared, and they have restructured their entire underwriting model to make sure they don't lose that money again.
The businesses that will maintain affordable coverage are the ones that can prove, with documentation, that they had the right controls in place before the incident occurred. Not after. Not during. Before.
Everything else is a policy that looks good in a drawer and fails when you need it.
If you're a manufacturer in Southeast Wisconsin and you'd rather have someone walk through this with you than figure it out from a blog post, we can do a free 20-minute cyber insurance readiness review. We'll tell you where you stand and what to fix first, and if everything checks out, we'll tell you that too.
Sources
- National Association of Insurance Commissioners, 2024 Cyber Insurance Claims Data (cited via KY3, Feb 2026)
- Marsh McLennan, 2025 Cyber Insurance Market Report
- Coalition, 2024 Cyber Claims Report
- S&P Global Ratings, 2026 Cyber Insurance Premium Forecast
- IBM X-Force Threat Intelligence Index 2026
- SentinelOne, 30 Cyber Insurance Statistics for 2026
- Verizon 2024 Data Breach Investigations Report
- Founder Shield, "Looking Ahead: Cyber Insurance in 2026"
- ProInsGrp, "Cyber Insurance for Manufacturers in 2026: Cost and Coverage Guide"
- BSGtech, "Cyber Insurance Requirements for Businesses in 2026"
- International Control Services v. Travelers (case reference via BSGtech)
- Meriplex, "Why Cyber Insurance Is Turning Against Traditional Network Access"