IT-Security · 9 min read

Cyber Insurance for SMEs: What Insurers Technically Require in 2026

In 2026 there is no cyber policy without a technical baseline. Drawing on our audit work, we show what insurers really check, where claims get denied, and why a policy is no substitute for IT security.

Christoph Helminger
9 June 2026
Cyber insurance SME Bavaria technical requirements IT security audit

A cyber insurance policy used to be a tick-box in the insurance folder: fill in the form, pay the premium, done. Those days are over. In our IT security audits we regularly support SMEs across the Berchtesgaden and Traunstein region who have an application or renewal coming up — and in 2026 the insurers' questionnaires are a technical audit in their own right. If you fall short of the minimum requirements, you either get no policy, a premium that stings, or a reduced payout when you actually file a claim. That gap between "we have a policy" and "the policy actually pays" is the one we see most often in practice.

This article sets out what insurers require technically, what a policy covers and what it does not, which exclusions regularly cause disputes — and how to lower your premium without kidding yourself.

Why the requirements have become so strict

The reason is simple: insurers lost money during the ransomware years. The result is a market that looks closely before it underwrites a risk. Regulatory pressure adds to this. Germany's NIS2 implementation act came into force on 6 December 2025; affected entities have been registering via the German Federal Office for Information Security (BSI) reporting portal since January 2026, with particularly important entities required to do so by 6 March 2026 at the latest. Many SMEs that formally sit below the thresholds are pulled into these requirements by their larger clients — and insurers increasingly align their questionnaires with exactly this security level. We cover this in detail in our article on NIS2 for the Bavarian Mittelstand.

The five technical requirements almost every insurer checks

The questionnaires differ in detail, but five points appear almost everywhere. They are the same controls we examine in an IT security audit anyway — the insurer is simply formalising what makes technical sense regardless.

1. Multi-factor authentication (MFA) — everywhere. MFA is the hard entry threshold in 2026. It is required for all external access (VPN, remote desktop), for every email account, and for all privileged and administrative accounts. For ordinary user accounts many insurers still accept SMS-based methods; for admin access they increasingly do not, expecting an app- or hardware-token solution instead. Crucially, what counts is the state actually in operation, not what the form says. If you tick "MFA enabled" on the application but exempt the admin mailbox "for convenience" and that is exactly where you are compromised, you risk a complete denial of the claim.

2. Backups — separated, tested, immutable. Insurers typically expect adherence to the 3-2-1 rule, increasingly in the 3-2-1-1 variant: three copies, two different media types, one copy off-site and one in an immutable or air-gapped state. The point where things fail at claim time is almost never the backup itself, but the restore test that was never run. A backup you cannot actually restore is not a backup. Cleanly separating the backup infrastructure from the production network is a question of sound network and infrastructure architecture.

3. Patch management with defined deadlines. Insurers want evidence that critical security updates are not applied "eventually" but within fixed windows — critical vulnerabilities usually within a few days. That requires an overview of which systems exist in the first place. A forgotten, outdated system is the weak spot, both in the audit and in a real incident.

4. EDR/XDR instead of classic antivirus. Classic signature-based antivirus no longer satisfies insurers. They expect Endpoint Detection and Response (EDR) or XDR — a solution that detects suspicious behaviour, can isolate a compromised device, and documents response capability, ideally connected to round-the-clock monitoring.

5. Incident response and recovery plan. Insurers ask for a documented incident response plan: who decides in an emergency, who is informed and when, how reporting works (NIS2 and the GDPR each have their own deadlines), and how operations resume. In addition, many insurers check for a clean access-rights concept, email security (SPF, DKIM, DMARC), and staff anti-phishing training.
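As an added example (not part of the original article and not the author's audit tooling), the following Python script checks a constructed, fictitious inventory against the five controls above: MFA coverage by account class, the 3-2-1-1 backup rule plus the age of the last restore test, patch SLA windows by severity, and the published DMARC policy. The SLA windows, the 90-day restore-test threshold, the domain `example.invalid` and every inventory item are assumptions chosen for illustration; the insurer's own questionnaire defines the real thresholds.

```python
"""Self-check of an IT inventory against the five insurer baseline controls.

Added example with constructed data; nothing below is real client data.
"""
from datetime import date
import re

# --- constructed inventory (assumption: what an audit would collect) ---
ACCOUNTS = [
    {"name": "admin@example.invalid", "role": "admin", "mfa": "sms"},
    {"name": "ceo@example.invalid", "role": "user", "mfa": None},
    {"name": "vpn-ops", "role": "admin", "mfa": "hardware"},
    {"name": "sales@example.invalid", "role": "user", "mfa": "sms"},
]
BACKUP_COPIES = [  # each copy: media type, off-site?, immutable/air-gapped?
    {"media": "disk", "offsite": False, "immutable": False},
    {"media": "tape", "offsite": True, "immutable": True},
    {"media": "disk", "offsite": True, "immutable": False},
]
LAST_RESTORE_TEST = date(2025, 11, 3)
OPEN_PATCHES = [  # (system, severity, date the vendor released the fix)
    ("file-server", "critical", date(2026, 5, 20)),
    ("erp-db", "high", date(2026, 5, 1)),
    ("print-server", "low", date(2026, 1, 10)),
]
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
TODAY = date(2026, 6, 9)

# assumed thresholds; replace with the windows your insurer's questionnaire names
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RESTORE_TEST_MAX_AGE_DAYS = 90
STRONG_MFA = {"app", "hardware"}  # SMS is tolerated for users, not for admins


def check_mfa(accounts):
    """Flag accounts without MFA and admin accounts on a weak (SMS) method."""
    findings = []
    for a in accounts:
        if a["mfa"] is None:
            findings.append(f"MFA: {a['name']} has no MFA at all")
        elif a["role"] == "admin" and a["mfa"] not in STRONG_MFA:
            findings.append(f"MFA: admin account {a['name']} uses weak method '{a['mfa']}'")
    return findings


def check_backups(copies, last_restore_test, today):
    """Apply the 3-2-1-1 rule and require a recent, documented restore test."""
    findings = []
    if len(copies) < 3:
        findings.append("Backup: fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        findings.append("Backup: fewer than two media types")
    if not any(c["offsite"] for c in copies):
        findings.append("Backup: no off-site copy")
    if not any(c["immutable"] for c in copies):
        findings.append("Backup: no immutable or air-gapped copy")
    age = (today - last_restore_test).days
    if age > RESTORE_TEST_MAX_AGE_DAYS:
        findings.append(f"Backup: last restore test is {age} days old")
    return findings


def check_patches(open_patches, today):
    """Flag open updates whose age exceeds the SLA window for their severity."""
    findings = []
    for system, severity, released in open_patches:
        age = (today - released).days
        limit = PATCH_SLA_DAYS[severity]
        if age > limit:
            findings.append(f"Patch: {system} {severity} fix open for {age} days (SLA {limit})")
    return findings


def dmarc_policy(txt):
    """Return the value of the DMARC 'p' tag, or None if the record lacks one."""
    tags = dict(re.findall(r"(\w+)=([^;]+)", txt))
    policy = tags.get("p")
    return policy.strip() if policy else None


def check_email(dmarc_txt):
    """A DMARC record with p=none only monitors; insurers look for enforcement."""
    policy = dmarc_policy(dmarc_txt)
    if policy is None:
        return ["Email: DMARC record has no policy tag"]
    if policy == "none":
        return ["Email: DMARC policy is p=none (monitoring only, no enforcement)"]
    return []


def run_self_check():
    """Combine all checks into one findings list for the questionnaire review."""
    return (check_mfa(ACCOUNTS)
            + check_backups(BACKUP_COPIES, LAST_RESTORE_TEST, TODAY)
            + check_patches(OPEN_PATCHES, TODAY)
            + check_email(DMARC_TXT))


if __name__ == "__main__":
    for line in run_self_check():
        print(line)
```

Run as-is, the script reports six findings on the constructed data: the admin account on SMS, the unprotected mailbox, a restore test last run 218 days ago, two patches outside their SLA window, and a monitoring-only DMARC policy. Each finding maps directly to a questionnaire answer that would otherwise be given "optimistically".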

What is covered — and what regularly is not

A good cyber policy typically covers three areas: first-party losses (forensics, data recovery, business interruption, crisis communication, and in many cases ransom payments), third-party losses (liability towards customers and partners whose data is affected), and emergency services (access to forensic specialists, lawyers, crisis providers). For an SME without its own security team, that last point is often the most valuable part.

What regularly does not apply, or only with limits:

  • Breach of obligations. This is the most common point of dispute. If you warrant security measures on the application that are not consistently maintained, you risk a reduced or denied payout. Missing MFA in a single place is enough.
  • War and state-sponsored attacks. Since their 2024 revision, the model terms of the German Insurance Association (GDV) include a war and state-attack clause that explicitly covers digital warfare without physical weapons. Losses resulting from a successful state attack on critical infrastructure are regularly excluded. These clauses are contested in the industry and worded differently from insurer to insurer — a section worth reading carefully.
  • Known, unpatched vulnerabilities. An incident traced back to a vulnerability that was known and left unpatched for months is readily classified as gross negligence.
  • Pure financial losses without a security incident, regulatory fines, subcontractor arrangements — handled very differently depending on the terms.

A practical note: the German cyber insurance market remains poorly standardised. Most providers orient themselves on the GDV model terms but deviate, sometimes considerably, in the detail. Two policies with a similar premium can pay out completely differently when it matters.

How to lower the premium — honestly

The most effective levers are precisely the five technical measures above. Every demonstrable improvement — comprehensive MFA, EDR, tested immutable backups, a documented incident response plan — improves your risk rating and with it the premium. And there is a bonus: genuinely raising your security level lowers not only the premium but also the probability of a loss occurring. That is the only lever that works in both directions.

Two further legitimate adjustments: an appropriate deductible (it lowers the premium and instils internal discipline) and an independent security audit as proof. When an external report shows that the warranted measures are actually in place, it helps twice over — in the premium negotiation and at claim time, when the insurer examines whether obligations were met. What we advise managing directors against is filling in the application "optimistically". Every embellished answer is a built-in breaking point for the day the policy is supposed to pay.

Why the policy is no substitute for IT security

This is the core point, and we put it to our clients in the Berchtesgaden region very directly: cyber insurance is financial risk protection for the case where, despite all measures, something happens. It is not protection. It prevents not a single attack, it restores no data that was never backed up, and it does not replace staff who can spot a phishing email. On the contrary: the policy presupposes that you have done your security homework — and checks it more strictly than most managing directors expect.

The sensible order is therefore the reverse of what many do. First raise the security level to a state that holds up against the requirements — then layer the policy on top as residual-risk protection. Do it the other way round and you may be buying a piece of paper that, in a real emergency, is denied with reference to the obligations.

We approach this with clients as an IT security audit: we take the five insurer criteria as the minimum benchmark, check the real state — MFA, backup restoration, patch levels, endpoint protection, network separation, incident response — and prioritise what needs doing before the next application or renewal. The outcome is not a report for the drawer but a list you can use both to answer the insurance questionnaire cleanly and to actually become more secure. If you have a policy in front of you or are about to renew, that is a far better moment than the day after the incident.


Cyber insurance · IT-Security · SME · Bavaria · MFA · Backup · EDR · NIS2 · Risk management

Discuss your project?

We deliver what we describe here — in Bavaria and across the entire DACH region.

Get in touch