A small electronics manufacturer in Illinois bought a cyber insurance policy in April. A few weeks later it was hit with ransomware and filed a claim. The carrier did not pay. It went to federal court to rescind the policy outright, asking a judge to declare it null and void from inception, as if it had never been issued. The reason: the company had attested on its application that it required multi-factor authentication for employees and third parties to reach email and network systems, and the forensic review found MFA running only on the firewall, not on the servers the attackers actually reached.
That case, Travelers v. International Control Services, ended in 2022 with the policy voided by agreement and no coverage available for past, present, or future claims. It was one of the first court filings of its kind. Four years on, it reads less like an outlier and more like a template. The belief most owners still carry into a renewal is that paying the premium means being covered. In 2026 that belief is where claims go to die.
Here is who this is for, and who can stop reading. If you carry a cyber policy, are renewing one this year, or have a client contract, lender, or regulator that requires you to hold one, this is your problem and the gap is very likely sitting in your file right now. If you carry no policy and nobody requires you to, you can skip the attestation mechanics below, with one caveat: the controls a carrier grades are the same ones that decide whether the ransomware lands in the first place. The evidence is optional only if the coverage is.
The renewal stopped being a questionnaire
For most of the last decade, cyber underwriting ran on self-attestation. You answered yes or no to a page of questions, signed, and got a quote. That model is gone. Carriers now underwrite on evidence: screenshots, configuration exports, dated reports with your company name on them, and in many cases an outside scan of your perimeter before they will bind. The renewal is an audit, and you are the auditee.
Multi-factor authentication is the single most scrutinized control. Carriers expect it enforced on remote access, every VPN path, all privileged and administrative accounts, and email, and a growing number reject SMS-delivered codes in favor of authenticator apps or hardware keys. Behind MFA sits a short, predictable list: endpoint detection and response in place of legacy antivirus, backups that are tested and held offline or immutable, a written and exercised incident response plan, privileged access management, and email authentication. None of this is exotic. What changed is that the carrier now wants to see the artifact, not the checkbox.
The defensibility test underwriters apply is blunt: does the control export you can produce today match the control you attested to, across the entire policy period? A point-in-time screenshot from the week you applied does not answer that. A configuration that was correct in March and drifted in May does not answer it either. The question is continuity, and continuity has to be evidenced.
How a paid-up policy becomes worthless
The mechanism that sinks claims is material misrepresentation. When a forensic review after a breach finds a gap between what was attested and what was actually running, the carrier has grounds to rescind, and rescission is not the same as a denied line item. A denied claim refuses to pay for one event. Rescission unwinds the contract entirely and returns your premium, leaving every past and future claim uncovered.
Travelers v. ICS turned on exactly the distinction that trips up small teams. The application asked whether MFA protected email and network systems. The honest answer at most companies is "mostly." MFA was on the firewall and the email tenant, but a set of internal servers, a legacy RDP path, or a service account had it switched off for convenience. The attacker walks in through the one door that was not locked, and at claim time the gap between "we have MFA" and "MFA was enforced on the path the attacker used" becomes the carrier's exit. As the legal analysis of the case spelled out, a single inaccurate application answer can void the whole policy, not just the disputed claim.
This is the part owners underestimate. You are not insured for the controls you bought. You are insured for the controls you can prove were enforced, for everyone, at the moment the incident happened. Buying the EDR license and never confirming it was deployed on the bookkeeper's laptop is the kind of detail that surfaces in a forensic report and ends a claim.
What the 2026 claims data actually shows
The events that trigger claims are the ones your attested controls are supposed to stop, which is why underwriters grade them so hard. Coalition's 2026 Cyber Claims Report, drawn from more than 100,000 policyholders across 2025, lays out where the money goes:
- Ransomware is the expensive tail. Initial ransom demands surged 47% to an average above one million dollars, though a record 86% of businesses refused to pay. Seventy percent of ransomware events involved both encryption and data theft, which routinely doubles the cost of the incident.
- Email fraud is the common case. Business email compromise and funds transfer fraud together accounted for 58% of all claims. Of the funds-transfer claims, 71% came directly from social engineering, and over half started as a business email compromise, with an average loss of $112,000.
- Fast response pays. 64% of closed claims resolved with no out-of-pocket loss to the policyholder, and Coalition recovered $21.8 million in stolen funds. The orgs that came out whole were the ones whose controls and response plans worked as attested.
Read that list against the attestation list and the overlap is the whole point. MFA and phishing-resistant authentication are aimed at the credential theft behind ransomware and account takeover. Email authentication and security awareness are aimed at the BEC that drives the majority of claims. Tested backups are what let 86% of victims refuse to pay. The carrier is grading the exact controls that determine whether you become a claim, then grading them again to decide whether to honor it.
Produce the evidence before you need it
The artifact that wins a claim, and that shortens a renewal from weeks to days, is a dated export showing a control was on, for the whole population, across the period. You can generate most of it yourself. For an identity stack on Microsoft Entra ID, start by exporting every user's registered authentication methods and flagging privileged accounts that are not MFA-capable, then snapshot your Conditional Access policies as dated JSON:
```powershell
# Microsoft Graph PowerShell — MFA registration + Conditional Access evidence
Connect-MgGraph -Scopes "AuditLog.Read.All","Policy.Read.All",`
    "UserAuthenticationMethod.Read.All"
$stamp = Get-Date -Format yyyy-MM-dd

# Per-user auth method registration; flag admins without a strong method.
# MethodsRegistered is an array, so join it or Export-Csv writes "System.String[]".
$gaps = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin -eq $true -and $_.IsMfaCapable -eq $false } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ';' } }
$gaps | Export-Csv ".\admins-without-mfa_$stamp.csv" -NoTypeInformation
# Record the count as well: an empty pipeline writes no rows, and the zero is the evidence.
"$stamp : $(@($gaps).Count) admin accounts not MFA-capable" |
    Out-File ".\admins-without-mfa_$stamp.txt"

# Dump every Conditional Access policy as dated JSON (State shows enabled/disabled/report-only)
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, Conditions, GrantControls |
    ConvertTo-Json -Depth 10 |
    Out-File ".\conditional-access_$stamp.json"
```
That CSV being empty is the evidence: it shows zero administrators without MFA on the date stamped in the filename. Pair it with a query against your sign-in logs that finds any member account that completed a sign-in without satisfying MFA in the trailing window, which is the gap a forensic reviewer would find first:
```kusto
// KQL — members who completed a sign-in without MFA in the last 90 days
SigninLogs
| where TimeGenerated > ago(90d)
| where UserType == "Member"
| where ResultType == "0"   // successful sign-ins only; a failed attempt is not a gap
| summarize total = count(),
            mfa = countif(AuthenticationRequirement == "multiFactorAuthentication")
          by UserPrincipalName
| where mfa < total
| extend without_mfa = total - mfa
| order by without_mfa desc
```
The same pattern applies to the other attested controls. The point is to hold the receipts before a breach forces the question.
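A point-in-time export answers "was it on that day"; the continuity question is answered by diffing consecutive dated exports. The following is an added example, not code from the original post or from Red Hound: it assumes two Conditional Access JSON files in the shape the PowerShell snapshot above writes (objects with DisplayName, State and GrantControls.BuiltInControls, where "mfa" marks an MFA grant), and uses constructed sample snapshots inline.

```python
import json

# Constructed sample snapshots (not real tenant data) in the shape of the dated
# ConvertTo-Json export; assumption: BuiltInControls lists "mfa" when MFA is required.
MARCH = json.dumps([
    {"DisplayName": "Require MFA for all users", "State": "enabled",
     "GrantControls": {"BuiltInControls": ["mfa"]}},
    {"DisplayName": "Block legacy auth", "State": "enabled",
     "GrantControls": {"BuiltInControls": ["block"]}},
    {"DisplayName": "Require MFA for admins", "State": "enabled",
     "GrantControls": {"BuiltInControls": ["mfa"]}},
])
MAY = json.dumps([
    {"DisplayName": "Require MFA for all users",
     "State": "enabledForReportingButNotEnforced",
     "GrantControls": {"BuiltInControls": ["mfa"]}},
    {"DisplayName": "Block legacy auth", "State": "enabled",
     "GrantControls": {"BuiltInControls": ["block"]}},
])

def _index(snapshot_json):
    """Map DisplayName -> (State, set of built-in grant controls)."""
    data = json.loads(snapshot_json)
    out = {}
    for p in data if isinstance(data, list) else [data]:  # one policy exports as a bare object
        controls = set((p.get("GrantControls") or {}).get("BuiltInControls") or [])
        out[p["DisplayName"]] = (p["State"], controls)
    return out

def policy_drift(before_json, after_json):
    """Compare two dated exports and list anything that weakened enforcement:
    a policy removed, moved out of 'enabled', or no longer granting on MFA.
    Each finding is a continuity gap, whatever the newer screenshot shows."""
    before, after = _index(before_json), _index(after_json)
    findings = []
    for name, (state, controls) in before.items():
        if name not in after:
            findings.append(f"REMOVED: {name}")
            continue
        new_state, new_controls = after[name]
        if state == "enabled" and new_state != "enabled":
            findings.append(f"DISABLED: {name} ({state} -> {new_state})")
        if "mfa" in controls and "mfa" not in new_controls:
            findings.append(f"MFA DROPPED: {name}")
    for name in sorted(after.keys() - before.keys()):
        findings.append(f"ADDED: {name}")
    return findings

if __name__ == "__main__":
    for line in policy_drift(MARCH, MAY):
        print(line)
```

Run it against each pair of monthly exports and file the output with them; an empty result for every pair is the continuity evidence.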
The control-evidence pack to keep on file
- Identity: the dated MFA registration export above, the Conditional Access JSON, and a list of any documented exceptions with an owner and an expiry date.
- Endpoint: an EDR console export of enrolled devices versus your asset inventory, so deployment coverage is a number, not an assumption.
- Backups: the most recent successful restore test, dated, with what was restored and how long it took. A backup nobody has restored is a claim risk, not a control.
- Response: the incident response plan with the date of the last tabletop exercise and who attended.
- Email: your SPF, DKIM, and DMARC records and the enforcement policy in place, since BEC drives most claims.
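For the endpoint line above, the coverage number comes from reconciling the EDR console's enrolled-device export against the asset inventory. The following is an added example, not code from the original post or from Red Hound: it assumes both exports are CSV with a hostname column and a last-check-in date, and uses constructed sample rows inline. It also treats an enrolled agent that has not checked in recently as not covered, since a silent agent is the same gap as a missing one.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (not real data): the asset inventory and the EDR
# console's enrolled-device list. Hostname casing and DNS suffixes differ between
# them, which is the usual reason a naive join under-counts coverage.
INVENTORY_CSV = """hostname,owner
WS-FIN-01.corp.example,bookkeeper
ws-fin-02.corp.example,controller
SRV-FILE-01.corp.example,it
LT-SALES-07,sales
"""
EDR_CSV = """device_name,last_seen
ws-fin-01,2026-01-15
SRV-FILE-01.corp.example,2026-03-02
lt-sales-07.corp.example,2026-02-28
"""
AS_OF = date(2026, 3, 3)  # constructed evidence date; stamp it into the output filename

def normalize(name):
    """Lower-case and drop any DNS suffix so both exports key on the short hostname."""
    return name.strip().lower().split(".")[0]

def edr_coverage(inventory_csv, edr_csv, as_of, max_silence_days=7):
    """Reconcile inventory against EDR enrollment as of a given date.
    A host with no agent, or whose agent has not checked in within
    max_silence_days, is counted as not covered. Returns
    (coverage_percent, hosts_missing_agent, hosts_with_stale_agent)."""
    inventory = {normalize(r["hostname"]) for r in csv.DictReader(io.StringIO(inventory_csv))}
    last_seen = {normalize(r["device_name"]): date.fromisoformat(r["last_seen"])
                 for r in csv.DictReader(io.StringIO(edr_csv))}
    cutoff = as_of - timedelta(days=max_silence_days)
    missing = sorted(h for h in inventory if h not in last_seen)
    stale = sorted(h for h in inventory if h in last_seen and last_seen[h] < cutoff)
    covered = len(inventory) - len(missing) - len(stale)
    pct = round(100.0 * covered / len(inventory), 1) if inventory else 0.0
    return pct, missing, stale

if __name__ == "__main__":
    pct, missing, stale = edr_coverage(INVENTORY_CSV, EDR_CSV, AS_OF)
    print(f"{AS_OF}: EDR coverage {pct}% of inventoried hosts")
    for h in missing:
        print(f"  no agent:    {h}")
    for h in stale:
        print(f"  stale agent: {h}")
```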
Assemble the control-evidence pack before you renew
Treat the renewal application the way you would treat testimony, because after a breach that is what it becomes. Before you sign the next one, walk every yes-or-no answer back to an artifact you can produce on demand, find the place where "mostly" is the honest answer, and either close that gap or disclose it in writing. The owner-level move is small and unglamorous: own the gap between the controls you paid for and the controls you can prove, on a dated page, for everyone, today rather than in a forensic report twelve months from now. The premium buys nothing if the attestation does not hold.
Need to prove your controls before the renewal, and before the claim?
Red Hound runs cyber insurance readiness and control-attestation assessments for small and mid-size businesses. We map what your policy, clients, and regulators require against what you can actually evidence, then close the gaps and hand you the dated control-evidence pack. Book a session to build yours before your next renewal.
