A few years ago, a small business could get cyber liability insurance by answering a short questionnaire and paying a few hundred dollars a year. That era is over. In 2026, insurers are treating cyber underwriting the same way they treat commercial property underwriting: they want to inspect the building before they insure it.
The numbers tell the story. Over 73% of small businesses fail their cyber insurance assessments in 2026, walking away with either a flat denial or a premium increase that can exceed 300%. Only 38% of small businesses currently carry cyber insurance at all, compared to 78% of mid-market companies and 92% of enterprise organizations. That coverage gap has real consequences: when a breach happens to an uninsured small business, the average out-of-pocket cost now sits above $200,000 — enough to close most small operations permanently.
If you run a small business or childcare center in Southern California, this article will tell you exactly what insurers are looking for in 2026, what the most common denial triggers are, and what you need to put in place to qualify for coverage at a reasonable price.
Why Requirements Changed So Dramatically
Cyber insurance became popular in the early 2020s, but insurers initially misjudged the risk. Ransomware payments more than doubled between 2022 and 2025. Business email compromise losses hit $2.9 billion in the US alone in 2025. The insurance industry responded the only way it knows how: by raising premiums and tightening the technical controls required before a policy will be written.
The shift that matters most for small businesses is that insurers stopped trusting self-reported questionnaires. In 2026, major carriers run automated scans of an applicant's external-facing infrastructure during underwriting. From the outside they can see exposed remote-access portals (RDP, VPN, Citrix, webmail), whether your email domain publishes an enforcing DMARC policy, and whether internet-facing software advertises known-vulnerable versions. What the scan cannot see, such as whether MFA is enforced on every account or whether EDR is on every device, is verified through the evidence you attach to the application. Saying you have controls is no longer sufficient. You have to actually have them, and be able to show it.
The 6 Controls Insurers Now Require
While each carrier's questionnaire varies slightly, the industry has largely converged on six core technical requirements. Meeting all six dramatically improves your odds of coverage — and typically qualifies you for the better rates.
1. Multi-Factor Authentication (MFA) on All Critical Accounts
This is the single most important requirement. 96% of cyber insurers list MFA as a non-negotiable condition of coverage in 2026, and 82% of claim denials cite missing MFA as the primary reason for rejection.
The coverage requirement has also expanded. It's no longer enough to have MFA just on your main email login. Insurers now expect MFA on all email accounts, all remote access and VPN connections, all cloud applications that access business data, and all administrator or privileged accounts. If a staff member can log into your Microsoft 365 or Google Workspace from home without a second factor, that is a gap an underwriter will flag. Two details trip up small businesses here. MFA that is merely available (users may enroll) is not MFA that is enforced (a policy requires it on every sign-in). And legacy protocols such as IMAP, POP3, and SMTP AUTH with basic authentication bypass MFA entirely, so they need to be disabled or blocked by policy, not just left unused.
2. Endpoint Detection and Response (EDR)
88% of underwriters now mandate EDR on all managed devices. Traditional antivirus software detects known malware by signature. EDR goes further: it monitors device behavior continuously, flags suspicious processes in real time, and enables remote isolation of a compromised machine before an attack can spread across your network. In the current threat landscape, where ransomware groups use living-off-the-land techniques that look like normal Windows activity, signature-based antivirus catches only a fraction of actual threats. EDR catches the behavior, not just the file.
Popular EDR tools approved by most insurers include Microsoft Defender for Business (included with Microsoft 365 Business Premium), SentinelOne, and CrowdStrike Falcon Go. For most small businesses, Microsoft Defender for Business is the most cost-effective path since it's bundled with a subscription many organizations already pay for. Installing the agent is only half the requirement: underwriters also ask whether anyone actually watches the alerts, so pair EDR with a monitoring arrangement, and turn on tamper protection so that an attacker who gains local admin cannot simply uninstall it.
3. Documented Patch Management
Unpatched software is the entry point for a large share of breaches, and insurers know it. They want to see a documented process for deploying security updates across your operating systems, applications, and network equipment, with a defined remediation window. Most carriers expect critical patches to be applied within 14 to 30 days of release, and the window for anything reachable from the internet (firewalls, VPN appliances, mail servers, remote access gateways) should be much shorter, because those are exactly the systems an underwriter's external scan fingerprints and the ones ransomware affiliates hit first. "We update when we remember to" is not a patch management policy. A simple written procedure, a monitoring tool, and a log showing updates are applied on schedule satisfy this requirement.
4. Immutable, Tested Backups
Backups are the primary defense against ransomware, and insurers scrutinize them carefully. The questions on renewal applications in 2026 are much more specific than they were a few years ago. Carriers want to know whether your backups are immutable (meaning they cannot be altered or deleted within the retention period, even by someone holding admin credentials, which rules out a backup share that a domain admin can wipe), whether they are stored separately from your production environment (air-gapped, or in a separate cloud tenant with its own credentials), how often restore tests are conducted, and whether you have documented evidence of those test results. A backup that has never been restored is an assumption, not a control, and an untested backup is the gap most often found here.
5. A Written Incident Response Plan
An incident response plan (IRP) does not need to be a 50-page document. Insurers want to see that you have a documented process for what happens when a breach occurs: who is responsible for containment, who decides whether to notify law enforcement, how you communicate with affected customers, when you notify your insurer, and what documentation you preserve. On that last point, read the notice clause of your policy: many policies require you to report a suspected incident to the carrier's hotline within a set period and to use the carrier's panel forensics and legal vendors, and hiring your own vendors first can leave those costs unreimbursed. Having a plan before an incident matters because it reduces the cost and duration of claims. Insurers reward that with better terms, and they penalize the absence of a plan with higher premiums or exclusions.
6. Employee Security Awareness Training
Human error is present in 95% of cyber incidents. Carriers expect documented training programs for all employees who handle business data, plus periodic phishing simulations to measure whether the training is working. Annual training with a certificate of completion is the minimum. Organizations that run quarterly phishing simulations and can show improvement trends in click rates get recognition from some underwriters in the form of better pricing. Platforms like KnowBe4 cover both requirements, and so does Attack Simulation Training in Microsoft Defender for Office 365, though that feature requires Defender for Office 365 Plan 2 rather than the Plan 1 bundled with Microsoft 365 Business Premium, so check your licensing before counting on it.
What It Costs If You Qualify (vs. If You Don't)
For a small business with 10 to 30 employees, a $1 million cyber liability policy typically costs between $1,200 and $5,000 per year in 2026, depending on industry and security posture. Premium trends for this segment are running at 15 to 20% annual increases overall. But here's the practical split: businesses that implement all six core controls have seen premiums stabilize or fall 50 to 60% compared to businesses without those controls. The upfront cost of getting your controls in place typically pays for itself in premium savings within 12 to 18 months, on top of the actual security benefit.
For childcare centers specifically, premiums tend to run higher because of the sensitivity of the data involved. Centers that process payment information, maintain children's health records, and operate under California's Title 22 licensing rules represent elevated risk in an insurer's model. (The CCPA itself only applies to businesses above its revenue or data-volume thresholds, but California's breach notification law, Civil Code 1798.82, applies to every business that holds residents' personal information, whatever its size.) Centers that can demonstrate strong data access controls, encrypted storage of sensitive records, and documented breach response procedures stand the best chance of keeping those premiums manageable.
The Documentation Gap
One thing that surprises many small business owners during the insurance application process is how much documentation is expected. It's not enough to have controls deployed. Carriers want written policies that define the controls, evidence that the controls are actually in use, and often screenshots or logs to verify claims made on the application. The three documents that come up most frequently are a written information security policy (WISP), a patch management log, and backup test records.
Many small businesses have the underlying security controls in place but lack the documentation to prove it. This is one of the most common reasons applications stall. An organization with strong security practices but poor documentation will get worse terms than an organization with moderate security and excellent documentation. Insurers can only evaluate what they can see.
A Practical Checklist Before You Apply
Before submitting a cyber insurance application, work through this checklist. Every item you can answer "yes" to with documentation improves your outcome:
- MFA is enabled on all email accounts, admin accounts, and remote access connections, and it is enforced by policy rather than left to users to opt in. You have a screenshot or a configuration report proving it (in Microsoft 365, the Conditional Access policies or the Security Defaults setting plus the authentication methods registration report; in Google Workspace, the 2-Step Verification enforcement setting).
- EDR is deployed on every managed device — laptops, desktops, and any remote work machines that access business systems.
- You have a patch management policy that specifies how often patches are applied and who is responsible. Your most recent patch cycle is documented.
- Backups run daily, are stored in a separate location from production, and cannot be deleted by a compromised account. You have tested a restore within the last 90 days and have records of that test.
- You have a written incident response plan that names who does what in the first 24 hours after discovering a breach.
- All employees have completed security awareness training in the last 12 months. You have completion certificates or training logs.
- Your email domain has SPF, DKIM, and DMARC records configured, and the DMARC policy is set to quarantine or reject. A policy of p=none only monitors; it does not stop spoofing, and a carrier's scan will treat it as unenforced. (Some carriers now check this automatically.)
- You have a written information security policy covering acceptable use, access controls, and data handling.
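The DMARC check that carriers run, referred to in the paragraph on automated scans above and in the email-domain item of this checklist, can be reproduced locally before you apply. The script below is an added example for this article, not code from EDCON or from any carrier. It evaluates constructed SPF and DMARC TXT answers for hypothetical .test domains (no live DNS is queried) and classifies each domain the way an underwriter's scan would: enforcing policy, monitoring only, or missing. DKIM is left out because verifying it requires the selector name, which an external scanner only learns from a sampled message.

```python
"""Classify a domain's SPF and DMARC posture the way an insurer's external scan
would. Added example for this article; the DNS answers below are constructed
for hypothetical .test domains, no live lookups are made."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed TXT answers: domain -> {queried name -> TXT strings}.
SAMPLE_ZONES: Dict[str, Dict[str, List[str]]] = {
    "enforced.test": {
        "enforced.test": [
            "v=spf1 include:spf.protection.outlook.com -all",
            "MS=ms12345678",  # unrelated verification TXT records are normal
        ],
        "_dmarc.enforced.test": [
            "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.test; adkim=s; aspf=s",
        ],
    },
    "monitor-only.test": {
        "monitor-only.test": ["v=spf1 include:_spf.google.com ~all"],
        "_dmarc.monitor-only.test": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test"],
    },
    "partial.test": {
        "partial.test": ["v=spf1 ip4:203.0.113.10 -all"],
        "_dmarc.partial.test": ["v=DMARC1; p=quarantine; pct=25"],
    },
    "unprotected.test": {
        "unprotected.test": ["v=spf1 +all"],  # and no _dmarc record at all
    },
}


@dataclass
class MailAuthPosture:
    domain: str
    spf_records: List[str] = field(default_factory=list)
    spf_all: Optional[str] = None       # qualifier on the "all" mechanism: + - ~ ?
    dmarc_policy: Optional[str] = None  # none | quarantine | reject; None if absent
    dmarc_pct: int = 100
    findings: List[str] = field(default_factory=list)

    @property
    def enforced(self) -> bool:
        """What an underwriter's scan counts as DMARC enforcement."""
        return self.dmarc_policy in ("quarantine", "reject") and self.dmarc_pct == 100


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier of the SPF 'all' mechanism, or None if there is none."""
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: a missing qualifier means "+"
    return None  # no "all" term: unlisted senders get a neutral result


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, lookup_txt: Callable[[str], List[str]]) -> MailAuthPosture:
    """lookup_txt(name) returns the TXT strings published at a name. SPF lives
    at the domain apex and DMARC at _dmarc.<domain>."""
    p = MailAuthPosture(domain)
    p.spf_records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not p.spf_records:
        p.findings.append("no SPF record")
    elif len(p.spf_records) > 1:
        p.findings.append("multiple SPF records (permerror, evaluates as no SPF)")
    else:
        p.spf_all = spf_all_qualifier(p.spf_records[0])
        if p.spf_all in ("+", "?", None):
            p.findings.append(f"SPF never fails unauthorized senders (all qualifier {p.spf_all!r})")

    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        p.findings.append("no DMARC record: spoofed mail is delivered unchallenged")
        return p
    tags = parse_dmarc(dmarc[0])
    p.dmarc_policy = tags.get("p", "").lower() or None
    if p.dmarc_policy == "none":
        p.findings.append("DMARC p=none: monitoring only, receivers still deliver spoofed mail")
    elif p.dmarc_policy not in ("quarantine", "reject"):
        p.findings.append("DMARC record has no valid p= tag")
    pct = tags.get("pct", "100")
    p.dmarc_pct = int(pct) if pct.isdigit() else 0
    if p.dmarc_pct < 100:
        p.findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        p.findings.append("no rua= address: nobody receives aggregate reports")
    return p


def assess_sample(domain: str) -> MailAuthPosture:
    """Run the assessment against the constructed zone data above."""
    zone = SAMPLE_ZONES[domain]
    return assess(domain, lambda name: zone.get(name, []))


if __name__ == "__main__":
    for d in SAMPLE_ZONES:
        result = assess_sample(d)
        verdict = "ENFORCED" if result.enforced else "NOT ENFORCED"
        print(f"{d}: {verdict}; " + ("; ".join(result.findings) or "no findings"))
```

To run the same classification against a real domain, replace the lookup callback with a resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's character strings into one record before passing it in); the evaluation logic does not change. The `pct` and `rua` checks matter because a policy that applies to a quarter of mail, or that nobody receives reports for, is what an insurer's scan will still flag even when `p=` looks right.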
How EDCON Helps Small Businesses Get to Yes
The most common situation EDCON sees is a small business or childcare center that has some controls in place but can't pass an insurance assessment because of gaps in MFA coverage, missing documentation, or backups that have never been tested. The technical fixes are usually straightforward. The challenge is knowing what gaps exist before the insurer's automated scan finds them.
EDCON offers a cyber insurance readiness review designed specifically for small businesses and childcare centers in the Los Angeles, Ventura, and Oxnard areas. The review walks through each of the controls carriers require, identifies what's in place and what's missing, and produces a remediation plan with clear timelines and costs. We then handle the technical implementation: deploying MFA across your Microsoft 365 or Google Workspace environment, activating EDR through your existing endpoint licenses, configuring immutable backup policies in your cloud storage, and setting up the monitoring and documentation workflows that keep you audit-ready at renewal time.
We also help with the paperwork side. Many small business owners find the technical questionnaires on insurance applications genuinely confusing. What exactly counts as "air-gapped" backups? Does our Microsoft 365 backup qualify as immutable? Is our current endpoint protection considered EDR? These are questions that have specific answers in an insurance context, and getting them wrong on an application can create coverage disputes later. EDCON helps clients complete the technical sections of insurance questionnaires accurately, so the coverage you pay for is coverage you can actually use.
For childcare centers in particular, the readiness review also covers the data privacy controls that California's breach notification law and Title 22 licensing regulations require, and the CCPA where a center is large enough to fall under it. These overlap significantly with what cyber insurers want to see, so addressing them together is more efficient than treating them as separate compliance tracks.
Frequently Asked Questions
Do I need cyber insurance if I'm a small childcare center with only one location?
Yes, arguably more so than a typical retail business. Childcare centers store children's records, medical information, parent financial data, and staff personal information all in one place. A breach triggers notification obligations under California's breach notification law regardless of the center's size (and CCPA obligations if the center meets that law's thresholds), potential COPPA exposure if the center collects children's information online through an app or website, and scrutiny from the licensing agency. Cyber liability insurance covers the notification costs, legal defense, and data recovery expenses that follow a breach. Many childcare center operators don't realize they're exposed until something goes wrong.
What's the difference between a cyber insurance denial and an exclusion?
A denial means you don't get coverage at all, typically because you failed the underwriting assessment. An exclusion means you get coverage but specific scenarios are carved out of the policy. Common exclusions include losses caused by unpatched software (if your patch management is documented as poor), losses from previously known vulnerabilities, and social engineering attacks where an employee was tricked into transferring funds, which are often either excluded outright or covered only up to a small sublimit well below the policy's headline amount. Exclusions and sublimits are sometimes negotiable. Reading your policy before a breach, not after, is what lets you catch them.
How long does it take to get a small business cyber insurance-ready?
For most small businesses with 5 to 30 employees, getting the core technical controls in place takes two to four weeks if you have an IT provider helping. MFA deployment and EDR activation can often happen in a day or two. Setting up immutable backups and documenting an incident response plan takes a bit longer but is not complex work. The documentation step — writing policies and capturing evidence of existing controls — is often underestimated and benefits most from outside help.
Get Your Business Cyber Insurance-Ready
EDCON works with small businesses and childcare centers across Southern California to implement the security controls that cyber insurers require, close the documentation gaps that cause applications to fail, and make sure the coverage you buy is coverage you can actually use. Start with a free consultation — we'll tell you exactly where you stand before you apply.
Book a Free Consultation