Cyber Insurance 2026: MFA and Training Requirements

A few years ago, buying cyber insurance meant filling out a short questionnaire and writing a check. Those days are over. In 2026, the application is a detailed security audit, and getting the answers wrong, or worse, getting them wrong in a way a forensic investigator can later disprove, can mean a denied renewal or a denied claim. For the businesses you protect, and the managed service providers who advise them, the rules of the game have fundamentally changed.
The shift is straightforward to summarize: security awareness training and phishing simulation are now table stakes for cyber coverage, sitting right alongside multi-factor authentication as controls underwriters expect to see in place before they will bind or renew a policy. Understanding what carriers are looking for, and how to prove you have it, is now a core part of risk management.
No MFA, No Coverage
If there is one control that has become non-negotiable, it is multi-factor authentication. Underwriters have watched too many catastrophic claims trace back to a single password, and they have responded by drawing a hard line. In 2026, a lack of MFA is one of the most common reasons coverage is declined outright. The reasoning is simple: MFA neutralizes the vast majority of credential-based attacks, and an organization without it is, from an underwriter's perspective, an unmanaged risk.
Carriers do not just want MFA somewhere, they want it everywhere that matters. Expect to attest to MFA across:
- Remote access and VPN, the classic entry point for attackers.
- Email, especially cloud platforms like Microsoft 365 and Google Workspace.
- Administrative and privileged accounts, where compromise is most damaging.
- Cloud applications and management consoles that hold sensitive data.
For privileged users in particular, many carriers now expect phishing-resistant MFA, such as number-matching authenticator apps or hardware security keys, rather than easily-intercepted SMS codes. The U.S. Cybersecurity and Infrastructure Security Agency's guidance on multi-factor authentication is a useful reference point for the kind of implementation underwriters increasingly have in mind.
The question underwriters ask has changed. It is no longer "do you have MFA?" but "can you prove MFA was fully enforced everywhere it was required at the moment of the incident?" That distinction is where claims are won or lost.
Documented Training Is Now Expected
MFA blocks the stolen-credential attack. But the credential usually gets stolen because someone fell for a phish, which is why underwriters have turned their attention to the human layer. A documented security awareness training program is now a standard expectation on cyber insurance applications, not a bonus that earns a discount.
The baseline that carriers look for has crystallized into a recognizable shape:
- Training for all employees on a documented, recurring schedule.
- At least annual delivery as the floor, with quarterly or continuous training increasingly treated as the modern standard, especially for regulated industries.
- Content that reflects current threats, updated as attack techniques evolve rather than frozen in place year after year.
- Tracked completion, so the program is measurable and demonstrable rather than assumed.
The emphasis on a documented schedule is deliberate. An informal "we send security tips sometimes" answer does not satisfy an underwriter, and it will not hold up if a forensic review follows a breach. Carriers want a program they can see, with dates, rosters, and content they can point to.
These controls also do more than open the door to coverage, they shape what you pay and what is actually covered once you are inside. Organizations that can demonstrate a mature, well-evidenced security posture are in a far stronger position to negotiate premiums, while gaps tend to translate into higher rates or, increasingly, targeted exclusions that carve out exactly the kind of incident your missing control would have prevented. A policy that technically renews but excludes the most likely loss is a poor outcome, and it is often the direct result of a control the underwriter could not see evidence for. Treating training and MFA as premium-management levers, not just gatekeeping checkboxes, reframes them from a cost into an investment with a measurable return at renewal.
Phishing Simulations and the Proof Underwriters Want
Beyond training delivery, insurers increasingly expect periodic phishing simulations, controlled, safe phishing tests that measure how employees actually behave when a lure lands in their inbox. Training tells an underwriter you taught your people. Simulations tell them whether the teaching worked. That evidence of real behavioral resilience is exactly what carriers are looking to underwrite.
The deeper shift in 2026 is from attestation to proof. The most common reason claims are denied is material misrepresentation, when a forensic investigation after a breach reveals a gap between what the organization attested to and what was actually in place. An honest, well-documented control posture is therefore not just good security, it is the foundation of a payable claim. To stand on solid ground, be prepared to produce:
- Training completion records with dates, showing who was trained and when.
- Phishing simulation results, including click rates and report rates over time.
- Remedial training assigned to employees who failed simulations, demonstrating a closed feedback loop.
- Evidence of program updates tied to current threat trends, showing the program is living, not static.
- MFA enforcement evidence across the systems where you attested it was active.
This is exactly the documentation empowsec is designed to generate. Security awareness training produces dated completion certificates and rosters, phishing simulation produces the click-rate and report-rate metrics underwriters ask for, and the reporting ties it together into an evidence package you can hand to a broker at renewal, or to an investigator after an incident, with confidence.
What This Means for MSPs and the SMBs They Serve
For managed service providers, these requirements are both a challenge and an opportunity. Many small and mid-sized businesses simply cannot navigate a modern cyber insurance application on their own, they do not have the in-house expertise to deploy phishing-resistant MFA, stand up a recurring training program, or assemble the evidence a renewal now demands. That gap is precisely where an MSP delivers value.
By building MFA enforcement, security awareness training, and phishing simulation into a standard service offering, an MSP can position clients to obtain and renew coverage at better terms, and reduce the risk of a denied claim down the line. The same controls that satisfy underwriters also genuinely lower the likelihood of a breach, aligning the client's interests, the insurer's, and the provider's. Insurability becomes a concrete, sellable outcome rather than an abstract promise. Note that requirements vary between carriers and policies, so always confirm specifics with the relevant broker or underwriter and treat insurer documentation as the source of truth.
Key Takeaways
- MFA is mandatory. Lack of MFA across remote access, email, admin, and cloud is a leading reason coverage is denied in 2026, with phishing-resistant MFA expected for privileged accounts.
- Documented training is table stakes. Underwriters expect a recurring, tracked awareness program, annual at minimum and increasingly quarterly or continuous.
- Simulations prove it works. Periodic phishing simulations show real behavioral resilience, not just attendance.
- Proof beats attestation. Material misrepresentation is a top cause of denied claims, so keep dated records, simulation results, and MFA evidence ready.
- It is an MSP opportunity. Packaging MFA, training, and simulation helps SMB clients become insurable while genuinely reducing their risk.


