What do cyber insurance carriers require for 2026 renewals?

For 2026, carriers require documented proof of multi-factor authentication on all accounts, endpoint detection and response with 24/7 monitoring, encrypted offline backups with tested restoration, a written and tested incident response plan, and identity and access management controls. Carriers now demand screenshots, audit logs, and policy documents as evidence rather than accepting attestation alone.

Can a cyber insurance claim be denied if my organization lacks MFA or EDR?

Yes. Standard 2026 cyber insurance policies include exclusion clauses for unpatched or unsupported systems, lack of required security controls like MFA and EDR, compliance failures, and in some cases nation-state attacks. If your carrier's policy requires MFA and your organization suffers a breach through an account without MFA, the carrier can deny the claim.

How much cyber insurance does a senior living community need?

Healthcare organizations handling protected health information should carry $2 million to $5 million in cyber liability coverage under HIPAA guidelines. The specific amount depends on the volume of records managed, number of communities, and regulatory exposure. Your coverage should account for breach notification costs, legal defense, regulatory fines, and business interruption.

Back to Insights

Cyber Insurance Just Got Harder to Get. Here Is What Changed.

April 2, 2026 · Tech for Senior Living

Two years ago, most cyber insurance applications were a checkbox exercise. Answer a few questions about your security posture, sign the attestation, and the policy binds. That era is over.

For 2026 renewals, carriers are requiring documented proof of specific security controls before they will issue or renew a policy. Not self-reported answers on a questionnaire. Screenshots. Audit logs. Policy documents. Configuration exports. If you cannot produce the evidence, you face premium increases, reduced coverage limits, or outright denial.

What Carriers Now Require

The 2026 underwriting baseline across major cyber insurance carriers has converged on five requirements.

Multi-factor authentication (MFA) on all accounts. Not just administrative accounts. Every user account that accesses email, cloud applications, or remote systems. Carriers increasingly prefer phishing-resistant MFA methods like hardware keys or authenticator apps over SMS-based codes.
Endpoint detection and response (EDR) with 24/7 monitoring. Traditional antivirus is no longer sufficient. Carriers want EDR that detects behavioral anomalies, not just known malware signatures, with a managed detection and response (MDR) team monitoring alerts around the clock.
Encrypted offline backups with tested restoration. Carriers have learned from claims data that backups on the same network as production systems get encrypted during ransomware attacks. They now require backups that are encrypted, stored offline or in an air-gapped environment, and tested for successful restoration on a regular schedule.
A written and tested incident response plan. Not a generic template. A plan specific to your organization that names response roles, defines communication procedures, and has been tested through a tabletop exercise within the past 12 months.
Identity and access management (IAM) controls. Carriers want evidence that former employees are deprovisioned promptly, administrative access is limited to named individuals, and privileged accounts are monitored.

New Exclusion Clauses to Watch

Beyond tightening what they require, carriers are expanding what they exclude. Three new exclusion categories are appearing in 2026 policies.

Unpatched and unsupported systems. If your organization is running Windows 10 past its end-of-support date, or any system with known unpatched critical vulnerabilities, a breach originating from that system may not be covered. Carriers are explicitly naming end-of-life operating systems and unpatched software as coverage exclusions.

Compliance failures. If your organization is required to comply with HIPAA and a breach investigation reveals that you were not meeting basic HIPAA Security Rule requirements, the carrier may reduce or deny the claim. This is a new enforcement mechanism. Your cyber insurance carrier is now, in effect, auditing your HIPAA compliance.

Nation-state attacks. Some carriers are adding exclusions for attacks attributed to nation-state actors. This is relevant for healthcare: Iranian state-affiliated ransomware groups actively targeted U.S. healthcare organizations in February 2026. If your carrier's policy excludes nation-state attacks and the forensic investigation attributes the breach to a state-sponsored group, your claim may be denied regardless of your security posture.

Why This Matters for Senior Living

Healthcare organizations handling Protected Health Information (PHI) should carry $2 million to $5 million in cyber liability coverage under HIPAA guidelines. For portfolio operators managing multiple communities, the aggregate exposure across sites can be substantial.

Senior living communities face specific challenges with these new requirements.

Staff turnover complicates IAM. Senior living has among the highest employee turnover rates in any industry. If former staff accounts are not deprovisioned within days of departure, the community has an active IAM deficiency that a carrier can point to during a claim investigation.

Legacy systems are common. Many communities run clinical applications, building management systems, or nurse call platforms on older operating systems or hardware that no longer receives security updates. Each of these is a potential coverage exclusion trigger.

Documentation gaps are the norm. Most operators have some security controls in place but cannot produce the documentation that carriers now require. MFA may be enabled, but there is no export showing which accounts have it active. Backups may be running, but there is no log showing when the last test restoration was performed. The controls exist, but the evidence does not.

What Operators Should Do Before Their Next Renewal

Pull your policy renewal date and review your current coverage limits and exclusions. Many operators auto-renew without reading the updated terms. The 2026 policy you are about to renew may have new exclusions that did not exist in 2025.
Compile an evidence package now, not during the renewal process. Gather MFA enrollment reports, EDR deployment status, backup test logs, your written incident response plan, and access review documentation. If any of these do not exist, you have identified gaps that need to be closed before renewal.
Audit for unsupported systems. Identify any workstations, servers, or connected devices running operating systems or software past their end-of-support date. These are both security vulnerabilities and insurance coverage risks.
Ask your IT provider for a carrier-ready documentation package. A compliance-focused managed service provider should be able to produce the documentation your carrier requires from existing monitoring and management tools. If your provider cannot produce this evidence, that tells you something about the maturity of the security controls in place.
Review your coverage limits against actual exposure. A $1 million policy may have been adequate three years ago. With the average healthcare breach now costing $10 million and HIPAA penalties reaching $2.1 million per violation, your coverage may need to increase.

The Bottom Line

Cyber insurance is no longer a substitute for security. It is a verification mechanism. Carriers are using the underwriting process to enforce the same controls that HIPAA, OCR, and state regulators require. Organizations that cannot demonstrate these controls will pay more for less coverage, and they may discover at the worst possible moment that their policy does not cover the incident they are experiencing.

If your carrier asks for proof of MDR and you cannot produce it, they can deny your claim. That is the new reality for 2026.