Why cyber insurance carriers are denying claims and how to stay covered.

The cyber insurance market in 2026 is fundamentally different from the market that existed even three years ago. Cities and counties that renewed cyber policies in 2022 with simple questionnaires now face evidence-based underwriting that more closely resembles a security audit than an insurance application. Premiums are rising. Coverage is narrowing. Claims are being denied. And the cities most affected are often the ones that thought they were doing fine.

This briefing covers what changed, why it changed, the specific reasons claims are now denied, the control checklist underwriters expect in 2026, and how to prepare for your next renewal so the policy you pay for is actually there when you need it.

Section 01What Changed and Why

From 2017 through 2022, cyber insurance was a growth market. Premiums grew thirty percent or more annually. Underwriting was loose. Carriers competed on price. A questionnaire was often the entire underwriting process. If you checked yes to having anti-virus and a firewall, you got coverage. Multi-factor authentication was nice to have, not required.

Then ransomware happened at scale. Carriers paid out billions on claims they had not priced correctly. Cyber insurance industry payouts reached $7.8 billion in 2025 alone. Reinsurers, the companies that insure insurance companies, demanded higher security standards from the primary carriers. The primary carriers, in turn, tightened their requirements for the insureds.

Today, cyber insurance functions less as risk transfer and more as verification. The product still exists, the claims still pay out, but the carrier wants to verify, in detail, that the policyholder has the controls they claimed to have. The shift from questionnaire-based to evidence-based underwriting is the central fact of the 2026 market.

Section 02Why This Matters Specifically for Cities

Most American cities now carry cyber insurance, often through municipal insurance pools. The League of Minnesota Cities Insurance Trust (LMCIT) covers cyberrisk for Minnesota municipalities. Similar pools serve cities and counties in Wisconsin, Texas, California, and most other states. State-specific carriers and commercial insurers cover the rest.

Whatever the structure, the consequences of the tightened market hit municipal budgets the same way:

• Premium increases of 30 to 100 percent are now routine for cities that cannot demonstrate baseline controls. S&P Global Ratings forecasts a further 15 to 20 percent premium increase across the cyber insurance market in 2026.
• Coverage exclusions are expanding. Many policies now exclude ransomware coverage entirely if certain controls are missing, exclude AI-related incidents under broad language, and exclude state-attributed attacks more aggressively (the post-NotPetya war-exclusion litigation tightened these clauses).
• Surplus lines forced placement. Some cities cannot get coverage in the standard market and are forced into surplus lines markets where premiums are typically two to three times the standard rate.
• Carrier exit. Some carriers have exited the municipal cyber market entirely, reducing competition and further raising prices for the cities that remain.

The compound effect is that cities now spend significantly more for less coverage than they did three years ago. The smart municipal posture is to treat insurance and security investment as the same problem with two visible outputs (lower premium plus higher resilience), not as separate budget categories.

Section 03The Common Reasons Claims Get Denied

The denial reasons cluster into a small number of categories, and the patterns are consistent enough across carriers and incidents to be predictable.

1. MFA misrepresentation. The single largest category. The application asked whether MFA was enforced on remote access, the city checked yes because MFA was enabled on email, but the VPN account the attackers used did not have MFA. The carrier treats this as material misrepresentation and denies the claim. There is documented case law on this: in the recent International Control Services v. Travelers matter, Travelers denied coverage after discovering MFA was implemented on the firewall but not on the remote-access system the attackers actually used. A January 2026 case involved a mid-size accounting firm whose ransomware claim was denied for over $300,000 because the controls reported on the application were not actually enforced when the attack occurred.

2. EDR not actually deployed. The application asked whether EDR was deployed on all endpoints. The city checked yes because the IT director assumed everyone had it. The actual deployment covered managed laptops but not the dispatch consoles, the SCADA workstations, or the half-dozen older machines nobody had touched in two years. The carrier denies based on the gap between attestation and reality.

3. Backups not tested. The application asked whether backups were tested regularly. Backups existed. They had never actually been restored under realistic conditions. When the incident occurred, the restore failed for technical reasons that would have been obvious in a test. Carrier denies because untested backups are equivalent to no backups for underwriting purposes.

4. No incident response plan, or a plan that was not followed. The application asked whether a written IR plan existed. A document existed. Nobody followed it during the incident. Notifications were missed. Decisions were improvised. The carrier reviews the response and finds material deviations from the attested plan.

5. Privileged access management gaps. Domain administrator credentials were used by ordinary admin tasks, the privileged accounts had no MFA or were shared, and the attackers used these accounts for lateral movement. The application attested to PAM but the actual posture did not match.

6. Patch management failures. A known vulnerability with a published patch was the entry vector. The patch had been available for months. The application attested to a patch management policy. The reality did not match the attestation.

7. Late notification to the carrier. Most policies require notification within 24 to 72 hours of incident discovery. Cities that wait three or four days while trying to figure out what happened often discover that the late notification alone is grounds for denial.

Section 04Real Cases Worth Knowing

The denials below are documented matters. They are not isolated incidents. They represent the standard underwriting response to control gaps in 2025 and 2026.

Mid-market manufacturer, late 2025. Suffered a ransomware attack. Attacker gained access through a VPN account that did not have MFA enabled. Carrier denied a $2.3 million claim citing material misrepresentation: the application had attested that MFA was enforced on all remote access. One account was missed. One was enough.

Mid-size accounting firm, January 2026. Ransomware claim denied for over $300,000 because the controls reported on the application were not actually in place when the attack occurred. The firm faced full recovery costs from operating funds with no insurance recovery.

158-year-old company, 2024. Permanently closed after a ransomware attack traced to a single guessed password on an account that had no MFA. The business had insurance. The claim was disputed. The recovery costs were unmanageable. The company did not survive the dispute.

For cities specifically, the same patterns appear. The denials may take longer to surface publicly because municipalities frequently settle insurance disputes confidentially. But the underwriting patterns and denial reasons are identical.

Section 05The Control Checklist Underwriters Now Require

Across the major carriers, the controls expected in 2026 have converged. Not every carrier asks for every item, but the overlap is substantial enough to function as a single checklist.

1. MFA enforced on all accounts. Email, VPN, RDP, cloud platforms, administrative accounts. Phishing-resistant where possible. "Available" is not enough. "Enforced" is the standard, with documentation.
2. EDR or MDR on every endpoint. Not just managed laptops. Dispatch consoles. SCADA workstations. Networked printers if they run a real OS. The endpoint inventory must match the EDR coverage report.
3. Tested, isolated/immutable backups. Documented restore tests. Backup environments themselves with MFA. Air-gapped or immutable architecture so ransomware cannot reach the backups.
4. Written incident response plan. Names by title. Decision tree. Communication strategy. Vendor contacts. Federal notification procedures. Tabletop-exercised at least annually.
5. Annual penetration testing. External and ideally internal. Findings tracked to remediation. Some carriers now offer or require their approved penetration testing vendors.
6. Tabletop exercises. Documented after-action reports (AARs) with date, scenario, participants by title, key decisions, and improvement actions.
7. Privileged access management (PAM). Separation between everyday accounts and privileged accounts. MFA on privileged access. Just-in-time elevation where possible. Logging.
8. Documented patch management. Policy, cadence, exception tracking. Most carriers ask specifically about critical patches and how long they take to deploy.
9. Security awareness training. Annual at minimum, with phishing simulations and documented completion rates.
10. SIEM/SOC monitoring, ideally 24/7. Either in-house or managed. Log retention. Alert review. The "is it actually monitored" question is increasingly explicit.

Section 06How to Pass Your Next Renewal

The cities that get reasonable renewal terms in 2026 share a preparation pattern. The cities that get punished share a different one.

Start 90 to 120 days before renewal, not the week before. A penetration test takes 2 to 4 weeks to schedule. A tabletop exercise needs 3 weeks of planning lead time. Closing real control gaps takes longer than the renewal cycle if you start late.

Build a proof packet before answering the questionnaire. The packet should include MFA enrollment exports from your identity provider (Azure AD, Okta, Duo, or whatever you use), showing total accounts, accounts with MFA enrolled, accounts exempted, and the business justification for any exemptions. EDR deployment reports from the EDR console, showing every endpoint covered with agent version and last check-in time. The number of agents must match the device count in your environment. Backup restore test logs with dates and outcomes. Tabletop after-action reports. Patch management tickets with completion timestamps. The IR plan as a current document.

Answer the application honestly. The biggest single factor in claim denials is misrepresentation, almost always honest misrepresentation rather than fraud. The IT director believed MFA was enforced everywhere. The reality was different. Honest misrepresentation voids coverage just as effectively as deliberate misrepresentation. If you do not have a control, do not check the box for it. Disclose the gap and any compensating control. Underwriters work with disclosed gaps. They do not work with discovered ones.

Close gaps before submitting. If the proof-packet exercise reveals a gap, fix it before you submit the application. The cost of remediation is almost always less than the cost of a denied claim or a punitive premium increase.

Section 07The 2026 Wrinkles

Beyond the standard control checklist, several emerging issues are reshaping policies in 2026.

AI exclusions. Many 2026 policies include exclusions for incidents triggered by employee use of unauthorized AI tools, or for losses caused by an organization's own AI systems. Cities deploying AI tools (and most are) should review whether their policy requires governance documentation to maintain coverage.

Foreign-produced hardware exclusions. The FCC's Covered List of foreign-produced telecommunications equipment is increasingly referenced in cyber underwriting. Cities buying new network equipment should consider supply chain provenance not just for security reasons but for insurance reasons.

Nation-state attack exclusions. Following the Merck and Mondelez NotPetya litigation, war and nation-state exclusion language has tightened. Lloyd's of London market guidance requires explicit exclusion of losses from state-backed attacks in many forms. Cities should review their policy language for what is and is not excluded under "act of war" or "state-backed" definitions.

Vendor security scrutiny. Insurers increasingly evaluate not just the insured city's controls but the controls of critical third-party vendors. SOC 2 reports from cloud and SaaS vendors. Documentation of vendor remote-access controls. Diligence reports on managed service providers. The vendor's security gap can become the city's insurance problem.

Section 08Municipal-Specific Considerations

Cities operating through insurance pools (LMCIT, similar) have somewhat different dynamics. Pool requirements often track major commercial carrier requirements but the pool may have additional state-specific or sector-specific terms. Read the pool guidance carefully each year.

Cities receiving SLCGP grants for cybersecurity investments often satisfy multiple requirements at once. The grant funds the controls. The controls satisfy the insurance underwriter. The insurance posture supports the budget request for the next year's grant cycle. We cover this dynamic in Briefing 008.

Regulatory disclosure obligations interact with insurance claims. State attorney general notifications, federal CISA reporting, and FBI engagement all create paper trails the insurance carrier will reference. Cities that handle these well during incidents typically have smoother claims experiences.

Section 09How OneCyberShield Aligns with the 2026 Insurance Posture

The OneCyberShield product stack maps directly to controls 1 through 4, 6, 8, and 10 in the underwriter checklist above. Network Defense covers segmentation and supports the vendor remote-access controls. Endpoint Protection delivers EDR coverage that matches what carriers expect. Immutable Backup & Recovery delivers the air-gapped, tested backup architecture insurers now require. The Threat Intelligence and SOC Platform provides the 24/7 monitoring, audit-ready logging, and documentation that underwriters increasingly demand as evidence rather than attestation.

Each deployment includes the documentation packet your IT team needs for the proof-packet approach to renewal: MFA enrollment exports, EDR coverage reports, backup test logs, monitoring dashboards. The goal is for the renewal questionnaire to be a documentation exercise rather than a guessing exercise.

Section 10The Bottom Line

Cyber insurance in 2026 is no longer about transferring risk. It is about proving you have already reduced it. Cities that can produce documented controls get reasonable rates and clean coverage. Cities that cannot pay punitive premiums, accept exclusions, or go without coverage altogether.

The math is straightforward. The cost of implementing the underwriter checklist is generally a fraction of the premium difference between compliant and non-compliant postures, even before considering the actual claim outcomes. The question is not whether to invest in the controls. The question is whether to invest before or after the renewal letter arrives. Investing before is much cheaper.

For the underlying threat data driving these underwriting changes, see Briefing 006. For the operational controls themselves, see Briefing 007. For the federal funding to help close the gaps, see Briefing 008.