Cyber Insurance and DMARC: What Underwriters Actually Want to See
Cyber-insurance underwriters now read your DMARC policy tag, MFA scope, and EDR roster. Here is what a 2026 renewal questionnaire asks and how to prepare.
TL;DR
Cyber-insurance renewal questionnaires in 2026 ask for your DMARC policy tag, MFA scope, EDR roster, and encryption coverage. Underwriters want objective signals that you know what you’re doing, and DMARC is the cheapest one to verify from the outside. Below: the categories that matter, the answers that get rewarded, and the 60-day pre-renewal review we run for clients.
What’s on a 2026 application?
The 2020 questionnaire was a ten-line form. The 2026 version is six to twelve pages, because underwriters lost serious money on ransomware and BEC claims between 2020 and 2023.
DMARC posture. Record present, p= value, pct=, subdomains covered with sp=, and where the rua= aggregate reports go. “Yes we have DMARC” stopped being an answer in 2024.
MFA enforcement. Scope, not presence. Percentage of users enforced, admin accounts with phishing-resistant MFA, legacy authentication blocked.
EDR, not just AV. Product name, deployment percentage, who reads the alerts.
Full Disk Encryption. Every laptop, recovery keys escrowed centrally.
Backup posture. Frequency, retention, immutability, last-tested restore date.
Incident-response plan. Existence, last-rehearsed date, named roles.
Why DMARC is the checkbox underwriters can’t skip
Most answers are aspirational. “Yes we have an IR plan” can mean a quarterly tabletop exercise or a Word document from 2019. Underwriters can’t tell the difference without an audit.
DMARC is different. Verifiable from outside the organisation in 30 seconds. The underwriter reads the TXT record at _dmarc.yourdomain.co.za and sees the policy tag. p=reject is p=reject. No room for marketing language.
An organisation sitting at p=reject with managed reporting almost certainly patches endpoints, enforces MFA, and tests its restores. Underwriters use DMARC posture as a shorthand for whether you run a tight ship.
The flip side: p=none at renewal tells them you’ve known about email authentication for years and decided not to bother. Premium up. Deductible up. Some carriers decline outright on p=none for legal, accounting, and financial-advisory firms.
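The 30-second check above, written out as a script. This is an added example for this article, not OSH tooling: it reads the TXT record at _dmarc.<domain>, applies the RFC 7489 defaults for sp= and pct=, and lists exactly the things the questionnaire marks down (p=none, a partial pct=, a weaker subdomain policy, no rua= destination). The record strings in the usage are constructed; the optional lookup() assumes the third-party dnspython package is installed.

```python
"""Assess a DMARC record the way an outside reviewer does: read the tags, apply
the RFC 7489 defaults, and list what an underwriter would flag.

Added example for this article, not OSH tooling. Sample record strings are
constructed; a live one comes from `dig +short TXT _dmarc.<domain>` or lookup().
"""
from dataclasses import dataclass, field
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    present: bool
    policy: Optional[str] = None            # p= tag
    subdomain_policy: Optional[str] = None  # sp= tag; defaults to p=
    pct: int = 100                          # pct= tag; defaults to 100
    rua: list = field(default_factory=list)       # aggregate-report destinations
    findings: list = field(default_factory=list)  # what the questionnaire would mark down

    @property
    def enforcing(self) -> bool:
        """True only when org domain and subdomains are quarantine/reject at 100%."""
        return (self.present
                and self.policy in ("quarantine", "reject")
                and self.subdomain_policy in ("quarantine", "reject")
                and self.pct == 100)


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:a@b' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # split on the first '=' only
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(record: Optional[str]) -> DmarcAssessment:
    if not record:
        return DmarcAssessment(present=False, findings=["no TXT record at _dmarc.<domain>"])
    tags = parse_tags(record)
    result = DmarcAssessment(present=True)
    if tags.get("v", "").upper() != "DMARC1":
        result.present = False
        result.findings.append("record does not begin with v=DMARC1; receivers ignore it")
        return result

    policy = tags.get("p", "").lower()
    if policy in VALID_POLICIES:
        result.policy = policy
    else:
        result.findings.append(f"p= tag missing or invalid: {tags.get('p')!r}")

    # sp= covers subdomains; when absent it inherits p= (RFC 7489 section 6.3).
    sub = tags.get("sp", policy).lower()
    if sub in VALID_POLICIES:
        result.subdomain_policy = sub
    elif "sp" in tags:
        result.findings.append(f"sp= tag invalid: {tags['sp']!r}")

    # pct= is the share of failing mail the policy is applied to; default 100.
    try:
        result.pct = int(tags.get("pct", "100"))
    except ValueError:
        result.findings.append(f"pct= tag not an integer: {tags['pct']!r}")
    if not 0 <= result.pct <= 100:
        result.findings.append(f"pct= out of range: {result.pct}")

    result.rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

    # The things the renewal form actually scores.
    if result.policy == "none":
        result.findings.append("p=none: monitoring only, nothing is enforced")
    if result.policy in ("quarantine", "reject") and result.pct < 100:
        result.findings.append(f"pct={result.pct}: policy applies to only {result.pct}% of failing mail")
    if (result.policy and result.subdomain_policy
            and STRENGTH[result.subdomain_policy] < STRENGTH[result.policy]):
        result.findings.append(f"sp={result.subdomain_policy} is weaker than p={result.policy}")
    if not result.rua:
        result.findings.append("no rua= destination: nobody receives aggregate reports")
    return result


def lookup(domain: str) -> Optional[str]:
    """Fetch the live record. Assumes the third-party dnspython package is installed."""
    import dns.resolver  # pip install dnspython
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    for rdata in answers:
        txt = "".join(s.decode() for s in rdata.strings)
        if txt.upper().startswith("V=DMARC1"):
            return txt
    return None


if __name__ == "__main__":
    for sample in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=none"):
        a = assess(sample)
        print(sample, "->", "enforcing" if a.enforcing else "not enforcing", a.findings)
```

Note that `enforcing` is deliberately stricter than "p=reject": a record with p=reject but sp=none or pct=50 still leaves a gap that the underwriter reading the raw TXT record will see, so the script flags it the same way.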
What MFA posture underwriters want
For Microsoft 365:
Business Premium minimum. Business Standard doesn’t include Conditional Access or Defender for Office 365 Plan 1. If the questionnaire asks about Conditional Access and you’re on Standard, you can’t honestly say yes.
Legacy auth blocked. Basic auth, IMAP, POP3, SMTP AUTH disabled at the tenant level.
MFA on 100% of users. 95% is no longer good enough.
Phishing-resistant MFA on admins. FIDO2 keys or Windows Hello for Business. Push-bombing attacks against authenticator-app push are routine. Admins on push-only MFA are flagged on most 2026 questionnaires.
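The "scope, not presence" numbers can be pulled from the tenant rather than estimated. The script below is an added example for this article, not OSH tooling and not Microsoft code: it reads Entra ID's user-registration-details report through Microsoft Graph and reduces it to the lines the questionnaire asks for (percentage of users with MFA registered, which admins hold a phishing-resistant method, which admins are still on push only). The endpoint and field names follow the Graph v1.0 reports/authenticationMethods/userRegistrationDetails resource as I understand it; treat them as an assumption and confirm against the Graph reference before relying on them. The sample rows are constructed so the summary runs offline.

```python
"""Turn Entra ID's user-registration-details report into the MFA numbers a
renewal form asks for: share of users with MFA registered, and which admins
hold a phishing-resistant method versus push-only.

Added example for this article, not OSH tooling and not Microsoft code. Endpoint
and field names follow the Graph v1.0 userRegistrationDetails resource as I
understand it (assumption: verify against the Graph reference). Sample rows are constructed.
"""
import json
import urllib.request

GRAPH_URL = ("https://graph.microsoft.com/v1.0/reports/authenticationMethods/"
             "userRegistrationDetails")

# Credentials bound to the origin, so a proxy phishing page cannot replay them.
# Method names as they appear in methodsRegistered (assumption).
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}
PUSH_METHODS = {"microsoftAuthenticatorPush"}

# Constructed sample in the shape of the report's "value" array.
SAMPLE_ROWS = [
    {"userPrincipalName": "alice@example.com", "isAdmin": True, "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@example.com", "isAdmin": True, "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "carol@example.com", "isAdmin": False, "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "dave@example.com", "isAdmin": False, "isMfaRegistered": False,
     "methodsRegistered": []},
]


def fetch_rows(token: str) -> list:
    """Page through the live report with a bearer token (needs AuditLog.Read.All)."""
    rows, url = [], GRAPH_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return rows


def summarise(rows: list) -> dict:
    """Reduce report rows to the questionnaire's MFA lines, with names for the gaps."""
    total = len(rows)
    without_mfa = [r["userPrincipalName"] for r in rows if not r.get("isMfaRegistered")]
    admins = [r for r in rows if r.get("isAdmin")]
    resistant, not_resistant, push_only = [], [], []
    for r in admins:
        methods = set(r.get("methodsRegistered", []))
        if methods & PHISHING_RESISTANT:
            resistant.append(r["userPrincipalName"])
        else:
            not_resistant.append(r["userPrincipalName"])
            if methods & PUSH_METHODS and not methods - PUSH_METHODS:
                push_only.append(r["userPrincipalName"])
    registered = total - len(without_mfa)
    return {
        "users_total": total,
        "mfa_registered_pct": round(100.0 * registered / total, 1) if total else 0.0,
        "users_without_mfa": without_mfa,
        "admins_total": len(admins),
        "admins_phishing_resistant": resistant,
        "admins_not_phishing_resistant": not_resistant,
        "admins_push_only": push_only,
        # The bar the article sets: 100% of users, every admin phishing-resistant.
        "questionnaire_pass": total > 0 and not without_mfa and not not_resistant,
    }


if __name__ == "__main__":
    # Swap SAMPLE_ROWS for fetch_rows(token) to run against a real tenant.
    print(json.dumps(summarise(SAMPLE_ROWS), indent=2))
```

The lists of names matter as much as the percentages: "95%" on the form is not actionable, while "dave has no MFA and bob is push-only" is a remediation ticket.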
What endpoint posture underwriters want
EDR, not AV. Microsoft Defender is acceptable on a 100% Windows fleet on Business Premium. Bitdefender GravityZone EDR, CrowdStrike Falcon, and SentinelOne are acceptable everywhere. Plain antivirus alone is not acceptable for any organisation above ten employees.
For mixed fleets, the underwriter-friendly answer is one EDR covering Windows, macOS, and Linux.
FDE on every laptop. BitLocker on Windows, FileVault on macOS. The questionnaire asks where recovery keys live and whether they’ve been tested. Default-enabled BitLocker without escrowed keys is marked “no.”
How the OSH stack holds up
DMARC at p=reject with managed reporting answers four lines on the questionnaire. Microsoft 365 Business Premium with Conditional Access, full MFA and Defender for Office 365 answers another four to six. Bitdefender GravityZone EDR across the fleet answers four to six more.
In 2024 and 2025 we watched renewal premiums hold flat or drop slightly for clients with documented p=reject and EDR coverage, while the rest of the market was eating double-digit increases.
What to do before renewal
Sixty days. Most gaps take 30 to 60 days to close cleanly. Walking DMARC from p=none to p=reject with a messy sender estate is an 8-to-12-week job. Nothing here is a 24-hour fix.
Our 60-day review walks the questionnaire line by line, collects the evidence where the answer is solid, and agrees a remediation plan where it isn’t. The client walks into renewal with documented proof. The underwriter prices accordingly.
The failure mode we see most often: the call the week before renewal asking what we can fix. The honest answer is “not much.”
Use the form on our contact page and ask for a pre-renewal posture review. Include your renewal date. Don’t walk into renewal with p=none and “we have antivirus.” That is the single most expensive answer in the room.