Cyber Insurance Renewal Checklist 2026: 90-Day Playbook
Cyber insurance renewal checklist for 2026 — the 90-day prep playbook, the 8 controls that swing premium 20–40%, and the evidence that turns yes/no into proof.
Cyber insurance underwriting in 2026 has split into two tracks. Operators who walk into renewal with a documented evidence binder are seeing flat-to-improved premiums. Operators who arrive with a half-completed questionnaire and “we’ll get you the documentation soon” are seeing 40–100% premium increases or non-renewal, and are then forced into surplus lines markets where premium is 2–3× standard rates with worse terms.
The variable that decides which track you’re on is 90 days of preparation.
This is the playbook we run with every client facing a cyber insurance renewal in the next quarter. Companion to the parent guide on 2026 cyber insurance requirements and the MFA-specific deep dive. The MFA post answers “which factor, on which account, with what evidence.” This post answers “in what order, on what timeline, with what binder.”
Key Takeaways
- Start 90 days out. Not 30. The gap between 30-day and 90-day prep is the entire spread between flat-renewal and 40–100% premium increase.
- The evidence binder is the asset. Two firms with identical security postures price 30–50% apart at renewal based purely on documentation quality. The binder pays for the labor that built it on the first cycle.
- 8 controls drive ~95% of the underwriting decision — MFA, EDR, backups, email security, patching, IR plan, training, vendor risk. The other questions matter less than they appear.
- The math on going without coverage doesn’t work. Mid-market incidents run $1M–$4M typical; surplus lines run 2–3× standard premium; the controls remediation sprint is 10–20% of one year of surplus premium and reopens the standard market.
The 90-Day-Out Reality
Cyber underwriters are not adversarial — they are pricing risk against the evidence in front of them. Without evidence, they assume worst-case. With evidence, they price residual risk.
The 90-day timeline exists because each of the 8 control areas requires real time to inventory, close gaps, and document. MFA coverage takes 2–3 weeks to bring from “mostly deployed” to “100% with documented exceptions.” Service account inventory + compensating controls take a similar window. Backup restore testing with verified evidence takes 1–2 weeks. IR plan tabletops require scheduling executives and key vendors. The training completion reports need historical data pulls.
The 30-day-out playbook — pull last year’s binder forward, fill in this year’s questionnaire, send to the broker — used to work. It doesn’t in 2026. The questionnaires changed. The verification process changed. The premium math changed. The carriers who came in soft on 2022–2023 renewals are using 2026 as the catch-up year, and operators who didn’t notice are absorbing the catch-up cost.
The remainder of this post is the day-by-day sequence we run inside that 90-day window.
90 Days Out — The Inventory Pass
The first 30 days are an inventory pass across all 8 control areas. Goal: produce a controls gap analysis showing where you stand on each control vs. where the renewal will require you to stand.
1. MFA inventory
Pull the MFA coverage report from your identity provider (Microsoft Entra ID, Okta, Google Workspace). Tag every account by category — workforce, executive, admin, service, guest, shared. Identify every gap. The MFA deep-dive post covers what each carrier accepts by account type; use that as your target state.
2. EDR coverage
Pull the deployment report from your EDR vendor. Verify coverage across both workstations AND servers. Underwriters increasingly ask for this report by name; the gap that catches operators is server coverage. Legacy antivirus on a file server doesn’t satisfy the EDR question.
3. Backup architecture
Document the backup tier: where backups live, whether they’re immutable (cannot be deleted or encrypted by an attacker), whether they’re isolated from production credentials, and the last restore test date. If the last restore test is more than 90 days old, schedule one immediately — the questionnaire will ask.
4. Email security
Verify SPF/DKIM/DMARC are at policy=reject (not p=none or p=quarantine). Document advanced phishing protection (Microsoft Defender for Office 365, Mimecast, Proofpoint). Write down the wire-transfer verification protocol if one exists; build one if not.
5. Patching
Pull the patch management tool’s compliance report. Targets: critical patches within 14 days for workstations, 7 days for internet-facing systems. Identify systems chronically out of compliance and document the reason.
6. IR plan
Locate the written IR plan. Verify it has been tabletop-tested in the last 12 months. If it hasn’t, schedule a tabletop — even an internal one — and capture the after-action notes.
7. Training
Pull the security awareness training completion report for the last 12 months. Flag the workforce members who haven’t completed.
8. Vendor risk
Pull the BAA inventory (for healthcare practices), the third-party access list, and any vendor security attestations on file. For each high-access vendor, verify the BAA reflects the 2026 HIPAA Final Rule’s 24-hour breach notification timeline (if relevant). See our HIPAA compliance checklist for the broader healthcare framework.
At the end of week 4, you have a written gap analysis. Some controls are at 100% with documented evidence. Others have gaps. The next 30 days close them.
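As an added example (not from the original post or the BASG playbook), the check below parses a DMARC TXT record and reports whether it meets the email-security target from step 4, p=reject, including the pct= and sp= tags that often leave a record weaker than its p= tag suggests. The sample records are constructed and the mailto addresses are placeholders; a real check would pull the TXT record at _dmarc.<domain> from DNS.

```python
"""Evaluate a DMARC TXT record against the renewal target of p=reject."""

REQUIRED = "reject"
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records for illustration (not real domains).
SAMPLE_RECORDS = {
    "good": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=quarantine; pct=50",
    "weak_subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.invalid",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Return {'enforcing': bool, 'policy': str | None, 'findings': [str]}.

    'enforcing' is True only when p=reject applies to 100% of failing mail
    and subdomains are not explicitly given a weaker policy via sp=.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforcing": False, "policy": None,
                "findings": ["missing or invalid v=DMARC1 tag"]}
    gaps = []  # findings that block the p=reject target
    policy = tags.get("p", "").lower()
    if POLICY_RANK.get(policy, -1) < POLICY_RANK[REQUIRED]:
        gaps.append(f"p={policy or 'missing'} is below the p=reject target")
    pct = tags.get("pct", "100")  # below 100, only a sample of failing mail is policed
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct} exempts part of the failing mail from the policy")
    sub = tags.get("sp", "").lower()  # subdomain policy; inherits p= when absent
    if "sp" in tags and POLICY_RANK.get(sub, -1) < POLICY_RANK[REQUIRED]:
        gaps.append(f"subdomain policy sp={sub or 'missing'} is weaker than reject")
    notes = [] if "rua" in tags else ["no rua= address: no aggregate reports for the binder"]
    return {"enforcing": not gaps, "policy": policy or None, "findings": gaps + notes}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {evaluate_dmarc(rec)}")
```

The "good" record is the only one that satisfies the questionnaire's enforcement question; the others show the three ways a record that "has DMARC" still fails it.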
60 Days Out — Close the Gaps
Days 31–60 are remediation. The pattern matters: close gaps in order of risk-weighted priority, not in order of ease.
MFA gaps come first. A service account on a shared password is a higher-severity gap than a missing IR tabletop. Carriers will deny claims on the former; they’ll discount the renewal on the latter. Closure order:
- Privileged accounts — admin, executive, finance, IT — all on FIDO2 hardware keys or equivalent phishing-resistant MFA, with no trusted-device exceptions.
- Email + VPN + RDP universal MFA enforcement via conditional access policy with 100% coverage.
- Service account compensating controls — vault for credentials, IP allowlisting, certificate-based auth where possible, documented rotation cadence.
EDR gaps next. If servers aren’t covered, deploy now. The 30-day window is enough time to roll out modern EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint P2, Carbon Black) and get the deployment report to 100%. If 24/7 monitoring isn’t in place, contract an MDR provider — most can stand up coverage within 14 days.
Backups, then everything else. Restore-test the backups, document the test date and completeness, ensure immutability is configured at the storage layer (not just “we have backups, they’re somewhere”). Then work through the remaining controls in priority order: email security, patching, IR plan, training, vendor risk.
The deliverable at end of day 60: every control has a target state and evidence to demonstrate it, and any open gaps have written remediation plans with dates. This is the document you’ll show the broker.
30 Days Out — Document Everything
Days 61–90 are documentation. The binder.
Eight evidence sections, one per control:
- MFA — coverage report, conditional access screenshots, service account inventory, exception register
- EDR — deployment report, SOC/MDR contract or runbook, sample IR notes from last 12 months
- Backups — immutability architecture diagram, last restore test date with completeness verification, ransomware-resistance documentation
- Email security — SPF/DKIM/DMARC enforcement evidence, BEC controls, wire-transfer protocol
- Patching — patch tool report showing SLA compliance, exception register
- IR plan — written plan, last tabletop date with after-action notes, vendor escalation contacts
- Training — completion reports, attestation records, phishing-simulation trend
- Vendor risk — BAA inventory (healthcare), third-party access list, supplier security attestations
Each section is 3–10 pages. The full binder is typically 60–120 pages. That sounds heavy; in practice, most of the content is pulled from existing tooling — the work is collecting and labeling it, not creating it.
The binder is delivered to your broker, and through the broker to the underwriter when they request supporting evidence. Many carriers now invite operators to submit evidence proactively; do it.
Renewal Week — The Conversation With the Broker
By renewal week, the gap-closing work is done and the binder is built. The conversation with the broker is now about positioning — which carriers to target, which limits and retentions to negotiate, what the underwriting story sounds like.
Three positioning levers matter:
- Lead with the binder. Brokers move faster and more confidently when they have evidence to hand the underwriter. “Documented controls program” is a phrase that opens doors.
- Frame any remaining gaps as planned remediation, with dates. Underwriters discount future-state remediation if it’s specific and committed. Vague “we’re working on it” gets discounted hard.
- Ask the broker to shop the program. A documented program is worth shopping; carriers will compete for it. An undocumented program is a take-it-or-leave-it situation with whatever carrier currently holds the policy.
If you’re switching brokers because the current one is reactive rather than strategic, renewal year is the moment to switch. The right broker translates underwriter language into operational requirements and brings premium-negotiation leverage that an inexperienced broker doesn’t have.
What Happens When You Skip the Work
Two paths, both expensive:
Surplus lines. Specialty markets (Lloyd’s syndicates, London-market carriers, U.S. surplus lines) will write the coverage standard carriers declined — at 2–3× standard premium, often with materially worse terms (higher retentions, ransomware exclusions, BEC sublimits). Most denied applicants end up here. The math: a $40K standard policy becomes a $100K–$130K surplus policy with worse coverage.
Going naked. Operating without cyber coverage and accepting the risk on the balance sheet. For mid-market businesses, a major incident typically runs $1M–$4M including forensics, breach notification, OCR fines, lost revenue, and operational disruption. A serious ransomware event runs higher. The math doesn’t favor going naked even for short windows.
The right answer when you arrive at renewal with gaps: a 90–120 day controls remediation sprint, then re-approach the standard market with evidence of improvement. Standard carriers will re-quote a previously-declined applicant who demonstrates concrete remediation. Cost: usually 10–20% of one year of surplus-lines premium. BASG runs these sprints as fixed-bid engagements — see cybersecurity services and industry compliance for the operational layer.
The Bottom Line
Cyber insurance renewal in 2026 is a documented audit. The evidence binder is the asset. The 90-day timeline is the minimum to produce one well. The premium spread between documented and undocumented programs is 30–50% on identical underlying security postures.
For mid-market businesses approaching renewal in the next 90 days, the playbook above is the engagement we run. The work is not technically complex — it’s operational rigor on a calendar — but doing it well requires either internal capacity or a partner who has run it before. If you want help running this 90-day playbook, our team can help. We work with healthcare, professional services, and construction firms across South Florida and nationally, and we have run the renewal-prep cycle for clients ranging from $1M to $25M policy limits.