In November 2024, ransomware operators breached Laborers' International Union of North America Local 1184. The data they exfiltrated included Social Security numbers, membership numbers, and member work dispatch records — the operational data that makes a local function. Notification letters went out the following March. The local handled it, but the incident is a useful reminder: ransomware crews don't care whether you run a Fortune 500 or a regional union local with three administrative staff. They care whether your data is exfiltrable and whether you'll pay.
The same logic applies to a fifteen-provider medical group, a Taft-Hartley health and welfare fund, a joint apprenticeship committee, a community clinic. If you hold member or patient data and you don't already have cyber insurance, you should. If you already have it, you're about to have a harder renewal than last year.
What changed
Cyber insurance used to be relatively easy to buy. A questionnaire, some attestations, a check, done. That model is gone.
Two things broke it. The first is claims data. Coalition's 2024 cyber claims analysis found that the vast majority of denied insurance claims — roughly 82% — involved organizations that hadn't actually implemented multi-factor authentication. Ransomware kept paying out for the attackers: FinCEN's most recent trend analysis covering Bank Secrecy Act data found roughly $734 million in ransomware-linked payments flowing through U.S. financial institutions in 2024. Insurers, like any other business, eventually responded to the math.
The second is verification. Carriers used to take your word for it. They no longer do. Industry reporting in 2025 and 2026 suggests roughly three of every four cyber carriers now run external attack-surface scans during underwriting: they look at your domain, exposed services such as RDP or VPN portals reachable from the internet, mail authentication records (SPF, DKIM, DMARC), and leaked credentials on the dark web, and they compare that picture to what you said on the application. S&P Global Ratings has projected 15 to 20 percent premium growth for the cyber market in 2026, even for organizations with no claims history.
For unions and healthcare practices, this matters in a specific way: the questionnaire is no longer a paperwork exercise. It's a technical audit, and the answers you give become the standard against which any future claim will be judged.
The five controls underwriters want to see
The current list of expectations is short and consistent across major carriers.
Enforced multi-factor authentication, everywhere. Email, VPN, remote desktop, every cloud console, every administrative account. The word "enforced" matters. MFA that's available but optional doesn't count. Phishing-resistant methods — hardware keys, FIDO2 — are increasingly preferred over SMS or app codes. Microsoft's own data puts MFA's ability to block account compromise attacks above 99 percent.
Endpoint detection and response on every endpoint. Legacy antivirus is no longer accepted as evidence. EDR — or its managed variant, MDR — watches behavior in real time and can isolate a compromised device automatically. Carriers want it on workstations *and* servers, and they want to see agent health reports, not just an installation count.
Immutable, tested backups. Three-two-one (three copies of the data, on two different media, with one copy off-site or offline) is the floor. Immutability, meaning backups that cannot be altered or deleted by an attacker who is already inside the environment, even one holding the backup administrator's credentials, is the new floor above the floor. And the backups must be tested. A backup you've never restored from is not a backup; it's a hope.
A written incident response plan with a real tabletop on file. Carriers ask whether you have a plan. The harder question they ask next is whether you've ever practiced it. A tabletop exercise — a structured walkthrough where leadership, IT, and counsel work through a simulated incident — is what separates a real plan from a Word document nobody has opened.
A documented patch program. Critical patches within 15 days, high-severity within 30. Compensating controls when you can't patch — medical devices certified to specific firmware are the canonical example. The point isn't perfection. The point is that you can show your cadence.
New for 2026
A handful of items have been added to most applications in the last twelve months and are worth flagging.
AI tooling. Underwriters want to know what AI tools your organization uses, how you vet AI vendors, and what data flows through them. If your dispatch desk is piping member records through a third-party AI scheduling tool, or your front office is using an ambient scribe in patient rooms, your underwriter is going to ask.
Deepfake and voice-clone controls. Wire fraud powered by synthetic voice is now common enough that insurers ask about it explicitly. Out-of-band verification for any payment instruction above a defined dollar threshold is the floor — usually a callback to a known number, not the number on the request.
Third-party risk. The MOVEit and Change Healthcare incidents put supply chain breaches back on every underwriter's mind. Expect questions about your vendors, your business associate agreements, and what would happen if your billing service, IT MSP, or cloud EHR went dark for two weeks.
The trap most organizations miss
Here is the part that doesn't show up clearly until it's too late: carriers are now using their own forensic teams to deny claims when the controls a policyholder attested to weren't actually enforced at the time of the incident.
It works like this. An organization completes its application and answers honestly *based on what they believe is true*. MFA: yes. EDR: yes. Backups: yes. Six months later there's a business email compromise. The forensic team comes in and finds that MFA was enabled in the tenant but not enforced on one legacy VPN account. Or EDR was deployed on the laptops but not on the file server that got encrypted. Or backups ran nightly, but the immutability flag had been turned off six months ago when a vendor was troubleshooting something.
The claim doesn't get denied because the breach happened. It gets denied because the gap between what was attested and what was true is now documented.
The fix is unglamorous: before you fill out the application, build what underwriters call a proof packet. Screenshots of MFA enforcement policies, with scope visible. EDR coverage reports by device, with stale or unhealthy agents flagged and remediated. Backup logs with successful restore tests dated within the last 90 days. Your written IR plan with a recent tabletop walkthrough attached. Training completion records for the last twelve months. Short, written compensating-control memos for anything that doesn't meet the standard, with a remediation date.
A managed IT partner who can't produce these on request is itself a gap.
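The proof packet is easier to keep honest if the reconciliation is scripted rather than screenshotted. The script below is an added example, not from this article or from any carrier's or vendor's tooling. It checks for each failure mode described above (an inventoried server with no EDR agent, a laptop whose agent has gone silent, an account on a service where MFA is enabled but not enforced, a backup job with immutability switched off, a restore test older than 90 days) and for the 15/30-day patch cadence from the controls list, using small CSV exports embedded inline. Every row, every column name, the thresholds and the 2026-03-01 review date are constructed assumptions; real EDR, identity and backup consoles export different schemas, so the loader is the part you adapt.

```python
"""Proof-packet gap check (added example, constructed data throughout).

Reconciles what an application attests to against exports from the systems a
forensic team would actually inspect after a claim. Column names and all rows
are assumptions for illustration, not any vendor's real export format.
"""
import csv
import io
from datetime import date

AS_OF = date(2026, 3, 1)                       # assumed date the packet is assembled
STALE_AGENT_DAYS = 7                           # agent silent longer than this is unhealthy
RESTORE_TEST_MAX_AGE_DAYS = 90                 # "restore tests dated within the last 90 days"
PATCH_SLA_DAYS = {"critical": 15, "high": 30}  # the stated cadence

# Constructed asset inventory, as the MSP might hand it over.
ASSETS_CSV = """hostname,role
LAPTOP-01,workstation
LAPTOP-02,workstation
FS01,server
DC01,server
"""
# Constructed EDR console export. FS01 is missing entirely; LAPTOP-02 is stale.
EDR_CSV = """hostname,last_seen
LAPTOP-01,2026-02-28
LAPTOP-02,2026-02-10
DC01,2026-03-01
"""
# Constructed per-service account list. MFA is on for M365 but not enforced on the VPN.
ACCOUNTS_CSV = """account,service,mfa_enforced
jdoe,vpn,true
svc-legacy,vpn,false
jdoe,m365,true
svc-legacy,m365,true
"""
# Constructed backup job log. One job lost its immutability flag; the last restore test is old.
BACKUPS_CSV = """job,date,immutable,restore_tested
nightly,2026-02-28,true,false
nightly,2026-02-27,false,false
restore-test,2025-10-01,true,true
"""
# Constructed open-finding list from the patch program (ids are placeholders, not real CVEs).
PATCHES_CSV = """id,severity,published,patched
ticket-101,critical,2026-02-01,
ticket-102,high,2026-02-15,2026-02-20
ticket-103,high,2026-01-15,
ticket-104,medium,2025-12-01,
"""


def load(text):
    """Parse an embedded CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def edr_gaps(assets, edr, as_of=AS_OF, stale_days=STALE_AGENT_DAYS):
    """Every inventoried host needs an agent that reported recently.
    Returns {hostname: reason}; an empty dict means the attestation holds."""
    last_seen = {r["hostname"]: date.fromisoformat(r["last_seen"]) for r in edr}
    gaps = {}
    for row in assets:
        host = row["hostname"]
        if host not in last_seen:
            gaps[host] = "no EDR agent"
        else:
            silent = (as_of - last_seen[host]).days
            if silent > stale_days:
                gaps[host] = f"agent stale ({silent} days)"
    return gaps


def mfa_gaps(accounts):
    """(account, service) pairs where MFA is not enforced. Enabled-but-optional is a gap."""
    return [(r["account"], r["service"]) for r in accounts
            if r["mfa_enforced"].strip().lower() != "true"]


def backup_gaps(backups, as_of=AS_OF, max_age=RESTORE_TEST_MAX_AGE_DAYS):
    """Immutability must hold on every job and a restore test must be recent."""
    findings = [f"job {r['job']} on {r['date']} not immutable"
                for r in backups if r["immutable"].strip().lower() != "true"]
    tests = [date.fromisoformat(r["date"]) for r in backups
             if r["restore_tested"].strip().lower() == "true"]
    if not tests:
        findings.append("no restore test on record")
    else:
        age = (as_of - max(tests)).days
        if age > max_age:
            findings.append(f"last restore test is {age} days old (limit {max_age})")
    return findings


def patch_gaps(patches, as_of=AS_OF, sla=PATCH_SLA_DAYS):
    """Open findings past the SLA for their severity. Returns {id: days_overdue}."""
    overdue = {}
    for r in patches:
        limit = sla.get(r["severity"].strip().lower())
        if r["patched"] or limit is None:
            continue  # closed, or below the severities the SLA tracks
        open_days = (as_of - date.fromisoformat(r["published"])).days
        if open_days > limit:
            overdue[r["id"]] = open_days - limit
    return overdue


def proof_packet(as_of=AS_OF):
    """Run every check; 'can_attest' is True only when all of them come back clean."""
    report = {
        "edr": edr_gaps(load(ASSETS_CSV), load(EDR_CSV), as_of),
        "mfa": mfa_gaps(load(ACCOUNTS_CSV)),
        "backup": backup_gaps(load(BACKUPS_CSV), as_of),
        "patch": patch_gaps(load(PATCHES_CSV), as_of),
    }
    report["can_attest"] = not any(report[k] for k in ("edr", "mfa", "backup", "patch"))
    return report


if __name__ == "__main__":
    for control, result in proof_packet().items():
        print(f"{control}: {result}")
```

Every non-empty finding it prints is a line the carrier's forensic team would otherwise find for you after the incident. Keep the exports it consumed next to its output, dated; that pair is the proof-packet entry, and rerunning it before each renewal is cheaper than a denied claim.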
A 90-day prep cycle
If your renewal is more than three months out, the practical approach is straightforward.
In the first 30 days, do a gap inventory. Pull last year's questionnaire if you have one, or a sample from your broker if you don't. Score yourself honestly: green where you can prove it, yellow where you have it but can't prove it, red where it doesn't exist.
In days 30 to 60, close the highest-impact red items. MFA on every privileged account, EDR coverage on every endpoint including servers, and a backup immutability check are the three that move the needle most.
In days 60 to 90, assemble the proof packet and run a tabletop. If you've never done a tabletop exercise before, your incident response counsel or your IT MSP can usually facilitate one in an afternoon. The first one is awkward. The second one is useful. By the third, the organization actually knows what it would do.
Before your next renewal email
The cyber insurance market in 2026 is doing what other lines of insurance did to flood and earthquake coverage decades ago: pricing risk more precisely and walking away from risk it can't price. Organizations that can demonstrate their controls — not just claim them — will pay meaningfully less than organizations that can't. The gap between the two groups is widening, not narrowing.
The questionnaire is no longer a paperwork exercise. Treat it as a self-audit and do it before your broker calls. The gaps you find on your own are always cheaper to close than the gaps a forensic team finds for you.