
Cyber Insurance Requirements for Small Businesses in 2026 — The Chicagoland Checklist to Avoid Denial | ANC Systems

Your cyber insurance renewal is coming up — or you’re applying for coverage for the first time — and the questionnaire looks nothing like last year’s. Carriers are now asking detailed questions about multi-factor authentication, endpoint detection, backup testing, and incident response documentation. For many Chicagoland small businesses, this is the first time they’ve realized that having “some antivirus and a firewall” no longer qualifies. If you can’t answer “yes” and prove it, your application is heading toward denial — or a premium that’s tripled.

This guide walks you through every control that underwriters actually require in 2026, explains what documentation they want to see, and shows you where Chicagoland businesses most often fail. Work through this checklist before your next application, and you’ll stop the denial before it happens.

· · ·

Why Cyber Insurance Got So Much Harder to Get

Until around 2022, cyber insurance for small businesses was essentially a checkbox exercise. Answer a few broad questions, pay a modest premium, and you were covered. That era is gone. Carriers absorbed billions in ransomware payouts — claims from businesses that had minimal security controls but were fully insured — and completely overhauled their underwriting models.

Today, insurers behave less like insurance companies and more like security auditors. They want specific technical controls in place and documented proof that those controls are actively enforced. The shift affects every business in DuPage, Cook, Will, and Kane counties, whether you’re a 12-person accounting firm in Naperville or a 150-person manufacturer in Joliet.

  • 73% of small businesses fail their cyber insurance assessment on first submission in 2026
  • 41% of applications denied outright — mostly for missing MFA and inadequate endpoint protection
  • 300%+ premium increase many SMBs face when security gaps are flagged but coverage is still issued
  • 204 days average time to detect a breach — far longer for businesses without active monitoring

The misrepresentation trap. If you answer “yes” on an application to a control you don’t actually have — and a breach occurs — the carrier will hire a forensic firm to audit your environment. If MFA wasn’t enabled on the account that was compromised, despite your application saying it was, the claim is denied on grounds of material misrepresentation. This is not a theoretical risk. It happens regularly. Answer accurately, then fix the gaps before your renewal date.

The controls below represent the current baseline underwriters expect in 2026. Think of each one as a gate. Miss a gate, and you either don’t get through the application or you pay a significantly higher premium for limited coverage.

· · ·

The 2026 Qualifying Controls — The Master Checklist

Five controls appear on virtually every carrier’s application in 2026. If you can’t answer “yes — and here’s the proof” to all five, address them before submitting. Below each control, we explain exactly what qualifies, what doesn’t, and what documentation carriers expect.

Control 01 — Universal Requirement

Multi-Factor Authentication (MFA)

MFA is the single most common reason for application denial. Missing MFA on even one category of account — remote access, admin accounts, email, cloud apps — is enough to trigger a declination or exclusion. Carriers don’t accept “we’re planning to implement it.” It must be active now.

What qualifies: Authenticator-app or hardware-key MFA enforced on all remote access (VPN, RDP), all email accounts, all admin and privileged accounts, and all cloud services including Microsoft 365 and any SaaS platforms. Conditional-access policies that prevent bypass.

What no longer qualifies: SMS text codes are increasingly flagged as insufficient by major carriers due to SIM-swapping vulnerabilities. If you’re still SMS-only, upgrade before your next renewal.

Application answer: “MFA is enforced via [authenticator app/hardware key] on all remote access, email, admin accounts, and cloud services. Conditional access policies prevent bypass. Evidence available: Entra ID / M365 policy screenshots, admin reports.”

Control 02 — Universal Requirement

Endpoint Detection & Response (EDR) — Not Antivirus

Legacy antivirus that runs signature scans is no longer accepted as a qualifying control by most carriers. EDR is behaviorally based — it watches what processes are actually doing in memory rather than matching known malware signatures — which means it catches novel ransomware and zero-day attacks that bypass antivirus entirely.

What qualifies: A managed EDR solution (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos Intercept X, or equivalent) deployed on 100% of endpoints — desktops, laptops, and servers. Unmanaged devices are a gap that carriers specifically look for.

What no longer qualifies: Windows Defender on its basic, unmanaged settings. Traditional antivirus products like Symantec Endpoint Protection (legacy version), McAfee VirusScan, and similar signature-only tools.

Application answer: “EDR deployed on 100% of endpoints via [product name]. Managed by [internal team / ANC Systems]. Evidence: deployment report showing all device coverage.”

Control 03 — Universal Requirement

Encrypted, Tested, Immutable Backups

Backups are your last line of defense after a ransomware attack. Carriers have seen too many claims where the backup existed but was also encrypted by the attacker (because it was accessible on the same network), or where the restore failed because it had never been tested. Both scenarios mean a full ransom payment — or a total data loss.

What qualifies: Automated backups running at minimum daily, stored in at least two locations (one offsite or cloud), encrypted at rest, and protected from ransomware overwrite (immutable storage, where files cannot be modified or deleted for a set period). Documented recovery tests — not just the assumption that backups work, but actual restore verification at least quarterly.

What no longer qualifies: Backups stored only on a local NAS or server that is accessible from the same network. Untested backups. Backups with no documented recovery time objective (RTO).

Our Data Backup Service and Disaster Recovery Services are built specifically to these carrier requirements, with immutable offsite storage and documented quarterly restore tests you can include in your insurance submission.

Application answer: “Daily automated backups. Stored in [offsite location + cloud]. Immutable storage enforced — files cannot be modified for [X] days. Restore tests conducted quarterly with documented results. RTO: [X hours].”

Control 04 — Universal Requirement

Formal Patch Management Process

Unpatched systems are the most exploited attack vector in ransomware and data breach cases. Carriers want to see that patches are applied systematically — not left to individual users or remembered when something breaks.

What qualifies: A documented, automated patch management process that applies OS patches and critical application patches within 14 days of release (some carriers require 30 days; the tighter window is preferred by underwriters). Coverage across all endpoints, servers, and network devices. Reporting that shows patch compliance rates.

What no longer qualifies: Relying on users to manually update their own machines. “We patch when we remember.” No documented process or compliance reporting.

This is a core component of ANC Systems’ Network Management — automated patching across all devices, with monthly compliance reports you can attach directly to your application.

Application answer: “Automated patch management via [RMM tool]. Critical patches deployed within 14 days. Patch compliance reports available showing [X%] compliance across [N] endpoints and [N] servers.”

Control 05 — Universal Requirement

Documented Incident Response Plan

An incident response plan (IRP) tells your team — and your insurer — exactly what happens in the first 24 hours after a breach: who is notified, who makes decisions, who calls the insurer, and how systems are isolated. Without a documented plan, the post-breach chaos that follows is more expensive for everyone.

What qualifies: A written IRP that defines roles and responsibilities, contact lists (internal team, IT provider, legal, insurer, law enforcement), communication protocols, system isolation procedures, and regulatory notification timelines. Evidence that the plan has been tested via a tabletop exercise.

What no longer qualifies: “We’d figure it out.” A plan that exists as someone’s memory. A plan that was written two years ago and never reviewed.

Application answer: “Documented IRP last reviewed [date]. Roles and responsibilities assigned. Tabletop exercise conducted [date]. Plan includes insurer notification protocol, system isolation procedures, and HIPAA/state breach notification timelines [if applicable].”

Beyond the universal five: depending on your industry, revenue, and carrier, you may also be evaluated on privileged access management (PAM), security awareness training completion rates, network segmentation, email filtering with anti-phishing, DNS/web filtering, and vulnerability scanning. The checklist table below covers all of these.

The Complete 2026 Carrier Checklist

Use this table to self-audit before submitting your application. “Required” means a missing control typically causes denial or a significant exclusion. “Preferred” means it affects your premium and coverage limits.

| Control | Status | Evidence Carriers Want |
|---|---|---|
| MFA on all remote access (VPN, RDP) | Required | Policy screenshot; access logs showing MFA enforcement |
| MFA on all email accounts (including shared mailboxes) | Required | M365/Google Workspace admin report showing MFA enabled for all users |
| MFA on all admin/privileged accounts | Required | Identity platform report; conditional access policies |
| EDR on 100% of endpoints (not legacy AV) | Required | EDR console deployment report; vendor certification |
| Automated, immutable backups with offsite/cloud copy | Required | Backup solution dashboard; storage policy documentation |
| Tested backup restores (documented, quarterly minimum) | Required | Signed restore test records with date, scope, and result |
| Formal patch management with compliance reporting | Required | RMM patch compliance report; documented patch SLA |
| Written Incident Response Plan | Required | IRP document with named roles, contacts, and review date |
| Privileged Access Management (least-privilege, no shared admin) | Preferred/Required (larger carriers) | AD/Entra role assignments; no shared admin password evidence |
| Email filtering + anti-phishing (DMARC, anti-spoof) | Preferred | Email gateway config; DMARC policy record |
| DNS/Web filtering | Preferred | Filtering solution name and deployment scope |
| Security awareness training (annual minimum, phishing simulations) | Preferred / Required for higher limits | Training platform completion report; phishing sim results |
| Network segmentation (separate guest/IoT/server VLANs) | Preferred / Required for manufacturing/healthcare | Network diagram showing segmentation |
| Vulnerability scanning (internal and external) | Preferred | Scan reports; remediation tracking |
| Written cybersecurity policy | Required for government/compliance-regulated industries | Signed policy document with last review date |

Start with MFA, EDR, and immutable backups. If your resources are limited, these three controls move the needle most with underwriters. Getting all three in place converts most “denied” applications into “approved at standard rate.” Everything else on the preferred list improves your premium and coverage limits.
· · ·

The Documentation Insurers Demand — and Most Businesses Can’t Produce

Here is where most Chicagoland SMBs actually fail. Not because the controls aren’t in place, but because they can’t prove they’re in place. Having MFA enabled means nothing to an underwriter if you can’t show a screenshot of the conditional access policy, a user report showing 100% enrollment, and a log demonstrating it’s being enforced on every login. Implementation and documentation are different things — and insurers require both.

“Documentation is as critical as implementation. Most cyber insurance failures come from a lack of proof, not a lack of tools.”

What a Complete Documentation Packet Looks Like

When you submit your application — or when a carrier requests verification — you should be able to provide the following without scrambling:

  • Network diagram — current topology showing all segments, firewall placement, and cloud connections. Should be updated whenever your network changes.
  • MFA enrollment report — exported from your identity platform (Entra ID, Okta, Google Workspace) showing every user account and MFA status. No exceptions, no “pending.”
  • EDR deployment report — from your EDR console showing device count, coverage percentage, and last check-in time for every endpoint.
  • Patch compliance report — from your RMM tool showing patch status across all managed devices, with a documented SLA for critical patches.
  • Backup logs and restore test records — automated backup success/failure logs for the past 90 days, plus signed records of each quarterly restore test with date, data set tested, and result.
  • Incident Response Plan — signed, dated, with named contacts. Include the date of the last tabletop exercise and who participated.
  • Security awareness training completion records — exported from your training platform showing employee completion rates and phishing simulation results by date.
  • Written cybersecurity policies — acceptable use, password/credential management, remote work, and data handling policies, all signed and dated within the last 12 months.
Start the application 60–90 days before you need coverage. Applications with all controls and documentation in place take two to four weeks for underwriting approval. Applications where improvements are required can take two to three months. If you have a contract deadline, a lender requirement, or a renewal date, do not wait until the week before.
· · ·

The Chicagoland SMB Failure Points

After reviewing the landscape of what Illinois small businesses are experiencing with cyber insurance applications in 2026, the same failure patterns repeat across DuPage, Cook, Will, and Kane counties. If your business fits any of these profiles, address it before your next submission.

Failure Point 1 — Microsoft 365 with MFA Set to “Optional”

This is the most common gap we see in Chicagoland businesses. Microsoft 365 was deployed (often by a previous IT provider or in-house), MFA was turned on for some accounts, and it was never enforced by policy. Users were given the option to set it up and a third said no. The admin account was excluded because “it was easier.” Carriers check for this, and a single admin account without MFA can sink an entire application.
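
One way to find these gaps before an underwriter does, as an added example (not ANC Systems' tooling or any vendor's report format): the script audits an MFA enrollment export for accounts that are not enforced, excluded from policy, or SMS-only. The CSV column names, state values, and accounts are constructed assumptions; map them to whatever your identity platform's report contains.

```python
import csv
import io

# Constructed sample export. Column names are hypothetical: map them to the
# fields your identity platform's user/MFA report actually contains.
SAMPLE_EXPORT = """\
user,account_type,is_admin,mfa_state,mfa_methods,excluded_from_policy
alice@example.test,user,false,enforced,authenticator_app,false
bob@example.test,user,false,enabled,sms,false
carol@example.test,user,false,pending,,false
admin@example.test,user,true,disabled,,true
billing@example.test,shared_mailbox,false,disabled,,false
dave@example.test,user,true,enforced,hardware_key;sms,false
"""

# Methods the article says qualify; SMS on its own is treated as insufficient.
STRONG_METHODS = {"authenticator_app", "hardware_key"}


def _flag(value):
    return value.strip().lower() in {"true", "yes", "1"}


def audit_row(row):
    """Return the findings for one account; an empty list means it passes."""
    findings = []
    state = row["mfa_state"].strip().lower()
    methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
    if state != "enforced":
        # In this hypothetical export only "enforced" means the second
        # factor is required at every sign-in; "pending" is still a gap.
        findings.append(f"MFA not enforced (state={state or 'missing'})")
    if _flag(row["excluded_from_policy"]):
        findings.append("excluded from the MFA policy")
    if not methods:
        findings.append("no MFA method registered")
    elif not methods & STRONG_METHODS:
        findings.append("only weak methods registered: " + ", ".join(sorted(methods)))
    return findings


def audit_export(text):
    """Audit a whole export; shared mailboxes are checked like any other row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings, admin_gaps = {}, []
    for row in rows:
        problems = audit_row(row)
        if problems:
            findings[row["user"]] = problems
            if _flag(row["is_admin"]):
                # A single admin gap is called out separately because the
                # article notes it can sink the whole application.
                admin_gaps.append(row["user"])
    passing = len(rows) - len(findings)
    return {
        "total": len(rows),
        "passing": passing,
        "coverage_pct": round(100.0 * passing / len(rows), 1) if rows else 0.0,
        "findings": findings,
        "admin_gaps": admin_gaps,
    }


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    print(f"{report['passing']}/{report['total']} accounts pass "
          f"({report['coverage_pct']}% coverage)")
    for user, problems in report["findings"].items():
        print(f"  {user}: " + "; ".join(problems))
    if report["admin_gaps"]:
        print("Admin accounts with gaps:", ", ".join(report["admin_gaps"]))
```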

Failure Point 2 — Legacy Antivirus Mistaken for EDR

Many businesses are running Windows Defender in its default, unmanaged configuration — or a traditional antivirus product bought years ago — and believe it qualifies as EDR. It doesn’t. The distinction matters significantly to underwriters: managed EDR with behavioral detection is fundamentally different from signature-based antivirus, and carriers know the difference. Our cybersecurity services include managed EDR deployment that explicitly qualifies for carrier requirements.

Failure Point 3 — Backups That Have Never Been Tested

A backup system that runs every night but has never had a restore tested is a false sense of security. Carriers are now asking for documented restore test records, and businesses that can’t produce them — or worse, discover during testing that their backups have been silently failing — face both an insurance problem and a real disaster risk. If you aren’t sure your backups work, our backup services include scheduled restore testing with written records built for exactly this purpose.

Failure Point 4 — No Incident Response Plan

An IRP sounds like a large-enterprise requirement, but carriers now expect it from businesses with as few as 10 employees. The plan doesn’t need to be 50 pages — it needs to answer: who does what in the first two hours after an attack? Who notifies the insurer? Who isolates affected systems? Who calls law enforcement if required? Who handles customer notification under Illinois breach law? Without documented answers, you’re in the “no” column.

Failure Point 5 — Outdated Network with No Segmentation

Many growing Chicagoland businesses have the same flat network they set up in 2015 — everything on the same subnet, including servers, workstations, IoT devices, and guest Wi-Fi. When ransomware gets into one device on a flat network, it spreads everywhere. Carriers are increasingly requiring at least basic segmentation (separate guest/IoT VLANs, server isolation) for businesses with higher coverage amounts or in regulated industries. Our network management services include segmentation reviews and implementation as part of ongoing management.

Not sure where your gaps are? The fastest way to find out — and to get a documented report you can use with your insurer — is ANC Systems’ $499 Security and Network Risk Assessment. It covers every control on this checklist, produces the gap analysis your carrier wants to see, and comes with a risk-free guarantee. Most businesses recoup the cost on their first insurance premium.
· · ·

How Managed IT Dramatically Improves Your Approval Odds

The businesses that sail through cyber insurance applications in 2026 share one characteristic: they have a managed IT provider who treats insurance qualification as part of the ongoing relationship — not a one-time scramble before renewal. Here’s why the difference is so significant.

Continuous Compliance vs. Point-in-Time Scramble

Every control on the checklist above requires ongoing maintenance, not just initial setup. MFA must be enforced as new users are added. Patches must be applied within the required windows every month. Backup restores must be tested and recorded quarterly. Security awareness training must be completed annually with phishing simulations tracked. A managed IT partner maintains all of this continuously — which means when your renewal comes, you already have the evidence package, not a two-month project to build one.
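
A sketch of how the patch window and quarterly restore cadence can be checked continuously rather than at renewal, as an added example (not ANC Systems' RMM or backup tooling). The record fields, patch labels, dates, and the rule that only a passing restore counts toward a quarter are assumptions made for illustration.

```python
from datetime import date

SLA_DAYS = 14            # the article's tighter window; some carriers allow 30
AS_OF = date(2026, 3, 16)  # constructed "today" so the sample is reproducible

# Constructed sample records; field names and patch labels are hypothetical.
PATCHES = [
    {"device": "WS-01", "patch": "PATCH-A", "released": date(2026, 1, 13), "installed": date(2026, 1, 20)},
    {"device": "WS-02", "patch": "PATCH-A", "released": date(2026, 1, 13), "installed": date(2026, 2, 5)},
    {"device": "SRV-01", "patch": "PATCH-A", "released": date(2026, 1, 13), "installed": None},
    {"device": "WS-01", "patch": "PATCH-B", "released": date(2026, 3, 10), "installed": None},
]
RESTORE_TESTS = [
    {"date": date(2025, 2, 11), "data_set": "file server", "result": "pass"},
    {"date": date(2025, 5, 14), "data_set": "file server", "result": "pass"},
    {"date": date(2025, 8, 20), "data_set": "accounting DB", "result": "fail"},
    {"date": date(2025, 11, 12), "data_set": "file server", "result": "pass"},
    {"date": date(2026, 2, 18), "data_set": "M365 mailboxes", "result": "pass"},
]


def patch_compliance(records, as_of, sla_days=SLA_DAYS):
    """Classify each device/patch pair against the SLA and compute a rate."""
    on_time, late, overdue, pending = [], [], [], []
    for r in records:
        label = (r["device"], r["patch"])
        if r["installed"] is not None:
            days = (r["installed"] - r["released"]).days
            (on_time if days <= sla_days else late).append(label + (days,))
        else:
            age = (as_of - r["released"]).days
            # Not installed yet: a violation only once the window has closed.
            (overdue if age > sla_days else pending).append(label + (age,))
    judged = len(on_time) + len(late) + len(overdue)  # pending is not judged yet
    pct = round(100.0 * len(on_time) / judged, 1) if judged else 100.0
    return {"compliance_pct": pct, "late": late, "overdue": overdue, "pending": pending}


def quarter_of(d):
    return (d.year, (d.month - 1) // 3 + 1)


def previous_quarters(as_of, n):
    """The n most recent completed calendar quarters, oldest first."""
    year, q = quarter_of(as_of)
    out = []
    for _ in range(n):
        q -= 1
        if q == 0:
            year, q = year - 1, 4
        out.append((year, q))
    return list(reversed(out))


def missing_restore_quarters(tests, as_of, lookback=4):
    """Completed quarters with no passing restore test on record.

    Assumption: a quarter whose only test failed still counts as a gap,
    because nothing proved the backups were restorable in that period.
    """
    passed = {quarter_of(t["date"]) for t in tests if t["result"] == "pass"}
    return [q for q in previous_quarters(as_of, lookback) if q not in passed]


if __name__ == "__main__":
    p = patch_compliance(PATCHES, AS_OF)
    print(f"Patch compliance within {SLA_DAYS} days: {p['compliance_pct']}%")
    for kind in ("late", "overdue", "pending"):
        for device, patch, days in p[kind]:
            print(f"  {kind}: {device} {patch} ({days} days)")
    for year, q in missing_restore_quarters(RESTORE_TESTS, AS_OF):
        print(f"No passing restore test recorded for {year} Q{q}")
```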

This is what ANC Systems’ cybersecurity services, network management, and data backup services deliver as part of our managed model — not as separate line items to be added when you think of them, but as integrated components of how we run your environment every day.

Documentation That’s Already Ready

One of the biggest advantages of working with a professional MSP is that the reports your carrier wants already exist. Our RMM platform generates patch compliance reports automatically. Our EDR console shows device coverage in real time. Our backup system logs every job and every restore test. When renewal time comes, we produce your evidence packet — not you searching through email threads and screenshots trying to remember when you last ran a restore test.

The vCIO Lens: Keeping You Insurably Compliant Year-Round

Through our IT consulting and vCIO services, we track where cyber insurance requirements are heading and advise you before a control becomes a hard requirement — not after your application comes back denied. We’ll flag when a carrier starts downgrading SMS MFA, when EDR standards shift, or when your industry begins seeing new compliance overlays on insurance requirements. This is the difference between reacting to insurance changes and planning for them.

“The businesses that pass cyber insurance applications in 2026 aren’t doing anything exotic. They have documented, maintained, tested controls — and someone who keeps those controls current all year, not just at renewal.”

Your Step-by-Step Path to Qualifying

  1. Run a gap assessment now — not 30 days before renewal. Use this checklist or book ANC Systems’ $499 Security and Network Risk Assessment to get a documented, insurer-ready gap report.
  2. Address MFA, EDR, and backups first. These three gates determine whether you’re approved or denied. Everything else affects your premium.
  3. Write the Incident Response Plan. Even a two-page document with named contacts and clear procedures satisfies most carriers. Your MSP can help draft it.
  4. Build the documentation packet. Collect the reports and screenshots listed in Section 3 (“The Documentation Insurers Demand”). If you can’t produce them, that’s a gap to fix before submitting.
  5. Review and maintain quarterly. Cyber insurance qualification is not an annual event. Schedule quarterly reviews of your controls, test your backups, update training records, and re-validate MFA enforcement every time staff changes.
  6. Submit 60–90 days early. Give yourself runway for underwriter questions and any last-minute documentation requests.

Ready to Qualify — and Stay Qualified?

ANC Systems works with small and mid-sized businesses across Naperville and greater Chicagoland to build and maintain the exact security posture that cyber insurance carriers require. Start with our $499 Security and Network Risk Assessment — a documented, insurer-ready gap analysis with a risk-free guarantee — or book a no-obligation consultation to talk through where you stand.

· · ·

Frequently Asked Questions

What are the main reasons small businesses get denied cyber insurance in 2026?

The two most common reasons for outright denial are missing MFA on remote access or email accounts, and inadequate endpoint protection (still running legacy antivirus instead of managed EDR). Beyond those, untested backups, no incident response plan, and unpatched systems are the next most frequent triggers. Carriers have made these requirements explicit in their 2026 underwriting guidelines, and a “no” or “we’re planning to” answer on any of them will result in either a denial or a major exclusion on the policy.

Does my current antivirus qualify as EDR?

Almost certainly not, unless it was specifically purchased and configured as a managed EDR product. Traditional antivirus — including the default, unmanaged version of Windows Defender — uses signature-based detection that misses novel ransomware and zero-day attacks. Managed EDR tools like CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint (in managed configuration), or Sophos Intercept X use behavioral detection and are what carriers require. If you’re unsure whether your current product qualifies, our cybersecurity team can review your current stack against carrier requirements.

How much does cyber insurance cost for a Chicagoland small business?

Premiums vary widely by industry, revenue, data volume, and — most importantly — your security posture. A business with all qualifying controls in place and documentation to prove it typically pays significantly less than one with gaps. As a rough benchmark, small businesses (under 50 employees) with solid security controls often pay $1,500–$5,000 per year for $1M–$2M in coverage. Businesses with missing controls or prior incidents can pay multiples of that, or find themselves with significant exclusions that make the policy far less valuable. Getting your controls in order before applying — rather than after — is the highest-return investment you can make in your coverage cost.

What’s the difference between cyber insurance and IT support — doesn’t my IT company handle all of this?

This is one of the most important distinctions for Chicagoland business owners to understand. Your IT provider keeps your systems running — patching, backups, help desk, network management. But cybersecurity is a distinct discipline, and most standard IT arrangements don’t include the full stack that cyber insurance carriers require: managed EDR, security awareness training with phishing simulations, incident response planning, vulnerability scanning, and compliance documentation. At ANC Systems, we deliberately integrate cybersecurity into our managed IT model so you’re not buying a patchwork of separate services or discovering gaps at renewal time.

Does my business need an incident response plan if we’re fewer than 25 people?

Yes. Carriers require a documented IRP regardless of company size, and Illinois state law has its own breach notification requirements that your IRP should address. The good news is that a plan for a small business doesn’t need to be elaborate — a clear, two-to-four-page document with named contacts, an isolation checklist, and defined notification timelines satisfies most carriers. The important thing is that it exists, it’s been reviewed in the last 12 months, and your team knows about it. ANC Systems can help draft and maintain this as part of our IT consulting services.

How often should we test our backups to satisfy carrier requirements?

Most carriers require documented restore tests at least quarterly, with signed records showing the date, which data set was restored, and whether the restore succeeded. Annual testing — once common — is no longer considered sufficient. This is an area where working with a managed IT provider pays off directly: your MSP should be conducting and documenting these tests as a standard part of your backup service, not waiting for you to remember to ask.

What is a Security and Network Risk Assessment, and how does it help with cyber insurance?

A Security and Network Risk Assessment is a structured audit of your current environment against the controls that insurers, regulators, and security frameworks require. It identifies every gap — missing MFA, uncovered endpoints, untested backups, network vulnerabilities — and produces a documented report you can use both to prioritize remediation and to show your insurance broker the steps you’ve taken. ANC Systems offers this assessment for $499 with a risk-free guarantee. Most Chicagoland businesses find that the gaps it uncovers — and the premium savings from fixing them before applying — make it one of the most cost-effective investments they make. Book your assessment here.

Can ANC Systems help us prepare a complete cyber insurance documentation packet?

Yes. For businesses we manage, we maintain the reports, records, and documentation that carriers require as a standard part of our service — patch compliance reports, EDR deployment coverage, backup logs, restore test records, and security training completion data. For the incident response plan and written security policies, our vCIO consulting can draft, review, and maintain these documents on your behalf. If you’re approaching a renewal and don’t currently have a managed IT partner, the $499 Risk Assessment is the fastest way to understand exactly what you have, what you’re missing, and what to prioritize before submitting. Contact us to discuss your timeline.


Don’t Let a Preventable Gap Deny Your Coverage

ANC Systems helps small and mid-sized businesses across Naperville, Aurora, Downers Grove, Wheaton, and the greater Chicagoland area build and maintain the security posture that 2026 cyber insurance carriers require — and produce the documentation to prove it. Start with a $499 Security and Network Risk Assessment, or talk to our team today.
