Ransomware Insurance Prerequisites: What Carriers Actually Require from Texas Businesses in 2026
Cyber insurance applications now run 60-100 questions, and a single No on a critical control can disqualify you. This is what Texas SMBs need in place to be quotable in 2026.
Introduction
Cyber insurance underwriting tightened sharply through 2024 and 2025, and 2026 is the year the bar fully reset. According to Marsh's 2025 Cyber Insurance Trends report, the average application now runs 60-100 questions covering technical controls, incident response, and vendor risk. A single No on a critical control can disqualify a Texas SMB from coverage entirely — or push it into the surplus-lines market with premiums 3-5x higher.
This is the practitioner's view of what carriers actually require, why each requirement exists, and the cheapest defensible way to meet each one.
Why Ransomware Reset Cyber Underwriting
Coveware's 2025 Q4 Ransomware Report puts the median Texas SMB ransomware recovery cost at $310,000-$1.2 million depending on segment. Carriers paid out aggressively in 2020-2022, took losses, and tightened criteria. The result: 2026 underwriting is harder than it was in 2018, when basic AV plus a checkbox was sufficient.
The Non-Negotiable Controls
1. MFA on All Externally-Accessible Services
Email, VPN, RDP, cloud admin consoles, financial systems. Carriers want screenshots or attestation. SMS-based MFA is now considered insufficient by most carriers — phishing-resistant MFA (FIDO2 hardware keys or Microsoft Authenticator with number matching) is the rising baseline. See our MFA bypass guide.
2. EDR on All Endpoints
SentinelOne, CrowdStrike, Microsoft Defender for Endpoint, ThreatLocker EDR. Legacy signature-based AV does not satisfy. Carriers want either evidence of the licensed product tier or attestation that you have behavioral detection on every endpoint, including servers. Coverage gaps (one VLAN of unmanaged devices, an OT subnet, a developer's macOS laptop) get noticed in the questionnaire.
3. Immutable, Tested Backups
The 3-2-1 rule is no longer enough. Carriers want immutability (Object Lock, hardened repositories) and evidence of regular restore testing. See our deep-dive: Immutable Backups for Texas SMBs: The 3-2-1-1-0 Rule.
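The "tested" half of this control is the part most SMBs cannot produce evidence for. The script below is an added example, not code from the article or from any backup vendor: it backs up a constructed data set into a tar archive with an embedded SHA-256 manifest, restores it to a scratch directory, verifies every file against the manifest, and returns a timestamped verdict you can keep as the restore-test record. The data, paths and manifest name are all constructed for illustration. Immutability (Object Lock, hardened repositories) is a property of where the archive is stored and is not modelled here.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"  # constructed name for the hash list stored inside the archive


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: str, archive_path: str) -> Dict[str, str]:
    """Archive src_dir and embed a SHA-256 manifest of every file."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore(archive_path: str, restore_dir: str) -> None:
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+: refuse path-traversal members
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)


def verify_restored(restore_dir: str) -> dict:
    """Compare every restored file against the manifest; the returned dict is the evidence line."""
    with open(os.path.join(restore_dir, MANIFEST_NAME)) as fh:
        manifest = json.load(fh)
    mismatched: List[str] = []
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            mismatched.append(rel)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": len(manifest),
        "mismatched": mismatched,
        "ok": not mismatched,
    }


def run_restore_test() -> dict:
    """End-to-end drill on constructed data; returns the clean and the damaged verdicts."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "finance"))
        # Constructed sample files standing in for the protected data.
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as fh:
            fh.write("date,amount\n2026-01-01,100\n")
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("restore drill sample\n")
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)

        clean_dir = os.path.join(work, "restore_clean")
        restore(archive, clean_dir)
        clean = verify_restored(clean_dir)

        # Simulate a damaged restore and confirm the check catches it.
        with open(os.path.join(clean_dir, "notes.txt"), "a") as fh:
            fh.write("corrupted\n")
        damaged = verify_restored(clean_dir)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Run it on a schedule against a real archive and archive the JSON verdicts; a dated series of `"ok": true` results with a file count is the kind of restore-testing evidence an underwriter can accept, and a `mismatched` list tells you which files to investigate when a drill fails.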
4. Documented Incident Response Plan
Tabletop-tested in the last 12 months. Carriers want a copy of the plan, the tabletop after-action report, and the name of your IR retainer firm. A signed MSA with an incident response provider is now standard.
5. Network Segmentation
Flat networks are an automatic disqualifier with several carriers. Carriers want VLAN segmentation between user, server, and OT/IoT subnets, east-west firewall rules between segments, and domain controllers on a privileged VLAN.
6. Privileged Access Management
Increasingly, carriers ask explicitly about PAM deployment. Application allowlisting and ringfencing — see our PAM tools comparison — significantly reduce ransomware execution risk. Some carriers offer 5-15% premium credits for documented PAM deployment.
7. Email Filtering and DMARC
Microsoft Defender for Office 365, Proofpoint, Mimecast, or equivalent. DMARC at p=reject (or at minimum p=quarantine with progress to reject). SPF and DKIM correctly configured. Carriers will check DMARC via public lookup before quoting.
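Because carriers check DMARC from the public record, it is worth running the same check on yourself before you apply. The code below is an added example, not from the article or any vendor: it parses a DMARC TXT record and grades it against the baseline described above (p=reject at full coverage passes; p=quarantine is flagged as an interim state; p=none or a missing record fails). The sample records in the test are constructed. To check a real domain, resolve the TXT record at `_dmarc.<yourdomain>` with a DNS library such as dnspython and pass the string in; that lookup is not included here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcVerdict:
    policy: str            # "reject", "quarantine", "none" or "missing"
    pct: int               # share of failing mail the policy applies to (DMARC default 100)
    meets_baseline: bool   # True only for p=reject with pct=100
    interim: bool          # True for p=quarantine: accepted by most carriers only with a plan to reach reject
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")   # partition on the first '=' so mailto: URIs survive
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> DmarcVerdict:
    """Grade a DMARC record string against the carrier baseline (reject > quarantine > none)."""
    notes: List[str] = []
    if not record:
        return DmarcVerdict("missing", 0, False, False, ["no DMARC record published"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        notes.append("record does not start with v=DMARC1; receivers will ignore it")
        return DmarcVerdict("missing", 0, False, False, notes)

    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct is not numeric; treated as the default 100")

    if "rua" not in tags:
        notes.append("no rua= aggregate reporting address; you will not see who is spoofing you")
    if policy == "reject" and pct < 100:
        notes.append(f"pct={pct}: only part of failing mail is rejected; raise to 100")
    if policy == "quarantine":
        notes.append("quarantine is an interim step; carriers expect progress to p=reject")
    if policy == "none":
        notes.append("p=none is monitoring only and does not satisfy the control")

    meets = policy == "reject" and pct == 100
    return DmarcVerdict(policy, pct, meets, policy == "quarantine", notes)


if __name__ == "__main__":
    # Constructed records, not real domains.
    for rec in ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=50",
                "v=DMARC1; p=none",
                None]:
        print(rec, "->", evaluate_dmarc(rec))
```

The `pct` check matters in practice: a record that reads `p=reject` but carries `pct=25` still lets three quarters of spoofed mail through, and an underwriter who pulls the full record will see it.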
8. Vulnerability Management Program
Documented patching cadence. For criticals, expect carriers to want a 7-14 day SLA; for high-severity, 30 days. Evidence: a Tenable or Rapid7 report, or attestation from an MSP.
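The question behind "documented patching cadence" is whether you can show, from your own scan data, which findings are outside SLA and what share were fixed in time. The code below is an added example, not from the article, Tenable or Rapid7: it applies the SLAs quoted above (7 days for critical, the strict end of the 7-14 day range, and 30 days for high) to a list of findings and returns the overdue items and a compliance figure. The findings are constructed, with placeholder plugin names; a real run would load them from a scanner export.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# SLA in days by severity. Assumed values taken from the ranges the article quotes;
# medium and low findings are not held to a carrier SLA in this example.
SLA_DAYS = {"critical": 7, "high": 30}


def sla_breaches(findings: List[dict], as_of: date) -> List[dict]:
    """Return open findings past their SLA as of `as_of`, most overdue first.

    Each finding: {"host", "plugin", "severity", "first_seen": date, "fixed_on": date|None}.
    """
    breaches = []
    for f in findings:
        if f.get("fixed_on"):
            continue
        limit = SLA_DAYS.get(f["severity"].lower())
        if limit is None:
            continue
        age = (as_of - f["first_seen"]).days
        if age > limit:
            breaches.append({**f, "age_days": age, "overdue_by": age - limit})
    return sorted(breaches, key=lambda b: -b["overdue_by"])


def sla_compliance(findings: List[dict], as_of: date) -> Tuple[int, int, float]:
    """(in-scope findings, findings within SLA, percentage within SLA).

    A fixed finding is within SLA if fixed_on - first_seen <= limit; an open finding
    counts as within SLA only while it is still inside its window.
    """
    in_scope = within = 0
    for f in findings:
        limit = SLA_DAYS.get(f["severity"].lower())
        if limit is None:
            continue
        in_scope += 1
        end: date = f.get("fixed_on") or as_of
        if (end - f["first_seen"]).days <= limit:
            within += 1
    pct = round(100 * within / in_scope, 1) if in_scope else 100.0
    return in_scope, within, pct


# Constructed sample export; hostnames and plugin names are placeholders.
AS_OF = date(2026, 3, 15)
SAMPLE_FINDINGS = [
    {"host": "fs01", "plugin": "placeholder-critical-1", "severity": "critical",
     "first_seen": date(2026, 3, 1), "fixed_on": None},             # 14 days open, SLA 7
    {"host": "web01", "plugin": "placeholder-critical-2", "severity": "critical",
     "first_seen": date(2026, 3, 12), "fixed_on": None},            # 3 days open, inside SLA
    {"host": "dc01", "plugin": "placeholder-high-1", "severity": "high",
     "first_seen": date(2026, 1, 20), "fixed_on": None},            # 54 days open, SLA 30
    {"host": "lap07", "plugin": "placeholder-high-2", "severity": "high",
     "first_seen": date(2026, 2, 1), "fixed_on": date(2026, 2, 20)},  # fixed in 19 days
    {"host": "lap07", "plugin": "placeholder-medium-1", "severity": "medium",
     "first_seen": date(2025, 12, 1), "fixed_on": None},            # out of scope
]


def report(findings: List[dict] = SAMPLE_FINDINGS, as_of: date = AS_OF) -> dict:
    in_scope, within, pct = sla_compliance(findings, as_of)
    return {"as_of": as_of.isoformat(), "in_scope": in_scope, "within_sla": within,
            "compliance_pct": pct, "overdue": sla_breaches(findings, as_of)}


if __name__ == "__main__":
    for row in report()["overdue"]:
        print(f"{row['host']:6} {row['severity']:8} {row['age_days']:3}d open, "
              f"{row['overdue_by']}d past SLA ({row['plugin']})")
    print("compliance:", report()["compliance_pct"], "%")
```

The overdue list is what you remediate before the application goes in; the compliance percentage, tracked month over month, is the documented cadence the questionnaire is asking about.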
9. Vendor Risk / Third-Party Access
Documented inventory of vendors with access to your environment. SOC 2 reports on critical SaaS providers. Time-bounded vendor access with MFA and session recording.
10. Security Awareness Training
Annual minimum, quarterly preferred. Phishing simulation results tracked. Documented training program. KnowBe4, Proofpoint, Hoxhunt — choose one and run it.
What Disqualifies You Outright
- End-of-life operating systems: Windows 7, Windows 8.x, Windows Server 2012/2012 R2, Windows Server 2016 (EOL January 2027), unpatched ESXi 6.x
- RDP exposed directly to the internet
- No MFA on email
- No EDR (legacy AV only)
- No backup testing in 12+ months
- Open recursive DNS or unauthenticated SMB exposed to internet
Texas-Specific Considerations
Texas businesses face elevated targeting in healthcare, energy, and DoD supply chain. The Texas Data Privacy and Security Act (TDPSA, effective July 2024) and Texas SB 2610 small business safe harbor add documentation requirements that carriers also reference. Texas hurricanes also factor into business interruption coverage — pair cyber with proper BCP/DR.
Where to Start
For Texas SMBs whose cyber insurance renewal is within 90 days: pull your current application, map every No answer to the controls above, and prioritize remediation. Most gaps can be closed in 60 days with the right MSP partner. See our managed IT services and cybersecurity services overviews.