The Shift That Changed Everything
Until around 2021, cyber insurance underwriting was relatively relaxed about identity controls. A tick-box confirming you had MFA deployed was typically sufficient. The wave of major ransomware incidents — most of which involved compromised credentials, over-privileged accounts, and inadequate access controls — changed that entirely.
Underwriters now know that identity is the attack surface. Over 80% of significant breaches involve compromised credentials or privilege abuse at some stage. Insurers price for that risk — and they are increasingly refusing to bind cover, or binding with significant exclusions, when they cannot get evidence of basic identity controls.
This article walks through exactly what they are asking, why each question matters, and what "evidence" actually means in this context.
The Four Areas Every Underwriter Covers
Regardless of insurer or broker, cyber underwriting questionnaires now consistently focus on four identity control areas:
1. MFA Coverage — and the Exceptions
The question is no longer "do you have MFA?" It is:
- What percentage of privileged accounts are protected by MFA?
- What percentage of all user accounts are protected by MFA?
- Are there any accounts with privileged access that are MFA-excluded? If so, why?
- Do legacy authentication protocols remain enabled? For which systems?
The critical point: insurers want percentages, not yes/no answers. "We have MFA" means nothing if 15% of your admin accounts bypass it for legacy compatibility, and those bypass accounts are what attackers target first.
What evidence looks like: a coverage report showing MFA status by account type, with exceptions documented and exception owners named. Not a policy document. Actual coverage data.
2. Privileged Access Governance
Underwriters now routinely ask:
- How do you manage privileged access? Is there a PAM solution in place?
- Are administrator accounts separate from standard user accounts?
- When were privileged accounts last reviewed?
- How do you handle service accounts and non-human identities?
- What is your process for revoking access when someone leaves?
The service account question is consistently the most problematic for organisations. Service accounts are routinely discovered to have domain-level privileges, credentials that have not been rotated in years, and no documented owner. Insurers know this is a standard attack path. Because a non-human identity usually cannot answer an MFA prompt at all, the compensating controls worth evidencing are a named owner, least-privilege scoping, and vaulted credentials that are rotated on a schedule you can show.
What evidence looks like: a privileged account inventory showing separation status, last review date, and service account ownership mapping — not a policy stating you intend to do these things.
3. Logging and Detection Capability
Insurers want to understand whether you would know if an identity were compromised:
- Are authentication events logged? Where? How long are logs retained?
- Are privilege changes and account modifications captured?
- Do you have a SIEM or log aggregation in place?
- What alerts exist for suspicious authentication activity?
This area matters for claim assessment as much as for underwriting. When a breach claim is submitted, investigators will ask when the compromise first occurred and what logging exists to establish a timeline. Organisations with poor logging face both higher premiums and harder claims processes.
4. Recovery Readiness
The questions here concern your ability to respond if identity is compromised:
- Do you have emergency access (break-glass) accounts that still work if your primary identity provider, federation, or MFA service is unavailable or compromised?
- How quickly could you revoke all access in a worst-case scenario?
- Do you have documented incident response procedures for identity-based attacks?
- Have you tested your recovery process?
For organisations in financial services under DORA, or regulated sectors under operational resilience requirements, these questions may also carry regulatory weight beyond the insurance context.
What Happens Without Structured Evidence
There is a significant difference between asserting that controls exist and evidencing that they work. Insurers are increasingly drawing that distinction, with concrete consequences:
- Premium loading: Inability to evidence controls → risk treated as unknown → priced accordingly
- Exclusion clauses: Identity-related incidents excluded if evidence of controls was insufficient
- Renewal risk: Declining to renew at existing terms when controls cannot be demonstrated
- Claim dispute: Post-incident, insurers challenge claims where stated controls did not exist as described
The last point is the most significant. The difference between "we have MFA" stated on a renewal questionnaire and "MFA coverage was 67% at time of incident, with 23 admin accounts excluded for legacy compatibility" can be the difference between a paid claim and a disputed one.
What "Evidence" Actually Means
When insurers or their loss adjusters ask for evidence of identity controls, they do not mean policies, procedures, or statements of intent. They mean:
- Coverage reports: System-generated data showing actual MFA status by account, not just a policy confirming MFA is required
- Inventory outputs: Privileged account lists with ownership confirmed, not an assertion that accounts are reviewed
- Dated reviews: Evidence that access reviews happened on specific dates, not a policy stating they should happen quarterly
- Exception registers: Documentation of exclusions with named owners and approved justifications, not a blank field
The shift from policy-based to evidence-based underwriting is permanent. Organisations that have not built the capability to produce this evidence will continue to face premium increases and coverage limitations at renewal.
Practical Preparation Steps
If your renewal is approaching, the most effective preparation sequence is:
- Establish your current position: Run an assessment of actual MFA coverage across all user types — you need percentages, not assumptions. Most organisations are surprised by the real number.
- Map your privileged accounts: Produce an inventory of privileged accounts including service accounts, with ownership and last review date. Flag stale and unowned accounts before your insurer does.
- Document your exceptions: Every MFA exclusion, every service account with elevated privilege, every legacy authentication exception should be documented with a named owner and a justification. Undocumented exceptions look like gaps; documented exceptions look like managed risk.
- Confirm your logging coverage: Verify that authentication events are captured, know your retention period, and confirm that your SIEM or log aggregation covers identity systems.
- Validate your recovery path: Confirm that emergency access accounts exist and work. Test your account revocation process before the insurer asks whether you have.
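The coverage report and exception register from section 1, the privileged and service-account inventory from section 2, and the first three preparation steps above all come from the same account inventory. The following is an added example, not code from the original page or from IdentityFirst, showing how to derive those data points from a directory export and date them. The account records, field names, and policy thresholds (yearly credential rotation, quarterly review) are constructed assumptions; a real run would read the rows from whatever your directory or PAM tool exports.

```python
"""Build identity-control evidence for an underwriter from an account inventory.

Added example with constructed data. Field names and thresholds are assumptions,
not any vendor's export schema or any insurer's stated requirements.
"""
from collections import defaultdict
from datetime import date

AS_OF = date(2024, 6, 30)    # assumed report date; evidence must be dated
MAX_ROTATION_DAYS = 365      # assumed policy: service credentials rotated yearly
MAX_REVIEW_DAYS = 90         # assumed policy: privileged accounts reviewed quarterly


def acct(name, kind, privileged, mfa, owner, exc_owner=None, exc_reason=None,
         last_review=None, last_rotation=None, legacy_auth=False):
    """One inventory row. kind is 'user', 'admin' or 'service' (assumed taxonomy)."""
    return dict(name=name, kind=kind, privileged=privileged, mfa=mfa, owner=owner,
                exc_owner=exc_owner, exc_reason=exc_reason, last_review=last_review,
                last_rotation=last_rotation, legacy_auth=legacy_auth)


# Constructed sample export (hypothetical accounts), in the order a tool would list them.
ACCOUNTS = [
    acct("alice", "user", False, True, "alice", last_review=date(2024, 5, 1)),
    acct("bob", "user", False, True, "bob", last_review=date(2024, 5, 1)),
    acct("carol", "user", False, False, "carol", "Service desk", "shared kiosk account"),
    acct("dave.admin", "admin", True, True, "dave", last_review=date(2024, 4, 15)),
    acct("erin.admin", "admin", True, False, "erin"),                      # no owner, no reason
    acct("frank.admin", "admin", True, False, "frank", "Infrastructure lead",
         "legacy backup console cannot prompt for MFA",
         last_review=date(2024, 4, 15), legacy_auth=True),
    acct("svc-backup", "service", True, False, None,                        # unowned, stale
         last_rotation=date(2019, 3, 1), legacy_auth=True),
    acct("svc-sql", "service", True, False, "DBA team", "DBA team",
         "non-interactive SQL Agent account",
         last_review=date(2024, 5, 1), last_rotation=date(2024, 2, 1)),
    acct("svc-monitoring", "service", False, False, "Ops",
         last_review=date(2024, 6, 1), last_rotation=date(2022, 12, 1)),
    acct("grace", "user", False, True, "grace", last_review=date(2024, 5, 1)),
]


def mfa_coverage(accounts):
    """MFA enforcement as counts and a percentage per account kind, plus a 'human'
    aggregate. Service accounts cannot answer an MFA prompt, so they are counted
    in their own bucket rather than diluting the human number."""
    buckets = defaultdict(lambda: {"covered": 0, "total": 0})
    for a in accounts:
        targets = [a["kind"]] + ([] if a["kind"] == "service" else ["human"])
        for key in targets:
            buckets[key]["total"] += 1
            buckets[key]["covered"] += int(a["mfa"])
    for b in buckets.values():
        b["pct"] = round(100.0 * b["covered"] / b["total"], 1) if b["total"] else 0.0
    return dict(buckets)


def privileged_mfa_exceptions(accounts):
    """The exception register: every privileged account without MFA, and whether the
    exception is documented (named owner and a justification) or just a gap."""
    return [
        {"name": a["name"], "kind": a["kind"], "exception_owner": a["exc_owner"],
         "justification": a["exc_reason"],
         "documented": bool(a["exc_owner"] and a["exc_reason"])}
        for a in accounts if a["privileged"] and not a["mfa"]
    ]


def service_account_findings(accounts, as_of=AS_OF):
    """Service accounts that are unowned, have stale credentials, or lack a recent review."""
    findings = []
    for a in accounts:
        if a["kind"] != "service":
            continue
        issues = []
        if not a["owner"]:
            issues.append("no documented owner")
        if a["last_rotation"] is None:
            issues.append("credential never rotated")
        elif (as_of - a["last_rotation"]).days > MAX_ROTATION_DAYS:
            issues.append(f"credential last rotated {(as_of - a['last_rotation']).days} days ago")
        if a["last_review"] is None:
            issues.append("never reviewed")
        elif (as_of - a["last_review"]).days > MAX_REVIEW_DAYS:
            issues.append(f"last reviewed {(as_of - a['last_review']).days} days ago")
        if issues:
            findings.append({"name": a["name"], "privileged": a["privileged"], "issues": issues})
    return findings


def legacy_auth_accounts(accounts):
    """Accounts still permitted to use legacy (non-MFA-capable) authentication."""
    return [a["name"] for a in accounts if a["legacy_auth"]]


def evidence_report(accounts, as_of=AS_OF):
    """Dated evidence package: coverage data, exception register, inventory findings."""
    exceptions = privileged_mfa_exceptions(accounts)
    return {
        "as_of": as_of.isoformat(),
        "mfa_coverage": mfa_coverage(accounts),
        "privileged_mfa_exceptions": exceptions,
        "undocumented_exceptions": [e["name"] for e in exceptions if not e["documented"]],
        "service_account_findings": service_account_findings(accounts, as_of),
        "legacy_auth_enabled": legacy_auth_accounts(accounts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_report(ACCOUNTS), indent=2))
```

On the constructed sample the report shows admin MFA coverage at 33.3% rather than a reassuring "MFA is deployed", two privileged accounts excluded with no owner or justification, and one domain-privileged service account with no owner, a credential last rotated in 2019 and no review on record. Those are the rows an underwriter will ask about, so the point of running this before renewal is to turn each one into a documented exception or a remediation ticket first.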
The Insurance Readiness Pack
IdentityFirst produces a structured evidence package covering all four areas — MFA enforcement, privileged access governance, logging capability, and recovery readiness — in the format underwriters expect. Delivered within 5–10 business days of access being granted.
The pack includes an executive summary suitable for your broker, a gap-remediation plan with prioritised actions, and a review call to walk through findings before you submit to your insurer.