Cyber Insurance 2026: Identity Proofing Is the New MFA

Mairi Kutberg

Cyber insurance premiums hit $23 billion in 2026 with rate increases of 15–20%, and 41% of applications are denied on first submission. MFA is now a baseline floor — entities that cannot evidence enforcement do not get coverage. The new underwriting line has moved below MFA into identity proofing at enrolment, and that is where 2026 renewals are won and lost.

By 2026, cyber insurance has stopped being a tick-box product. S&P Global Ratings projects the market will reach $23 billion in premiums this year, up from about $14 billion at the end of 2023, and has forecast rate increases of 15 to 20% for 2026 after two years of declining pricing (S&P — Cyber Insurance Market Outlook 2026). The volume story is known. The underwriting story is less widely understood — and it is where renewals are now being won and lost. The line between approval and denial has moved. It has moved from "do you have MFA?" to "can you prove enforcement was active at the moment the incident occurred?", and, quietly, to "can you prove the identity bound to the credential was ever verified in the first place?"

The 2026 Underwriting Shape

Three independent numbers describe what has changed. 99% of cyber insurance applications now include specific questions about multi-factor authentication implementation, according to the Marsh McLennan 2025 Cyber Insurance Market Report. 82% of denied claims in Coalition's 2024 Cyber Claims data involved organisations that lacked properly implemented MFA across their environment. And 41% of cyber insurance applications are now denied on first submission — the top two reasons being missing MFA and inadequate endpoint protection (CyberDuo — 2026 cyber insurance renewal checklist).

Those numbers tell a consistent story. MFA is no longer a differentiator. It is a floor, and entities that cannot evidence the floor do not make it into the pool. The competitive pricing that dominated the market from 2023 to 2025 came out of improved loss ratios; the 2026 rate increase reflects a harder underwriting view of residual risk, driven by S&P's reported 17% rise in claim severity per incident versus 2024 alongside a 126% surge in ransomware incidents in Q1 2025 and an 800% jump in infostealer-driven credential theft (S&P — Cyber Insurance Market Outlook 2026).

The questionnaire does not ask whether you have a control. It asks whether you can prove you have it, that it is enforced everywhere it should be, and that it was working at the time of any incident. Those are three very different questions.

That framing — from CyberDuo's 2026 renewal guide — is the underwriting mindset entities now face. The artefact insurers are adjudicating is not a security posture claim. It is an evidence chain.

Why MFA-Alone Fails the Chain

Consider how a claim adjudication actually works in 2026. An employee account is compromised; privileged access to a CRM results in data exfiltration; the insured claims against the policy. The adjuster walks back through the authentication logs. MFA was enforced. MFA succeeded on every relevant session. The token binding was intact. On the face of it, the control was working.

The question the adjuster then asks is a quieter one: who was this user, and how do you know? The credential authenticates the key material. The key material was bound at issuance to an identity. That identity was verified, at onboarding, by someone — typically a remote onboarding vendor using a photo of an ID document and a selfie-plus-liveness check, scored by a proprietary model.

Two problems surface at that step. First, the proofing evidence is opaque — a vendor's pass/fail flag and a closed-model score are not the same thing as cryptographic attestation. Second, in the ransomware-by-infostealer era described in the S&P outlook, credentials being stolen at industrial scale are credentials whose provenance the holding organisation cannot independently reconstruct. The entity's MFA enforcement may have been flawless, and the underlying identity binding can still have been the weak point. The adjudicator is not required to deny on this basis alone — but coverage disputes, retrospective premium adjustments, and reduced renewal limits are increasingly anchored on this exact gap.

Identity-Centric Underwriting Is the 2026 Shift

The technical underwriting direction in 2026 is toward identity-centric scoring. The Hacker News in February 2026 described the emergence of "identity cyber scores" as a market metric — derived from privileged access management coverage, MFA consistency, conditional access policies, and access governance maturity (The Hacker News — Identity Cyber Scores (February 2026)). Five controls now sit at the floor of coverage: MFA everywhere, EDR on every endpoint, immutable backups, a tested incident response plan, and documented patch management. Below those five, insurers increasingly price — and sometimes decline — on the quality of identity governance: how consistently identity is proven, bound, monitored, and revoked across the workforce and across contractors.

[Figure: The cyber insurance identity evidence map: where MFA-based controls succeed, where identity proofing at enrolment fails, and the claim-adjudication view]

For a CISO walking into a 2026 renewal, the difference between a flat or improved rate and a declined application often comes down to four questions. How many of your workforce identities were proofed against an authoritative source, not an internal form? How many of your privileged identities — admins, on-call engineers, third-party support — can you name with government-verified enrolment evidence? How many of your non-employee contractors can you evidence the same way? And — for any of those — can you produce the evidence on demand during claim adjudication, not reconstruct it afterward? The same evidence question is what NIS2 Article 21 auditors now ask of essential and important entities.

The Cross-Border Workforce Problem

The harder variant of the problem is the cross-border workforce. Global insurers increasingly underwrite multinational organisations as a single risk; the controls must be demonstrated across the whole perimeter, not just the EU or US headquarters. Where an entity's employees and contractors include non-EU nationals — the offshore engineering team, the support centre in a non-EU jurisdiction, the fly-in specialist on a critical project — the identity-proofing toolkit gets thinner.

An EU-issued electronic ID covers an EU citizen. The EUDI Wallet, which every Member State must make available by December 2026, extends that to EU residents. Neither covers a non-EU national. The default tool at that point reverts to a scanned ID document and a selfie — precisely the evidence class that insurers are grading down.

The workable answer is to read the chip that 180 countries and regions have been issuing in their biometric passports since the ICAO Doc 9303 rollout (Signicat, December 2025). The chip read produces data signed by the issuing government, clone-resistant via Active or Chip Authentication, and bound to physical presence via PACE. Captured at enrolment and countersigned under a qualified electronic signature, that evidence creates a cryptographic identity record for a non-EU contractor that is categorically stronger than any selfie-plus-document pipeline — and categorically closer to the evidence class insurers are building their 2026 underwriting around.

What an "Insurance-Grade" Identity Layer Produces

For the CISO or risk manager preparing a 2026 renewal, the question is less about tooling and more about whether the identity layer produces three artefacts on demand:

  • Enrolment evidence for every privileged identity that is independently verifiable — not "we checked" but "here is the signed attestation from the issuing authority".
  • Binding evidence — the cryptographic link between the verified identity and the credential that the MFA system subsequently enforces against.
  • Revocation evidence — a timestamped chain from the moment a role changes to the moment the access attached to that identity is removed.

Where those three exist, the adjudicator's walk-back stops producing findings. Where any of them is a PDF, a screenshot, or a vendor score, it produces questions — and in 2026, questions produce either increased premiums, reduced limits, or declined claims. These three artefacts — enrolment, binding, revocation — are the operational core of workforce identity verification for cross-border privileged personnel.
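The three artefacts above, sketched as an added example that is not IdentiGate's or any insurer's code: each record is hash-linked to the one before it and sealed, so the walk-back can be checked mechanically. The field names, the one-hour revocation threshold and the HMAC seal (a stand-in for the qualified electronic signature) are assumptions, and all sample values are constructed.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC stands in for the qualified electronic signature
# the article mentions; a real deployment would verify an asymmetric signature.
SEAL_KEY = b"constructed-demo-key"
REQUIRED = ("enrolment", "binding", "revocation")

def digest(record):
    """SHA-256 over canonical JSON of the record, excluding its seal."""
    body = {k: v for k, v in record.items() if k != "seal"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def seal(kind, prev, **fields):
    """Build one artefact linked to its predecessor (prev digest) and seal it."""
    record = {"kind": kind, "prev": prev, **fields}
    record["seal"] = hmac.new(SEAL_KEY, digest(record).encode(), "sha256").hexdigest()
    return record

def verify_chain(chain, max_revocation_secs=3600):
    """Return the findings a walk-back would raise; an empty list means clean."""
    findings, prev = [], None
    for rec in chain:
        expected = hmac.new(SEAL_KEY, digest(rec).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, rec.get("seal", "")):
            findings.append(f"{rec['kind']}: seal does not match content")
        if rec.get("prev") != prev:
            findings.append(f"{rec['kind']}: not linked to preceding artefact")
        prev = digest(rec)
    kinds = [r["kind"] for r in chain]
    findings += [f"missing {k} evidence" for k in REQUIRED if k not in kinds]
    for rec in chain:
        if rec["kind"] == "revocation":
            lag = rec["access_removed_at"] - rec["role_changed_at"]
            if lag < 0 or lag > max_revocation_secs:  # threshold is an assumption
                findings.append(f"revocation: {lag}s between role change and removal")
    return findings

def build_demo_chain():
    """Constructed sample: one contractor's enrolment, binding and revocation."""
    enrol = seal("enrolment", None, subject="contractor-001",
                 chip_data_sha256=hashlib.sha256(b"constructed DG1 bytes").hexdigest(),
                 enrolled_at=1767225600)
    bind = seal("binding", digest(enrol), credential_id="constructed-fido2-cred",
                bound_at=1767225900)
    revoke = seal("revocation", digest(bind), role_changed_at=1772323200,
                  access_removed_at=1772323800)
    return [enrol, bind, revoke]

if __name__ == "__main__":
    print(verify_chain(build_demo_chain()))
```

Editing any field of the enrolment record after the fact breaks both its own seal and the binding record's link to it, which is the property a PDF, a screenshot or a vendor score does not have.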

2026 Is the Proof Year

The premium market is growing, not shrinking. S&P's $23 billion 2026 forecast makes that explicit. What has tightened is the underwriting filter that precedes a premium quote at all. The MFA floor was the first tightening, applied in 2023 to 2024. The proof-of-enforcement refinement was the second, visible through 2025. The identity-proofing refinement — auditability of the enrolment step, not only the authentication step — is the 2026 one, and it is the one most existing identity stacks were not built for. Entities whose identity layer produces enrolment evidence in the cryptographic class, especially across non-EU personnel, will find their renewal experience in 2026 structurally different from those whose evidence relies on vendor scoring. The pool of coverage is expanding. The bar to enter it is rising — just below the MFA line, in the layer most incumbents have not yet audited.

Sources

Market outlook and premium forecast

Underwriting requirements and denials

Identity-centric underwriting

MFA and claims data

ePassport standard

About the author

Mairi Kutberg is co-founder of IdentiGate, where she runs operations and content. She works at the intersection of EU regulation (eIDAS, NIS2, AMLR, eFTI), cross-border digital identity, and the practical compliance angles of advanced electronic signatures.
