Your Cyber Insurance Renewal Is About to Get Harder — What RIAs Need to Know
Your next cyber insurance renewal will not look like the last one. Insurers burned by ransomware payouts are rewriting the rules, and RIAs without documented cybersecurity programs are getting hit with denied claims, doubled premiums, or flat-out non-renewal. This is not a compliance problem — it is a financial one.
The insurance market has shifted
Between 2020 and 2024, the cyber insurance market lost money. Carriers paid out billions in ransomware claims, many to organizations that had checked "yes" on their applications but had no actual controls in place. The industry responded the way insurance industries always respond — by tightening underwriting.
What this means in practice: your renewal application is no longer a formality. Carriers are asking specific, technical questions about your security controls. They want evidence, not assurances. And if you cannot provide it, they will either price you out or walk away.
For RIAs, this shift hits particularly hard. Most advisory firms carry E&O and cyber liability coverage as a baseline business requirement. Custodians expect it. Clients ask about it. Regulators view it as a risk management best practice. Losing coverage or paying dramatically more for it is not a minor line-item change — it affects your operating economics.
What insurers are requiring now
The specific requirements vary by carrier, but the industry has converged around a common set of controls. If you are renewing a cyber or E&O policy in 2026, expect questions about all of the following:
Multi-factor authentication (MFA)
This is the single most common requirement. Insurers want MFA on email, remote access, administrative accounts, and any system that touches client data. Not "we plan to implement it" — it must be active and enforced. Some carriers will not even quote a policy without MFA confirmation.
Incident response plan
A written plan that covers how your firm detects, contains, and recovers from a security incident. The plan should name roles and responsibilities, define escalation procedures, include contact information for legal counsel and your insurance carrier, and outline notification obligations. Insurers want to see a document, not a verbal understanding that "we would figure it out."
Email authentication (SPF, DKIM, DMARC)
Business email compromise is the number one claim type for professional services firms. Insurers know this, and they are increasingly asking whether your domain has SPF, DKIM, and DMARC configured. Some carriers run their own DNS checks during underwriting. If your domain does not have a DMARC policy at enforcement level, that is a red flag in the application.
Endpoint detection and response (EDR)
Traditional antivirus is no longer sufficient in the eyes of most underwriters. They want to see EDR — software that monitors endpoints for suspicious behavior, not just known malware signatures. If you are still running basic antivirus on workstations, expect questions about it.
Encrypted backups
Backups must exist, must be encrypted, and must be tested. Insurers learned from ransomware cases where firms had backups that were either connected to the same network (and got encrypted by the attackers) or had never been tested and failed during recovery. They now ask about backup frequency, encryption, isolation, and testing schedules.
Written security policies
A formal written information security program (WISP) that documents your firm's security controls, access management procedures, data classification, vendor oversight, and acceptable use policies. This is the same document the SEC expects under Regulation S-P. Your insurer and your regulator want the same thing.
Employee security training
Documented training, not a one-time slide deck from three years ago. Insurers want evidence that employees receive regular security awareness training — typically quarterly or at least annually — with records of completion. Phishing simulation results are a bonus.
What happens when you cannot provide proof
The consequences are financial and immediate:
- Claim denial. If you attest to having controls on your application and cannot demonstrate them after an incident, the carrier can deny your claim. This is not theoretical — carriers have denied claims in the six- and seven-figure range based on material misrepresentation in applications. You checked "yes" for MFA but it was only enabled on some accounts? That is a denial risk.
- Premium increases. Firms without documented cybersecurity programs are seeing renewal premiums increase 50% to 200%. A policy that cost $3,000 per year might jump to $6,000 to $9,000 — or more, depending on your firm size and AUM. Over a five-year period, that premium increase alone dwarfs the cost of implementing the controls.
- Non-renewal. Some carriers are simply declining to renew firms that cannot demonstrate basic controls. This leaves you shopping for coverage in a hardened market, likely at worse terms and higher cost. If you cannot find replacement coverage, you are operating uninsured — which creates its own set of problems with custodians, clients, and regulators.
- Sublimits and exclusions. Even if you get renewed, carriers may add sublimits (capping ransomware coverage at $100K on a $1M policy) or exclusions (no coverage for incidents involving systems without MFA). Read your renewal terms carefully.
The Reg S-P overlap — same controls, same documentation
Here is the part most RIAs miss: the controls your insurer demands are almost identical to what the SEC requires under the updated Regulation S-P. The 2023 amendments to Reg S-P require written policies and procedures for safeguarding customer information, an incident response program with notification obligations, and oversight of service providers.
MFA, incident response plans, email security, written policies, training documentation — your insurer and the SEC are asking for the same evidence. This means you do not need two separate compliance efforts. A single, well-documented cybersecurity program satisfies both. Build it once, use it for your renewal application and your next SEC exam.
The cost math
This is where the financial argument becomes unavoidable:
- BlackSheep compliance documentation: $249/mo ($2,988/year). Produces the WISP, incident response plan, risk assessment, training documentation, and security controls evidence your insurer and regulator require.
- Premium increase without documentation: $5,000 to $15,000/year. The delta between a firm with a documented program and one without is significant and growing. Carriers reward firms that can demonstrate controls with better rates.
- Denied claim: $50,000 to $500,000+. A single business email compromise incident — the most common claim type for RIAs — averages $120,000 to $150,000 in losses. If your claim is denied because you could not prove you had the controls you attested to, you absorb that loss entirely.
- SEC enforcement for Reg S-P failure: $50,000 to $500,000+. If a breach exposes client data and you lack the required written policies and incident response program, the insurance problem becomes a regulatory problem too. The costs compound.
Spending $249/mo to avoid a $5K-15K premium increase — let alone a six-figure denied claim — is not a compliance expense. It is the most straightforward risk-adjusted investment your firm can make.
What to do before your renewal
If your renewal is coming up in the next 90 days, here is a practical checklist:
- Confirm MFA is enforced everywhere. Email, remote access, custodian portals, cloud storage, CRM. Not optional, not "available" — enforced for all users.
- Write your incident response plan. Or update the one from 2021 that names an employee who left two years ago. It should reflect your current team, your current systems, and your current notification obligations under Reg S-P.
- Check your DMARC record. Run a free scan to see what your domain's email authentication looks like. If you do not have a DMARC policy at enforcement, fix it before your carrier checks.
- Document your security policies. Get a current WISP in place. It should cover access controls, data classification, vendor management, acceptable use, and employee training requirements.
- Collect training records. If you run security awareness training, make sure you have completion records with dates and names. If you do not run training, start now — quarterly phishing simulations and annual security awareness sessions are the minimum most carriers expect.
- Review your application carefully. Do not check "yes" on anything you cannot back up with evidence. A "no" with a remediation plan is better than a "yes" that becomes a material misrepresentation during a claim.
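One way to run the email authentication check from the "Check your DMARC record" step (and the SPF/DKIM/DMARC section above) yourself, as an added example that is not BlackSheep's tooling: the script grades the two TXT records a carrier's DNS check looks at, using constructed sample records. The `dig` commands in the docstring are how you would pull your own domain's records; DKIM is not covered here because its selector names vary per mail provider.

```python
"""Grade SPF/DMARC TXT records the way a carrier's DNS check would.

Added example, not BlackSheep's code. Fetch the live records with
`dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com`;
the records in SAMPLES below are constructed, not real domains' records.
"""
import re

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(record: str) -> str:
    """'missing', 'monitor-only', 'partial' or 'enforced' for one DMARC record."""
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "missing"        # no valid policy published at all
    if policy == "none":
        return "monitor-only"   # reports only; spoofed mail is still delivered
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100  # default 100%
    sub = tags.get("sp", policy).lower()   # subdomain policy defaults to p=
    if pct < 100 or sub == "none":
        return "partial"        # enforcement does not cover all mail or subdomains
    return "enforced"

def spf_strength(record: str) -> str:
    """'missing', 'weak' or 'strict' based on the SPF 'all' qualifier."""
    if not record.lower().startswith("v=spf1"):
        return "missing"
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record.lower())
    # -all = hard fail (strict); ~all, ?all, +all or no 'all' term = weak
    return "strict" if match and match.group(1) == "-" else "weak"

SAMPLES = {  # constructed records for the demo
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    print("SPF:", spf_strength(SAMPLES["spf"]))          # weak
    print("DMARC:", dmarc_enforcement(SAMPLES["dmarc"]))  # partial
```

Anything other than "strict" and "enforced" is what the article calls a red flag on the application; a `p=none` record only produces reports and does not stop spoofed mail.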
How BlackSheep helps
BlackSheep's RIA compliance platform produces the exact documentation insurers want to see on your renewal application: the written information security policy, incident response plan, risk assessment, vendor oversight records, and training logs. Everything is timestamped, version-controlled, and exportable — so when your carrier asks for proof, you have it ready.
The same documentation satisfies your SEC examination requirements under Reg S-P. One platform, one set of documents, two problems solved.
Your next renewal application will ask about your cybersecurity program. Have an answer ready.
Get your documentation in order with BlackSheep