That distinction matters. The steep premium increases that defined the early part of the decade are not the best way to frame the current market. Recent market reporting shows cyber rates declining after multiple quarters of increased competition and stronger insurer capacity. But the technical discipline created during the hard market remains. Underwriters still want to know whether multi-factor authentication is enforced, whether endpoint detection is deployed, whether backups are tested, whether remote access is controlled, and whether an incident response plan exists beyond a file nobody has used.
For construction firms, the renewal question has shifted. It is no longer enough to say that IT is handled, backups are running, and email is protected. The more important question is whether those controls are implemented across the right systems, documented in a way that can be verified, and maintained consistently enough to hold up if a claim is filed. This post explains what current cyber insurance underwriting is really testing, why construction firms still face exposure, and what to review before your next renewal.
The Market Has Softened. The Evidence Standard Has Not.
The cyber insurance market hardened sharply after the ransomware surge of 2020 through 2023. Premiums rose, underwriters asked more technical questions, and many firms saw new requirements around MFA, endpoint detection, backup resilience, and incident response. That history still matters, but it should not be confused with the current pricing environment.
By late 2025, major market reporting showed a different pricing picture. U.S. cyber insurance rates decreased again in Q4 2025, continuing a multi-quarter softening trend. At the same time, underwriting did not become casual again. Technical underwriting remained a focus because cyber risk is more complex, claims are still active, and carriers still need confidence that applicants are not only buying insurance but operating with the controls their applications describe.
| Criterion | Older Application Pattern | Current Underwriting Pattern |
|---|---|---|
| Market context | Hard-market pricing and broad premium pressure | More competitive pricing, but continued technical underwriting discipline |
| MFA question | Do you use MFA? | Where is MFA enforced, which systems are covered, and which users are included? |
| Backup question | Do you have backups? | Are backups tested, protected from ransomware encryption, and recoverable within defined timelines? |
| Endpoint security | Antivirus may have been accepted | EDR is commonly expected on workstations and servers |
| Incident response | Not always asked in detail | Written plan, responsible parties, escalation path, and evidence of testing may be requested |
| Key risk | Cost of coverage | Accuracy of application answers and ability to prove controls after a claim |
Why Construction Firms Are Still in Scope
Construction was historically treated as a lower cyber risk than financial services or healthcare. That assumption is harder to defend now. Modern construction firms rely on cloud project management platforms, remote access, job costing systems, mobile devices, subcontractor collaboration, wire instructions, payroll systems, and email-heavy workflows that move money and project authority every day.
Current claims data supports the concern. NetDiligence’s 2025 Cyber Claims Study analyzed more than 10,000 cyber insurance claims from incidents occurring between 2020 and 2024. In its construction-specific data, total incident cost ranged from $3,400 to $1.7 million. The top causes of loss were ransomware and business email compromise, and the average construction ransom payment was $254,000.
That does not mean every construction firm is uninsurable or facing a massive premium increase. It means underwriters have a rational reason to ask harder questions. Construction firms handle sensitive project documents, subcontractor payment information, bid data, payroll data, and owner communications. They also depend on remote access and field mobility. Those workflows create real underwriting questions about access, recovery, email security, and incident readiness.
- Marsh reported that U.S. cyber insurance rates decreased again in Q4 2025, marking the eleventh consecutive quarter of cyber rate decreases.
- Coalition’s 2026 Cyber Claims Report, covering full-year 2025 claims data, found that business email compromise and funds transfer fraud accounted for 58 percent of all claims.
- Coalition also reported that initial ransom demands rose 47 percent year over year, while 86 percent of businesses hit by ransomware refused to pay.
- NetDiligence’s 2025 Cyber Claims Study reported that construction claims from 2020 through 2024 ranged from $3,400 to $1.7 million in total incident cost, with ransomware and BEC as the top causes of loss.
What Underwriters Are Really Testing in 2026
The application may still look like a form, but the underlying review is closer to a security control check. The underwriter is not simply asking whether a construction firm believes it has reasonable cybersecurity. They are asking whether specific controls exist, where they are enforced, and whether the answers are accurate enough to rely on if something goes wrong.
- MFA enforced on remote access: VPN, RDP, email, cloud platforms, and administrative access paths
- Endpoint detection and response: EDR deployed across workstations and servers, not only basic antivirus
- Privileged access controls: Separate administrative accounts, limited privileges, and no shared admin credentials
- Tested backups: Documented restore testing, protected backup copies, and clear recovery objectives
- Email authentication: SPF, DKIM, and DMARC configured and monitored for the domain
- Patch management: A defined process for critical vulnerabilities and evidence that patching actually occurs
- Incident response plan: Written, current, assigned to responsible people, and tested through a tabletop or similar exercise
- Remote access review: No exposed RDP, clear VPN controls, and MFA protecting access into the environment
The practical problem is not that these controls are impossible. It is that many firms answer the application based on assumptions. A contractor may believe MFA is in place because Microsoft 365 requires it for some users, while VPN, RDP, admin accounts, or third-party platforms remain outside the policy. A firm may believe backups are working because backup jobs show green, while no one has tested a real restore in months. A firm may believe it has an incident response plan because a template exists, while no one has assigned roles, tested contacts, or walked through a ransomware scenario.
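The gap the paragraph above describes ("MFA is in place" on one platform while VPN, RDP or admin accounts sit outside the policy) is easiest to see when the account inventory is joined against each system's own enforcement export. The following Python script is an added example written for this post, not code from the original article or from VQIS; the users, systems and enforcement sets are constructed for illustration, and in practice the per-system sets would come from the identity provider and each remote-access system's configuration export.

```python
"""Added example (not from the original post): an MFA coverage gap report.

Underwriters now ask *where* MFA is enforced and *which users* are covered,
not just whether MFA is used. This script joins a constructed account list
with constructed per-system MFA enforcement exports and reports the gaps a
reviewer would want to see before signing the application. All data below is
made up for illustration; the system names and usernames are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool
    access: frozenset  # remote-access paths this account can use


# Constructed account inventory (hypothetical users and systems).
ACCOUNTS = [
    Account("jsmith", False, frozenset({"m365", "vpn"})),
    Account("mlee", False, frozenset({"m365", "rdp-gateway"})),
    Account("admin-pcollins", True, frozenset({"m365", "vpn", "rdp-gateway", "admin-portal"})),
    Account("svc-backup", True, frozenset({"admin-portal"})),
    Account("rgarcia", False, frozenset({"m365"})),
]

# Constructed per-system enforcement exports: which users have MFA enforced
# on each path. Note that the RDP gateway enforces MFA for nobody, which is
# exactly the kind of gap a "MFA on all remote access" answer glosses over.
MFA_ENFORCED = {
    "m365": {"jsmith", "mlee", "admin-pcollins", "rgarcia"},
    "vpn": {"jsmith"},
    "rdp-gateway": set(),
    "admin-portal": {"admin-pcollins"},
}


def coverage_report(accounts=ACCOUNTS, enforced=MFA_ENFORCED):
    """Return a dict describing MFA gaps per system and per account.

    - 'system_gaps': system -> sorted users who can reach it without MFA
    - 'privileged_gaps': privileged user -> systems where MFA is not enforced
    - 'all_remote_access_covered': True only if every (user, system) pair
      that grants remote access is MFA-enforced, which is what an
      "MFA enforced on all remote access" application answer asserts.
    """
    system_gaps = {}
    privileged_gaps = {}
    for acct in accounts:
        for system in sorted(acct.access):
            if acct.user not in enforced.get(system, set()):
                system_gaps.setdefault(system, []).append(acct.user)
                if acct.privileged:
                    privileged_gaps.setdefault(acct.user, []).append(system)
    for users in system_gaps.values():
        users.sort()
    return {
        "system_gaps": system_gaps,
        "privileged_gaps": privileged_gaps,
        "all_remote_access_covered": not system_gaps,
    }


def application_answer(report):
    """Translate the report into the answer the firm can actually defend."""
    if report["all_remote_access_covered"]:
        return "MFA enforced on all remote access paths for all users"
    gaps = ", ".join(f"{s} ({len(u)} users)"
                     for s, u in sorted(report["system_gaps"].items()))
    return f"MFA NOT fully enforced; gaps: {gaps}"


if __name__ == "__main__":
    rep = coverage_report()
    for system, users in sorted(rep["system_gaps"].items()):
        print(f"{system}: no MFA for {', '.join(users)}")
    for user, systems in sorted(rep["privileged_gaps"].items()):
        print(f"PRIVILEGED {user}: unprotected on {', '.join(systems)}")
    print(application_answer(rep))
```

The point of the join is that coverage is a property of (user, system) pairs, not of the firm. A single unprotected pair on a privileged account is enough to make "MFA enforced on all remote access" an inaccurate answer, and the report makes that pair visible before the application is submitted rather than during a claim investigation.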
The Risk Is the Gap Between the Application and Reality
The most dangerous part of the renewal process is not always the premium. It is the gap between what the application says and what the environment can prove. If the application says MFA is enforced on all remote access, but remote desktop access is still exposed or a privileged account is excluded, that is not a small wording issue. It is a claim defensibility issue.
The questions that matter before renewal are simple but uncomfortable: Can you show where MFA is enforced? Can you prove EDR is installed across endpoints? Can you show a recent backup restore test? Can you prove RDP is not exposed to the public internet? Can you produce an incident response plan that has been reviewed and tested? If the answer is unclear, the firm should know that before the renewal application goes to the carrier, not after a claim is being investigated.
Misrepresentation is a separate concern from underwriting friction. If a firm answers inaccurately because it did not understand the question, the problem may not appear until the worst possible moment. The goal is not to make the application sound better. The goal is to make the environment match the answers and make the answers accurate enough to defend.
What the Controls Map To. And What VQIS Delivers
Each control underwriters ask about maps to a real operational capability. These are not abstract maturity statements. They are configuration, documentation, monitoring, and evidence questions.
MFA on remote access is enforced through identity provider configuration and conditional access policies across VPN, RDP, Microsoft 365, and administrative logins. EDR is deployed across workstations and servers, monitored continuously, and reviewed for coverage gaps. Tested backup means restore testing is documented, recovery objectives are defined, and backup copies are protected from ransomware encryption through immutability, separation, or other resilience measures. Email authentication means SPF, DKIM, and DMARC are configured and monitored. Incident response planning means the firm has assigned roles, escalation paths, contact lists, and tested procedures that people know how to use.
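"SPF, DKIM, and DMARC are configured" is a yes/no answer on the application, but the records themselves carry settings that range from fully enforcing to effectively useless. The following Python script is an added example written for this post, not code from the original article or from VQIS; it parses SPF and DMARC TXT records and reports the weak settings a reviewer should look for. The records and domain names are constructed for illustration, and in practice they would be read from the domain's DNS TXT records. DKIM is left out because checking it depends on selector lookups and signature verification rather than a single policy record.

```python
"""Added example (not from the original post): grading SPF and DMARC records
for the weaknesses behind an underwriter's "email authentication" question.
Sample records below are constructed; domain names are hypothetical.
"""
import re


def parse_spf(record):
    """Return a list of findings for an SPF TXT record (RFC 7208 syntax)."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    elif all_term in ("all", "+all"):
        findings.append("'+all' authorizes every sender; SPF provides no protection")
    elif all_term == "?all":
        findings.append("'?all' is neutral; unlisted senders are treated as unknown")
    elif all_term == "~all":
        findings.append("'~all' softfail: weaker than '-all' but commonly accepted with DMARC")
    # RFC 7208 caps DNS-lookup mechanisms at 10; exceeding the cap makes the
    # record evaluate as permerror, which again means no protection.
    lookup_terms = [t for t in terms
                    if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", t, re.I)
                    or t.lower().startswith("redirect=")]
    if len(lookup_terms) > 10:
        findings.append(f"{len(lookup_terms)} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        findings.append("'ptr' mechanism is deprecated and slow")
    return findings


def parse_dmarc(record):
    """Return (policy, findings) for a DMARC TXT record (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None, ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; record is ineffective")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: no aggregate reports, so nothing is being monitored")
    return policy, findings


def email_auth_grade(spf_record, dmarc_record):
    """Combine both checks into one grade: 'enforced', 'monitoring', or 'weak'."""
    spf_findings = parse_spf(spf_record)
    policy, _ = parse_dmarc(dmarc_record)
    spf_open = ("not an SPF record" in spf_findings
                or any("+all" in f or "permerror" in f for f in spf_findings))
    if spf_open or policy in (None, ""):
        return "weak"
    if policy == "none":
        return "monitoring"
    return "enforced"


# Constructed sample records (hypothetical domains) spanning the three grades.
SAMPLES = {
    "weak": ("v=spf1 include:_spf.example.net +all", "v=DMARC1; p=none"),
    "monitoring": ("v=spf1 mx include:_spf.example.net -all",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "enforced": ("v=spf1 mx include:_spf.example.net -all",
                 "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"),
}

if __name__ == "__main__":
    for label, (spf, dmarc) in SAMPLES.items():
        print(label, "->", email_auth_grade(spf, dmarc), parse_spf(spf), parse_dmarc(dmarc)[1])
```

The grade distinguishes "configured" from "enforced": a domain with a valid SPF record and a DMARC record at p=none has done the setup work but still delivers spoofed mail, which is the outcome business email compromise depends on. The "monitored" half of the control is the rua address; without it, nobody receives the aggregate reports that would show the policy working or failing.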
Cyber insurance applications are no longer just asking what you believe about your security posture. They are asking whether specific controls can be proven.
What to Do Before Your Next Renewal
If your cyber insurance renewal is coming up in 2026, do not treat it as an administrative task. Treat it as a security control review with financial consequences.
Request the current application early and compare it to the questions you answered last year. Applications change, and a question that sounded broad in the past may now require a much more specific answer.
Assess your environment against the actual application language, not against a generic cybersecurity checklist. The relevant question is whether your environment satisfies the specific controls the underwriter is asking about.
Prioritize the controls that affect insurability and claim defensibility: MFA on remote access, endpoint detection, tested backups, incident response planning, email security, patch management, and exposed remote access paths. These are the areas where assumptions create the most risk.
Document the proof before you submit the application. Screenshots, configuration exports, policy documents, backup test records, EDR deployment reports, and tabletop notes are not busywork. They are the evidence that turns an application answer from a guess into a defensible statement.
What This Means for Greater Sacramento Construction Firms
Cyber insurance pricing may be more favorable than it was during the peak hard-market years, but that does not mean underwriting has gone back to easy. The lasting change is the expectation that security controls are real, documented, and provable.
For construction firms, the practical question before renewal is not simply whether you can afford the policy. It is whether your current environment can support the answers you are giving the carrier. If it cannot, you need time to close gaps before the application is submitted or before a claim forces the issue.
We work with Sacramento-area construction firms to assess their environment against current cyber insurance requirements, identify gaps that affect renewal and claim defensibility, and implement the controls underwriters are actually asking about.
Assess Your Environment Before Your Renewal
If you are not sure whether your current security posture would satisfy a 2026 cyber insurance application, we can tell you. Contact us for a pre-renewal security assessment.