The 2026 Cyber Insurance Checklist for Missouri SMBs
What underwriters are actually asking for in 2026 — and the controls that move St. Louis SMBs from declined to insurable.
Cyber insurance applications used to be three pages. The 2026 versions we're seeing run twenty, and one wrong checkbox can turn a renewal into a non-renewal.
Here's what carriers are actually scoring on this year, in roughly the order they care about:
1. MFA, everywhere
Not just on email. On the VPN. On RDP. On the firewall admin panel. On Microsoft 365 admin accounts. On every privileged identity, period. "We have MFA on Microsoft 365" is not a yes anymore.
2. EDR with managed response
Antivirus is not EDR. EDR is not managed EDR. The carriers want a 24/7 SOC behind it. We deliver this through partner SOCs that cost a tenth of what a full in-house program would.
3. Immutable backups, tested
The backup question is now two questions: "are backups immutable" and "have you tested restore in the last 90 days." If you can't answer yes to both, you're getting hit on premium.
4. Patch cadence and EOL software
Every Server 2012 R2 box is a finding. Every unpatched firewall is a finding. Document a 30-day patch SLA and actually hit it.
5. Privileged access management
Domain admin should not be your daily driver. Service accounts should not have interactive logon. Local admin passwords should be unique per machine (LAPS).
6. Email security and DMARC
SPF, DKIM, and DMARC at p=quarantine or stricter. Tag external email with a warning banner. Disable legacy authentication.
7. Awareness training
Annual is the floor. Monthly micro-training plus phishing simulation is the bar.
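A way to check item 6's DMARC requirement before answering the application, as an added example that is not part of the original article. It goes slightly beyond "p=quarantine or stricter" by also flagging the standard sp= and pct= tags, which can weaken an otherwise enforcing policy; the function names and the sample records are constructed for illustration.

```python
# Added example: grade a DMARC TXT record against "p=quarantine or stricter".
# Feed it the TXT value published at _dmarc.<your-domain>.
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC record, or None if it is not one.
    The v=DMARC1 tag must come first."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    policy = tags.get("p", "").lower()
    if policy not in STRICTNESS:
        return ["missing or invalid p= tag"]
    findings = []
    if STRICTNESS[policy] < STRICTNESS["quarantine"]:
        findings.append("p=none is monitor-only, not enforcement")
    # An explicit sp= overrides p= for subdomains.
    if "sp" in tags and STRICTNESS.get(tags["sp"].lower(), 0) < 1:
        findings.append("sp=%s leaves subdomains unenforced" % tags["sp"])
    # pct= below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of mail" % pct)
    return findings

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25",
        "v=DMARC1; p=reject; sp=none",
    ]
    for record in samples:
        print(record, "->", assess(record) or "OK")
```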
We help St. Louis businesses get from "declined" to "insurable" — usually in a 60-90 day program. Book a free assessment and we'll walk through your application together.