Cyber Insurance Has Changed (Quietly, Then Suddenly)
This one’s for the CFOs: it hits risk, money, and the “oh sh*t” conversations with insurers all at once.
A few years ago, cyber insurance applications were… optimistic.
Tick-box questions.
Best-effort answers.
A lot of “we plan to”.
That era is over.
Modern cyber insurers now assume one thing:
If you don’t control email, you don’t control risk.
And the fastest way for them to measure that?
Email authentication – specifically DMARC.
Why Insurers Care So Much About Email
Because from an insurer’s point of view:
- Most claims start with email
- Most losses come from impersonation
- Most “breaches” are actually fraud and deception, not malware
Business Email Compromise (BEC):
- Bypasses antivirus
- Bypasses firewalls
- Exploits human trust
- Produces clean, expensive claims
From an underwriting perspective, email is the highest-ROI control to assess.
What Cyber Insurers Are Now Looking For
Increasingly common requirements include:
1. DMARC Implemented (Not Just Present)
Insurers are no longer impressed by:
- p=none
- “We’re monitoring”
- “It’s on the roadmap”
They want:
- Enforced DMARC
- Ideally p=quarantine or p=reject
Why? Because p=none does not reduce claims.
If this is new to you, start with the main guide: DMARC: The Email Security Standard You Can’t Afford to Ignore.
2. SPF & DKIM Properly Aligned
Underwriters increasingly ask:
- Are SPF and DKIM configured?
- Are they aligned with the From domain?
- Are third-party senders controlled?
Misalignment = spoofing risk = higher premiums.
3. Proof, Not Promises
This is the uncomfortable bit.
Insurers may ask for:
- Screenshots of DMARC records
- Evidence of enforcement
- Confirmation that spoofing is blocked
Some policies now include warranties, meaning:
If you said you had DMARC and you didn’t…
claims can be reduced or denied.
Yes. Really.
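The three requirements above boil down to questions you can answer from your own DNS before an underwriter asks. Below is an added example, not code from the original post or from Morse, that parses a DMARC TXT record, reports whether the policy is actually enforced (p=quarantine or p=reject applied to 100% of mail), whether aggregate reporting is switched on, and checks SPF/DKIM identifier alignment in relaxed and strict mode. The record strings and the example.com domain are constructed samples; in practice you would feed it the output of a `dig TXT _dmarc.<yourdomain>` lookup. The organizational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Assess a DMARC record the way an insurer's questionnaire does.

Added example, not the original post's code. Records below are constructed
samples for a placeholder domain (example.com); replace with a real
_dmarc.<domain> TXT lookup.
"""

# Constructed sample records (not real DNS lookups)
SAMPLE_RECORDS = {
    "monitoring-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com; pct=100",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels. Real checkers
    use the Public Suffix List; this is enough for example.com-style names."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment between the From: domain and the domain
    that passed SPF or DKIM. Strict ('s') needs an exact match; relaxed
    ('r', the default) accepts a shared organizational domain."""
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def assess(record: str) -> dict:
    """Answer the underwriter's questions: enforced or not, covering all
    mail or not, and is there a reporting trail (rua) as evidence."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()   # p is mandatory; 'none' if absent is our assumption
    pct = int(tags.get("pct", "100"))        # DMARC default is 100
    enforced = policy in ("quarantine", "reject") and pct == 100
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets {policy}")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no evidence trail")
    return {
        "policy": policy,
        "pct": pct,
        "enforced": enforced,
        "spf_alignment": tags.get("aspf", "r").lower(),
        "dkim_alignment": tags.get("adkim", "r").lower(),
        "reporting": "rua" in tags,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess(rec)
        verdict = "ENFORCED" if result["enforced"] else "NOT ENFORCED"
        print(f"{name}: {verdict} (p={result['policy']}, pct={result['pct']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The "partial" sample is the case that trips people up: p=quarantine looks enforced on a screenshot, but pct=25 means three quarters of spoofed mail is still delivered, which is exactly the gap an insurer's investigator will find after a claim.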
The Claim Denial Nobody Warns You About
Here’s the nightmare scenario we’re seeing more often:
- Company suffers invoice fraud
- Loss claimed under cyber policy
- Insurer investigates
- Discovers:
  - No enforced DMARC
  - Domain easily spoofed
- Insurer argues:
  - “Reasonable security controls were not in place”
Outcome?
- Reduced payout
- Delayed payout
- Or flat-out rejection
All because email authentication was “planned”.
DMARC as a Risk Signal (Not Just a Control)
To insurers, DMARC isn’t just technical.
It signals:
- Governance maturity
- Security awareness
- Reduced likelihood of repeat claims
Which can mean:
- Better premiums
- Better terms
- Fewer exclusions
DMARC won’t guarantee coverage –
but not having it increasingly guarantees scrutiny.
The Brutal Truth for Leadership Teams
When insurers ask about DMARC, they’re really asking:
“If someone pretends to be you by email, will it work?”
If the honest answer is “maybe”,
your risk profile just spiked.
And in 2026, that has financial consequences.
Where Businesses Go Wrong
Common (and costly) misunderstandings:
- “Our IT provider handles that”
- “It’s a Microsoft thing”
- “We’ve never had a problem”
Insurers don’t insure past luck.
They insure future probability.
How DMARC Fits Into a Defensible Insurance Posture
DMARC is usually assessed alongside:
- MFA enforcement
- Conditional access
- Security awareness training
- Incident response planning
But email authentication is often the first gate.
Fail it, and everything else is questioned.
See how DMARC interacts with SPF and DKIM here: DMARC vs SPF vs DKIM: What They Do, How They Work, and Why You Need All Three.
The Morse Take
Cyber insurance used to be about recovery.
Now it’s about preventability.
If a loss could have been avoided with basic controls –
insurers expect those controls to exist.
DMARC is no longer “nice to have”.
It’s table stakes.
If your domain can be spoofed,
your risk model is broken – and insurers know it.
Related Reads in This DMARC Cluster
- DMARC policy types explained
- Common DMARC mistakes that break email
- How to read DMARC reports properly
- DMARC for Microsoft 365 and Google Workspace
All roads still lead back to:
DMARC: The Email Security Standard You Can’t Afford to Ignore
Dot. Dash. Insurable.