Evidence Beats Attestation: How Underwriters Evaluate Workforce Risk in 2026

Banner Image

Evidence Beats Attestation: How Underwriters Evaluate Workforce Risk in 2026

Banner Image

Somewhere in last year's renewal packet, someone on your team answered yes to this question: "Is multi-factor authentication enforced on all accounts with access to business data?"

Was it true? Not "true for the accounts we thought about." True for the shared finance mailbox. True for the three service accounts IT set up during the migration and forgot. True for the contractor who offboarded in March but whose VPN credential didn't.

This is where cyber claims go to die. In one analysis of denied claims, 82% involved organizations that couldn't verify MFA compliance when the carrier's forensics team came looking. The questionnaire stopped being paperwork a while ago. It's a security audit with a delayed grade, and the grade arrives at the worst possible moment: after the incident, when you're asking the carrier to pay.

The renewal conversation has quietly changed shape. It's no longer about whether you have controls. It's about whether you can prove they work on every employee, every account, every device. Attestation is out. Evidence is in.

Cheaper to Buy, Harder to Qualify For

Here's the paradox of the current market. Cyber insurance is in its softest stretch in years: eight consecutive quarters of rate cuts through Q1 2026, with cumulative declines around 27% since mid-2022. If a vendor's pitch is "buy our product to lower your premium," they're selling you the wrong decade's problem. Your broker is already lowering your premium. That's what a soft market does.

What the soft market did not soften is qualification. Carriers now expect phishing-resistant MFA, documented ongoing training, and simulated phishing data as table stakes, with completion rates above 90% and at least quarterly cadence. Organizations that fail the underwriting audit see premium increases of 40 to 100%, coverage exclusions, or outright denial into surplus lines at triple the standard rate.

And the bar is still rising. Industry loss ratios climbed for the second straight year, which means carriers are paying out more per premium dollar even as prices fall. Something has to give, and it won't be their scrutiny. When this market hardens again, the organizations that can produce evidence on demand will renew on good terms. Everyone else will rediscover what 2021 felt like.

The Claims Are Coming From Your Workforce

Underwriters don't gate on workforce controls out of habit. They gate on them because that's where their losses live. Business email compromise and funds transfer fraud together accounted for 60% of claims filed in 2024. The human element shows up in roughly 60% of breaches tracked by Verizon's DBIR.

The lazy read of those numbers is "users are the weakest link." That framing is wrong, and it leads to wrong-headed fixes. Your employees aren't the weakest link; your coverage is. A phishing-resistant MFA policy that covers 94% of accounts is a 6% open door, and attackers are patient enough to find it. Human risk isn't a character flaw in your workforce. It's the measurable gap between the controls you bought and the controls actually running on every person, credential, and laptop in the company. Insurers price that gap because it predicts their losses better than your tooling budget does.

The Attestation Trap

Every yes on a renewal questionnaire is a representation the carrier relies on to price your risk. An unverifiable yes isn't just a coverage gap waiting to be discovered. It's grounds for rescission.

This isn't hypothetical. In Travelers v. International Control Services, the carrier didn't merely deny a ransomware claim; it moved to rescind the entire policy because the insured had attested to MFA it wasn't fully enforcing. The policyholder agreed to rescission in the settlement. Read that again: the company had insurance, paid for insurance, and ended up with no policy at all because a questionnaire answer didn't survive contact with forensics.

The trap works like this. Someone answers the questionnaire based on policy, not posture. The policy says MFA everywhere; the posture says MFA almost everywhere. Nobody lies, exactly. But policy exists and control verified on every account are different claims, and only one of them survives a claims investigation.


Carriers have noticed the gap, which is why the evidence bar keeps moving. Annual compliance training is explicitly flagged as insufficient by major carriers. What increasingly differentiates organizations in underwriting is the ability to produce evidence quickly: showing controls working, not describing them. Training happened is an activity metric. Behavior actually changed is an outcome. Underwriters have learned to tell the difference, and your renewal now depends on which one you can demonstrate.

What Renewal-Ready Evidence Looks Like

The questionnaire's control categories map cleanly to the surfaces your workforce touches. For each one, there's a checkbox answer and there's evidence. Here's the difference.

Identity posture. The checkbox says "MFA is enforced." Evidence is a live enrollment number: what percentage of accounts, including service accounts, shared mailboxes, and contractors, are enrolled in phishing-resistant MFA today, and what happens automatically when someone falls out. A policy PDF answers the question as of the day it was written. A posture number answers it as of this morning.

Device coverage. The checkbox says "EDR is deployed." Evidence is a coverage percentage across the full fleet, with a trend line. Every environment has sensors that went offline, laptops that never got enrolled, and machines running an OS old enough to vote. The gap between owning security tools and having them work on every device is exactly what a forensics team finds after an incident, so it's exactly what you should be able to see before one.

Behavior. The checkbox says "employees complete security training." Evidence is a trend: phishing simulation failure rates declining quarter over quarter, reporting rates rising, repeat-clicker counts shrinking. Completion certificates prove attendance. Trend lines prove change, and change is what the carrier is pricing.

Vulnerability remediation. The checkbox says "we patch regularly." Evidence is time-to-remediate, measured and shrinking. Scan counts tell an underwriter you can find problems. Closure velocity tells them you can fix them, which is the only part that reduces their exposure.


Notice the pattern. In every category, the evidence that satisfies an underwriter is the same evidence that would satisfy you as a security leader. The renewal isn't asking for anything your program shouldn't already produce. It's asking whether your program produces it or just asserts it.

Just-in-Case Awareness Won't Get You There

Here's where we take a side. Over the past few years, the security awareness training industry rebranded itself as "human risk management." New label, same product: phishing simulations, training modules, and a risk score stapled on top. The rebrand papers over the industry's core problem, which is that awareness doesn't translate into action often enough to move the numbers underwriters care about.

Call it what it is: just-in-case awareness. Train everyone on everything, in case some of it sticks, in case they remember it months later, in case the attack looks like the training. Carriers have effectively rendered their verdict on this model already; it's why annual training is flagged insufficient and why questionnaires now ask for behavioral data instead of completion rates. And even a best-in-class training program answers exactly one row of the questionnaire. It has nothing to say about MFA enrollment, EDR coverage, or patch velocity, which is where the other rows live.

The alternative is just-in-time guidance: engage the specific person with the specific gap at the moment it matters. Not "all staff completed module 7," but "the AI agent noticed your MFA enrollment lapsed during the phone upgrade, reached out on Slack, explained why it matters, and walked you through re-enrolling in four minutes." That's the human-centric model: treat employees as capable adults who fix things when someone makes it easy, not as liabilities to be lectured just in case.

Workforce Security Turns the Renewal Into a Receipt

This is the problem workforce security exists to solve, and it's why Amplifier looks different from the rebranded training vendors. The platform does two things that map directly onto the renewal.

First, it gives you the evidence layer. Amplifier's Human Risk Graph connects to the security stack you already run and builds a live map of workforce posture: identity, devices, apps, behavior, and vulnerabilities in one place. When the questionnaire asks about MFA coverage, you don't excavate spreadsheets. You read a number off a dashboard, with the history to back it up.

Second, and more to the point, it moves that number. Ampy, Amplifier's AI security agent, engages the specific employees behind each gap and guides them through fixing it themselves, human-in-the-loop the whole way. Customers have taken EDR and DLP coverage from 60% to 98%, closed 7,500 endpoint vulnerabilities in under 30 days, and pushed phishing-resistant MFA adoption from 90% to 99%. Those aren't awareness metrics. They're the posture numbers a forensics team would find, improved before anyone came looking.

That's the reframe worth leaving with: stop preparing for your renewal like it's an exam. Build a workforce security program whose normal operating output is the evidence, and the renewal becomes a receipt for work already done. Your carrier gets a lower-risk insured. You get better terms, a defensible questionnaire, and a security posture that's actually what the paperwork says it is.

If you want to see where your questionnaire answers and your actual posture disagree, request a demo and free human risk assessment. It's a faster way to find out than a claims investigation.

Frequently Asked Questions

What security controls do cyber insurers require in 2026?

Cyber insurance carriers in 2026 treat a core set of controls as qualification requirements rather than pricing factors: phishing-resistant multi-factor authentication (MFA) on all accounts including email, VPN, remote access, and privileged accounts; endpoint detection and response (EDR) across the full device fleet; immutable or offline backups; a tested incident response plan; and documented, ongoing security awareness training with completion rates above 90% and at least quarterly frequency. Organizations that cannot demonstrate these controls face premium increases of 40 to 100%, coverage exclusions, or denial into surplus lines markets. Increasingly, carriers also distinguish between attesting to a control and verifying it, asking for evidence such as MFA enrollment percentages, EDR coverage numbers, and phishing simulation trend data rather than policy documents.

Why do cyber insurance claims get denied?

The most common reason cyber insurance claims are denied is a gap between what the organization attested to on its application and what forensic investigation finds after an incident. In one analysis, 82% of denied claims involved organizations that could not verify MFA compliance on the affected systems. Other frequent causes include failure to maintain controls the policy required as a condition of coverage, incidents falling under exclusions such as acts of war or prior known vulnerabilities, and late notification. In severe cases carriers pursue rescission rather than denial: in Travelers v. International Control Services, the carrier rescinded the entire policy after a ransomware claim because the insured had attested to MFA it was not fully enforcing. The practical defense is verified, continuously monitored control coverage rather than policy-based attestation.

Does security awareness training lower cyber insurance premiums?

Mostly no, and vendors claiming otherwise are overselling. In the current soft market, premiums are falling broadly regardless of training investment, and underwriters rarely offer line-item discounts for individual controls. What security awareness training actually does is keep you eligible: carriers flag annual compliance-only training as insufficient and expect documented, ongoing programs with simulated phishing, so a weak program raises premiums, narrows coverage, or blocks renewal. The controls that most influence underwriting outcomes are verified MFA coverage, EDR deployment across the full fleet, and demonstrated remediation velocity. Where discounts do exist, such as programs offering 5 to 30% reductions tied to measured breach likelihood, they reward overall verified security posture, not training completion rates in isolation.