Cyber insurance premiums have been getting cheaper for most of two years. Marsh and Aon both report consecutive quarterly rate cuts running from 2024 into 2026. If you only watch the price line, the obvious read is that pressure is coming off the market and cyber cover is turning into an easy renewal again. That read is wrong, and the gap between it and reality is the whole point of this piece.
The price fell. The bar rose. While premiums softened, carriers quietly moved a list of security controls (multi-factor authentication, endpoint detection, immutable backups, tested incident-response plans) from "recommended" to pass or fail on the underwriting questionnaire. Cheaper policy, harder qualification. For an MSP and its clients, that means the requirements you can now satisfy to get covered are turning into a de facto operating standard, whether or not anyone in your market has called it that.
Here is the part almost nobody has connected, and I want to be clear up front that this next claim is my own synthesis rather than a reported fact. A client book that cannot pass renewal underwriting is a book with elevated churn and liability risk that has not been named as such yet. That makes insurability an unpriced item in MSP and MSSP acquisition diligence. I read this from the buyer's seat because that is the seat I spent a decade in. I moved more than $7bn of transactions across investment banking and private equity, sat on a board through a $300M-plus exit, and now I run growth for MSPs and cyber firms. When an operating requirement hardens across an entire market, I look for where it will surface in a valuation before it shows up in anyone's guide. It has not shown up yet, and that is exactly why I am writing this.
The contradiction: cheaper premiums, harder questions
Start with the price, because it is real and it is verifiable. Marsh's cyber market update puts US cyber rates down 5 percent on average in the fourth quarter of 2024 and expects favorable conditions to continue. Reported figures from Marsh's broader index (treat these as secondary, not a direct quote) extend the run to eight consecutive quarterly cyber rate cuts through the first quarter of 2026, with global cyber down around 7 percent in Q4 2025 and 5 percent in Q1 2026. Aon's pricing read agrees on direction: North America cyber rates down about 4 percent on average in Q2 2025, Canada down 19 percent in Q1 and 16 percent in Q2 2025. So the softening is multi-source and not in dispute.
Now pair it with the thing the price line hides, because you should never look at one without the other. Aon's own data shows the decline decelerating, from a steeper drop in Q1 2025 to that softer 4 percent in Q2, which is what a market looks like near the bottom of a pricing cycle rather than in free fall. And the reason the bottom is near is not a mystery: the losses are getting worse even as the premiums get cheaper. That is an unstable combination, and carriers know it. When a carrier cannot raise price fast enough, it tightens the gate instead. The pressure moved from what you pay to whether you qualify.
My operator read is that this is the more dangerous kind of pressure, precisely because it is quiet. A 20 percent premium hike gets a finance director's attention. A renewal questionnaire that adds three new pass-or-fail control requirements does not, until the day a client cannot answer yes to all of them and the quote comes back with an exclusion that guts the coverage, or does not come back at all.
What carriers actually require now
The requirements are not a secret and they are not exotic. Coalition, a cyber carrier, publishes its baseline for eligibility: multi-factor authentication, employee cybersecurity training, data backups held both on-site and off-site with regular recovery testing, identity and access management, and data classification under least-privilege access. Coalition lists endpoint detection and antivirus, firewalls, incident-response plans, and security risk assessments as additional recommended controls on top of those five. That is one carrier's stated floor, in its own words.
| Control | Coalition's tier | What it proves to an underwriter |
|---|---|---|
| Multi-factor authentication | Baseline (eligibility) | Stolen credentials alone cannot open the door |
| Employee security training | Baseline | The most common entry path, email, is defended by the humans |
| Backups, on-site and off-site, recovery tested | Baseline | A ransomware hit does not force a payment to recover |
| Identity and access management | Baseline | Access is scoped, so one compromise is contained |
| Data classification, least privilege | Baseline | The crown-jewel data is not reachable by every account |
| Endpoint detection and response, antivirus | Recommended | Attacks are caught in progress, not just at the perimeter |
| Firewalls, IR plan, risk assessments | Recommended | The response is planned, not improvised, when it matters |
The bar is not uniformly hardline everywhere, and it is worth saying so, because a monolith is easy to dismiss and a spectrum is not. Travelers frames MFA on remote network access, privileged accounts, and remote email access as expected best practice rather than a stated contractual minimum on that page, and it cites a CISA figure that 99.9 percent of account-compromise attacks can be blocked by implementing MFA. Travelers even offers its CyberRisk policyholders access to security coaching through HCL Technologies to help them get there. That is a softer, more advisory posture than the pass-or-fail language you see in MSP-vendor marketing. The market is a range, from Coalition's explicit eligibility list to Travelers' guided best practice. But the direction of travel across carriers is the same: the controls that used to earn a discount are becoming the controls that decide whether you get a policy at all.
One clarification that trips people up on the questionnaire. When a carrier asks for "endpoint detection and response," it usually wants EDR as a deployed capability. MDR, managed detection and response, is EDR plus a human team watching and responding around the clock. Deploying the tool satisfies the checkbox; buying the managed service is what actually catches the attack at 3am. For an MSP, that difference is both a coverage question and a service-revenue question, which is a large part of why cyber insurers have started buying MSSPs outright.
The claims data behind the tightening
Underwriters tighten because the loss data tells them to, and the carriers publish enough of that data to see the shape. Read it with one caveat in mind: these are companies selling insurance and claims services, so their numbers show their own book, not a neutral industry benchmark.
Coalition's 2026 cyber claims report, drawn from claims across more than 100,000 global policyholders in 2025, found 58 percent of claims were email-based, ransomware demands surged 47 percent year over year to an average above $1M, and 70 percent of ransomware incidents involved both encryption and data exfiltration. The prior year's 2025 report put average ransomware loss at $292,000 and noted business email compromise plus funds-transfer fraud made up 60 percent of all claims. Coalition also markets that its policyholders "experience 73 percent fewer claims than the industry average," which is Coalition's own self-comparison against NAIC data rather than an independent audit, so read it as a marketing claim with a real mechanism behind it, not a benchmark.
At-Bay, another cyber carrier, reports average ransomware severity of $468,000 in 2024, overall claims frequency up 16 percent year over year, and ransomware frequency up nearly 20 percent. The number that matters most for the mid-market MSP client base: companies with $25M to $100M in revenue saw a 46 percent jump in ransomware frequency and a 47 percent jump in severity. At-Bay found 80 percent of its 2024 ransomware claims began with remote access tools like RDP and VPN, and 83 percent of financial-fraud incidents started with a malicious email. At-Bay's own data, as reported by CSO Online, adds that self-managed VPN users were roughly four times more likely to suffer ransomware than cloud-based VPN users. Every one of those figures maps straight back to a control on the underwriting questionnaire. That is not a coincidence. The questionnaire is the loss data, turned into a gate.
Why this is becoming an operating standard
An insurance requirement becomes an operating standard the moment failing it costs you the business, not just the discount. That threshold has been crossed for MSPs and their clients, and it works through three mechanics.
The renewal questionnaire is now a churn event
A client renewing its cyber policy has to attest to its controls. If the client runs on an MSP, those controls are largely the MSP's responsibility, so the questionnaire is really an audit of the MSP's own delivery. A client that cannot answer yes and gets hit with an exclusion, a much higher premium, or a declination will ask exactly one question: why is my IT provider not giving me what my insurer says I need. That is how a failed renewal turns into a churn event, and churn is the single most important thing an acquirer prices in an MSP book.
The MSP carries downstream liability
SeedPod Cyber, a cyber insurance MGA that underwrites policies for MSPs, argues that MSPs increasingly carry downstream liability exposure when a client turns out to be uninsured or under-insured after an incident, because the client's recovery options narrow to going after the MSP relationship. Take that as a market participant's claim rather than settled fact, since SeedPod sells into exactly this problem. But the logic is hard to wave off: if you were the provider responsible for the controls that failed, and the client's insurer walks away, you are the deepest pocket left standing.
One weak client can taint the book
Aggregation risk is the version of this that keeps carriers up at night. An MSP is a single point of failure sitting above dozens or hundreds of client networks running the same stack, the same RMM tool, the same patching cadence. One compromise at the MSP level can propagate across the entire client base at once, which is a correlated loss rather than a diversified one. A carrier that insures many clients of the same weak MSP is holding a concentration it may not have priced. That is why insurability at the MSP level is quietly becoming a property of the whole book, not just of each client in isolation.
Insurability as an unpriced diligence item
Now the synthesis, and I am going to label it clearly because it deserves the honesty: this connection is my argument, not an industry consensus. I checked. The two most current dedicated MSP and MSSP valuation guides on the market do not treat insurability as a valuation driver at all.
CT Acquisitions' MSSP M&A Multiples Report 2026 lists eighteen named valuation drivers. Not one of them is cyber insurance, insurability, or carrier security requirements. The only insurance in the whole report is representations-and-warranties insurance as a deal-closing mechanism, plus one mention of "cyber insurance panel relationships" framed purely as a lead-generation asset. Auxo Capital Advisors' MSSP M&A 2026 guide gives it exactly one sentence, listing "cyber insurance alignment" among several factors that "can affect valuation and deal structure," with no mechanism, no multiple, and no elaboration. The whitespace is real.
Here is why that whitespace matters, built from mechanics that the same guides do document. CT Acquisitions' own IT services valuation work is clear that recurring-revenue quality is the dominant valuation lever, more than any other single factor. An MSP with sub-$1M EBITDA and under 60 percent recurring revenue trades around 4 to 7 times EBITDA; one with $10M-plus EBITDA and 85-percent-plus recurring revenue reaches 10 to 15 times. Cybersecurity-services businesses run higher, roughly 8 to 15 times and up. Treat all of those as advisory-firm synthesis estimates, not audited transaction data. The point is not the exact number. The point is that the multiple is a bet on the durability of the recurring revenue.
So follow the chain. Insurability failure raises churn risk (the renewal-questionnaire mechanic) and adds liability exposure (the downstream and aggregation mechanics). Churn and liability are precisely what erode recurring-revenue durability. Recurring-revenue durability is the thing the multiple is priced on. Therefore a client book that cannot pass renewal underwriting is, mechanically, a book that should carry a lower multiple, even though no current guide has drawn the line that way. This is judgment, not data. I am not going to invent a discount percentage, because no source states one and a made-up number would be worse than an honest gap. But an acquirer who runs recurring-revenue and churn analysis without ever asking whether the underlying book is insurable is measuring the symptom and ignoring one of its causes.
That gap will not last. It is the same de facto standard-setting that NIS2 and DORA compliance and the CMMC land grab are doing through regulation, only here the enforcer is an underwriter instead of a regulator. Regulatory baselines eventually get priced into diligence. Insurance baselines will too, and the first buyers to run the check will get a real information edge over the ones still working off last year's valuation guide.
What to do about it
The practical read splits by which side of the table you sit on.
If you own an MSP and might sell
Get the client book insurable before you go to market, and treat it as part of exit readiness, not an IT chore. Walk every client through a live carrier questionnaire and fix the fails: MFA everywhere, EDR deployed (ideally managed), immutable and recovery-tested backups, a written and tested incident-response plan. Two reasons this pays. First, SeedPod Cyber, the MSP-focused MGA, claims clients that can document MFA, EDR, immutable backups, and privileged-access management "routinely save 20 to 40 percent on premiums" versus peers who cannot, which is an unsourced vendor claim but a plausible retention tool you can hand your clients. Second, and larger, a book where every client can pass renewal underwriting is a book with lower churn risk, which is the input that actually drives your multiple. You are not doing security hygiene. You are protecting the recurring-revenue durability that a buyer pays for. This sits directly on top of the ordinary MSP valuation multiples and the recurring-revenue and churn drivers that set them.
If you buy MSPs
Add insurability to the diligence checklist before your competitors do. Ask for the client base's current cyber-insurance status, the last round of renewal questionnaires, and any exclusions or declinations in the past two renewals. A book where a chunk of clients are one questionnaire away from an exclusion is a book with hidden churn and liability loaded into it, and right now that risk is sitting unpriced because the buyers running MSP diligence (including the private-equity firms that were in 69 percent of 2025's disclosed MSP deals, per CT Acquisitions) are not yet asking. The same discipline applies whether you are pricing a median MSP deal or planning the full exit lifecycle. This is the cheapest edge available in MSP M&A right now, because it costs nothing but a few added questions and it prices a risk nobody else is pricing.
One honest close. The softening premiums are verified, the carrier requirements are quoted from the carriers' own pages, and the claims data comes from the carriers who hold the losses. The one thing I cannot hand you with a citation is the valuation link itself, because no guide has drawn it yet. That is the argument I am making from mechanics, and it is the reason this piece exists. If you want the fuller picture of who ends up owning these businesses, I mapped the carriers moving into the space in insurers buying MSSPs, and the buyer landscape in who buys MSPs. If you run an MSP or invest in one, run the insurability check on the book now, while it is still an edge and not yet table stakes.
Frequently asked questions
Coalition, a cyber carrier, publishes its eligibility baseline as multi-factor authentication, employee security training, data backups held on-site and off-site with regular recovery testing, identity and access management, and least-privilege data classification. Endpoint detection and response, firewalls, incident-response plans, and risk assessments sit on top as recommended controls. The bar is not identical across every carrier: Travelers, for example, frames MFA as expected best practice rather than a stated contractual minimum. But the direction is consistent, and the controls that used to earn a discount are increasingly the ones that decide whether a policy is offered at all.
Yes, and this is aggregation risk. An MSP sits above dozens or hundreds of client networks that often share the same stack, RMM tool, and patching cadence, so one compromise at the MSP level can propagate across the whole client base as a single correlated loss rather than a diversified one. Carriers watch that concentration closely. SeedPod Cyber, an MGA that underwrites MSP policies, also argues that MSPs carry downstream liability when a client turns out to be uninsured after an incident, because the client's recovery narrows to going after the MSP. Treat that as a market participant's claim, but the exposure is real.
It creates a direct path to it. When a client renews cyber cover, it must attest to its controls, and for a client that runs on an MSP those controls are largely the MSP's delivery responsibility. If the client cannot answer yes and gets an exclusion, a steep premium increase, or a declination, the obvious question becomes why the IT provider is not supplying what the insurer requires. That is a live reason to switch providers, which is why insurability failures translate into churn risk, the single biggest thing an acquirer prices in an MSP's recurring-revenue base.
Down, but that is only half the story. Marsh reports US cyber rates down about 5 percent in Q4 2024 with the softening continuing into 2026, and Aon shows North America cyber down roughly 4 percent in Q2 2025, though the decline is decelerating. Falling price does not mean an easier renewal. Carriers responded to worsening loss data by moving controls like MFA, EDR, and tested backups from recommended to pass-or-fail on the questionnaire. The pressure shifted from what you pay to whether you qualify, so the underwriting bar keeps rising regardless of price direction.
Not yet, in any systematic way, which is the point of this article. The two most current dedicated MSP and MSSP valuation guides, from CT Acquisitions and Auxo Capital Advisors, do not treat insurability or carrier security requirements as a named valuation driver. CT Acquisitions lists eighteen drivers and none is cyber insurance; Auxo gives the topic a single sentence. My argument, built from mechanics rather than reported as consensus, is that insurability failure raises churn and liability risk, which erode the recurring-revenue durability that the multiple is actually priced on. Acquirers who add the check now get an information edge.
The clearest figure comes from SeedPod Cyber, a cyber insurance MGA serving MSPs, which claims that clients able to document MFA, EDR, immutable backups, and privileged-access management routinely save 20 to 40 percent on premiums versus peers who cannot document those controls. Note that this is an unsourced vendor claim from a company that sells MSP policies, not independently verified data, so treat the exact range with caution. The more durable benefit is not the discount. It is eligibility itself: documented controls are increasingly what separates a book that can renew cleanly from one facing exclusions or declinations.
Because an MSP is a shared dependency, not an isolated vendor. Its clients frequently run the same tools, the same remote-access setup, and the same maintenance routines, all managed from the MSP's own systems. When the MSP itself is compromised, the attack can reach many clients at once, producing a correlated loss instead of the diversified, independent losses insurers price around. For a carrier holding policies on multiple clients of the same MSP, that is a concentration risk. It is why the insurability of the MSP is starting to function as a property of the whole client book rather than of each client on its own.