Cyber Insurance Requirements in Texas: A 2026 Checklist for Dallas Small Businesses


By Tom Cloud, Founder, 48 Technologies. Published April 23, 2026.

If you run a small business in Dallas-Fort Worth, your cyber insurance renewal this year is going to be harder than your last one. Premiums are still up, the questionnaire is longer, and the controls insurers want to see have shifted again. None of that is the headline.

The headline is this: even if you get coverage, your application is now a legally binding document that insurers will use against you if you ever file a claim.

In 2022, Travelers asked a federal court to void an entire policy with a manufacturing client after the client got hit with ransomware — not because the client was uninsured, but because forensic investigators found that multi-factor authentication (MFA) wasn’t actually deployed where the application said it was. More recently, a U.S. municipality had an $18.3 million claim denied for the same reason: MFA was attested to on the application, but the post-incident forensic review found gaps.

And in industry data from the back end of 2025, 82% of denied cyber insurance claims involved organizations that didn’t have MFA fully implemented — even though most of those organizations checked “yes” to the MFA question on their applications.

If you’re a Dallas small business owner who buys cyber insurance the way you buy general liability — fill out the form, write the check, file it away — this post is for you. Below is the checklist I walk every 48 Technologies client through before their renewal.

Why insurers are tightening the screws (again)

A quick context-set, because the “why” matters more than the “what.”

Cyber insurance is a young market. From 2015–2020, carriers wrote policies at scale with very loose underwriting. Then ransomware happened — actually, then ransomware kept happening — and loss ratios blew up. By 2022 most major carriers were either pulling out of the SMB market or rewriting underwriting from scratch.

The market has stabilized in 2025–2026, but with a permanent shift: insurers are now treating cyber the way they treat fire insurance. They want to see specific controls in place, they want documented evidence those controls work, and they will absolutely deny a claim if the controls weren’t where you said they were.

Marsh McLennan’s most recent industry data found that 41% of cyber insurance applications are denied on first submission. The two most common reasons: missing or incomplete MFA, and inadequate endpoint protection.

The 2026 underwriting checklist

Here’s what you should expect to see on a 2026 cyber insurance application for a Dallas SMB. If you can’t honestly answer “yes” to all of these, you have a renewal problem.

1. Multi-factor authentication, everywhere it matters

This is the single biggest line item. Insurers want MFA enforced on:

  • All email accounts (Microsoft 365, Google Workspace, anything else)
  • All VPN access
  • All cloud admin portals (Azure AD/Entra, AWS, Google Cloud, Microsoft 365 admin)
  • All remote access tools (RDP, RMM, screen-sharing tools)
  • Privileged accounts (domain admins, server admins)
  • Customer-facing portals where applicable

The trap: many SMBs deploy MFA on email and assume that satisfies the question. It does not. The application asks whether MFA is enforced everywhere it should be. If your VPN, RDP, or admin accounts are excluded — even unintentionally — you have a misrepresentation problem waiting to happen.

Phishing-resistant MFA (FIDO2 hardware keys, certificate-based authentication) is increasingly preferred for privileged accounts. SMS-based MFA is still accepted but viewed as the weakest acceptable form.

2. EDR or MDR on every endpoint

Traditional antivirus is no longer acceptable to most carriers. You need Endpoint Detection and Response (EDR) — or, ideally, Managed Detection and Response (MDR) where a security team monitors the EDR around the clock.

For a 25–75 employee Dallas business, EDR alone is often enough to clear underwriting. For regulated verticals (healthcare, legal, financial services, anything CMMC-adjacent), MDR is increasingly required.

3. Backups that meet the 3-2-1-1 standard

The new bar:

  • 3 copies of your data
  • on 2 different media types
  • with 1 stored offsite
  • and 1 stored in an immutable or air-gapped state (so ransomware can’t encrypt it)

The last one is the change. Underwriters want immutable backups specifically because ransomware actors now go after backup systems first. If your backups live on the same network as your production environment with no immutable copy, you will fail this question.

4. A written incident response plan (and a tabletop exercise)

Roughly 79% of carriers now require a documented incident response plan. The plan should cover: who decides what, who calls the lawyer, who calls the cyber insurance carrier (and in what order), who talks to employees, who talks to customers, who talks to the media.

A growing number of carriers also want evidence that you’ve actually run a tabletop exercise — at least once a year — to pressure-test the plan. “We have a plan in a binder” is not the same as “we’ve practiced the plan.”

5. Privileged access management

About 71% of insurers now require some form of privileged access management. The basic version: admin accounts are separated from daily-use accounts, monitored, and protected with stronger controls.

If your IT person logs into their personal email from the same account that has Domain Admin rights, you have a problem.

6. Patching cadence

Underwriters increasingly ask about your patching policy: how quickly are critical patches deployed, who’s responsible, and how is it verified. Missing patches were the entry point in roughly 30% of 2025 ransomware events. Carriers want to see a documented cadence (typically 30 days for critical patches, 60–90 for everything else) with evidence of compliance.

7. Email filtering with link/attachment sandboxing

Standard email filtering isn’t sufficient anymore. Carriers want to see advanced threat protection that scans links and attachments at click time — not just at delivery — to catch credential-harvesting and malware that gets weaponized hours after the email arrives.

8. Employee security awareness training

This is partly a Texas-specific note: under Texas HB 3834, state and local government employees and certain state contractors must complete annual cybersecurity awareness training certified by the Texas Department of Information Resources. If you do work for any Texas governmental entity, you should expect to be asked about this on the application.

Even if HB 3834 doesn’t apply to you directly, virtually every cyber insurance carrier now wants to see ongoing security awareness training (not a one-time onboarding video) with phishing simulation results documented.

Texas safe harbor: a defense most Dallas SMBs don’t know they have

One Texas-specific angle worth knowing: in 2023, Texas joined a small group of states (Connecticut, Iowa, Ohio, Utah) with a cybersecurity safe harbor law. The Texas law provides a partial affirmative defense in data breach lawsuits if you’ve implemented and maintained a cybersecurity program that conforms to a recognized framework — NIST CSF, ISO 27001, CIS Controls, HIPAA, PCI DSS, and a handful of others.

This doesn’t reduce your insurance premium. But it does meaningfully reduce your liability exposure if you are sued by affected customers after a breach. For a Dallas SMB carrying a $1M cyber policy, the practical effect is that the safe harbor caps the downside scenario where a single incident could otherwise produce uninsured losses larger than the policy limit.

If you don’t currently align to a recognized framework, this is worth raising with your IT provider or vCISO before your next renewal.

What to do before your 2026 renewal

If your renewal is in the next 90 days, here’s the order of operations:

  1. Pull your last application. Read every yes/no question. For each “yes,” ask: can I prove this was true at the time, and is it still true today? If the answer to either is no, you have a renewal problem and a potential claim problem.
  2. Audit MFA coverage specifically. Don’t trust assumptions. Have someone enumerate every system that should have MFA and verify it’s enforced for every user.
  3. Verify backup immutability. If your backup vendor doesn’t use the words “immutable” or “air-gapped” in their product documentation, you almost certainly don’t have what insurers want.
  4. Document the incident response plan. If it doesn’t exist on paper, write it. If it does exist, run a 90-minute tabletop with your leadership team this quarter.
  5. Talk to your broker before the renewal questionnaire arrives. A good cyber broker will walk you through what underwriters are looking for in 2026 and where your gaps are. If your current broker doesn’t volunteer this conversation, find a new broker.
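Step 2 can be run as a script. The sketch below is an added example, not 48 Technologies' tooling: it checks per-system account exports against the MFA scope from the checklist and reports what would make a "yes" indefensible. The system names, account names and method labels are constructed sample data; real rows would come from each system's own user and MFA report.

```python
from collections import defaultdict

# Categories the checklist says MFA must cover (labels are this example's own).
IN_SCOPE = ["email", "vpn", "cloud_admin", "remote_access", "privileged", "customer_portal"]
PRIVILEGED = {"cloud_admin", "privileged"}
PHISHING_RESISTANT = {"fido2", "certificate"}
BLOCKING = {"MFA_MISSING", "NO_EVIDENCE"}

# Constructed inventory: system name -> category.
SYSTEMS = {"m365-mail": "email", "office-vpn": "vpn", "entra-admin": "cloud_admin",
           "rmm-console": "remote_access", "domain-admins": "privileged"}

# Constructed per-system exports: (system, account, MFA method or None).
ACCOUNTS = [
    ("m365-mail", "alice", "authenticator_app"),
    ("m365-mail", "bob", "sms"),
    ("m365-mail", "scanner-svc", None),       # excluded service account
    ("office-vpn", "alice", "authenticator_app"),
    ("office-vpn", "bob", None),
    ("entra-admin", "alice-adm", "fido2"),
    ("domain-admins", "bob-adm", "sms"),
]                                             # rmm-console: no export collected

def audit_mfa(systems, accounts, in_scope=IN_SCOPE):
    """Return (finding, system_or_category, account) tuples."""
    rows = defaultdict(list)
    for system, account, method in accounts:
        rows[system].append((account, method))
    findings = [("CATEGORY_UNLISTED", cat, None)   # confirm it truly does not apply
                for cat in in_scope if cat not in systems.values()]
    for system, cat in sorted(systems.items()):
        if not rows[system]:
            findings.append(("NO_EVIDENCE", system, None))  # cannot prove a "yes"
            continue
        for account, method in rows[system]:
            if method is None:
                findings.append(("MFA_MISSING", system, account))
            elif cat in PRIVILEGED and method not in PHISHING_RESISTANT:
                findings.append(("PREFER_PHISHING_RESISTANT", system, account))
    return findings

def can_attest_yes(findings):
    """A 'yes' is only defensible with no missing MFA and no unverified system."""
    return not any(kind in BLOCKING for kind, _, _ in findings)

if __name__ == "__main__":
    results = audit_mfa(SYSTEMS, ACCOUNTS)
    for finding in results:
        print(finding)
    print("Safe to answer yes:", can_attest_yes(results))
```

A system with no export counts as a gap on purpose: an unverified system is exactly the kind of assumption a post-incident forensic review will test.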

Want a second set of eyes on your application before you sign it? 48 Technologies offers a free 30-minute Cyber Insurance Application Audit for Dallas-Fort Worth SMBs. I’ll personally review your most recent application against the controls underwriters are verifying in 2026 and send you a 1–2 page risk memo flagging anything that looks like a misrepresentation problem before it becomes a denied claim. No cost. No obligation. No sales pitch.

The bottom line

Cyber insurance in 2026 isn’t a financial product, and it isn’t a checkbox. It’s a legal contract that obligates you to maintain specific security controls — and that gives the insurer permission to walk away from a claim if you can’t prove you did.

For most Dallas small businesses, the gap between what’s checked “yes” on the application and what’s actually true on the network is the single largest uninsured cybersecurity risk on the balance sheet.

It’s also fixable. None of the eight controls above are exotic. They’re standard practice in 2026. The work is in honestly auditing where you stand and closing the gaps before — not after — your renewal.




Tom Cloud is the founder of 48 Technologies, a Dallas-based managed IT and cybersecurity firm serving small and mid-sized businesses across DFW.