What Cyber Insurers Ask About Phishing Training (2026 Renewal)
The cyber insurance market in 2026 is unforgiving. After three consecutive renewal cycles of premium hikes, capacity reductions and tightened sub-limits, carriers are no longer treating phishing training as a "nice to have" - it's a binding requirement on most policies and a direct premium-adjustment factor on the rest. If your renewal is coming up, the questions on the application have changed and the answers your broker turns in will materially shape what you pay for the next 12 months.
This post walks through the nine questions carriers actually ask about phishing simulation and security awareness training in 2026 renewal applications, how to answer each one, what documentation to keep on hand and the common mistakes that quietly increase premiums.
Why cyber insurers care about phishing specifically
Phishing remains the initial-access vector in the majority of insured cyber claims. The Verizon Data Breach Investigations Report has consistently found phishing and stolen credentials among the top breach origins, and post-claim forensic reports cited by major brokers (Marsh, Aon, Howden) repeatedly trace ransomware and business email compromise (BEC) losses back to a single user clicking a malicious link or opening a weaponized attachment.
Carriers learned the lesson quickly: the cheapest control with the largest measured impact on claim severity is a continuously running phishing simulation program with automated remediation training. That's why their underwriting questionnaires went from one vague checkbox to a full subsection in the last three years.
The 9 questions cyber insurers ask about phishing training
Different carriers word these slightly differently, but the underlying nine questions are remarkably consistent across the major writers in the cyber-insurance market and the standard MGA forms.
- Do you operate a continuous phishing simulation program? Carriers want a yes/no plus a frequency (weekly, monthly, quarterly). "Annual" is treated as effectively no.
- How many simulated phishing campaigns did your organization run in the past 12 months? A specific number; "we don't track" is the worst possible answer.
- What was your average click-through rate on simulated phishing emails over the past 12 months? Underwriters want a percentage, ideally with a trend line.
- What percentage of users who clicked on a simulated phishing email completed remediation training within 7 days? This is the question that separates programs from theatre.
- Do all employees, contractors and executives receive the same simulations and training? Carve-outs for executives are a red flag; whaling is the highest-loss scenario.
- Are SMS (smishing) and voice (vishing) attack vectors included in your simulation program? A 2026 question that wasn't on 2023 forms - multi-channel coverage is now expected.
- Do you have a written security awareness policy approved by management? Carriers want evidence the program is governed, not ad hoc.
- How are phishing simulation results reported to executive leadership? "Verbally" is a poor answer; quarterly written reports to a board or risk committee score best.
- Have you experienced a phishing-related security incident in the past 24 months? If yes, describe remediation. Honesty here is non-negotiable - a misrepresentation can void coverage.
How to answer them and lower your premium
The most common premium-adjustment patterns brokers report:
- Quarterly cadence as the floor, monthly as the discount trigger. Moving from quarterly to monthly campaigns has been worth a 5-10% premium reduction at multiple carriers, because it demonstrates continuous behavioral reinforcement rather than a check-the-box exercise.
- Automated remediation training is now table stakes. If a user clicks and remediation is manual ("we'll talk to them"), most carriers will not credit the program. Auto-assigned training that fires the moment a user clicks is what carriers want documented.
- Multi-channel coverage matters in 2026. Adding SMS phishing (smishing) and voice phishing (vishing) simulations on top of email pushes you into a smaller bucket of "above-baseline" applicants and is increasingly being asked about by name.
- Trend matters more than absolute numbers. A program with a 28% click rate trending down to 8% over 12 months scores better than a static 5% program with no measured improvement. Underwriters read this as evidence the program is working, not just numerically clean.
- Board-level reporting is the upgrade most CFOs miss. Adding a one-page quarterly summary to the board packet - campaigns run, click rate, completion rate, top-clicked templates - is one of the cheapest moves with the largest underwriting impact. It signals governance.
Documentation checklist for renewal and audit
Before your renewal call, have a single PDF (or a pinned dashboard share-link) ready with:
- Campaign list for the past 12 months: dates, target population, template category, difficulty level
- Click-through rate per campaign with a trend chart
- Training completion rate per campaign (and per cohort if you segment by department)
- Time-to-remediation: median hours/days from click to training completion
- Coverage breakdown: % of headcount included, with rationale for any exclusions
- Multi-channel evidence: a sample SMS or voice campaign report if you run them
- Written security awareness policy (PDF, with signature page and version history)
- Executive reporting samples: a redacted board deck or risk-committee report
Most modern phishing simulation platforms can export the first six items in a single one-click report. If yours can't, you've outgrown it; that's a signal worth bringing to your renewal conversation, not hiding from it.
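If your platform's export falls short, the metrics the checklist and the nine questions ask for can be recomputed from raw campaign records. The script below is an added example written for this post, not Bait & Phish's own code or any carrier's scoring formula; the record layout (campaign name, send date, channel, difficulty, targeted users, per-user click and remediation timestamps) and the sample campaigns are constructed for illustration. It produces the trailing-12-month campaign count, average click rate and first-to-last trend, the share of clickers remediated within 7 days, median hours from click to training completion, headcount coverage, channel and difficulty mix, and a flag for the policy-versus-practice cadence mismatch described under common mistakes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Campaign:
    """One simulation campaign. Field names are assumptions for this example,
    not the export schema of any particular platform."""
    name: str
    sent_at: datetime
    channel: str                  # "email", "sms" or "voice"
    difficulty: str               # "easy", "medium" or "hard"
    targets: set                  # user ids that received the lure
    # user id -> (click timestamp, remediation-completed timestamp or None)
    clicks: dict = field(default_factory=dict)


def in_window(campaigns, as_of, days=365):
    """Campaigns sent in the trailing window the application asks about, oldest first."""
    start = as_of - timedelta(days=days)
    return sorted((c for c in campaigns if start <= c.sent_at <= as_of),
                  key=lambda c: c.sent_at)


def click_rate(c):
    return 100.0 * len(c.clicks) / len(c.targets)


def remediation_within(campaigns, days=7):
    """Share of clickers who finished training within `days` of clicking."""
    events = [v for c in campaigns for v in c.clicks.values()]
    done = sum(1 for click_ts, rem_ts in events
               if rem_ts is not None and rem_ts - click_ts <= timedelta(days=days))
    return 100.0 * done / len(events) if events else 0.0


def median_hours_to_remediation(campaigns):
    """Median click-to-completion time over clickers who did complete training."""
    hours = [(rem_ts - click_ts).total_seconds() / 3600
             for c in campaigns for click_ts, rem_ts in c.clicks.values()
             if rem_ts is not None]
    return median(hours) if hours else None


def renewal_summary(campaigns, headcount, as_of, policy_cadence_days=30):
    """Figures for the nine questions plus the documentation checklist."""
    recent = in_window(campaigns, as_of)
    rates = [click_rate(c) for c in recent]
    covered = set().union(*(c.targets for c in recent)) if recent else set()
    mix = {}
    for c in recent:
        mix[c.difficulty] = mix.get(c.difficulty, 0) + 1
    days_since_last = (as_of - recent[-1].sent_at).days if recent else None
    return {
        "campaigns_12m": len(recent),
        "avg_click_rate_pct": round(sum(rates) / len(rates), 1) if rates else None,
        "click_rate_trend_pct": (round(rates[0], 1), round(rates[-1], 1)) if rates else None,
        "remediated_within_7d_pct": round(remediation_within(recent), 1),
        "median_hours_to_remediation": median_hours_to_remediation(recent),
        "coverage_pct": round(100.0 * len(covered) / headcount, 1),
        "channels": sorted({c.channel for c in recent}),
        "difficulty_mix": mix,
        "days_since_last_campaign": days_since_last,
        # Written policy says "monthly" but the last campaign is older than that:
        # surface it before the underwriter does.
        "cadence_mismatch": days_since_last is not None and days_since_last > policy_cadence_days,
    }


def constructed_clicks(sent_at, n_clicks, n_within_7d, n_late):
    """Constructed click map: first n_within_7d users remediate after 1 day,
    the next n_late after 10 days, the rest never."""
    clicks = {}
    for i in range(n_clicks):
        click_ts = sent_at + timedelta(hours=2)
        if i < n_within_7d:
            rem_ts = click_ts + timedelta(days=1)
        elif i < n_within_7d + n_late:
            rem_ts = click_ts + timedelta(days=10)
        else:
            rem_ts = None
        clicks[f"u{i + 1:03d}"] = (click_ts, rem_ts)
    return clicks


USERS = {f"u{i:03d}" for i in range(1, 101)}   # 100 constructed staff accounts
HEADCOUNT = 125                                 # 25 contractors not yet enrolled
AS_OF = datetime(2026, 3, 1)                    # renewal application date (constructed)

SAMPLE_CAMPAIGNS = [  # constructed data; the first one falls outside the 12-month window
    Campaign("Jan-2025 payroll", datetime(2025, 1, 13), "email", "easy", USERS,
             constructed_clicks(datetime(2025, 1, 13), 30, 10, 5)),
    Campaign("Apr-2025 invoice", datetime(2025, 4, 7), "email", "easy", USERS,
             constructed_clicks(datetime(2025, 4, 7), 20, 14, 3)),
    Campaign("Jul-2025 MFA reset", datetime(2025, 7, 7), "email", "medium", USERS,
             constructed_clicks(datetime(2025, 7, 7), 12, 10, 0)),
    Campaign("Oct-2025 smishing", datetime(2025, 10, 6), "sms", "medium", USERS,
             constructed_clicks(datetime(2025, 10, 6), 8, 8, 0)),
    Campaign("Jan-2026 vishing", datetime(2026, 1, 12), "voice", "hard", USERS,
             constructed_clicks(datetime(2026, 1, 12), 4, 4, 0)),
]

if __name__ == "__main__":
    for key, value in renewal_summary(SAMPLE_CAMPAIGNS, HEADCOUNT, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the summary shows four campaigns in the window, a click rate trending from 20% to 4%, about 82% of clickers remediated within 7 days, 80% headcount coverage, and a cadence mismatch because the last campaign is 48 days old against a 30-day policy. Run the same function against your real export before the renewal call so the numbers on the application and the numbers in the dashboard agree.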
Common mistakes that hurt your application
- Reporting "we run quarterly" without dates. Underwriters assume you're rounding up.
- Carving out executives from simulations. Executive accounts are the highest-loss targets; exemption signals weak culture.
- No SMS/voice coverage and no plan to add it. "We're considering it" is a worse answer than "We're piloting it next quarter."
- Click-rate without context. A 3% rate on easy templates is meaningless; carriers want difficulty-mix data.
- Mismatched policy and practice. If your written policy says "monthly" and your last campaign was 80 days ago, that's a worse answer than no policy at all.
Where Bait & Phish fits
Bait & Phish has been running phishing simulation and security awareness training for organizations of every size since 2010, and we've watched the cyber insurance question evolve from a single checkbox to the most consequential section of the application. Our platform is built around the things underwriters now want to see: continuous monthly campaigns across email, SMS and voice; difficulty-tiered templates across five intent categories; auto-assigned remediation training the moment a user clicks; and one-page export reports formatted for board and broker consumption.
If your renewal is coming up and you don't have a confident answer to all nine questions above, start a free trial with up to 25 users and run your first campaign this week. If you want to walk through how the platform maps to your carrier's specific application, contact us directly. Either way, don't go into renewal with the same answers you turned in last year - the questions changed.
This post is informational and does not constitute insurance, legal or compliance advice. Specific carrier requirements vary; consult your broker for guidance on your renewal.