Pulse Check: 1Q26 Email Security Trends for Cyber Insurers and Applicants
- J. Foster Davis

- Apr 30
- 6 min read
Email remains a primary target for cyber threats, making its security a critical concern for the cyber insurance market. This pulse check highlights security trends observed during Q1 2026, based on unique data collected by BreachRisk™ a.i. and The Cyber Questionnaire Validator developed in Lloyd’s Lab. This report highlights observations of growing prevalence of SPF and DMARC security controls, but a lingering presence of legacy email systems that could undermine progress.

Key Email Security Observations from Q1 2026
The data includes a non-scientific sample of over 1,000 current or prospective policyholders. BreachRisk™ a.i. gathered information passively, which was then processed through The Cyber Questionnaire Validator. The validator is designed to streamline the cyber insurance application and underwriting process and to improve quote terms by leveraging fair and accurate insights, reducing reliance on legacy insurance applications, which can be tedious and error-prone.
Three questions highlight the state of email security:

- Blocking legacy email protocols without MFA: 49.5% of applicants block access to email using legacy protocols such as SMTP, IMAP, and POP3 that do not support multi-factor authentication (MFA). Conversely, 50.5% do not block these protocols.
- Enforcing Sender Policy Framework (SPF): 82.7% of applicants enforce SPF for incoming email, 4.9% do not, and 12.5% enforce it on some but not all servers.
- Using DMARC for incoming email: 61.6% use DMARC, 21.9% do not, and 16.5% apply it on some but not all servers.

| The Cyber Questionnaire Validator™ question text | Evidence: Yes | Evidence: No | Evidence: Mixed* |
|---|---|---|---|
| Does the Applicant block access to email using legacy email protocols (e.g. SMTP, IMAP, POP3) that do not support multi-factor authentication? | 49.5% | 50.5% | N/A |
| Does the Applicant enforce Sender Policy Framework (SPF) for incoming email? | 82.7% | 4.9% | 12.5% |
| Does the Applicant use DMARC for incoming email? | 61.6% | 21.9% | 16.5% |

Direct measurements by BreachRisk™ a.i. and The Cyber Questionnaire Validator™ cover approximately 01 January 2026 - 15 April 2026. n>1000, multiple regions, multiple lines, non-scientific sample. *"Mixed" means BreachRisk™ a.i. observed both "Yes" and "No" in different areas of the company's cyberspace.
Zoom in: the Hacker's Perspective on SPF, DMARC, and Legacy Non-MFA Emails
In the realm of email security, protocols like SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) play crucial roles in safeguarding against email spoofing and phishing attacks. However, the presence of legacy email systems that do not implement Multi-Factor Authentication (MFA) significantly weakens overall security, making organizations vulnerable to various forms of cyberattacks.
SPF and DMARC Explained
SPF is a protocol that allows domain owners to specify which mail servers are permitted to send emails on their behalf. By checking the SPF record, receiving mail servers can determine if an incoming email is from an authorized source. This verification process helps to mitigate the risk of spoofing, where attackers impersonate legitimate senders.
DMARC builds upon SPF and adds another layer of protection by allowing domain owners to instruct receiving mail servers on how to handle emails that fail SPF checks. This includes options to quarantine or reject suspicious emails, thereby providing a feedback mechanism that helps organizations monitor and improve their email security posture.
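To make the two checks described above concrete, here is an added Python example (not code from the original post or from BreachBits) that evaluates an SPF record for a connecting IP and then applies the domain's DMARC policy, including the identifier-alignment test that DMARC adds on top of a plain SPF pass. The DNS records live in an in-memory table so it runs offline; the domain names and records are constructed, the `org_domain` helper is a simplification (real DMARC uses the Public Suffix List), and the DKIM route to a DMARC pass is left out because the post only discusses SPF.

```python
import ipaddress

# Constructed DNS zone data so the example runs offline: these are not real records.
# Real SPF/DMARC evaluation resolves TXT records via DNS (RFC 7208 / RFC 7489).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone above."""
    return DNS_TXT.get(name.lower())


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connecting IP.

    Supports the ip4/ip6/include/all mechanisms with their qualifiers; the
    a, mx, exists and redirect terms are omitted for brevity.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include" and arg:
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False              # unsupported mechanism: treat as no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # record exhausted without a match


def parse_dmarc(domain):
    """Return the DMARC tag dictionary published at _dmarc.<domain>, or None."""
    record = lookup_txt(f"_dmarc.{domain}")
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain. Assumption: last two labels; real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy_for(header_from):
    """Applicable record: the From domain's own, else the org domain's with its sp= tag."""
    tags = parse_dmarc(header_from)
    if tags:
        return tags, tags.get("p", "none")
    tags = parse_dmarc(org_domain(header_from))
    if tags:
        return tags, tags.get("sp", tags.get("p", "none"))
    return None, "none"


def dmarc_disposition(header_from, mail_from, sender_ip):
    """Return (spf_result, dmarc_result, action) for one message.

    DMARC passes when SPF passes *and* the SPF-authenticated domain (envelope
    MAIL FROM) aligns with the header From domain. A DKIM pass is the other
    route to a DMARC pass; DKIM is omitted here.
    """
    spf_result = check_spf(mail_from, sender_ip)
    tags, action = dmarc_policy_for(header_from)
    if tags is None:
        return spf_result, "none", "deliver"
    strict = tags.get("aspf", "r") == "s"
    aligned = (mail_from.lower() == header_from.lower()) if strict \
        else org_domain(mail_from) == org_domain(header_from)
    if spf_result == "pass" and aligned:
        return spf_result, "pass", "deliver"
    return spf_result, "fail", action    # the p= / sp= value: none, quarantine or reject


if __name__ == "__main__":
    cases = [
        ("example.com", "example.com", "192.0.2.25"),            # authorised server
        ("example.com", "example.com", "203.0.113.7"),           # spoof from an unauthorised IP
        ("example.com", "attacker.example", "203.0.113.7"),      # From spoofed, envelope unrelated
        ("news.example.com", "news.example.com", "192.0.2.25"),  # subdomain without SPF: sp=reject
    ]
    for case in cases:
        print(case, "->", dmarc_disposition(*case))
```

The third case is the one SPF alone cannot catch: the envelope domain is whatever the sender chose, so its SPF result may be clean or absent, and only DMARC's alignment rule ties the authenticated identifier back to the visible From address. The fourth case shows why the `sp=` tag matters for subdomains that never send mail.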
The Risks of Legacy Non-MFA Emails
Despite the effectiveness of SPF and DMARC, many organizations still rely on legacy email systems that lack modern security features like Multi-Factor Authentication (MFA). This absence creates significant security holes. Attackers can exploit these weaknesses in several ways:
- Account Compromise: Without MFA, attackers can more easily gain unauthorized access to email accounts through stolen credentials, leading to data breaches and sensitive information theft.
- Phishing Success: Some legacy systems are more susceptible to phishing attacks, as attackers can send convincing emails without the safeguards provided by SPF and DMARC, increasing the likelihood of successful impersonation.
- Data Manipulation: Once inside an email account, attackers can manipulate communications, redirect funds, or alter transactions, causing financial and reputational damage to organizations.
- Spread of Malware: Attackers can use compromised accounts to distribute malware to contacts, further propagating attacks within an organization and its network.
Instead of migration, consider mitigation
If migrating away from a legacy email system that cannot enforce Multi-Factor Authentication (MFA) is not feasible, organizations should implement several compensatory measures to bolster security. A mitigation strategy should include one or more of the following:
- Enforce strong password policies to ensure that all users create complex, unique passwords and change them regularly.
- Utilize email filtering solutions that can detect and mitigate phishing attempts, thereby reducing the risk of credential theft.
- Consider deploying endpoint security solutions that can monitor for suspicious activity and block unauthorized access attempts.
- Educate employees about recognizing phishing attempts and the importance of reporting suspicious emails.
- Regularly audit email accounts for unusual activity and implement monitoring tools that can alert administrators to potential breaches.
- Where possible, segment the email system from sensitive data and critical business operations to limit the impact of any potential compromise.
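The auditing and monitoring measures above are easiest to act on when the mail server's authentication log is actually read. The following Python is an added example (not from the original post or from BreachBits) that does two things over such a log: it counts which accounts still sign in over password-only legacy protocols, which is the inventory needed before blocking them, and it raises alerts for legacy-protocol logins that follow a burst of failures or come from outside an expected network. The log line format, the sample events, the protocol set and the trusted address range are all constructed assumptions; a real deployment would map its own server's log fields onto the same logic.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of mail-server authentication events in a simplified,
# made-up line format (not any vendor's real log format).
SAMPLE_LOG = """\
2026-03-03T08:01:10Z proto=imap user=alice result=fail src=203.0.113.5
2026-03-03T08:01:12Z proto=imap user=alice result=fail src=203.0.113.5
2026-03-03T08:01:15Z proto=imap user=alice result=fail src=203.0.113.5
2026-03-03T08:01:17Z proto=imap user=alice result=fail src=203.0.113.5
2026-03-03T08:01:20Z proto=imap user=alice result=fail src=203.0.113.5
2026-03-03T08:01:23Z proto=imap user=alice result=ok src=203.0.113.5
2026-03-03T08:05:00Z proto=https user=bob result=ok src=192.0.2.40 mfa=yes
2026-03-03T08:06:30Z proto=pop3 user=carol result=ok src=192.0.2.41
2026-03-03T09:10:00Z proto=smtp-auth user=dave result=ok src=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)"
)
# Protocols that authenticate with a bare password and therefore bypass MFA (assumed set).
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp-auth"}
# Assumed internal address range from which legacy logins are expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_events(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return events


def legacy_exposure(log_text):
    """Successful legacy-protocol logins per user: the accounts that would break if
    the protocols were blocked, and the ones reachable without MFA today."""
    counts = Counter()
    for e in parse_events(log_text):
        if e["proto"] in LEGACY_PROTOCOLS and e["result"] == "ok":
            counts[e["user"]] += 1
    return dict(counts)


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, user, src) findings for suspicious legacy-protocol logins:
    - a success from a source that produced >= fail_threshold failures within `window`
      (password guessing that eventually succeeded);
    - any legacy success from outside the trusted networks."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of failed legacy logins
    for e in parse_events(log_text):
        if e["proto"] not in LEGACY_PROTOCOLS:
            continue               # modern, MFA-capable logins are out of scope here
        if e["result"] != "ok":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            findings.append(("guessing_then_success", e["user"], e["src"]))
        if not any(ipaddress.ip_address(e["src"]) in net for net in TRUSTED_NETWORKS):
            findings.append(("legacy_login_untrusted_source", e["user"], e["src"]))
    return findings


if __name__ == "__main__":
    print("legacy logins per user:", legacy_exposure(SAMPLE_LOG))
    for finding in detect(SAMPLE_LOG):
        print("ALERT", *finding)
```

Run against the sample, the exposure report shows three accounts still depending on legacy protocols, and the detector flags the IMAP login that succeeded after five failures from the same address as well as the two legacy logins from outside the trusted range. The same output doubles as evidence of a working monitoring control when an applicant has to show compensating measures.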
In summary, the lack of SPF, DMARC, and MFA in legacy email systems creates a fertile ground for attackers, enabling a range of malicious activities that can have devastating consequences for organizations. Understanding these vulnerabilities is essential for establishing robust email security measures.
What These Trends Mean for Policyholders
Legacy email protocols that lack MFA continue to attract attackers. Policyholders should prioritize upgrading or blocking these outdated protocols to reduce exposure to email-based threats. Improving email security not only strengthens defenses but also enhances insurability by demonstrating proactive risk management.
For example, a mid-sized company blocking legacy protocols saw a 30% drop in phishing incidents in three months, positively affecting underwriting decisions and premium rates. A Proofpoint study confirms that blocking outdated protocols significantly reduces phishing attacks, enhancing security and risk profiles. For more details, access the Proofpoint 2023 Cybersecurity Report.
There are many options to mitigate these risks. Consider working with your technology service provider to implement a process - not just a temporary product - to address the threat.
Guidance for Brokers
Brokers play a crucial role in preparing clients for the cyber insurance market. Understanding a client’s email security posture before submitting applications can save time and reduce back-and-forth during underwriting.
Since changing email infrastructure can take weeks or months, brokers should consider advising clients to start addressing legacy protocol risks early. This “know before you go” approach helps secure better quotes and avoids surprises during policy evaluation.
But don't overlook what could be a simpler approach: mitigating the risk with other security controls, and preparing your client to present evidence of those mitigating controls.
Mitigating risks with security controls
In situations where a company is unable to migrate away from legacy email systems, implementing robust security controls becomes essential to mitigate associated risks.
One effective approach is to deploy advanced email filtering solutions that can identify and block malicious attachments and phishing attempts. For instance, using a secure email gateway can help in scanning incoming and outgoing emails for threats, ensuring that sensitive information is not compromised.
Preparing evidence of mitigating controls
Beyond technological solutions, brokers should also focus on preparing their clients to present evidence of these mitigating controls. This could involve maintaining detailed logs of email traffic and security incidents, which can demonstrate the effectiveness of the implemented measures. Furthermore, conducting periodic security assessments or continuous testing and audits can help identify vulnerabilities within the legacy system and showcase the proactive steps taken to address them.
By combining these strategies, companies can not only enhance their security posture but also provide tangible proof of their commitment to safeguarding sensitive information.
Considerations for Underwriters
Underwriters should recognize that modernization efforts may not fully eliminate legacy email risks. Even companies with advanced email security can have legacy protocols active, creating hidden vulnerabilities.
Attackers look for practical attack pathways, and legacy email provides them - but each company may be at a different stage of its security and modernization journey. Evaluating email security requires a nuanced approach that considers both protocol enforcement and legacy access controls. Removing legacy systems could be problematic for a company because migration could result in data loss and disrupt operations.
And although it would be ideal for all insurance applicants to have no trace of legacy email or spotty MFA controls for email, it is worth considering that about half of insured companies have not eliminated this attack path. It may be that companies that do not experience breaches have other defense-in-depth controls that mitigate this particular threat.

Final Thoughts
Email security remains a critical factor in cyber insurance risk assessment. While most companies have adopted SPF and DMARC, many still allow legacy email protocols without MFA, exposing themselves to threats. Policyholders should act now to improve their email defenses and optimize insurability. Brokers can guide clients through these changes early, and underwriters may need to carefully evaluate email security beyond surface-level modernization while considering the challenges of migration.
Follow BreachBits on LinkedIn for more Pulse Check insights: insurance observations from the hacker's perspective.