As we begin 2026, it is important to evaluate your company’s insurance and risk management program and plan for the year. Following up on our checklist from previous years, we have updated steps to take and things to consider for your insurance and risk management program as you move into the new year.
A few years ago, we introduced our Insurance and Risk Management Checklist to outline steps companies should take to evaluate their insurance and risk management programs, and to plan for the year ahead. That guidance is even more critical today, as the risk landscape grows more complex and fast-moving.
Over the past year, weather-driven catastrophes accelerated. Devastating wildfires in Los Angeles, California caused more than $60 billion in damage and many deaths. To this day, policyholders continue to file new claims for property damage. According to the California Department of Insurance’s Los Angeles County Wildfire Claims Tracker, as of November 17, 2025, 42,121 claims had been filed and more than $22.4 billion had been paid. In other climate change-related disasters, Texas and Kentucky, among others, faced destructive flash flooding, with heavy rainfall causing loss of life and significant damage. Harsh winter storms have wreaked havoc across the country, causing power outages and business shutdowns. As climate change advances, these events are likely to become more frequent, and businesses must be prepared.
While climate-driven threats are increasing, technology-enabled risks are also escalating across sectors. Most notably, we have seen a surge in cyberattacks targeting a range of business sectors, including IT, airport security, banking, energy, software component providers, and government databases. These frequent and sophisticated ransomware and cyber incidents result in significant business interruption, property damage, and even severe injuries or loss of life. In health care, the American Medical Association reports that insurers are increasingly relying on AI-driven prior authorization tools with minimal human oversight, which have been accused of producing denial rates far above historical norms – sometimes reportedly as much as 16 times higher – spawning lawsuits over improper denials. At the same time, social media-related exposures continue to expand, with allegations regarding addiction and online-tracking practices fueling more claims against major platforms for bodily injury, property damage, invasion of privacy, and other harms.
With no comprehensive federal privacy statute, eight states enacted comprehensive laws in 2025, with state attorneys general as the primary privacy enforcers. Against this backdrop, businesses should strengthen their privacy and security compliance programs, tighten user verification, parental controls, and content moderation and filtering, and adopt a conservative design posture wherever minors may interact with AI on their platforms.
Insurers are also responding to AI-enabled risks by adding explicit AI-related exclusions, particularly in errors and omissions policies, and it is important to be mindful of these developments.
Geopolitical instability was also prevalent in 2025 and has continued into 2026. The Venezuela crisis, military actions, and broader tensions disrupted global shipping, trade, and transportation. Policyholders in these sectors saw and still see higher premiums and expanded sanctions-related exclusions. Other major conflicts – including the Russia-Ukraine war and the Iran-Israel situation – have heightened risk, increased premiums, and introduced additional regulatory hurdles. In the same vein, the volatility in US tariffs has led to an increase in construction costs and impacted auto and homeowners’ insurance, among others. At home, civil unrest arising from government immigration policies and other measures has disrupted commerce in major cities and resulted in damage and business losses. Recent events at the World Economic Forum in Davos underscore that global instability may be the rule going forward, leading to a riskier – or at least more uncertain – international business climate.
Looking ahead to the Winter Olympics and the 2026 FIFA Men’s World Cup, we anticipate event-driven exposures that demand robust risk controls, particularly when these events are layered over an unstable political environment, both locally and globally. Businesses in affected industries should act now to minimize losses and maximize insurance recoveries.
Finally, in 2026 we expect more stringent state and federal regulatory environments, particularly around cybersecurity, cryptocurrency, and environmental, social, and governance (ESG) issues.
In this evolving and uncertain climate, a holistic approach to insurance and risk management is essential. With that in mind, here is our updated Insurance and Risk Management Checklist for 2026:
1. Identify all significant risks
- What are your physical risks?
- Is your building more susceptible to fire or explosions?
- Does your building contain hazardous materials that could spill or leak?
- Have you taken measures to prevent the spread of disease in the workplace?
- If your building is out of commission for an extended period, how would that impact your business?
- Do you have added risks from employees working in off-site locations?
- What are your location risks?
- Is your business in or near a location that is susceptible to fire, storm damage, or natural disasters (e.g., floods, hurricanes, tornados, or earthquakes)?
- Are you in an area that might be prone to protests and other forms of civil unrest, such as nearby government buildings and other installations?
- What are your personnel risks?
- Do your employees have access to products, information, or money that is susceptible to embezzlement, theft, or fraud?
- Do your employees drive company cars and/or utilize their own vehicles for company business?
- What are your technology risks?
- Would you be crippled by a power outage?
- Do you or your vendors store personally identifiable information and/or medical information?
- Do third parties have access to your computer systems?
- Do your employees have mobile devices and/or remote access to your systems?
- Are you managing your data and network security risks in the new remote working environment?
- Do you integrate AI into your business operations?
- Do you have privacy and security measures in place?
- What are your supply chain risks?
- Do you have single-source or concentrated dependencies in regions exposed to conflict, sanctions, civil unrest, or infrastructure disruption?
- Are you prepared for contingencies in case your operations or supply chain are impeded in vulnerable areas?
- Do your key suppliers or vendors have adequate cybersecurity, given ransomware’s ability to trigger business disruptions?
- Do your vendor and customer contracts contain force majeure, change-in-law, sanctions, and termination rights that realistically foresee today’s global risks?
2. Take inventory of all your coverages
- Do you have all the insurance you need to cover your significant risks? Are your coverage limits adequate to protect the business?
- General liability insurance
- Errors and omissions liability insurance
- Directors’ and officers’ liability insurance
- Employment practices liability insurance
- Employee benefits liability insurance
- Fiduciary liability insurance
- Cyberliability and data privacy insurance
- Property and business interruption insurance
- Pollution liability insurance
- Fidelity and crime insurance
- Terrorism insurance
- Insurance for the spread of communicable disease
- Insurance for losses from government closure orders
- Insurance for losses due to climate change
- Insurance for losses due to errors relating to AI or social media
- Are you comfortable with your deductibles or self-insured retentions?
- Are all your subsidiaries and/or affiliates insured?
- Are your current (or even former) officers, directors, and employees adequately insured?
- Do you anticipate any upcoming purchases, sales, and/or mergers or acquisitions?
- Do emerging risks such as global climate change, pandemic diseases, terrorism, and data and systems security need to be addressed in your planning?
- Are you adequately protected for any supply chain issues or ESG-related risks?
- Have you incorporated technology risks – such as claims arising from social media addiction and online tracking practices – into your planning?
- Do your policies contain AI-specific exclusions?
- Are there any “technology error” exclusions in your policies that could be interpreted broadly?
- Are there any endorsements referencing generative AI, algorithms, or automated decision-making in your policies?
- Do your risks change with increases in tariffs?
3. Plan for your policy renewals
- When does each of your policies expire?
- Plan for renewals – do not wait until the last minute. This is especially important in today’s marketplace, where premiums have skyrocketed and “shopping around” could result in significant savings.
- What are you trying to accomplish with your renewals?
- Did you consider that your insurance company might decline to renew with you (especially if you filed a claim last year)? Have you prepared for that potential?
- Increase coverage limits
- Broaden coverage
- Obtain better pricing
- Change insurance carriers
- Review policies that afford the right to provide a notice of circumstances that may lead to a claim, to assess the pros and cons of providing such notice in the current policy period
4. Analyze the substantive terms of your policies
- Do your policies cover all significant risks your company faces at adequate levels?
- Do they really cover what you think they cover?
- Carefully review coverage provisions, endorsements, and exclusions
- Do your policies contain suit limitation provisions?
- Engage counsel to ensure the suit limitation or the applicable statute of limitations (deadlines for filing lawsuits) has not run
- Do your policies provide any alternatives for dispute resolution such as arbitration?
- Do your policies mandate arbitration or allow for arbitration unilaterally at your option?
- Know whether you have Bermuda Form policies (specialty excess liability insurance contracts) that mandate confidential arbitration in London under New York law
- Policyholders with incipient Bermuda Form disputes should seek help from counsel with experience in this area
- Has your coverage grown with your business?
- Do not rely on just carrying your coverage over from one year to the next
- When your business and the world in which we live change and expand, your coverage must change and expand as well
5. Put systems in place for administering your policies
- Know what the notice requirements are in each of your policies and have systems in place for providing notice
- Know what triggers a claim that must be reported promptly under the terms of your policies
- Know what your policies require regarding submitting proofs of loss, and the timing of such submissions
- Know what your policies require regarding cooperation and insurance company consent before incurring expenses and settling claims
- Do you have systems in place so that those responsible for providing notice to insurance companies are aware of claims or potential claims that must be reported?
6. Review your broker agreements
- Are they one-sided boilerplate agreements provided by the broker?
- Do they clearly spell out each side’s respective responsibilities?
- Do they clearly spell out the compensation to be paid to the broker and for what services?
- Do they permit the broker to obtain contingent compensation from insurance companies?
- Are the termination provisions clear and sufficient?
- What will you owe the broker if the agreement is terminated?
- Do they contain provisions regarding data protection, data breaches, and protection of private information and trade secrets?
- Are there provisions limiting the broker’s liability and addressing how disputes are to be resolved?
7. Review your vendor agreements
- Do they contain sufficient indemnification provisions?
- Do they contain adequate insurance requirements?
- Do they name your company as an additional insured?
- Do they contain provisions that require you to include other parties as additional insureds?
- Do you have mechanisms in place to approve such agreements?
- Do you have processes in place to ensure other parties are afforded the required coverage?
- Do the vendors have adequate coverage through their own insurance policies?
- Do they contain provisions regarding data protection, data breaches, and protection of private information and trade secrets?
- Are vendor policies primary and non-contributory with respect to your own insurance policies?
- Do you have systems in place to ensure compliance with insurance requirements?
- How are disputes to be resolved?
8. Engage your attorney
- If you are uncertain about your policies’ coverage or what type of coverage you need, contact coverage counsel.
Client Alert 2026-030