For most of the last fifteen years, a US business that received a demand letter under Title III of the ADA for an inaccessible website had to absorb the legal cost itself. General liability policies excluded the exposure. Cyber policies were written for breach response and didn’t contemplate WCAG. Employment-practices liability (EPL) policies covered hiring portals only in passing. By 2024 that began to change, and by 2026 a small but visible group of US carriers and London-market syndicates have moved “website accessibility” out of the exclusion list and into a discrete, separately priced specialty line — a coverage grant with its own questionnaire, its own conditions, and its own claim triggers.
This explainer walks through how the underwriting actually works in 2026: what the pre-binding questionnaire asks, what the policy conditions attach to, what the standard exclusions look like, where premiums currently sit, and what kinds of incidents trigger a claim. It is descriptive, not prescriptive — the market is young, the wordings are not yet standardised, and the figures cited are ranges rather than fixed numbers. The point is to give an in-house counsel, a risk manager, or a finance director a usable map of how the new line is currently being priced.
Why a separate accessibility line exists in 2026
Three structural pressures combined to push accessibility out of the exclusion column. First, US federal-court filings under Title III for inaccessible websites passed 4,000 per year in 2023 and stayed there through 2025, with state-court filings under California’s Unruh Act and New York’s State Human Rights Law adding several thousand more. The volume turned what had been an episodic risk for a handful of retailers into a baseline operating exposure across consumer-facing sectors. Second, the US Department of Justice’s Title II web rule set a 2026–2027 compliance horizon for state and local government, drawing private-sector attention to WCAG 2.1 AA as the de facto liability benchmark. Third, the EU’s European Accessibility Act entered enforcement on 28 June 2025, exposing US e-commerce operators selling into the EU to a parallel non-US enforcement regime for the first time.
Carriers reacted to that combination by carving accessibility out of the older policies that had implicitly absorbed it. Older cyber wordings often pulled accessibility claims into “regulatory defence” sub-limits — typically $250,000–$1,000,000 — but the sub-limits were exhausted quickly when a single insured faced serial-plaintiff filings across multiple jurisdictions. EPL policies, designed around hiring discrimination, were a poor fit for consumer-facing website claims. The market response in 2024 and 2025 was to issue stand-alone accessibility endorsements (typically on cyber policies) and, by 2026, dedicated specialty wordings underwritten by a small group of carriers — Beazley, Coalition, At-Bay, AXA XL, Tokio Marine HCC, and the London-market specialty syndicates at Lloyd’s — and placed largely through three brokers active in the space: Marsh, Aon, and the smaller specialty broker Woodruff Sawyer.
The pre-binding questionnaire: what underwriters ask
The most visible artefact of how the line is priced is the supplemental application that an applicant submits with the underwriting submission. The questionnaires vary by carrier, but the categories cluster tightly enough to describe a 2026-typical version.
Audit history
Carriers ask whether the applicant has commissioned an accessibility audit in the past 24 months, and if so, by whom. The questionnaire distinguishes between three audit types: an automated scan (axe, Lighthouse, WAVE, Siteimprove), a manual conformance review against WCAG 2.1 AA or 2.2 AA, and a hybrid VPAT (Voluntary Product Accessibility Template) produced by an external assessor. An automated-scan-only history is treated as effectively no audit; a manual WCAG 2.2 AA conformance review by a recognised assessor is treated as the strongest signal. Underwriters then ask for the date of the most recent audit, the conformance result, the remediation plan, and the percentage of identified issues that have been closed.
Conformance claim and accessibility statement
The applicant is asked whether the website carries a published accessibility statement, and if so, whether the statement makes a conformance claim (e.g. “this site conforms to WCAG 2.1 AA”). Carriers are wary of unqualified conformance claims that the audit history does not support, because such a claim becomes a plaintiff’s exhibit in any subsequent lawsuit. Where a conformance claim is published, underwriters look for a dated VPAT or audit report behind it.
Prior demand letters and known violations
The applicant must disclose every accessibility-related demand letter, lawsuit, regulatory enquiry, or settlement in the past five years. The disclosure obligation extends to letters that were resolved informally without litigation, because such letters establish carrier-side knowledge of the exposure. Failure to disclose a prior demand letter is the most common reason a carrier voids a claim under the standard application warranty.
Remediation process and governance
The questionnaire asks whether the applicant has a named accessibility owner, a written remediation roadmap, a CI pipeline that includes automated accessibility checks, and procurement language requiring WCAG conformance from third-party vendors (chat widgets, video players, CMS templates, payment forms, and especially overlay tools — see below). Carriers also ask about training: whether developers, designers, content authors, and QA testers have completed structured accessibility training, and how recently.
Third-party components and overlay tools
A 2026-typical questionnaire includes a specific question about accessibility overlay tools — JavaScript widgets that promise automated WCAG remediation. Carriers ask whether such a tool is deployed and which vendor supplies it. Several wordings now carry an explicit exclusion or a higher retention if an overlay is the applicant’s primary accessibility control. The position reflects litigation history: courts have repeatedly declined to treat overlay deployment as a defence to a Title III claim, and the WebAIM “overlay fact sheet” (referenced in many underwriting guides) is widely treated as the reference text. Carriers also ask about other third-party embedded components — chatbots, video players, payment forms — because each is a common claim trigger.
Policy conditions: what attaches at binding
Once a policy is bound, the wording itself imposes a small number of substantive conditions that operate as ongoing obligations of the insured. Three patterns are now near-universal in 2026 wordings.
- Audit condition. The insured must commission, at its own expense, a manual WCAG 2.1 AA (or 2.2 AA) conformance audit within a defined window — typically 90 to 180 days of policy inception — and within 30 days of any material site redesign. Failure to do so suspends coverage for any claim arising after the trigger date. The audit must be performed by an external assessor on the carrier’s approved list or by an internal team meeting defined credential criteria.
- Remediation-tracking condition. The insured must maintain a written remediation log identifying every issue found in the audit, the responsible owner, the target close date, and the actual close date. Carriers occasionally request a sample of the log mid-policy as part of a mid-term review.
- Notice condition. Demand letters and regulator inquiries (DOJ, state attorney-general, foreign equivalent) must be reported within a tight window — commonly 30 days — under the standard claims-made-and-reported architecture. Several wordings treat a demand letter as a “claim” for notice purposes even where no lawsuit has been filed; the insured cannot delay notification while it negotiates a private settlement.
Where the audit and remediation conditions are met, the policy responds in full subject to the retention. Where they are not, the carrier has the contractual right to deny defence and indemnity for the specific claim or, in more aggressive wordings, to void the policy retrospectively. The conditions are why pre-binding diligence by the broker matters: an applicant who cannot realistically meet a 90-day audit condition should not bind a wording that requires one.
Standard exclusions in the 2026 wordings
Beyond the standard fraud, intentional-act, and prior-knowledge exclusions common to all liability lines, accessibility wordings carry three exclusions that are specific to the risk.
Known-violations exclusion. Any issue identified in an audit, demand letter, or regulator notice that pre-dates the policy period and that the insured had not closed by inception is excluded from coverage to the extent it features in a subsequent claim. The exclusion is the carrier’s principal defence against the moral hazard of insureds buying coverage in response to a known exposure rather than ahead of it.
Prior-demand-letter exclusion. Claims arising out of, or related to, any demand letter, lawsuit, or regulator enquiry that pre-dates the policy retroactive date are excluded entirely. Carriers underwrite the retroactive date carefully — insureds with a recent litigation history often face retroactive dates inside the current policy period rather than the prior-acts coverage that cyber buyers expect.
Overlay-tool exclusion. Where the insured’s primary accessibility control is an overlay tool — and where the carrier has flagged that fact at underwriting — the wording either excludes the exposure entirely, sub-limits it sharply, or applies a substantially higher retention. The position is unusual in insurance practice (carriers don’t normally exclude a specific commercial product) and reflects the underwriting community’s judgement that overlay tools do not reduce litigation exposure on the evidence currently available.
A handful of carriers also exclude punitive damages where state law permits insurability and exclude statutory damages under California’s Unruh Act (the $4,000-per-visit civil penalty), on the basis that statutory penalties are policy-public in nature.
Premium ranges: where the 2026 market sits
Premiums vary by sector, revenue band, claims history, and the strength of the applicant’s accessibility programme. The ranges below are 2026-typical for US-domiciled applicants buying $1M of accessibility coverage as part of, or alongside, a cyber tower. They should be read as ranges, not benchmarks; pricing in this line moves quickly and brokers report meaningful spread between carriers.
- Small enterprise (under $10M revenue, no claims history, recent WCAG 2.2 AA audit). Roughly $4,000 to $9,000 in annual premium for $1M of limit on top of a base cyber programme. Retentions in the $10,000 to $25,000 range.
- Mid-market ($10M to $250M revenue, e-commerce-heavy, clean claims history). Roughly $12,000 to $35,000 for $1M of limit. Retentions $25,000 to $100,000. Underwriters at this band insist on the audit and remediation conditions.
- Large enterprise ($250M to $5B revenue, multi-brand, one or more prior demand letters). Roughly $40,000 to $150,000 for $1M of limit, often inside a $5M to $25M tower with multiple carriers. Retentions $100,000 to $500,000.
- High-frequency sectors (consumer retail, restaurants, hospitality, ticketing, healthcare patient portals). Same revenue band, but expect a 50–150% premium loading and a higher retention. These sectors generate the bulk of Title III filings, and underwriters price accordingly.
- Applicants with active or recent litigation. Either declined, sub-limited heavily ($250,000–$500,000), or quoted with retroactive dates inside the policy period. Several carriers will not quote at all until the applicant can show 12 months without a new demand letter.
Brokers report that the cleanest underwriting signal — the single fact that most reliably moves price — is a recent, manual, third-party WCAG 2.2 AA audit with a closed remediation log. The audit costs less than the premium saving in most cases, which is why the larger brokers (Marsh, Aon) now bundle a pre-binding audit referral into their submission process.
Claim triggers: what actually moves a renewal
Four event types account for nearly all claim activity in 2026 under accessibility wordings, and each one functions differently inside the policy mechanics.
The demand letter. By volume, this is the dominant trigger. Most demand letters under Title III, California’s Unruh Act, or New York’s State Human Rights Law are issued by a small group of plaintiff firms and resolve through negotiated settlement in the $10,000 to $35,000 range plus a remediation undertaking. Carriers treat the demand letter as a notifiable claim under the policy, defence counsel is appointed from the carrier’s panel, and the negotiated settlement is paid subject to the retention. Insureds frequently misjudge the notice window here, assuming a demand letter is too small to report.
Named defendant in a serial-plaintiff filing. The same plaintiff firms file similar complaints across many defendants in rapid succession; the same insured may appear in two or three filings in the same quarter as different blind, deaf, or mobility-impaired plaintiffs sue independently. Carriers handle these claim-by-claim against the same policy limit, and the cumulative defence cost frequently exceeds the negotiated settlement value of any individual matter. Several wordings now contain a “related claims” clause aggregating filings by the same firm under one retention; the wording is worth reading closely at the binder stage.
DOJ or state-AG enquiry. Volume is far lower than private litigation, but the cost per matter is far higher. A DOJ enquiry under Title III, or a state-AG investigation under a state consumer-protection statute, draws regulatory-defence costs that run into the hundreds of thousands and can produce a consent decree with a multi-year monitoring obligation. Most 2026 wordings cover regulatory defence costs and the cost of any monitoring required under a settlement; civil penalties payable to the regulator may or may not be insurable depending on jurisdiction.
Foreign regulator action. The newest trigger. With the EAA in force across the EU since 28 June 2025 and the UK’s parallel regime building out through 2026, US e-commerce operators selling into European markets face enforcement actions by national EAA market-surveillance authorities. Several 2026 wordings now extend to EAA defence and to national-court proceedings in EU Member States. The market is still working out how to underwrite the new exposure; brokers report that applicants with material EU revenue are pricing this exposure as a discrete line item rather than as part of a base US accessibility programme.
The market shape, briefly
The 2026 accessibility-insurance market is small relative to cyber — total premium across the named carriers above is plausibly in the $200M–$400M range, against a multi-billion-dollar cyber book — but the growth rate has been steep since the line broke out of cyber in 2024. Loss-ratio data is limited and not yet publicly aggregated, but underwriters report that the line is more predictable than cyber: claim frequency is high, severity is bounded by negotiated settlement norms, and the worst-case scenario (a class action surviving motion to dismiss in a serial-plaintiff jurisdiction) remains rare. The combination — frequent, bounded, statistically tractable — is what underwriters call “underwritable risk,” and it is why the line has carriers willing to write it as a stand-alone product rather than a cyber endorsement.
What buyers should do in 2026
The practical takeaways for a buyer are short and unromantic. Commission a manual WCAG 2.2 AA audit by a recognised external assessor before going to market; close the remediation log to the extent budget allows, document what remains open, and present the closed-and-open picture in the submission. Disclose every prior demand letter, however informal, in the application — carriers will discover an undisclosed letter at the first notice of a new claim and will rely on the application warranty to void coverage. Read the audit condition, the notice condition, and the known-violations exclusion carefully — those three terms determine whether the policy will respond when a demand letter actually arrives. Treat the overlay-tool question as a flag, not a checkbox: a “yes” answer narrows the field of carriers willing to quote, and it shifts the retention upward.
For the wider question of how accessibility risk is managed inside an organisation — the upstream work that the insurance line responds to rather than replaces — see Disability World’s coverage of ADA Title III, the European Accessibility Act, and private right of action vs regulator-led enforcement. Insurance shifts the cost of the residual exposure to a counterparty that will pay defence and indemnity inside agreed limits. It does not, and does not pretend to, replace the underlying obligation to build and operate an accessible product.