If you're filling out a cyber insurance renewal this year and wondering why it suddenly feels more like a college exam than a simple questionnaire, you're definitely not alone.
Over the last couple of years, cyber insurance companies have changed the way they evaluate businesses. Instead of asking a handful of basic security questions, many applications now dig into backups, multifactor authentication, incident response plans, vendor security, wire transfer procedures, and much more.
There's a good reason for that.
Several major cyber incidents over the past few years cost insurance companies hundreds of millions of dollars. Rather than simply raising premiums across the board, carriers started asking more detailed questions to better understand each company's actual security practices.
The result? Longer applications and much more specific questions.
The good news is that most of these questions aren't trying to trick you. They're simply asking whether you've put the right safeguards in place before something goes wrong.
It's Better to Answer Honestly Than Perfectly
One of the biggest mistakes we see businesses make is feeling like every answer has to be "Yes."
It doesn't.
If you haven't finished implementing a security control yet, it's usually much better to answer honestly than to overstate what your business has in place.
If an insurance company discovers after a cyber incident that your environment didn't match what was listed on your application, it could create significant problems during the claims process.
Being truthful about where you are today is always the safest approach.
The Questions You'll Probably See
While every carrier is a little different, many applications now focus on the same handful of security topics.
Backups
Today's applications often ask far more than simply "Do you have backups?"
Expect questions about whether your backups are protected from ransomware, whether you've tested restoring them recently, and whether someone with administrator access could delete them.
Having backups is great.
Knowing they'll actually work when disaster strikes is even better.
Multifactor Authentication (MFA)
Most businesses already know MFA is important.
Now insurance companies want to know exactly where it's enabled.
They'll often ask whether MFA protects:
• Microsoft 365 or email accounts
• VPN access
• Remote desktop access
• Administrator accounts
• Other privileged accounts
Some carriers are even beginning to ask what type of MFA you're using, with authenticator apps generally preferred over text message codes.
Wire Transfer Procedures
If your company sends wire transfers or ACH payments, expect questions about verification procedures.
Insurance companies have seen a dramatic increase in fraud involving fake emails, AI-generated voices, and even convincing deepfake video calls pretending to be executives.
Many carriers now want to know whether your business requires someone to independently verify payment requests before money is sent.
Endpoint Protection
Simply having antivirus software isn't always enough anymore.
Many applications now ask whether you use Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR), and whether every computer and server is protected.
Vendor Security
Your insurance company may also ask about the software vendors you trust with your business data.
That doesn't mean you need to perform a full security audit on every vendor. Carriers generally want to know that you've identified your critical vendors and understand how those vendors protect your information.
Don't Wait Until the Night Before Your Renewal
Many of these security improvements can't be completed in a single afternoon.
If your renewal is coming up, it's worth reviewing your environment a few weeks ahead of time so you have time to fix anything that's missing.
Things like testing backups, reviewing MFA settings, documenting security policies, or confirming your endpoint protection are all much easier when you're not racing against an insurance deadline.
Already a Layer 2 Managed Client?
If we manage your IT, don't feel like you have to answer every technical question on your own.
Many of these applications ask about backup architecture, endpoint protection, MFA, security policies, and other technical controls that we already help maintain.
If you're unsure how to answer a question, send it our way. We're happy to help explain your environment and point you toward the most accurate response.
The Bottom Line
Cyber insurance applications have become more detailed because cybersecurity threats have become more sophisticated.
While the paperwork may be longer, it's also a good opportunity to identify areas where your business can become more resilient before an incident ever happens.
And if you already work with Layer 2 Computers, you don't have to tackle those technical questions alone.
