
Something interesting happened in the cybersecurity insurance market over the past several years: the application questionnaire evolved from a checkbox exercise into something that resembles a security assessment. What was once a two-page form asking "do you have antivirus?" now runs to 30 or more pages of detailed questions about authentication practices, backup configurations, endpoint detection capabilities, and incident response planning.

For many small businesses, that questionnaire has become the de facto driver of their security investments — not because they've thought carefully about their threat model, but because they need the coverage and the insurer controls the requirements. That's a reasonable starting point, but it has real gaps. What the questionnaire asks and what it means, what the policy covers and what it excludes, and what happens when a claim is denied — these are things every organization should understand before they need to find out.

what insurers are actually asking about

Modern cyber insurance applications have largely converged on a set of security controls that underwriters have determined are the strongest predictors of claim frequency and severity.

multi-factor authentication

This is now a near-universal requirement, not a preference. Insurers ask specifically about MFA coverage on: email, remote access (VPN, RDP), administrative and privileged accounts, and cloud services.

Answering "yes" while MFA is only partially deployed can be treated as a material misrepresentation, and one that can void coverage. If your deployment has gaps, document them, answer accurately, and close them before renewal. "MFA on email" means every mailbox, including shared mailboxes and legacy protocols that bypass the web login, not just the accounts that happened to enroll.

endpoint detection and response

If all you run is basic antivirus, the honest answer to an EDR question is "no." Insurers distinguish between traditional signature-based antivirus and behavioral EDR that provides visibility into process activity, network connections, and lateral movement. Many organizations discover during the application process that their "security software" doesn't actually meet the question's intent.

privileged access management

Questions about privileged account management are asking whether your administrative credentials are segregated from standard user accounts, whether privileged sessions are monitored, and whether you have controls preventing lateral movement via administrative tools.

backup and recovery

The backup questions have gotten specific: Are backups offline or air-gapped? How frequently are they tested? What is your recovery time objective? Can you recover without the primary environment? These questions directly reflect insurer loss data showing that organizations with tested, offline backups have dramatically lower ransomware claim costs.

patch management

Most applications ask about your patch management process and your patching cadence for critical vulnerabilities. The "regularly patched" answer is insufficient — insurers want to know whether you have a documented process with defined timelines.

The misrepresentation risk: Cyber insurance applications treat your answers as representations (in some policies, warranties) on which the policy is issued, so you are attesting that they are accurate. When a claim is filed, insurers investigate. If they discover that material answers on the application were inaccurate (say, you answered "yes" to MFA but it wasn't deployed on email), they can deny the claim on the basis of material misrepresentation. This has happened and continues to happen. Answer accurately, even if the accurate answer is "no."

what a policy actually covers

Cyber policies typically cover some combination of first-party and third-party costs.

first-party coverage (your costs)

  • Incident response and forensics — The cost of the IR firm that investigates the breach. This is typically one of the larger line items in an incident and is covered under most policies.
  • Notification costs — The cost of notifying affected individuals, which can be substantial when large volumes of records are involved.
  • Business interruption loss — Lost income during the period your systems are down. Many policies require that the interruption exceed a minimum threshold (waiting period), and some have sublimits significantly below the policy limit.
  • Ransomware payment — Covered under most policies, subject to limits and terms. Note that some policies require you to obtain insurer approval before paying.
  • Data recovery costs — The cost of restoring or recreating data, if backups are insufficient.

third-party coverage (others' claims against you)

  • Privacy liability — Claims from individuals whose data was compromised in a breach affecting your systems.
  • Network security liability — Claims from third parties who suffer losses due to a security failure on your network.
  • Regulatory defense and fines — Legal defense costs and, in some cases, regulatory fines arising from a breach. Coverage for fines and penalties varies significantly by policy and jurisdiction.

the coverage gaps that surprise organizations most

nation-state and war exclusions

Most cyber policies contain war exclusions that have been extended by some insurers to include nation-state cyberattacks. The practical application of these exclusions — particularly when attribution is uncertain — has been the subject of litigation. If your organization could be a potential nation-state target, this exclusion warrants explicit discussion with your broker.

betterment limitations

Many policies will not pay to restore systems to a better state than they were in pre-incident. If your environment was running 10-year-old systems before the breach, the insurer may only cover restoration to that same state — not the modernized environment your IT team would prefer to build.

waiting periods on business interruption

Business interruption coverage typically includes a waiting period (often 8–12 hours) before coverage begins. For organizations where a single day of downtime causes significant financial damage, the waiting period can exclude a meaningful portion of the actual loss.

social engineering and funds transfer fraud

Business email compromise — where an attacker impersonates a vendor or executive to redirect a payment — is one of the most common and costly cyber-enabled crimes. Many organizations assume this is covered under their cyber policy. Whether it is depends heavily on policy language; some policies cover it clearly, others exclude it or have it only under a sublimit.

Coverage item               Typically covered          Common limitations
IR and forensics            Yes                        Insurer may direct vendor choice
Ransomware payment          Yes, with conditions       Insurer approval often required
Business interruption       Yes, with waiting period   Sublimits common; waiting period applies
Data recovery               Often                      Betterment limitations apply
Regulatory fines            Varies                     Uninsurable in some jurisdictions
Funds transfer fraud (BEC)  Sometimes                  Often a sublimit or excluded
Nation-state attacks        Uncertain                  War exclusion may apply

how to prepare for the application

The organizations that get the best coverage at the best price complete the application accurately and can demonstrate that their answers are backed by documented practices.

  1. Audit your current controls before applying — Know where your MFA gaps are. Know whether your EDR meets the definition being asked. Know your backup configuration. It's better to find gaps before the application than to answer inaccurately and have it surface during a claim investigation.

  2. Document your security practices — Written policies and documented procedures are worth more than undocumented ones when you're answering a questionnaire. Even basic documentation of your patch management process, backup procedures, and incident response plan demonstrates operational maturity.

  3. Work with a broker who understands cyber — Cyber insurance is a specialty line with real complexity. A generalist broker who handles your property and casualty coverage may not have the expertise to navigate cyber policy language accurately.

  4. Read the exclusions, not just the coverage summary — The coverage summary tells you what's in the policy. The exclusions tell you what's actually out. These should be read with specific attention to the scenarios most relevant to your organization: nation-state exclusions if applicable, social engineering coverage, business interruption waiting periods and sublimits.
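The MFA section above and step 1 here both come down to the same check: before you answer "yes" to an MFA question, reconcile who actually has MFA against each category the questionnaire asks about, and keep the list of exceptions as your documentation. The script below is an added example written for this post, not a tool from the CrowdSOC team or any insurer. It assumes a constructed CSV export of accounts (user, admin flag, services the account can reach, MFA status) of the kind most identity providers can produce; the column names and the sample rows are invented for illustration.

```python
"""Reconcile an MFA-status export against cyber-insurance questionnaire categories.

Added example (not from the original post). Assumes a constructed CSV export
with columns: user, is_admin, services (semicolon-separated), mfa_enabled.
"""
import csv
import io

# Constructed sample export; not real accounts.
SAMPLE_EXPORT = """user,is_admin,services,mfa_enabled
alice,true,email;vpn;cloud,true
bob,false,email,true
carol,false,email;rdp,false
dave,true,email;vpn,false
erin,false,cloud,true
svc-backup,false,rdp,false
"""

# The four MFA categories most applications ask about, with a predicate that
# says whether a given account is in scope for that question.
QUESTIONNAIRE_CATEGORIES = {
    "email": ("Is MFA enforced on email?",
              lambda r: "email" in r["services"]),
    "remote_access": ("Is MFA enforced on remote access (VPN/RDP)?",
                      lambda r: bool({"vpn", "rdp"} & r["services"])),
    "admin": ("Is MFA enforced on administrative/privileged accounts?",
              lambda r: r["is_admin"]),
    "cloud": ("Is MFA enforced on cloud services?",
              lambda r: "cloud" in r["services"]),
}


def _truthy(value):
    return value.strip().lower() in {"true", "yes", "1"}


def parse_export(text):
    """Parse the CSV export into normalized records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"].strip(),
            "is_admin": _truthy(row["is_admin"]),
            "services": {s.strip().lower() for s in row["services"].split(";") if s.strip()},
            "mfa_enabled": _truthy(row["mfa_enabled"]),
        })
    return rows


def coverage(rows):
    """Per category: accounts in scope, how many have MFA, the exceptions, and
    the only honest questionnaire answer. A single uncovered in-scope account
    turns the answer to "no"; partial deployment is not a "yes"."""
    report = {}
    for key, (question, in_scope) in QUESTIONNAIRE_CATEGORIES.items():
        scoped = [r for r in rows if in_scope(r)]
        gaps = sorted(r["user"] for r in scoped if not r["mfa_enabled"])
        if not scoped:
            answer = "n/a"
        elif gaps:
            answer = "no"
        else:
            answer = "yes"
        report[key] = {
            "question": question,
            "in_scope": len(scoped),
            "covered": len(scoped) - len(gaps),
            "gaps": gaps,
            "answer": answer,
        }
    return report


def format_report(report):
    """Render the report as the exception list you would keep with the application."""
    lines = []
    for key, r in report.items():
        lines.append(f"{r['question']} -> {r['answer'].upper()} "
                     f"({r['covered']}/{r['in_scope']} in-scope accounts covered)")
        for user in r["gaps"]:
            lines.append(f"    gap: {user}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(coverage(parse_export(SAMPLE_EXPORT))))
```

On the constructed data only the cloud question earns a "yes"; email, remote access and privileged accounts each have at least one uncovered account, so the accurate answer is "no" with the named exceptions attached. Run this against your real export before the application, fix what it flags, and re-run it before renewal so the answer and the evidence stay in step.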

The bottom line: Cyber insurance is a valuable risk transfer tool — but it's not a substitute for security controls, and it won't cover everything you assume it covers. The questionnaire requirements, properly understood, are actually a reasonable starting framework for building a basic security program. Use them as a floor, not a ceiling — and make sure you actually have what you say you have.

CrowdSOC Team · July 9, 2024