The application became an audit
A few years ago a cyber insurance application was a short form and a premium. After a wave of ransomware payouts gutted insurer profitability, that era ended. Today the application is a detailed security questionnaire, the answers are treated as binding representations, and the controls you claim are increasingly verified — sometimes by an external scan of your perimeter before a policy is even issued. Two consequences follow, and both bite: you can be denied coverage for missing controls, and worse, you can have a claim denied after a breach because you attested to a control you didn't actually have.
That second risk is the one that quietly ruins companies. You pay premiums for years, suffer the incident the policy exists for, and discover the payout hinges on whether the MFA you swore was "everywhere" was actually on the one account the attacker used. Cyber insurance readiness is the work of making sure your answers are true before you sign, so the policy is an asset and not a lawsuit waiting to happen.
The controls underwriters now treat as table stakes
Questionnaires vary by carrier, but a consistent core has emerged. These are the ones where "no" often means "no policy," and a false "yes" means "no payout":
- MFA everywhere that matters — email, VPN/remote access, privileged/admin accounts, and increasingly any internet-facing application. "We have MFA" is not the question; "is it on every account that can reach something important" is. This is exactly the everywhere-not-mostly standard behind MFA and identity hardening, and the gap between "mostly" and "everywhere" is where claims get denied.
- Endpoint detection and response (EDR) — not just antivirus. Underwriters increasingly distinguish between signature-based AV and modern EDR with behavioral detection, and the distinction shows up as a line item on the form.
- Tested, offline backups — the single biggest determinant of ransomware survivability. Insurers ask not just "do you back up" but "are backups isolated/immutable" and "have you tested a restore." The whole point of the ransomware prevention playbook is that backups you've never restored from are a hope, not a control.
- A written, tested incident response plan — a plan that exists on paper and has been exercised at least once. "We'd figure it out" is a declined answer. A real incident response plan with named roles is the expected one.
- Email security and phishing defense — given that phishing is the top initial-access vector, carriers want filtering, and often awareness training, in place.
- Privileged access management and timely offboarding — least privilege, no shared admin accounts, and departed users actually deactivated. Stale privileged accounts are a flagged risk.
- A patch/vulnerability management process — evidence that known-critical flaws get fixed on a defined cadence rather than whenever someone notices, which is why a defensible patch cadence is increasingly an insurance question, not just a hygiene one.
The trap is the gap between "yes" and "true"
Read the list again and notice the pattern: every item is something most teams will instinctively answer "yes" to, and most teams are partly wrong. MFA is on most accounts. Backups run, but nobody's restored from them since last year. The IR plan exists, but it's a stub from 2023 and has never been read aloud. Each of those is a "yes" on the form and a "no" in reality, and the reality is what surfaces during a claim investigation when the insurer's forensics team reconstructs exactly how the attacker got in.
The defensible posture is not "we believe we have these controls." It's "we can show, on demand, that we have them" — the same continuous-proof standard that makes continuous compliance monitoring work. An attestation backed by evidence is an asset. An attestation backed by optimism is a liability you're paying to hold.
Get ready before you apply, not during the claim
Treat the questionnaire as a gap assessment you run on yourself first. Walk every question and answer it honestly in private, where a wrong answer costs nothing:
- Map each required control to evidence. For "MFA on all admin accounts," can you produce the list of admin accounts and their MFA status today? If not, that's a finding, not a yes.
- Close the gaps before you sign. It is far cheaper to enable MFA on the last three accounts now than to lose a seven-figure claim later because of them.
- Keep the evidence current. Controls drift — a new admin gets added without MFA, a backup job silently fails. Continuous monitoring of security posture is what keeps your attestations true between renewal cycles, not just on the day you filled out the form.
A practical bonus: the readiness exercise is good security on its own terms. Every control an insurer demands — MFA, EDR, tested backups, an exercised IR plan, timely patching — is something you'd want regardless of whether you ever file a claim. The questionnaire is just a forcing function that an external party with money on the line wrote for you.
A note on what this is and isn't
Monitoring your posture and keeping evidence current makes the application honest and the renewal smoother — it does not underwrite your policy, guarantee approval, or replace the broker and carrier who set terms. Coverage decisions, exclusions, and payout determinations are theirs. What you control is whether the answers you give them are true, and whether you can prove it. That's the entire game, and it's winnable.
Cyber insurance no longer rewards the company that says the right things. It rewards the one that can show them — before the application, and again at 2 a.m. when a forensics team is deciding whether your policy pays out.