Cyber Insurance Underwriting Questionnaire: How to Answer Correctly

By Business Indemnity Editorial. Updated May 5, 2026

TL;DR: The cyber insurance application is no longer a simple form; it is a rigorous technical audit. Insurers are scrutinizing controls like MFA, EDR, and immutable backups, and are using external scans to verify applicant claims. Misrepresenting security controls, even unintentionally, can void your policy entirely, leaving you without coverage during an incident. The key to a successful application is not perfection, but precision. Applicants must answer truthfully, document compensating controls with evidence, and engage subject matter experts to ensure every response can withstand carrier scrutiny during the policy period and, most critically, during the [cyber insurance claims process](/cyber-insurance/cyber-insurance-claims-process).

The Shift from Questionnaire to Technical Audit

The cyber insurance market has fundamentally transformed. In the recent past, securing a policy was a straightforward exercise in attestation. An organization would check boxes, sign a form, and receive coverage. Today, driven by the escalating frequency and cost of ransomware attacks—a trend consistently documented in reports from Verizon and IBM—carriers have re-engineered their underwriting process. It has evolved from a questionnaire into a granular technical audit.

Insurers now operate under a "trust but verify" model. The application serves as the baseline for your organization's security posture, and every "yes" is a binding statement of fact. Carriers assume that if you attest to a control, it is fully implemented, consistently enforced, and effective. This high standard arises from significant carrier losses where breached policyholders were found to lack the very controls they claimed to have.

Consequently, the underwriting questionnaire is the single most critical document in the insurance lifecycle. Its purpose is not just to set a premium; it is to determine insurability itself. Answering inaccurately, whether through misunderstanding, optimism, or deliberate misrepresentation, creates a direct path for the carrier to rescind the policy and deny a claim when you need coverage most.

Anatomy of the Modern Control Scrutiny

Underwriters now focus on a core set of preventative and responsive controls that have proven effective in mitigating the most common and costly attack vectors, particularly ransomware. Answering "no" to these questions without substantial documented compensating controls is often an immediate disqualifier for coverage.

Multi-Factor Authentication (MFA)

This is the paramount control. Insurers are no longer asking if you use MFA, but where and how. The questions are specific:

  • Email: Is MFA required for all employees, including executives, on all cloud-based email access (e.g., Microsoft 365, Google Workspace)?
  • Remote Access: Is MFA mandatory for all remote access to the network, including VPNs and other remote desktop solutions?
  • Privileged Accounts: Is MFA required for all administrative access, both internal and remote, to critical infrastructure like domain controllers, cloud consoles (AWS, Azure, GCP), firewalls, and core servers?

A simple "yes" implies 100% enforcement. If MFA is deployed to 98% of users, the correct answer is "no," accompanied by an addendum explaining the gap and the plan to close it. Selecting from the best MFA solutions for business is only the first step; universal deployment is what underwriters demand.

Endpoint Detection and Response (EDR)

Antivirus (AV) is considered an insufficient legacy control. Insurers mandate the use of EDR or Managed Detection and Response (MDR) solutions that provide behavioral analysis, threat hunting, and rollback capabilities. Underwriters will ask for the specific vendor (e.g., CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) and, crucially, the percentage of endpoints covered. Most carriers require coverage on over 95% of all servers and workstations. If your EDR is deployed only to workstations but not your server fleet, you cannot truthfully claim full implementation.
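Both the MFA and the EDR questions above turn on the same discipline: a "yes" must be derived from the inventory, not from memory. The following Python is an added example, not code from the article or from any carrier; the identity and endpoint rows are constructed, and the 95% EDR threshold is the figure the article cites as a common carrier expectation. It treats any MFA gap as a "No" with a list of the uncovered accounts for the addendum, and it evaluates EDR per asset class so that full workstation coverage cannot mask an uncovered server fleet.

```python
"""Added example (not from the article): derive truthful MFA and EDR answers
from an inventory instead of from memory. All inventory rows are constructed."""
from dataclasses import dataclass, field

# Constructed sample data. One row per (account, access path) for MFA; one row
# per endpoint for EDR. In practice these come from the IdP and the EDR console.
IDENTITIES = [
    # (account, access_path, mfa_enforced)
    ("alice",         "email", True),
    ("bob",           "email", True),
    ("ceo",           "email", True),
    ("alice",         "vpn",   True),
    ("contractor-01", "vpn",   False),
    ("contractor-02", "vpn",   False),
    ("da-alice",      "admin", True),
    ("da-bob",        "admin", True),
]

ENDPOINTS = [
    # (hostname, asset_class, edr_agent_healthy)
    ("ws-001",     "workstation", True),
    ("ws-002",     "workstation", True),
    ("ws-003",     "workstation", True),
    ("srv-dc01",   "server",      True),
    ("srv-file01", "server",      False),
    ("srv-sql01",  "server",      False),
]

# Threshold the article cites as a common carrier expectation for EDR ("over 95%").
EDR_THRESHOLD_PCT = 95.0


@dataclass
class ControlAnswer:
    question: str
    answer: str                # "Yes" only when the attestation is fully true
    coverage_pct: float        # rounded to one decimal for the addendum
    gaps: list = field(default_factory=list)  # what the addendum must disclose


def _pct(covered: int, total: int) -> float:
    return round(100.0 * covered / total, 1) if total else 0.0


def mfa_answer(identities, access_path: str) -> ControlAnswer:
    """An MFA 'Yes' implies 100% enforcement on that path; 98% is a 'No' plus a gap list."""
    rows = [r for r in identities if r[1] == access_path]
    gaps = [account for account, _, enforced in rows if not enforced]
    return ControlAnswer(
        question=f"Is MFA required for all {access_path} access?",
        answer="Yes" if rows and not gaps else "No",
        coverage_pct=_pct(len(rows) - len(gaps), len(rows)),
        gaps=gaps,
    )


def edr_answer(endpoints, threshold_pct: float = EDR_THRESHOLD_PCT) -> ControlAnswer:
    """EDR must clear the threshold in every asset class, not merely on average."""
    by_class: dict = {}
    for host, asset_class, healthy in endpoints:
        by_class.setdefault(asset_class, []).append((host, healthy))

    gaps = []
    for asset_class, hosts in sorted(by_class.items()):
        missing = [host for host, healthy in hosts if not healthy]
        pct = _pct(len(hosts) - len(missing), len(hosts))
        if pct <= threshold_pct:  # "over 95%" means strictly greater
            gaps.append(f"{asset_class}: {pct}% covered, missing {', '.join(missing)}")

    covered_total = sum(1 for _, _, healthy in endpoints if healthy)
    return ControlAnswer(
        question=f"Is EDR deployed on more than {threshold_pct:g}% of servers and workstations?",
        answer="Yes" if endpoints and not gaps else "No",
        coverage_pct=_pct(covered_total, len(endpoints)),
        gaps=gaps,
    )


if __name__ == "__main__":
    for ans in (mfa_answer(IDENTITIES, "email"),
                mfa_answer(IDENTITIES, "vpn"),
                mfa_answer(IDENTITIES, "admin"),
                edr_answer(ENDPOINTS)):
        print(f"{ans.question}\n  -> {ans.answer} ({ans.coverage_pct}% covered)")
        for gap in ans.gaps:
            print(f"     gap: {gap}")
```

With the constructed data, email and admin MFA come back "Yes", VPN MFA comes back "No" at 33.3% with the two contractor accounts named, and EDR comes back "No" at 66.7% overall because the server class sits at 33.3% even though every workstation is covered. The `gaps` list is exactly what belongs in the addendum.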

Backup and Recovery

Backups are an organization's last line of defense against a destructive ransomware attack. Underwriter questions have become extremely precise, moving beyond "do you have backups?" to:

  • Segmentation: Are backups stored on a logically or physically segmented network, separate from the primary environment?
  • Immutability: Are backups immutable or stored in an air-gapped environment, rendering them unable to be encrypted or deleted by an attacker?
  • Testing: How frequently are backups tested for data integrity and restorability? Carriers expect, at minimum, quarterly or semi-annual testing with documented proof of success.

The expectation is a modern backup architecture that adheres to the 3-2-1 rule (three copies of data on two different media types, with one copy off-site) with an added layer of immutability.
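The three backup questions and the 3-2-1 rule can be checked mechanically against a backup inventory. The Python below is an added example, not code from the article; the inventory is constructed, the production data set is assumed to count as the first of the three copies, and the 182-day test-age limit is an assumption sitting at the semi-annual end of the range the article gives.

```python
"""Added example (not from the article): check a backup inventory against the
3-2-1 rule, immutability, segmentation and test cadence. Data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool            # object lock / WORM / air-gapped
    reachable_from_prod: bool  # deletable with production-domain credentials


# Assumption: the production data set itself counts as the first of the three copies.
PRODUCTION_MEDIUM = "disk"

# Constructed inventory: a same-site disk target plus an immutable cloud vault.
COPIES = [
    BackupCopy("nightly-nas", "disk",           offsite=False, immutable=False, reachable_from_prod=True),
    BackupCopy("cloud-vault", "object-storage", offsite=True,  immutable=True,  reachable_from_prod=False),
]

# Article: carriers expect at minimum quarterly or semi-annual restore tests.
MAX_TEST_AGE_DAYS = 182


def assess_backups(copies, last_restore_test: date, today: date,
                   max_test_age_days: int = MAX_TEST_AGE_DAYS) -> dict:
    """Return Yes/No per underwriter question plus the findings an addendum must cover."""
    findings = []

    total_copies = 1 + len(copies)  # production + backups
    media = {PRODUCTION_MEDIUM} | {c.medium for c in copies}
    offsite = any(c.offsite for c in copies)
    if total_copies < 3:
        findings.append(f"only {total_copies} copies of data (3-2-1 needs three)")
    if len(media) < 2:
        findings.append("all copies share one medium (3-2-1 needs two)")
    if not offsite:
        findings.append("no off-site copy (3-2-1 needs one)")

    immutable = any(c.immutable for c in copies)
    if not immutable:
        findings.append("no immutable or air-gapped copy")

    # Segmentation: at least one copy an attacker with production credentials cannot touch.
    segmented = any(not c.reachable_from_prod for c in copies)
    if not segmented:
        findings.append("every copy is reachable with production credentials")

    test_age = (today - last_restore_test).days
    tested = test_age <= max_test_age_days
    if not tested:
        findings.append(f"last restore test {test_age} days ago (limit {max_test_age_days})")

    return {
        "three_two_one": total_copies >= 3 and len(media) >= 2 and offsite,
        "segmentation": segmented,
        "immutability": immutable,
        "tested_recently": tested,
        "findings": findings,
    }


if __name__ == "__main__":
    today = date(2026, 5, 5)
    result = assess_backups(COPIES, last_restore_test=today - timedelta(days=40), today=today)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed inventory with a recent restore test, every question comes back "Yes" and the findings list is empty; drop the cloud vault and let the last test age past the limit, and the same function produces the full list of gaps that the addendum must disclose rather than a hopeful "yes".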

Privileged Access Management (PAM)

Attackers who gain initial access immediately seek to escalate privileges to become domain administrators. PAM solutions are designed to prevent this. Insurers will probe your controls over privileged accounts, asking if you:

  • Use a PAM solution to vault, rotate, and monitor administrative credentials.
  • Enforce principles of least privilege, ensuring users have only the minimum access required for their roles.
  • Restrict the use of shared administrative accounts.

Failure to control privileged access is a red flag, as it directly correlates with an attacker's ability to move laterally and deploy ransomware across the entire network.

Security Awareness and Email Filtering

Given that phishing remains a primary initial access vector according to CISA alerts and industry breach reports, underwriters evaluate your human firewall. They require details on:

  • Cadence: How often do you conduct phishing simulation campaigns for all employees? The standard is moving from annual to quarterly or even monthly.
  • Remediation: What is the process for employees who repeatedly fail phishing tests? This demonstrates a commitment to improving security culture.
  • Technology: What advanced email filtering solutions are in place (e.g., Mimecast, Proofpoint) to block malicious attachments and links before they reach the user?

Beyond the Page: Out-of-Band Verification

Carriers no longer solely rely on your application answers. They actively verify your security posture using external, objective data sources. This "outside-in" view helps them validate claims and identify undisclosed risks.

The most common method is through security ratings platforms like BitSight and SecurityScorecard. These services continuously scan the public internet for signals related to your organization's security hygiene. They monitor for:

  • Open Ports and Vulnerable Services: Unnecessarily exposed RDP ports, outdated SSL/TLS configurations, or vulnerable web application versions.
  • Patching Cadence: Evidence of systems running software with known, unpatched critical vulnerabilities (CVEs).
  • Malware Infections: Botnet participation or other indicators of compromise originating from your IP space.
  • Data Breaches: Publicly disclosed credentials associated with your company's domain.

A low security score or the discovery of a critical vulnerability during underwriting will, at best, lead to difficult questions and a "risk improvement plan" requirement. At worst, it can result in a declination of coverage. Applicants should know their external security score and address major findings before submitting their application.
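Knowing your external score before the underwriter does means triaging the same signals the ratings platforms look at. The Python below is an added example, not code from the article or from BitSight or SecurityScorecard; the CSV export is constructed (addresses are RFC 5737 documentation space, the column layout is an assumption), and the rule set goes slightly beyond the article's RDP example by also treating internet-exposed SMB and Telnet as critical, which is standard ratings-platform behaviour but not stated on this page. The point is the defender's pre-application check: anything critical or high is fixed before the form is signed.

```python
"""Added example (not from the article): triage an outside-in scan export the way
an underwriter's ratings platform would, before the application is submitted.
The CSV below is constructed; addresses are RFC 5737 documentation space."""
import csv
import io
from dataclasses import dataclass

# Constructed scanner export. Column layout is an assumption for this example.
SCAN_CSV = """host,port,service,tls_min,critical_cves
198.51.100.10,443,https,TLSv1.2,0
198.51.100.10,3389,ms-wbt-server,,0
198.51.100.11,443,https,TLSv1.0,2
198.51.100.12,22,ssh,,0
198.51.100.13,445,microsoft-ds,,0
"""

# Services treated as unacceptable on the public internet. The article names RDP;
# SMB and Telnet are added here as equally standard findings (assumption).
EXPOSED_ADMIN_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet"}
# Protocol versions that show up as "outdated SSL/TLS configuration".
OUTDATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
SEVERITY_RANK = {"critical": 0, "high": 1}


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    port: int
    detail: str


def triage_scan(csv_text: str) -> list:
    """Map raw scan rows to the findings an underwriter would raise, most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, port = row["host"], int(row["port"])
        if port in EXPOSED_ADMIN_PORTS:
            findings.append(Finding("critical", host, port,
                                    f"{EXPOSED_ADMIN_PORTS[port]} exposed to the internet"))
        if row["tls_min"] in OUTDATED_TLS:
            findings.append(Finding("high", host, port,
                                    f"accepts outdated protocol {row['tls_min']}"))
        if int(row["critical_cves"] or 0) > 0:
            findings.append(Finding("high", host, port,
                                    f"{row['critical_cves']} unpatched critical CVE(s) reported"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))


def ready_to_apply(findings) -> bool:
    """The article's advice: clear critical and high findings before the application goes in."""
    return not any(f.severity in ("critical", "high") for f in findings)


if __name__ == "__main__":
    found = triage_scan(SCAN_CSV)
    for f in found:
        print(f"[{f.severity:8}] {f.host}:{f.port} {f.detail}")
    print("ready to apply:", ready_to_apply(found))
```

On the constructed export this yields two critical findings (RDP and SMB reachable from the internet) and two high findings on the host still offering TLS 1.0 with unpatched critical CVEs, so `ready_to_apply` is false. Feeding it an export with only the HTTPS-on-TLS-1.2 and SSH rows returns no findings and a green light.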

The Rescission Doctrine: The High Cost of Misrepresentation

Answering a questionnaire incorrectly is not merely a paperwork error; it is a material misrepresentation that can give the insurer the right to rescind the policy. Rescission means the policy is treated as if it never existed. The carrier returns your premium payments and, in turn, owes you nothing for any claims filed under the policy.

The 2022 case of Travelers Property Casualty Co. of America v. International Control Services, Inc. serves as a stark warning. ICS, a manufacturing company, applied for a cyber policy with Travelers. On its application, it affirmed that it used multi-factor authentication for remote access. After suffering a ransomware attack, ICS filed a claim. During the investigation, Travelers discovered that MFA was not, in fact, implemented for remote access as stated.

The court ruled in favor of Travelers, allowing the insurer to rescind the policy. The judge determined that the MFA attestation was a material misrepresentation that influenced the underwriting decision. Had Travelers known the true state of the control, it would not have issued the policy under the same terms. ICS was left to bear the full, multi-million-dollar cost of its ransomware incident. This case underscores a critical legal principle: the accuracy of your application is a condition of coverage.

Answering with Integrity: Documenting Compensating Controls

The goal is not to present a flawless security program but an accurately represented one. Honesty combined with proactive risk management is far more insurable than perfection that exists only on paper.

When you encounter a question where the answer is "no," or "partially," do not simply check the box and hope for the best. This is an opportunity to demonstrate security maturity.

  1. Use Addenda: Never try to fit a complex explanation into a small comment box. Attach a separate, formal addendum to the application.
  2. Define and Clarify: For a question like, "Is 100% of your data encrypted at rest?" an honest answer may be "no." The addendum should clarify: "Data categorized as 'Confidential' and 'Restricted,' representing 95% of our critical data assets, is encrypted at rest using AES-256. Data categorized as 'Public' is not encrypted. This risk-based approach is detailed in our Data Classification Policy, attached as Appendix B."
  3. Document Compensating Controls: If you cannot implement a primary control, explain what alternative measure is in place. For example, if you lack a formal PAM solution, your addendum might state: "While a commercial PAM tool is not yet deployed (projected Q4), we enforce privileged access control through a combination of highly segmented administrative jump boxes, mandatory 25-character complex passwords for all admin accounts rotated quarterly, and real-time logging of all administrative sessions to our SIEM for daily review."
  4. Show the Roadmap: If a control is in progress, provide specifics. "MFA for remote VPN access is 75% deployed. The remaining 25% represents legacy contractor accounts, which are scheduled for migration to our new MFA-enabled VPN gateway by October 31. In the interim, these accounts are restricted to a firewalled network segment with no access to production data."

Working closely with an experienced cyber insurance broker is vital. They can help frame these answers in a way that underwriters understand and accept. An accurate, well-documented application that acknowledges gaps but demonstrates a clear strategy for managing them is the hallmark of a good risk and one of the most influential cyber insurance cost factors.

Pre-Application Readiness Checklist

Before your security and risk leaders even see the application form, undertake this internal readiness review. This proactive approach prevents last-minute scrambling and improves your chances of securing favorable terms.

Conduct an Internal Audit

Perform a self-assessment against the common control categories: MFA, EDR, backups, PAM, and patching. Use a framework like the NIST Cybersecurity Framework (CSF) or the CIS Controls as a guide. Identify gaps between your current state and underwriter expectations.

Gather Your Documentation

Assemble the evidence you will need to support your answers. This includes:

  • IT security policy and procedure documents.
  • Recent vulnerability scan reports (internal and external).
  • Penetration test executive summaries from the last 12-18 months.
  • Backup restoration test logs.
  • A network diagram showing key segmentation points.
  • An asset inventory showing your EDR coverage percentage.

Know Your External Posture

Request a copy of your security ratings report from your broker or directly from a vendor like BitSight or SecurityScorecard. Remediate any critical or high-severity findings, especially open RDP ports or known exploitable vulnerabilities, before applying.

Align with Leadership and Legal

Brief your CFO, CEO, and General Counsel on the state of your security posture and the attestations that will be made on the application. The individual signing the application (often the CFO or CEO) is legally attesting to its accuracy. They must understand the security reality and the risk of misrepresentation. This is also the time to review common cyber insurance exclusions to watch for, ensuring the coverage pursued aligns with the organization's risk profile.
