What Your Cyber Insurance Renewal Is Actually Asking (And Why You Need To Answer Honestly)
The questionnaire lands in your email in early spring. 20 pages. Lots of checkboxes. Questions about your network, your security, your backups, your employees.
Most business owners fill it out quickly, guess at some answers, and send it back.
Then when they need to file a claim, they find out that the answers matter.
The Insurance Company’s Job
Cyber-insurance exists to cover the costs when a breach happens. Investigation costs, notification costs, legal costs, ransom, lost revenue, damage to your business.
The insurance company’s job is to cover those costs. But they also need to know the odds that a breach will happen. A business with basic security practices is a different risk than a business where nobody uses passwords and anyone can access sensitive data.
So the questionnaire isn’t just busy work. It’s the risk assessment.
Answer it like you’re guessing and you’ve told the insurance company “this business has normal, minimal security.” If the actual security is weaker, the insurance company will notice when you file a claim and may deny it.
What They’re Actually Asking
The questionnaire usually has some variation of these questions:
Do you have a firewall? They want to know whether you have a boundary between your office network and the internet. A router from the internet company doesn’t count.
Do you have backups? They want to know whether you can recover from ransomware. And they want to know that the backups are tested regularly, stored offline (where ransomware can’t encrypt them), and documented.
Do you have multi-factor authentication? They want to know whether stolen passwords alone can’t unlock your systems.
Do you have endpoint protection? They want to know whether every computer has threat detection, not just antivirus.
Do you monitor your network? They want to know whether someone is watching for signs of an attack, or whether you’d only find out about a breach after the damage is done.
Do you have a incident response plan? They want to know whether you have a process for what to do when something goes wrong, or whether you improvise.
Do you have cyber-insurance documentation? They want to know whether you keep records: backup test results, incident logs, patch updates, security training completion. Because if you file a claim, these records prove you had security in place.
Do you have a remote work policy? They want to know whether people working from home are using company devices (presumably secured) or personal devices (presumably not).
Have you had a breach? They want to know your history.
Have you had a security assessment? They want to know whether someone from outside your company has looked at your setup and given you an independent opinion.
The Honest Answer Is Usually “Mostly”
Almost no business answers “yes” to all of these. Most answer “some of them” or “we’re working on it.”
That’s usually fine. The insurance company knows that no business is perfect.
But they also know the difference between “we have a backup process that’s untested” and “we test our backups quarterly and have documented results.”
They know the difference between “everyone has multi-factor authentication except for the legacy system we can’t upgrade” and “some people use multi-factor authentication.”
Honest answers that include your gaps are fine. Vague answers that hide your gaps are not.
What Happens When You File a Claim
Your network gets breached. Investigation costs money. The insurance company sends someone to look at your setup.
They find that your answer to “do you monitor your network” was “yes,” but the actual setup is a basic intrusion detection system that hasn’t been configured properly and nobody checks its alerts.
The fine print of your policy says that you’re required to monitor your network. The definition of monitoring isn’t super detailed, so the insurance company can claim that you weren’t actually monitoring.
Now your claim gets denied. Or it gets approved for partial coverage.
This is more common than you’d think.
The Questionnaire Is a Contract
Every answer on the questionnaire is technically part of your insurance contract. If the answers turn out to be false, the insurance company has grounds to deny your claim.
This isn’t about insurance companies being predatory. It’s about how insurance works. If you tell them “we have basic security” and it turns out you have no security, they’ve mispriced the risk.
How to Answer Honestly
Go through the questionnaire with the person who actually knows your setup. If that’s your IT person, great. If that’s nobody, that’s a problem you should solve.
For each question, give the actual answer. Not the answer you wish you had. Not the answer you’re planning to have. The answer to the current state.
If there’s a gap, note the gap. “We have multi-factor authentication on admin accounts but not on regular user accounts.” “We have backups but they haven’t been tested in two years.”
These gaps might cost you a slightly higher premium. But they won’t cost you a claim denial.
Before You Renew
Get a security assessment. Thirty minutes with an IT person who does this professionally will identify the gaps between what you think you have and what you actually have.
Then decide: fix the gaps before renewal, or disclose them in the questionnaire.
The honest disclosure with gaps is better than the pristine questionnaire that doesn’t match reality.
The Real Cost
Most business owners assume the questionnaire doesn’t matter that much. Insurance is insurance, right?
But cyber-insurance claims are contentious. The investigation after a breach is expensive. Hundreds of thousands of dollars, sometimes millions. The insurance company scrutinizes every question you answered, looking for a way to deny or reduce the claim.
If you answered the questionnaire honestly—including your gaps—the insurance company has already accounted for those gaps in the coverage and the premium.
If you answered it optimistically and the reality is different, the insurance company has an easy way out of the claim.
What to Do This Week
Pull up the renewal questionnaire. Go through it with whoever knows your actual setup.
Answer it honestly. Gaps and all.
If the gaps are big ones—no backups, no multi-factor authentication, nobody monitoring the network—start fixing them before renewal. It’ll cost time and money now, but it’ll save time and money later.
And when you file a claim (and most businesses do eventually), you’ll know you answered honestly and the insurance company has to pay.