The questionnaire lands in email early spring. 20 pages. Lots of checkboxes. Questions about network, security, backups, employees.
Most business owners fill quickly, guess answers, send back.
Then when they need claim, find out answers matter.
The Insurance Company’s Job
Cyber-insurance covers costs when breach happens. Investigation, notification, legal, ransom, lost revenue, damage.
Insurance company needs to know odds of breach. So questionnaire isn’t busy work. It’s risk assessment.
Answer like guessing and you’ve told them basic security. If actual security weaker, they notice at claim time and may deny.
What They’re Actually Asking
Do you have firewall? Boundary between office and internet.
Do you have backups? Can recover from ransomware, tested regularly, offline, documented.
Do you have MFA? Stolen passwords can’t unlock.
Do you have endpoint protection? Every computer has threat detection.
Do you monitor network? Watch for attack signs.
Do you have incident response plan? Process for when wrong.
Do you have documentation? Backup test results, incident logs, patches, training.
Do you have remote work policy? Company devices or personal.
Have you had breach? Your history.
Have you had assessment? Outside opinion.
The Honest Answer Is Usually “Mostly”
Almost nobody says yes to all. Most say some or working on it.
Usually fine. Insurance knows no business perfect.
But they know difference between “untested backup process” and “test quarterly with documented results.”
What Happens at Claim Time
Network breached. Insurance sends someone to look.
Find your answer was not accurate.
Claim gets denied or partial coverage.
More common than you think.
The Questionnaire Is Contract
Every answer technically part of insurance contract. If false, company has grounds to deny.
Not predatory. That’s how insurance works. Tell them basic security when you actually have none, they mispriced risk.
How to Answer Honestly
Go through with person who knows setup.
For each question, give actual answer. Not wish, not plan. Current state.
If gap, note it. “MFA on admin but not regular users.” “Backups but haven’t tested two years.”
Gaps might cost higher premium. Won’t cost claim denial.
Before You Renew
Get security assessment. Thirty minutes identifies gaps.
Then decide: fix before renewal or disclose.
Honest with gaps beats pristine that doesn’t match reality.
When You File Claim
File honestly and insurance has to pay. File optimistically and they have out.