Article · explainmyit.com/blog

What Cyber Insurance Actually Asks About Your IT

9 min read


Cyber insurance renewals used to be straightforward. A few broad questions about your industry and revenue, a signature, done.

That changed. The questions are more specific now, and they are about your IT setup rather than your business in general: your actual technical configuration.

Most business owners cannot answer them without calling their IT provider. Some discover, mid-application, that they do not know whether they have the things the insurer is asking about.

Here is what the questions typically cover, why insurers care, and how to be ready before the form arrives.


Why Cyber Insurance Applications Got Harder

Insurers had a rough few years. Claims increased significantly as ransomware and business email compromise became more common. Underwriters responded by tightening the questions they ask and the conditions they attach to coverage.

The result is that a business that might have qualified for a policy three years ago based on revenue and industry may now need to demonstrate specific security controls before the same policy is available. Some insurers have started declining coverage or excluding specific risks for businesses that cannot confirm certain baseline configurations.

This is not necessarily bad news for a business with a reasonably well-managed IT setup. It is harder news for a business that has been operating on the assumption that everything is probably fine.


The Questions You Will Likely See

Applications vary by insurer but the same categories appear consistently.

Multi-factor authentication

Do you use multi-factor authentication for email, remote access, and privileged accounts?

This is the question that has caught the most businesses off guard. MFA has become close to a baseline requirement for many policies. An application that cannot confirm MFA on email is increasingly likely to come back with exclusions or higher premiums.

What they are checking: whether an attacker who compromises a password can access your systems without a second factor. Business email compromise, where an attacker uses stolen credentials to access email and redirect payments, is one of the most common and expensive claims insurers pay out.

Backups

Do you maintain regular backups? Are backups stored separately from your primary systems? When did you last test restoration?

The backup questions have become more detailed. Insurers have paid enough ransomware claims to know that backups stored on the same network as the infected systems are frequently encrypted too. They want to know the backups are genuinely separate and genuinely restorable. Genuinely separate means the backups cannot be reached, deleted or encrypted with the same credentials that run production: offline media, a separate account, or immutable storage. Genuinely restorable means someone has actually performed a restore recently, not just confirmed that the backup job reports success.

What they are checking: whether a ransomware infection would leave you with no options other than paying the ransom.

Email security

Is SPF configured? DKIM? DMARC?

These appear on more applications than they used to. Insurers understand that a domain whose DMARC policy is absent or set to p=none can be spoofed with little effort, which makes business email compromise easier to execute. Having a DMARC record is not the same as enforcing one; the policy needs to be quarantine or reject before it stops anything.

What they are checking: whether your domain can be impersonated in a way that makes fraudulent email appear legitimate.
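A quick way to check the answer to these questions before you self-report them is to pull the SPF and DMARC TXT records for your domain and evaluate them against the settings an insurer would treat as weak. The script below is an added example, not code from the original article or from ExplainMyIT; the sample TXT records for example.com and example.net are constructed, and the lookup-count check is an approximation of the RFC 7208 ten-lookup limit rather than a full SPF evaluator.

```python
"""Parse SPF and DMARC TXT records and flag settings that would not
count as enforcement on a cyber insurance application.

Records are fed in as strings so the check runs offline; in practice you
would fetch them with `dig +short TXT example.com` and
`dig +short TXT _dmarc.example.com` and paste the results here.
"""
import re

# Constructed sample records for two reserved example domains.
# example.com has SPF and DMARC "present" but not enforcing;
# example.net is configured the way an underwriter wants to see it.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.net": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.net",
}

ENFORCING = ("quarantine", "reject")

# Mechanisms/modifiers that each cost one DNS lookup under RFC 7208.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def parse_dmarc(record):
    """Return a dict of DMARC tag=value pairs, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_enforcing(record):
    """True only when the domain policy is quarantine or reject."""
    tags = parse_dmarc(record)
    return tags is not None and tags.get("p", "").lower() in ENFORCING


def dmarc_findings(record):
    """List the reasons a DMARC record would not satisfy an enforcement question."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"DMARC policy is p={policy or 'missing'}; not enforcing")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only part of the mail stream")
    sub_policy = tags.get("sp")
    if sub_policy and sub_policy.lower() not in ENFORCING:
        findings.append(f"subdomain policy sp={sub_policy} is not enforcing")
    if "rua" not in tags:
        findings.append("no rua= address; you will not see reports of spoofing attempts")
    return findings


def spf_findings(record):
    """List the reasons an SPF record would be considered weak or broken."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends with +all: any sender passes")
        elif qualifier in "~?":
            findings.append(f"SPF ends with {qualifier}all: soft fail/neutral, relies on DMARC for enforcement")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs about {lookups} DNS lookups; over the limit of 10, receivers return permerror")
    return findings


def assess_domain(domain, records):
    """Combine the SPF and DMARC checks for one domain into a single report."""
    spf = records.get(domain, "")
    dmarc = records.get(f"_dmarc.{domain}", "")
    return {
        "spf": spf_findings(spf),
        "dmarc": dmarc_findings(dmarc),
        "dmarc_enforcing": dmarc_enforcing(dmarc),
    }


if __name__ == "__main__":
    for name in ("example.com", "example.net"):
        report = assess_domain(name, SAMPLE_RECORDS)
        print(name, "enforcing" if report["dmarc_enforcing"] else "NOT enforcing")
        for finding in report["spf"] + report["dmarc"]:
            print("  -", finding)
```

Note what the script does not check: DKIM. A DKIM selector record lives at `<selector>._domainkey.<domain>` and the selector name depends on your mail provider, so it cannot be discovered from the domain alone; confirm with your provider which selectors are published and that the corresponding TXT records exist.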

Software updates and patching

Is your software kept current? Do you have a patching process?

The question is usually qualitative rather than asking for specific version numbers. But some applications ask about specific categories: operating systems, web-facing applications, remote access software.

What they are checking: whether known vulnerabilities are being addressed or left open.

Remote access

Do employees access company systems remotely? If so, how? Is VPN used? Is RDP exposed to the internet?

RDP open to the internet is a known attack vector that insurers flag specifically. If your business has remote access through an unsecured method, this is worth knowing before it appears on an application.

What they are checking: whether your network exposes entry points an attacker can reach directly from the internet, without first having to compromise an internal system.

Incident response

Do you have an incident response plan? Do you know who to contact if you experience a breach?

This one is often asked but rarely grounds for denial on its own. It is more about demonstrating that you have thought about the scenario than about having a formal document.

Vendor and third-party access

Do third parties have access to your systems? Is that access managed and monitored?

MSPs and IT providers with access to client systems are a known risk vector. Insurers want to know whether third-party access is controlled or whether any contractor who has ever worked with you still has an active credential somewhere.


What Happens If You Cannot Answer

The application does not usually say "denied." It more often comes back with:

  • Higher premiums to reflect unquantified risk
  • Specific exclusions for the risks you could not confirm controls against
  • A request for additional information before underwriting can proceed
  • A requirement to implement specific controls within a defined period as a condition of coverage

None of these are ideal. A higher premium or an exclusion looks like a minor line item on the application; in a claim scenario it is the difference between a loss that is covered and one that is not.

How to Prepare

The best time to work through these questions is not when the renewal form arrives. It is in the weeks before, with enough time to address gaps.

A conversation with your IT provider framed around the application questions is a reasonable starting point. Ask them to confirm, specifically and in writing if possible, which of these controls are in place. Not "we handle security" — which ones, configured how, verified when.

If there are gaps, you have time to address them before the application rather than discovering them mid-form.

An independent external scan of your setup covers several of these categories: email security configuration, SSL certificate status, DNS records, public exposure, and breach history. It does not cover internal controls like MFA or backup configuration, but it gives you a verified picture of the external signals before you self-report them.


A Note on Self-Reporting

Cyber insurance applications are self-reported. You confirm controls are in place without necessarily providing evidence. This creates a risk that goes in both directions.

If you confirm controls that are not actually in place and subsequently make a claim, the insurer may investigate whether the application was accurate. Misrepresentation on an application can be grounds for claim denial.

If you are conservative and report that controls are not confirmed when you are unsure, you may face higher premiums unnecessarily.

The middle path is to actually know your setup before you complete the form. Not to assume it is fine, and not to leave gaps unaddressed that could be closed with a short conversation with your IT provider.


FAQ

Do small businesses actually need cyber insurance? It depends on your risk profile. Businesses that handle customer payment information, personal data, or operate in regulated industries have clearer reasons to carry it. Businesses that would be significantly damaged by a week of downtime or a data breach have reasons to carry it regardless of industry. The cost of a policy is usually easier to evaluate after you understand what the claims scenarios actually look like.

What is a typical cyber insurance claim? Business email compromise is the most common by volume. A compromised email account is used to redirect a payment, impersonate an executive, or access sensitive information. Ransomware is less frequent but higher cost per incident. Data breach notification costs, which include legal fees and customer notification, are another significant category.

Our IT provider says we are covered by their insurance. Is that enough? Probably not for your own business risk. An MSP's errors and omissions insurance typically covers their liability for mistakes, not your business's losses from a breach. These are different things and it is worth confirming exactly what is and is not covered before assuming you are protected.

How often do cyber insurance applications ask about IT configuration specifically? Increasingly often. The shift toward technical questions on applications has been consistent over the past three to four years and shows no sign of reversing. Businesses that have not reviewed their application responses against their actual IT configuration recently may find the current form more detailed than they expect.


ExplainMyIT generates a monthly external snapshot of your IT configuration covering domain registration, email security setup, SSL certificate status, DNS records, technology stack, and breach history. Several of these map directly to cyber insurance application questions. The dated record also gives you a documented baseline to reference when completing an application.

See what your current setup looks like or read more about how it works.
