
Your Cyber Insurance Application Is Also a Security Audit

By Inevat Team·January 26, 2026

Cyber insurance applications used to be short. "Do you have a firewall? Do you have antivirus?" Check yes, pay the premium, done.

That era ended around 2021, when the ransomware wave hit insurers hard enough to fundamentally change underwriting. The applications now look more like IT security audits. They ask about MFA on every administrative account. About endpoint detection and response. About backup testing frequency and offline backup copies. About privileged access management. About employee phishing training.

The questions aren't random. They're a fairly accurate map of what insurers have learned from paying out claims — a statistical picture of which controls were missing in the environments that got breached, and which weren't. Reading the questions carefully is one of the faster ways to understand your actual risk posture.

The Questions That Actually Move Your Premium

A few categories get more scrutiny than others, because the insurers' claims data shows they matter most.

Multi-factor authentication. Almost every application now asks about MFA coverage — specifically on email, remote access (VPN, RDP), cloud admin consoles, and privileged accounts. "We have MFA available" is different from "MFA is enforced on all accounts." Insurers are getting specific because they've paid too many claims on accounts that had MFA available but not required.

Remote Desktop Protocol (RDP) exposure. RDP is one of the most exploited services on the internet. If you're running RDP exposed to the internet without additional protections, some insurers will decline coverage outright or add explicit exclusions. This one is a hard line for many underwriters now.

Offline or immutable backups. If your backups live on the same network as your production systems, ransomware will encrypt them. Insurers know this. They ask whether you have offline backups, air-gapped copies, or immutable cloud backups that can't be deleted by ransomware. They also increasingly ask whether you test restores — because a backup you've never restored is a backup you don't actually have.

Endpoint detection and response. Basic antivirus isn't enough for most insurers anymore. They ask about EDR — whether you have behavioral detection that can catch attackers who are using legitimate system tools rather than obvious malware. Some carriers explicitly exclude claims if the environment was running only signature-based AV.

Employee security training. Phishing training programs are increasingly a checkbox item. Some insurers offer premium discounts for documented security awareness programs. Others treat the absence of training as a risk factor that affects pricing.

The Problem With Answering Inaccurately

Cyber insurance applications are attestations. When you check "yes" to having MFA enforced on all remote access, you're representing that as true. If you have a breach and the investigation reveals that RDP was exposed without MFA, and you checked yes on the application, that's a material misrepresentation — and your insurer has grounds to deny the claim.

This has happened. It's happening more as insurers get more sophisticated about post-claim forensics. The investigation after a breach will look at your actual security controls, and if those don't match your application answers, you have a problem that goes beyond the breach itself.

The safe approach is to answer the application based on what you can demonstrate, not what you intend or assume. If you're not sure whether MFA is actually enforced everywhere it should be, that's worth checking before signing.

Using the Application as a Security Roadmap

Here's the useful reframe: take your current cyber insurance application (or pull one from any carrier — they're similar enough to be interchangeable for this purpose) and use the questions as a checklist. Every question is something insurers have identified as a meaningful risk factor based on real claims data.

If you can answer "yes, with documentation" to every question, you have a reasonably strong security posture for your size. If you're answering "no" or "we should probably look at this" to several, those gaps are worth addressing — both because they're risk factors and because they affect your coverage and pricing.

We do a version of this as part of our security assessments: work through the standard cyber insurance questions with you, document your actual state, identify the gaps, and prioritize what to fix. It's a useful exercise whether you're buying insurance for the first time or renewing and wondering why your premium went up.
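The exercise above (work through the insurer's questions, document the actual state, list the gaps) can be made mechanical so that every answer traces back to evidence rather than intent. The script below is an added example, not Inevat's assessment tooling or any carrier's form: it takes a constructed inventory of controls (accounts, exposed services, backup sets, EDR and training flags), derives an answer for each of the question categories discussed earlier, and flags the two traps the article calls out, MFA that is available but not enforced and a backup whose restore has never been tested recently. The 90-day restore-test threshold, the field names and the sample data are all assumptions for illustration.

```python
"""Derive cyber insurance application answers from evidence, not intent.

Added example (not Inevat's code): checks a control inventory you can
actually demonstrate against the question categories the article lists,
and answers "yes" only when every item of evidence supports it. All names,
thresholds and sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RDP_PORT = 3389
RESTORE_TEST_MAX_AGE = timedelta(days=90)  # assumed internal policy, not an insurer's figure
AS_OF = date(2026, 1, 26)                  # constructed assessment date


@dataclass
class Account:
    name: str
    role: str            # "admin", "remote" (VPN/RDP user) or "user"
    mfa_available: bool  # MFA is registered or offered for the account
    mfa_enforced: bool   # a policy requires MFA with no bypass


@dataclass
class Service:
    name: str
    port: int
    internet_exposed: bool    # listener reachable directly from the internet
    behind_mfa_gateway: bool  # only reachable through a VPN/gateway that enforces MFA


@dataclass
class BackupSet:
    name: str
    offline_or_immutable: bool         # air-gapped copy or immutable cloud storage
    last_restore_test: Optional[date]  # None if a restore has never been tested


@dataclass
class Inventory:
    accounts: list
    services: list
    backups: list
    edr_deployed: bool         # behavioral EDR, not signature-only AV
    training_documented: bool  # documented phishing/awareness program


@dataclass
class Answer:
    question: str
    answer: str   # "yes" only when no gap was found
    evidence: list
    gaps: list


def check_mfa(inv: Inventory) -> Answer:
    """MFA must be enforced, not merely available, on admin and remote accounts."""
    in_scope = [a for a in inv.accounts if a.role in ("admin", "remote")]
    gaps = []
    for a in in_scope:
        if not a.mfa_enforced:
            why = "available but not enforced" if a.mfa_available else "not configured"
            gaps.append(f"{a.name} ({a.role}): MFA {why}")
    evidence = [f"{len(in_scope) - len(gaps)}/{len(in_scope)} admin/remote accounts enforce MFA"]
    return Answer("MFA enforced on all admin and remote-access accounts?",
                  "yes" if not gaps else "no", evidence, gaps)


def check_rdp(inv: Inventory) -> Answer:
    """RDP may not be reachable from the internet unless it sits behind an MFA gateway."""
    gaps = [f"{s.name}: RDP exposed directly to the internet"
            for s in inv.services
            if s.port == RDP_PORT and s.internet_exposed and not s.behind_mfa_gateway]
    rdp = [s.name for s in inv.services if s.port == RDP_PORT]
    evidence = [f"RDP listeners reviewed: {', '.join(rdp) or 'none'}"]
    return Answer("RDP not directly exposed to the internet?",
                  "yes" if not gaps else "no", evidence, gaps)


def check_backups(inv: Inventory, today: date) -> Answer:
    """Need an offline/immutable copy AND a recent successful restore test."""
    gaps, evidence = [], []
    protected = [b for b in inv.backups if b.offline_or_immutable]
    if not protected:
        gaps.append("no offline or immutable backup copy")
    for b in protected:
        if b.last_restore_test is None:
            gaps.append(f"{b.name}: restore never tested")
        elif today - b.last_restore_test > RESTORE_TEST_MAX_AGE:
            gaps.append(f"{b.name}: last restore test {(today - b.last_restore_test).days} days ago")
        else:
            evidence.append(f"{b.name}: offline/immutable, restore tested {b.last_restore_test}")
    return Answer("Offline/immutable backups with tested restores?",
                  "yes" if not gaps else "no", evidence, gaps)


def check_flag(question: str, present: bool, gap_text: str) -> Answer:
    """Single-control questions that the inventory answers with one documented flag."""
    return Answer(question, "yes" if present else "no",
                  ["documented in inventory"] if present else [],
                  [] if present else [gap_text])


def assess(inv: Inventory, today: date) -> list:
    """Answers in the order of underwriting scrutiny the article describes."""
    return [
        check_mfa(inv),
        check_rdp(inv),
        check_backups(inv, today),
        check_flag("Behavioral EDR deployed on endpoints?", inv.edr_deployed, "only signature-based AV"),
        check_flag("Documented security awareness training?", inv.training_documented, "no training program"),
    ]


def open_gaps(answers: list) -> list:
    """Prioritized fix list: gaps in the same order as the questions (highest scrutiny first)."""
    return [g for a in answers for g in a.gaps]


# Constructed sample inventory (not real data): one admin account has MFA
# available but not enforced, and the immutable backup's restore test is stale.
SAMPLE = Inventory(
    accounts=[
        Account("alice", "admin", mfa_available=True, mfa_enforced=True),
        Account("bob", "admin", mfa_available=True, mfa_enforced=False),
        Account("carol", "remote", mfa_available=True, mfa_enforced=True),
        Account("dave", "user", mfa_available=False, mfa_enforced=False),
    ],
    services=[
        Service("fileserver-rdp", RDP_PORT, internet_exposed=False, behind_mfa_gateway=True),
        Service("web", 443, internet_exposed=True, behind_mfa_gateway=False),
    ],
    backups=[
        BackupSet("nightly-nas", offline_or_immutable=False, last_restore_test=date(2026, 1, 10)),
        BackupSet("immutable-cloud", offline_or_immutable=True, last_restore_test=date(2025, 6, 1)),
    ],
    edr_deployed=True,
    training_documented=True,
)

if __name__ == "__main__":
    for ans in assess(SAMPLE, AS_OF):
        print(f"[{ans.answer.upper():3}] {ans.question}")
        for g in ans.gaps:
            print(f"       gap: {g}")
```

Run against the sample data, the MFA and backup questions come back "no" with a named gap each, which is exactly the state you want to discover before signing rather than during a post-breach investigation. In practice the inventory would be populated from your identity provider's policy export, an external port scan of your own ranges, and your backup job logs, so that each "yes" on the application points at a document you can hand to an adjuster.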

The Broader Point

Cyber insurance is a risk transfer mechanism, not a security strategy. You shouldn't be making security decisions to satisfy an insurer's checklist. But the checklist is a reasonable proxy for the fundamentals — and if you can't answer yes to the major questions, you probably have real gaps worth fixing regardless of what it does to your premium.

The fact that insurers now ask detailed technical questions is actually useful. It means the conversation about security controls has a practical hook: this affects your coverage and your cost. That's often more persuasive to a business owner than "this is the right thing to do."
