Cyber insurance questionnaires used to be a checkbox exercise. Now they decide whether you get a quote at all. Here's what they're really asking and what to do before your next renewal.
Why questionnaires got harder
Cyber claim frequency and severity climbed sharply between 2021 and 2025. Carriers have repriced and tightened underwriting. The questionnaire is now the underwriter's first filter. Weak answers mean higher premium, lower limit, or no quote at all.
MFA on everything
The number one question is whether you have multi-factor authentication on all administrative access and all remote access. Note 'all'. If your admins still log into the firewall with a username and password, the answer is no. Fix this first, every time.
Tested backups
Carriers ask whether you have tested, offline or immutable backups. 'We have backups' is not the answer they want. They want to know that you've actually restored from them recently, that the immutable tier exists, and that the retention covers the time it would take to detect ransomware.
EDR deployed everywhere
Endpoint detection and response on every laptop and server, not just file servers. Brand matters less than coverage. If you have EDR on 95% of endpoints but the office manager's home laptop is exempt, count yourself as not fully covered.
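The 'all' in the MFA and EDR questions above is the part that trips people up, so here is a small coverage check, added as an example for this article rather than taken from it: it takes an inventory of in-scope items (admin and remote accounts for MFA, endpoints for EDR), lists every item where the control is not confirmed, and gives the honest questionnaire answer. The inventories are constructed sample data with hypothetical names; the 95% EDR figure reproduces the office-manager case from the text.

```python
from dataclasses import dataclass


@dataclass
class Coverage:
    control: str
    in_scope: list[str]   # everything the word 'all' in the question covers
    gaps: list[str]       # in-scope items where the control is absent

    @property
    def percent(self) -> float:
        """Coverage as a percentage, rounded to one decimal."""
        if not self.in_scope:
            return 100.0
        covered = len(self.in_scope) - len(self.gaps)
        return round(100.0 * covered / len(self.in_scope), 1)

    @property
    def answer(self) -> str:
        # The questionnaire asks about 'all'. A single gap is a No,
        # however high the percentage looks.
        return "Yes" if not self.gaps else "No"


def check_control(control: str, inventory: dict[str, bool]) -> Coverage:
    """inventory maps each in-scope item to whether the control is confirmed on it."""
    in_scope = sorted(inventory)
    gaps = sorted(item for item, confirmed in inventory.items() if not confirmed)
    return Coverage(control, in_scope, gaps)


def check_all(inventories: dict[str, dict[str, bool]]) -> dict[str, Coverage]:
    """Run the check for every control in one pass."""
    return {name: check_control(name, inv) for name, inv in inventories.items()}


# Constructed sample inventories (hypothetical names, not from any real environment).
SAMPLE_INVENTORIES = {
    "MFA on admin and remote access": {
        "alice (domain admin)": True,
        "bob (domain admin)": True,
        "firewall local admin": False,   # still username + password
        "vpn-contractor-07": True,
    },
    "EDR on every endpoint": {
        **{f"LAPTOP-{n:03d}": True for n in range(1, 20)},   # 19 laptops with the agent
        "office-manager-home-laptop": False,                 # the one 'exempt' machine
    },
}


def report(results: dict[str, Coverage]) -> str:
    """Human-readable summary, one line per control plus its gap list."""
    lines = []
    for cov in results.values():
        lines.append(f"{cov.control}: {cov.percent}% covered -> answer {cov.answer}")
        for item in cov.gaps:
            lines.append(f"    gap: {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_all(SAMPLE_INVENTORIES)))
```

Feeding it a real export from your identity provider and your EDR console is the point: the questionnaire answer should come from the gap list being empty, not from a percentage that looks close enough.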
Incident response plan
Carriers want a documented IR plan and a named external IR partner. Not aspirational. Documented. The retainer-style relationships some MSPs and law firms offer now exist specifically because of this question.
Training and phishing simulation
Annual training plus regular phishing simulation. 'Annual training' alone is now considered weak. Quarterly simulation with click-and-train flows is the new bar.
How to triage before renewal
Sixty days before renewal, walk the questionnaire and rate every answer as Honest Yes, Soft Yes, Soft No, or Honest No. Anything that isn't Honest Yes is a project. Soft Yes answers turn into Honest No when the carrier audits a claim, which is when it actually matters.