A client slid the form across the table with the look of a man who had been defeated by a PDF. It was his cyber insurance renewal application, and it had grown from one page last year to eleven this year. “I do not even understand half of these questions,” he said. “Can you just fill it out so we can be done?”
I told him what I will tell you: that application is the best free security checklist your business will ever get, and the insurer is not asking these questions to be annoying. They are asking because their data tells them exactly which missing controls lead to claims. Read the application as a to-do list and it stops being paperwork and starts being useful.
The questions are a map of how businesses get hit
Look at what they actually ask. Do you require multi-factor authentication on email and remote access? Do you keep offline, tested backups? Do you train employees on phishing? Do you patch quickly? Do you have an incident response plan? Each of those questions exists because the absence of that control showed up, over and over, in expensive claims. The insurer has run the experiment across thousands of businesses. The form is the answer key.
So before you treat it as a form to survive, treat it as a question worth answering honestly: if I cannot truthfully say yes to this, that is not an application problem. That is a security gap the insurer has just pointed at for free.
Do not lie on it, even a little
This is the part that gets businesses in trouble. It is tempting to check “yes, we have MFA everywhere” when you really mean “mostly.” Do not. If you have a claim and the insurer discovers a control you attested to was not actually in place, they can reduce or deny the payout. You will have paid premiums for years and bought yourself nothing at the exact moment you needed it. An honest “no” with a plan to fix it is far safer than a convenient “yes.”
Read the policy, not just the application
The application is half the story. The policy itself is where the surprises live, and I have watched owners discover them at the worst possible time. A few things worth checking before you sign:
- Sub-limits. A policy can advertise a million dollars of coverage and quietly cap ransomware or social-engineering fraud at a small fraction of that. Find the sub-limits.
- Social engineering coverage. The wire-transfer scam where an employee is tricked into sending money is often excluded or limited unless you add it. Ask specifically.
- The incident hotline. Good policies give you a number to call and a panel of responders. That is worth real money in the first hour of an incident.
- Conditions you must maintain. Some policies require you to keep the controls you attested to. Let MFA lapse and you may have let your coverage lapse too.
Use it as leverage
Here is the part owners like. The controls the insurer wants are the same controls that actually reduce your risk, and putting them in place often lowers your premium. So the work pays for itself twice: once in a smaller bill, and once in the breach that never happens. I have used a renewal application more than once as the thing that finally got a skeptical owner to approve the MFA rollout they had been putting off.
So do not just fill out the form. Walk through it line by line and turn every honest “no” into a project. By next year’s renewal you will answer “yes” because it is true, your premium will reflect it, and you will have spent the year becoming measurably harder to breach. That is a much better outcome than a tidy PDF.
Further reading
- From Resolute Security: The Backup You’ve Never Tested Is Not a Backup
- From Resolute Security: Compliance Is Not Security
- From Resolute Security: The First Hour: What to Do When You Think You’ve Been Breached
- FTC cybersecurity for small business
- NIST Cybersecurity Framework