Cyber Insurance · May 22, 2026 · 3 min read

How to Answer a Cyber Insurance Questionnaire Without Tanking Your Premium — or Your Claim

Underwriters now verify answers against your environment. Overstating controls doesn't lower your premium; it voids your policy when you need it most.

By iP Tec Solutions Editorial
Cyber Insurance · Underwriting · Risk

Three years ago, cyber insurance applications were lightweight. You checked some boxes, signed at the bottom, and got a quote. Those days are over.

In 2026, underwriters at Travelers, Chubb, Coalition, and At-Bay verify what you claim with external attack-surface scanning, dark web monitoring and, increasingly, third-party attestation. The questionnaire is no longer a self-attestation. It is the first artifact in a future claim dispute.

Here's how to answer the five questions most SMBs get wrong.

"Do you require MFA for all remote access and privileged accounts?"

The wrong answer is "yes" when you mean "yes, for email." The question covers every remote and privileged path, so MFA must cover: VPN, RDP, RMM tools, your domain admin accounts, your M365 global admins, your document management (DMS) or PSA portal, and every cloud console.

If MFA is enforced on email and Microsoft 365 but your domain admin can still sign in to a server via RDP with just a password, the answer is no. Mark it no, then fix it before renewal.

"Are backups stored offline or immutable?"

Veeam writing to a USB drive that stays plugged in 24/7 is not offline. A Datto BCDR with cloud replication is not immutable if the cloud account uses the same password as the on-prem admin: whoever steals that password can delete the replica along with the primary.

The bar is: a copy of your backups that an attacker with full domain admin cannot delete or encrypt. That means either truly air-gapped media, S3 Object Lock in compliance mode (governance mode can be bypassed by any principal granted s3:BypassGovernanceRetention, which a stolen admin credential may well carry), Azure Blob immutable storage with a locked time-based retention policy (an unlocked policy can simply be removed), or a BCDR with explicit retention locks.
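An added check for the S3 Object Lock option (example code written for this post, not Amazon's or any backup vendor's): it takes the parsed JSON that `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-versioning` return (boto3 returns the same shapes) and decides whether the bucket clears the bar above, including the governance-versus-compliance caveat. The two sample responses and the 30-day minimum retention are constructed for the demonstration.

```python
"""Does an S3 backup bucket's Object Lock setup meet the 'domain admin can't delete it' bar?

Added example for this post, not vendor code. Inputs are the parsed JSON responses of
`aws s3api get-object-lock-configuration` and `aws s3api get-bucket-versioning`
(boto3 returns the same shapes). The sample responses at the bottom are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LockVerdict:
    immutable: bool
    findings: list = field(default_factory=list)   # why the bucket falls short, if it does


def evaluate_object_lock(lock_cfg: dict, versioning: dict, min_days: int = 30) -> LockVerdict:
    """Return immutable=True only when every check passes; otherwise list the gaps."""
    findings = []

    # Object Lock only works on versioned buckets: a delete without a version id
    # leaves a delete marker and the locked version survives underneath it.
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning is not Enabled (Object Lock requires it)")

    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        # The API raises ObjectLockConfigurationNotFoundError for buckets without a
        # configuration; callers pass {} to represent that case.
        findings.append("Object Lock is not enabled on the bucket")
        return LockVerdict(False, findings)

    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention rule: new objects are only locked if the backup "
                        "client sets retention on each one")
        return LockVerdict(False, findings)

    mode = retention.get("Mode")
    if mode == "GOVERNANCE":
        # Governance mode can be overridden by any principal allowed s3:BypassGovernanceRetention,
        # which a stolen admin key may carry. Compliance mode cannot be shortened by anyone.
        findings.append("retention mode is GOVERNANCE; use COMPLIANCE for the insurer-grade copy")
    elif mode != "COMPLIANCE":
        findings.append(f"unexpected retention mode {mode!r}")

    # DefaultRetention carries either Days or Years, never both.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention is {days} days, below the {min_days}-day minimum")

    return LockVerdict(not findings, findings)


# Constructed sample responses (shape matches the AWS API; values are invented).
VERSIONING_ON = {"Status": "Enabled"}
COMPLIANT_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}}
GOVERNANCE_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 35}}}}
NO_LOCK = {}   # stands in for the ObjectLockConfigurationNotFoundError case

if __name__ == "__main__":
    for label, cfg, ver in [("compliance", COMPLIANT_LOCK, VERSIONING_ON),
                            ("governance", GOVERNANCE_LOCK, VERSIONING_ON),
                            ("no lock", NO_LOCK, {})]:
        verdict = evaluate_object_lock(cfg, ver)
        print(f"{label}: immutable={verdict.immutable} {verdict.findings}")
```

Run it against your real bucket by piping the two `aws s3api` outputs through `json.load` into `evaluate_object_lock`. A passing verdict says the configuration is right; it does not replace the restore test the next section asks for.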

Insight

Insurers are now asking for proof of last successful restore test. "We test backups" is not the same as "we restored a 200GB SQL database from cold storage in the last 90 days." Have the proof.

"Do you have an Endpoint Detection and Response (EDR) solution deployed?"

Microsoft Defender Antivirus on its own is not EDR. Defender for Endpoint Plan 2 is; Plan 1 is not, because it lacks the endpoint detection and response component (Defender for Business, the SMB SKU bundled with Microsoft 365 Business Premium, does include it). CrowdStrike, SentinelOne, Sophos Intercept X with EDR, Huntress: these are EDR. A $40-a-year consumer antivirus is not.

If you can't show the underwriter a console with detection telemetry from every endpoint, you don't have EDR.

"Do you have a documented Incident Response Plan and have you tested it in the past 12 months?"

Two questions, one answer. Both must be yes. A plan you wrote in 2022 and never opened is not tested. Run one tabletop, write a one-page after-action report, and now you can truthfully say yes.

"Are you using any end-of-life software or operating systems?"

Windows Server 2012 R2 went end-of-life in October 2023. Windows 10 without Extended Security Updates (ESU) reached end-of-life in October 2025. SQL Server 2014 went out of extended support in July 2024. If any of these are still in production, the honest answer is yes, and you should disclose it with a documented remediation timeline.

Discovering one of these post-incident, after answering no, is what gets claims denied.
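The MFA, EDR and end-of-life questions all share one rule: the answer is derived from a complete inventory, not from memory, and a single gap flips it. As an added example (written for this post, not a tool from iP Tec Solutions or any insurer), the script below applies that rule to a constructed asset list and access-path list and prints the truthful answer for each question together with the items to remediate or disclose. The inventory, the access paths and the as-of date are invented for the demonstration; the end-of-support dates are Microsoft's published ones for the products named above.

```python
"""Derive truthful questionnaire answers from an asset inventory.

Added example for this post, not vendor or insurer code. The inventory and access
paths below are constructed; a real run would load them from an AD, RMM or EDR
console export. Rules: MFA must cover every remote/privileged path, EDR must report
from every endpoint, and any product past end of support without ESU makes the
end-of-life answer 'yes'.
"""
from datetime import date

# Vendor end-of-support dates for the products the post names.
END_OF_LIFE = {
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
    "SQL Server 2014": date(2024, 7, 9),
}

AS_OF = date(2026, 5, 22)   # the date the questionnaire is being answered (constructed)

# Constructed inventory: products installed, which of them carry ESU, and whether
# the endpoint is visible with telemetry in the EDR console.
ASSETS = [
    {"name": "DC01",  "products": ["Windows Server 2019"],                     "esu": [],           "edr_reporting": True},
    {"name": "FS01",  "products": ["Windows Server 2012 R2"],                  "esu": [],           "edr_reporting": True},
    {"name": "SQL01", "products": ["Windows Server 2016", "SQL Server 2014"],  "esu": [],           "edr_reporting": False},
    {"name": "PC-17", "products": ["Windows 10"],                              "esu": ["Windows 10"], "edr_reporting": True},
]

# Constructed list of every remote and privileged access path and whether MFA is enforced on it.
ACCESS_PATHS = [
    {"path": "Microsoft 365 sign-in",         "mfa": True},
    {"path": "VPN",                           "mfa": True},
    {"path": "RMM console",                   "mfa": True},
    {"path": "RDP to DC01 as Domain Admin",   "mfa": False},
    {"path": "Cloud console (global admin)",  "mfa": True},
]


def mfa_everywhere(paths):
    """MFA question: 'yes' only if every listed path enforces MFA. Returns (ok, gaps)."""
    gaps = [p["path"] for p in paths if not p["mfa"]]
    return not gaps, gaps


def edr_everywhere(assets):
    """EDR question: 'yes' only if every endpoint shows telemetry. Returns (ok, gaps)."""
    gaps = [a["name"] for a in assets if not a["edr_reporting"]]
    return not gaps, gaps


def eol_in_use(assets, today):
    """End-of-life question: True if any product is past end of support and not under ESU."""
    findings = []
    for a in assets:
        for product in a["products"]:
            eol = END_OF_LIFE.get(product)
            if eol and today > eol and product not in a["esu"]:
                findings.append(f"{a['name']}: {product} (EOL {eol.isoformat()})")
    return bool(findings), findings


def questionnaire(assets, paths, today):
    """Map the environment to the three inventory-driven questions; each value is (answer, details)."""
    mfa_ok, mfa_gaps = mfa_everywhere(paths)
    edr_ok, edr_gaps = edr_everywhere(assets)
    eol, eol_items = eol_in_use(assets, today)
    return {
        "mfa_all_remote_and_privileged": ("yes" if mfa_ok else "no", mfa_gaps),
        "edr_deployed_everywhere":       ("yes" if edr_ok else "no", edr_gaps),
        "eol_software_in_use":           ("yes" if eol else "no", eol_items),
    }


if __name__ == "__main__":
    for question, (answer, details) in questionnaire(ASSETS, ACCESS_PATHS, AS_OF).items():
        print(f"{question}: {answer}")
        for item in details:
            print(f"    remediate or disclose: {item}")
```

The details list is the remediation timeline the post asks you to attach: every item in it is something the underwriter's scan, or the forensic report after an incident, would find anyway.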

The principle

Insurers don't expect a perfect environment. They expect an accurate one. A truthful "no, but" with a remediation plan beats a flattering "yes" that collapses under scrutiny when something happens.

If you're not sure how your environment maps to the questionnaire, get the answer before you sign — not after.