
The 25 questions you'll fail on your next cyber insurance renewal

The 25 cyber insurance renewal questions most mid-market firms answer weakly, what each one is really measuring and how to close the gap before your carrier notices.

Atticus Rowan

Cyber insurance renewal applications grew from roughly 40 questions in 2021 to 70 or more in 2025, and the underwriting teams behind those applications got sharper every year. A question that used to be answered with a vague “yes” now expects a specific control, a named tool, a documented frequency and an evidence trail. Firms that answer the 2026 application with 2021 language see one of three outcomes. Premium increase. New exclusions. Non-renewal.

What follows is a working list of 25 questions most mid-market firms struggle with on renewal. Each one is phrased close to how carriers actually ask it. Each answer describes what underwriters are really measuring and what a credible response looks like.

The 25 questions

1. Is multi-factor authentication enforced for all remote access to corporate resources?

Underwriters want “yes” with specifics. VPN, cloud email, SaaS applications with company data, remote desktop solutions. The failure mode is “yes for email, no for the VPN” or “yes, except the ERP system.”

2. Is MFA enforced on all privileged and administrative accounts?

Different question. Admin accounts get targeted more often. “Yes” should mean every domain admin, every cloud tenant admin, every vendor admin with access, every break-glass account.

3. Is MFA phishing-resistant for privileged accounts?

This is the newer bar. SMS MFA and push-only MFA are degrading faster than the old answers admit. FIDO2, hardware tokens or passkeys are the answer underwriters increasingly want.

4. What endpoint protection is deployed, and on what percentage of endpoints?

“Industry-leading antivirus” is not an answer. “CrowdStrike Falcon deployed on 100% of managed endpoints with a monthly compliance review” is an answer. The percentage number is where most firms fail. A real inventory usually shows 85 to 92% coverage, not the 100% the firm assumed.
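The coverage number has to come from reconciling the asset inventory against the EDR console, not from the console alone. The following is an added example, not code from the post or from any EDR vendor: it joins two constructed inputs, the inventory's hostname list and an EDR export of (hostname, last check-in date), after normalizing case and FQDN suffixes, and it counts an agent as deployed only if it has checked in within an assumed `STALE_DAYS` window. That is what turns the assumed 100% into the real figure.

```python
"""Reconcile the asset inventory against the EDR console to get a real coverage number.

Added example, not from the post. It assumes two constructed inputs: the
inventory's list of hostnames and the EDR console's export of (hostname,
last check-in date). Hostnames are normalized (case, FQDN suffix) before
matching, and an agent that has not checked in within STALE_DAYS is treated
as not deployed.
"""
from datetime import date, timedelta
from typing import Dict, Iterable, Tuple

STALE_DAYS = 7  # assumed threshold: an agent silent longer than this is not protecting anything


def normalize_host(name: str) -> str:
    """'WS-001.corp.example.com ' -> 'ws-001' so the two sources can be joined."""
    return name.strip().lower().split(".")[0]


def edr_coverage(
    inventory: Iterable[str],
    edr_export: Iterable[Tuple[str, date]],
    as_of: date,
    stale_days: int = STALE_DAYS,
) -> Dict[str, object]:
    """Return the coverage percentage plus the two lists an underwriter asks about:
    inventory hosts with no live agent, and agents on hosts the inventory does not know."""
    cutoff = as_of - timedelta(days=stale_days)
    known = {normalize_host(h) for h in inventory}
    live_agents = {normalize_host(h) for h, last_seen in edr_export if last_seen >= cutoff}
    covered = known & live_agents
    pct = round(100 * len(covered) / len(known), 1) if known else 0.0
    return {
        "coverage_pct": pct,
        "missing_agent": sorted(known - live_agents),
        "unknown_to_inventory": sorted(live_agents - known),
    }


# Constructed sample data: an 8-host inventory and a 7-row EDR export.
INVENTORY = ["WS-001", "WS-002", "ws-003", "SRV-DB01", "SRV-FS01", "LT-CFO", "LT-CEO", "WS-004"]
EDR_EXPORT = [
    ("ws-001.corp.example.com", date(2025, 6, 29)),
    ("WS-002", date(2025, 6, 30)),
    ("SRV-DB01.corp.example.com", date(2025, 6, 28)),
    ("srv-fs01", date(2025, 6, 5)),            # installed, but silent for 25 days
    ("lt-cfo", date(2025, 6, 30)),
    ("LT-CEO.corp.example.com", date(2025, 6, 29)),
    ("ws-099", date(2025, 6, 30)),             # agent on a host nobody inventoried
]
AS_OF = date(2025, 6, 30)

if __name__ == "__main__":
    report = edr_coverage(INVENTORY, EDR_EXPORT, AS_OF)
    print(f"EDR coverage: {report['coverage_pct']}%")
    print("No live agent:", report["missing_agent"])
    print("Unknown to inventory:", report["unknown_to_inventory"])
```

On the constructed data the console's own view reads as seven agents, but after dropping the stale one and joining on the inventory the answer is 62.5%, with three hosts lacking a live agent and one agent on a host nobody tracks. Both lists are the remediation queue for the monthly compliance review the answer above mentions.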

5. Do you have endpoint detection and response (EDR), not legacy antivirus?

Traditional signature-based antivirus alone will eventually be uninsurable at the mid-market level. EDR, with or without a managed response layer, is the current expectation.

6. Is there 24x7 monitoring of security events?

“Our MSP watches things during business hours” is a failing answer. Underwriters want either an MDR provider, a SOC-as-a-service arrangement or an in-house SOC with documented after-hours coverage.

7. Are backups kept in an immutable, offline or air-gapped state?

The ransomware-crisis question. Backups that a ransomware operator can encrypt along with production data do not satisfy the requirement. Immutable cloud backups, air-gapped tapes or object-lock buckets satisfy it.

8. When did you last test a full restore, and do you have documented results?

“Our backups run successfully every night” is not the answer. The answer is a documented date, a restore runtime and a signed-off verification.

9. Do you have documented RTO and RPO per system tier?

Recovery time objective and recovery point objective. Every material system should have a number. If IT cannot produce the table in under an hour, the answer is “no” regardless of what the application says.

10. Is your incident response plan documented, current and tested?

“Current” usually means reviewed within 12 months. “Tested” usually means at least one tabletop exercise in the last 12 months with documented output.

11. Do you maintain an asset inventory of all endpoints, servers and cloud resources?

A spreadsheet updated quarterly beats a perfect but unmaintained tool. What underwriters want is evidence that the inventory is current enough to drive patching and access-review decisions.

12. Do you scan for vulnerabilities on a defined cadence, with remediation SLAs?

Weekly or monthly scans, named severity thresholds (critical within 14 days, high within 30, etc.) and evidence that the SLAs are being met.
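Evidence that the SLAs are met is a computation over scanner findings, not a policy statement. The following is an added example, not code from the post or from any scanner: it takes a constructed list of findings (host, finding name, severity, first-seen date, optional fix date) and, as of a given date, reports SLA attainment and every breach, including findings that were eventually fixed but late. The critical and high thresholds are the 14 and 30 days named above; the 90-day medium threshold is an assumed value.

```python
"""Measure vulnerability remediation against per-severity SLAs.

Added example, not from the post. Findings are constructed; the critical (14d)
and high (30d) limits come from the text, the medium (90d) limit is assumed.
Low/informational findings are not under SLA and are skipped.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass
class Finding:
    host: str
    name: str                 # scanner's finding title (constructed)
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None   # None means still open


@dataclass
class Breach:
    host: str
    name: str
    severity: str
    days_over: int
    still_open: bool


def age_days(f: Finding, as_of: date) -> int:
    """Days the finding was (or has been) open: until fix date, or until as_of if still open."""
    return ((f.fixed_on or as_of) - f.first_seen).days


def sla_report(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Attainment percentage over SLA-tracked findings, plus the list of breaches."""
    tracked = 0
    within = 0
    breaches: List[Breach] = []
    for f in findings:
        limit = SLA_DAYS.get(f.severity.lower())
        if limit is None:
            continue
        tracked += 1
        age = age_days(f, as_of)
        if age <= limit:
            within += 1
        else:
            breaches.append(Breach(f.host, f.name, f.severity, age - limit, f.fixed_on is None))
    attainment = round(100 * within / tracked, 1) if tracked else 100.0
    return {"tracked": tracked, "attainment_pct": attainment, "breaches": breaches}


# Constructed scan results, evaluated as of 2025-06-30.
AS_OF = date(2025, 6, 30)
FINDINGS = [
    Finding("srv-01", "Unsupported OpenSSL build", "critical", date(2025, 6, 10), date(2025, 6, 20)),
    Finding("srv-02", "Remote code execution in web framework", "critical", date(2025, 5, 1)),
    Finding("ws-17", "Outdated browser", "high", date(2025, 5, 15), date(2025, 6, 20)),   # fixed, but late
    Finding("ws-22", "Outdated PDF reader", "high", date(2025, 6, 20)),
    Finding("srv-03", "Weak TLS cipher suites", "medium", date(2025, 2, 1)),
    Finding("ws-05", "Banner disclosure", "low", date(2025, 1, 1)),                        # not under SLA
]

if __name__ == "__main__":
    report = sla_report(FINDINGS, AS_OF)
    print(f"SLA attainment: {report['attainment_pct']}% of {report['tracked']} tracked findings")
    for b in report["breaches"]:
        state = "OPEN" if b.still_open else "closed late"
        print(f"  {b.severity:8} {b.host:8} {b.name}: {b.days_over} days over SLA ({state})")
```

The late-but-closed case matters: a dashboard that only shows open findings will report ws-17 as fine, while the SLA was still missed by six days. Carriers asking for "evidence that the SLAs are being met" mean the attainment trend over time, so this report is worth running on every scan cycle and keeping.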

13. Is there a documented patch management program for operating systems and third-party software?

Third-party software is where most firms fail. OS patching via Windows Update is common. Chrome, Adobe, Java, Zoom and the long tail of desktop software are often unmanaged.

14. Do you enforce least privilege on user accounts, including local admin restriction?

“Standard users cannot install software or modify system settings” is the answer. Most firms discover on first audit that 30 to 60% of workstations have local admin rights attached to the primary user account.

15. Are privileged accounts reviewed quarterly?

A list of every privileged account, signed off by an accountable owner, every 90 days. The most common finding on the first review is 30 to 50% of privileged accounts that should not exist.

16. Do you have a formal offboarding process that removes access within 24 hours?

SaaS sprawl makes this hard. A firm using 80 SaaS apps often has a partial offboarding process that covers the domain account and leaves 20 to 40 SaaS apps untouched.

17. Are email filtering and advanced phishing protection in place?

Microsoft Defender for Office 365, Proofpoint, Mimecast or equivalent. The gap underwriters probe: impersonation protection, attachment sandboxing, URL rewriting.

18. Do you train employees on phishing at least annually, and do you run simulated phishing tests?

Annual training plus quarterly simulated phishing is the current bar. Click-rate trend data is what an underwriter values.

19. Is DMARC implemented in enforcement mode (p=reject or p=quarantine)?

Most mid-market firms have DMARC in monitor mode (p=none) and do not realize it. Enforcement mode is what actually prevents domain spoofing.
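Checking whether DMARC actually enforces means reading the record, not just confirming one exists. The following is an added example, not code from the post: it parses the text of a DMARC record (published as a TXT record at `_dmarc.<domain>` per RFC 7489) and reports the effective enforcement mode. It goes slightly beyond the `p=` tag the question names, because two other tags quietly weaken a "p=reject" answer: `pct=` below 100 applies the policy to only a sample of failing mail, and `sp=none` leaves subdomains in monitor mode. The sample records are constructed; in practice the input would come from a DNS TXT lookup.

```python
"""Classify a DMARC record's effective enforcement mode.

Added example, not from the post. Input is the text of the TXT record at
_dmarc.<domain> (RFC 7489). Sample records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    enforcing: bool
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=50' into a tag dict with lower-cased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    findings: List[str] = []
    # Receivers ignore a record that does not start with v=DMARC1 or lacks p=.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment(False, None, None, 100, False,
                               ["not a valid DMARC record (missing v=DMARC1 or p=)"])
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()      # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100
    except ValueError:
        pct = 100
        findings.append("unparseable pct= value, treating as 100")
    if policy == "none":
        findings.append("p=none is monitor mode: spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains stay spoofable although the org domain enforces")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so breakage goes unseen")
    enforcing = policy in ENFORCING and sp in ENFORCING and pct == 100
    return DmarcAssessment(True, policy, sp, pct, enforcing, findings)


# Constructed records covering the common states.
SAMPLE_RECORDS = {
    "monitor-only":   "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half-enforced":  "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com",
    "weak-subdomain": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com",
    "enforced":       "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "not-dmarc":      "v=spf1 include:_spf.example.com -all",   # an SPF record at the wrong name
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{label:15} enforcing={a.enforcing} p={a.policy} sp={a.subdomain_policy} pct={a.pct}")
        for note in a.findings:
            print(f"{'':15} - {note}")
```

Only the "enforced" record passes. The "half-enforced" and "weak-subdomain" records are the ones that trip firms which moved to `p=reject` by following a vendor's staged rollout and never finished it; they would answer "yes" to this question and be wrong.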

20. Do you segment your network between user, server and operational technology zones?

A flat network where an infected workstation can reach every server is a classic failing architecture. Segmentation does not need to be perfect; it needs to be documented and enforced at critical boundaries.

21. Do you maintain a vendor-risk inventory of third parties with access to company data?

A list, a tiering, a minimum-controls check and a contract review cadence for material vendors. “We don’t really track that” is increasingly a non-starter answer.

22. Do you have written information security and acceptable use policies, reviewed annually?

Written, dated, signed by leadership, distributed to employees. The policy framework is table stakes; the absence of one signals broader program weakness to the underwriter.

23. Have you had any cybersecurity incidents or claims in the last 3 years?

“Yes” with scope and remediation is fine. “No” when the carrier has reason to believe otherwise is how policies get voided at claim time.

24. Do you have dedicated security personnel, a vCISO or an MSP with security responsibilities?

One named accountable party. Not “the whole team is responsible for security,” which reads as nobody is.

25. Have you completed a risk assessment against a recognized framework (NIST CSF, CIS Controls, ISO 27001) in the last 12 months?

A documented assessment with findings and a remediation plan. Framework alignment is how underwriters quickly gauge program maturity.

What this usually adds up to

Most mid-market firms answer 18 to 20 of these 25 confidently on first pass. The remaining 5 to 7 are where renewal outcomes are decided. A firm that closes those gaps between renewals sees stable or reduced premium at the next cycle. A firm that leaves them open usually sees premium increases in the 15 to 40% range, new ransomware or social-engineering exclusions, or carrier non-renewal.

The usual blockers are not technical. They are organizational. Nobody owns the answer, so the answer stays weak year after year.

How to close the gap before the next renewal

A practical sequence for the 90 days before renewal:

  • Pull last year’s application. Mark every question where the answer was soft.
  • Build a mapping. Each soft answer to the specific control, tool or process that would make it firm.
  • Prioritize by cost-to-close. MFA expansion, EDR coverage and backup testing are usually the highest-impact lifts.
  • Document as you go. Screenshots, policy PDFs, tool configuration exports. The evidence library pays off at renewal and any time a prospect asks for a security questionnaire.
  • Draft the new application 30 days before due. Review for specificity, consistency and honesty.

Where we fit

Atticus Rowan works with mid-market firms in the window between renewals, closing control gaps and building the documentation and evidence the current underwriting environment expects. The work is mostly practical. Rolling out phishing-resistant MFA without breaking the sales team. Replacing legacy antivirus with EDR on a schedule. Getting immutable backup and a tested restore stood up. Documenting it all in a form the broker can point at during the renewal conversation.

If your cyber insurance renewal is coming up in the next 6 months and you want a fresh set of eyes on the 25 questions above, schedule a discovery call. We can walk through your current posture against the questions and scope what a credible close-the-gap plan looks like.