
Your cyber insurance renewal questionnaire is getting harder: a walkthrough

A walkthrough of the modern cyber insurance renewal process, why the questionnaire has doubled in length since 2022 and what the underwriter is actually measuring behind each section.

· Atticus Rowan

Cyber insurance renewal questionnaires grew from roughly 40 questions in 2022 to 70 or more in 2025. The length is the visible change. The deeper change is what the questions are asking for. A 2022 renewal asked whether you had endpoint protection and moved on. A 2026 renewal asks what tool, at what deployment percentage, with what detection-and-response layer, monitored by whom, for how many hours a day.

The modern cyber insurance renewal is effectively a compressed security audit. Firms that treat it that way tend to renew cleanly. Firms that treat it as a compliance form tend to see premium increases, new exclusions or carrier non-renewals.

Here is what the modern renewal process actually looks like, section by section, with what the underwriter is measuring behind each.

Why the questionnaire doubled

Two forces compressed the underwriting window.

  • Ransomware severity. Ransomware-driven incurred losses climbed sharply between 2019 and 2021, and the carrier market responded with both rate hardening and more rigorous underwriting. The questionnaire is the most visible part of that response.
  • Systemic-risk concern. Carriers now underwrite against systemic events (a widely-used SaaS provider compromised, a zero-day in a common IT tool, cloud-infrastructure outages) that were not in the risk model a few years ago. Questions about fourth-party vendors, cloud concentration and supply-chain posture follow from that.

The result is that a renewal today pulls evidence from IT, security, legal, HR, vendor management and finance. No single person in the organization can answer it accurately without coordination.

The typical renewal timeline

Most brokers run a renewal on a 90 to 120 day cadence.

  • T-minus 120 days. Broker sends the prior-year application, flags the known underwriting trend changes and requests any material policy changes since last renewal.
  • T-minus 90 days. First draft of the application is due internally. Gap review begins.
  • T-minus 60 days. Polished application goes to the incumbent carrier and to any market carriers the broker wants to approach for competitive quotes.
  • T-minus 45 days. Underwriter follow-up questions arrive. A healthy round is 5 to 15 clarifications. A rough round is 30 or more.
  • T-minus 30 days. Indicated quotes arrive with any subjectivities (conditions the carrier requires before binding).
  • T-minus 15 days. Final terms, binding, policy delivery.

Firms that start inside 60 days almost always pay a time premium in the form of a less favorable quote, because the broker loses the option to shop the market meaningfully.

Section 1, program governance

Underwriters open the application by testing whether the security program has real organizational accountability.

The questions that matter most:

  • Named security leader, title and reporting line
  • Whether security sits inside IT, inside finance or reports independently
  • Written information security policy, version and last-review date
  • Whether the board or ownership reviews cybersecurity on a scheduled cadence

The failure mode here is “IT handles security” without a specific named owner. The underwriter reads that as an undifferentiated function, which correlates strongly with weak controls across the rest of the questionnaire.

Section 2, access and identity

Identity is where most ransomware incidents actually start, and the underwriter knows it.

The questions that matter most:

  • MFA on all remote access, all admin accounts and all cloud tenants
  • Whether MFA is phishing-resistant (FIDO2, passkeys, hardware tokens) for privileged accounts
  • Conditional access policies blocking legacy authentication
  • Privileged account review cadence
  • Standard-user local-admin rights (ideally zero)
  • Offboarding time from termination to access removal

A firm with MFA on email but not on the VPN, or with SMS-based MFA on admin accounts, or with 30% of workstations where the user has local admin, reads as a higher-severity risk even if the rest of the application looks strong.

Section 3, endpoint and network

The endpoint section tests the detection and response layer rather than the presence of any single tool.

The questions that matter most:

  • Endpoint protection tool, version and deployment percentage
  • EDR versus legacy antivirus
  • Managed detection and response coverage (MDR, SOC-as-a-service, internal SOC)
  • After-hours coverage hours
  • Network segmentation between user, server and any operational-technology zones
  • External perimeter scanning cadence

The underwriter is checking for the gap most ransomware incidents exploit: an endpoint compromised outside business hours, lateral movement through a flat network, no managed response, and ransomware deployed in the 11-hour window between Friday night and Monday morning.

Section 4, backup and recovery

This is the single most heavily weighted section in most modern cyber insurance renewals, and an insurable firm has credible answers here.

The questions that matter most:

  • Backup frequency, retention and geographic separation
  • Immutable or air-gapped copy, with the technology that enforces it
  • Last successful restore test, with date and documented output
  • Defined RTO and RPO per system tier
  • Incident-response runbook that references backup recovery

A firm that cannot produce a restore-test date within the last 90 days is treated as effectively unbacked for underwriting purposes.
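The restore-test evidence this section asks for is easy to check in-house during the gap review at T-minus 90, before the broker or underwriter asks. The script below is an added example, not tooling from the original post or its author: it parses a constructed restore-test log (the line format, the system names, the RTO table and the as-of date are all assumptions made for the example), finds the most recent successful restore per system and flags exactly the things an underwriter would read as "effectively unbacked": no successful test on record, a last success older than 90 days, or a measured restore time that exceeds the RTO the firm has defined for that system.

```python
"""Pre-check for the backup-and-recovery section of a renewal application.

Added example, not part of the original post or the author's tooling. The
log format, system names, RTO table and as-of date are constructed for the
example; real backup products write their own formats, so parse_restore_log
is the part you would replace.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample of a restore-test log, one line per test run.
SAMPLE_LOG = """\
2025-02-03T02:10:00Z restore system=erp-db tier=1 status=success duration_min=38
2025-02-17T03:00:00Z restore system=file-srv tier=2 status=failed duration_min=0
2025-03-01T02:30:00Z restore system=erp-db tier=1 status=success duration_min=95
2025-03-22T02:05:00Z restore system=file-srv tier=2 status=success duration_min=210
2024-11-10T04:00:00Z restore system=hr-portal tier=2 status=success duration_min=50
"""

# Constructed tier table: the firm's defined RTO per system, in minutes.
# A system listed here with no restore test at all is a finding on its own.
RTO_MINUTES = {"erp-db": 60, "file-srv": 240, "hr-portal": 120, "crm": 240}

# Date the review is run (assumed), and the 90-day threshold the post describes.
AS_OF = datetime(2025, 4, 1, tzinfo=timezone.utc)
MAX_RESTORE_AGE = timedelta(days=90)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) restore system=(?P<system>\S+) tier=(?P<tier>\d+) "
    r"status=(?P<status>\w+) duration_min=(?P<duration>\d+)$"
)


@dataclass
class RestoreRun:
    when: datetime
    system: str
    tier: int
    success: bool
    duration_min: int


def parse_restore_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        runs.append(RestoreRun(
            when=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            system=m["system"],
            tier=int(m["tier"]),
            success=m["status"] == "success",
            duration_min=int(m["duration"]),
        ))
    return runs


def last_successful_restore(runs):
    """Map system -> most recent *successful* run; failed runs never count."""
    latest = {}
    for run in runs:
        if run.success and (run.system not in latest or run.when > latest[run.system].when):
            latest[run.system] = run
    return latest


def review_backup_evidence(runs, rto_minutes, as_of):
    """Return (system, issue, detail) findings, sorted by system name.

    issue is one of: no_restore_test, stale_restore (detail = age in days),
    rto_exceeded (detail = measured restore minutes).
    """
    latest = last_successful_restore(runs)
    findings = []
    for system, rto in sorted(rto_minutes.items()):
        run = latest.get(system)
        if run is None:
            findings.append((system, "no_restore_test", None))
            continue
        age = as_of - run.when
        if age > MAX_RESTORE_AGE:
            findings.append((system, "stale_restore", age.days))
        # Only the most recent success is evidence; an older, faster run
        # does not offset a latest run that blew through the RTO.
        if run.duration_min > rto:
            findings.append((system, "rto_exceeded", run.duration_min))
    return findings


if __name__ == "__main__":
    for system, issue, detail in review_backup_evidence(
            parse_restore_log(SAMPLE_LOG), RTO_MINUTES, AS_OF):
        print(f"{system}: {issue}" + (f" ({detail})" if detail is not None else ""))
```

Two design choices matter for how the output reads to an underwriter. A failed run never resets the clock, so file-srv's February failure is ignored and only its March success counts; and only the latest success is evidence, so erp-db is flagged even though an earlier test finished inside its RTO, because the most recent restore took 95 minutes against a 60-minute target. The crm entry shows the third case: a system in the tier table with no restore test at all, which is the "cannot produce a date" outcome the section warns about.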

Section 5, third-party and vendor risk

The supply-chain and fourth-party questions are newer, and more firms fail here than anywhere else.

The questions that matter most:

  • Inventory of vendors with access to company data
  • Tier classification of vendors by materiality
  • Due-diligence process for material vendors
  • SOC 2 or equivalent evidence collected from material vendors
  • Contract language on data protection, breach notification and liability

Underwriters added these questions because systemic vendor events (a widely-used managed service provider, a common SaaS platform, a widely-embedded open-source component) drove an outsized share of claims after 2021. A firm without a vendor inventory signals blind spots the carrier has to price for.

Section 6, incident history

Straightforward but consequential.

The questions that matter most:

  • Any cybersecurity incidents in the last 3 to 5 years
  • Any claims filed against cyber policies
  • Any regulatory notifications, litigation or settlements
  • Status of any unresolved indicators of compromise

Honest answers with scope and remediation almost never end a renewal. Inaccurate answers discovered post-close can void coverage at the moment it matters most.

Section 7, training and awareness

Lower-weighted but watched.

  • Annual security awareness training, completion percentage
  • Simulated phishing cadence and click-rate trend
  • Role-based training for developers, finance, executives

Carriers use training data as a proxy for human-risk posture. A 40% annual training completion rate reads as a program that does not have organizational buy-in, and the underwriter will price that.

What a clean renewal looks like

Three characteristics show up consistently in renewals that go well.

  • The application is specific. Tool names, percentages, dates, documented policies.
  • The answers match across sections. MFA coverage in the access section agrees with remote-access answers in the endpoint section.
  • Evidence is attached or available on request. SOC 2 report, policy PDFs, restore-test logs, tabletop output.

Most of the renewal’s outcome is decided by the quality of the first-draft application. Underwriter follow-up rounds almost never recover an application that opens with vague, inconsistent or inflated answers.

Where we fit

Atticus Rowan works with mid-market firms in the window between renewals, building the underlying controls, the evidence library and the shape of the application itself. The work is not “we fill out the questionnaire for you.” The work is making sure that when the broker asks for specifics, the specifics exist, the documentation supports them and the evidence lines up.

If your cyber insurance renewal is in the next 4 to 6 months and you want a clear read on where the current application is weak and what a credible close-the-gap plan looks like, schedule a discovery call. We can walk through the prior-year application with you and scope the lift before the broker sends the new one.