SE Security

April 25, 2026
BY PHILIP ROBB
8 MIN READ


Cyber Insurance Renewal: The Six Questions Carriers Now Demand a Yes On

What every commercial cyber insurance application asks in 2026, why the bar keeps rising, and what to fix before your next renewal letter shows up.

Cyber insurance applications are not the same form they were three years ago. The 2024-2026 carrier questionnaires read more like a security audit than an insurance application — and answering wrong gets you a non-renewal letter instead of a higher premium.

If your renewal is coming up in the next six months, here are the six checkbox questions that have hardened across every major carrier. They map almost one-to-one with the controls we deploy on Titanium and Carbon plans, which is not a coincidence.

1. MFA on every privileged and remote-access account

The question reads roughly: “Is multi-factor authentication enforced on (a) all administrator accounts, (b) all remote access (VPN, RDP, cloud admin consoles), and (c) all webmail?”

The expected answer is yes to all three. SMS-based MFA is being rejected by some carriers in favor of authenticator apps or hardware tokens — read the fine print on yours.

The fix: enforce MFA at the identity provider level (Microsoft 365 Conditional Access, Google Workspace 2SV enforcement, or your tenant’s equivalent). Individual users do not get to opt in or out.
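As an added example (not code from the post or from SE Security), this script audits a constructed account export against the three conditions in the carrier question, counting a user who opted in on their own as "missing" and SMS/voice-only as "weak"; the method lists and role labels are assumptions to adjust to your carrier and tenant.

```python
# Added example, not the post's code: audit a constructed account export against the
# three MFA conditions in the question, treating SMS/voice-only MFA as weak since
# some carriers no longer accept it (assumed method lists, adjust to your carrier).
from dataclasses import dataclass, field

STRONG_METHODS = {"authenticator_app", "fido2", "hardware_token"}
WEAK_METHODS = {"sms", "voice"}
# Account categories the question names: admin, remote access (VPN/RDP/cloud), webmail.
IN_SCOPE = {"admin", "vpn", "rdp", "cloud_admin", "webmail"}

@dataclass
class Account:
    name: str
    roles: set
    mfa_methods: set = field(default_factory=set)
    enforced_by_policy: bool = False  # enforced at the IdP, not a user opt-in

def classify(acct):
    """'ok', 'weak' (SMS/voice only), 'missing', or 'out_of_scope' for one account."""
    if not acct.roles & IN_SCOPE:
        return "out_of_scope"
    if not acct.enforced_by_policy or not acct.mfa_methods:
        return "missing"   # opted in by the user, or enforced but never registered
    if acct.mfa_methods & STRONG_METHODS:
        return "ok"
    return "weak" if acct.mfa_methods & WEAK_METHODS else "missing"

def audit(accounts):
    """Group in-scope accounts by verdict; a defensible 'yes' needs weak and missing empty."""
    report = {"ok": [], "weak": [], "missing": []}
    for a in accounts:
        verdict = classify(a)
        if verdict != "out_of_scope":
            report[verdict].append(a.name)
    return report

def can_answer_yes(report):
    return not report["weak"] and not report["missing"]

# Constructed sample export.
SAMPLE = [
    Account("alice", {"admin"}, {"authenticator_app"}, True),
    Account("bob", {"vpn"}, {"sms"}, True),                       # SMS only
    Account("carol", {"webmail"}, {"authenticator_app"}, False),  # user opt-in, not enforced
    Account("dave", {"rdp"}, set(), True),                        # enforced, never registered
    Account("erin", {"staff"}, set(), False),                     # not in scope for this question
]
```

Anything in the weak or missing lists is a "no" on the form, whatever the tenant's MFA registration dashboard says.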

2. Endpoint Detection and Response on every endpoint

“Do you deploy EDR on all servers, workstations, and laptops?”

Antivirus is no longer the answer. Carriers have caught up to the fact that signature-based AV misses behavioral attacks, and behavioral attacks are most attacks now. EDR plus a managed response capability (MDR) is the new floor.

The fix: roll out a real EDR product across every endpoint — including the partner laptops nobody admits exist.

3. Backup that is offline or immutable

“Are backups stored offline, air-gapped, or in immutable storage?”

The reason: ransomware in the modern playbook hunts for backup repositories first. If your backup lives on the same network with the same domain credentials, it gets encrypted alongside production.

The fix: object storage with object lock, or a backup vendor that supports immutable retention out of the box. Tested restores at least quarterly.

4. Email filtering and security awareness training

“Do you filter email at the gateway and run security awareness training at least annually?”

Phishing remains the dominant initial-access vector. Carriers want evidence that you reduce both the attack surface and the human factor.

The fix: a real email security gateway (or the EOP/Defender tier you are already paying for in M365, actually configured), plus quarterly phishing simulations, plus training with completion recorded.

5. Patching and vulnerability management

“What is your patching cadence for critical operating system and third-party application vulnerabilities?”

The expected answer is something like “critical patches deployed within 7-14 days, evidence available.” If you cannot say that with a straight face, leaving Windows Update on its default settings will not save you.

The fix: a real patch management tool with reporting. Critical patches in two weeks, others monthly. Documented exceptions for the systems that genuinely cannot be patched on schedule (with compensating controls).
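As an added example (not the post's own code), the script below scores a constructed patch export against the cadence just described, critical within 14 days and everything else monthly (taken here as 30 days), honouring an exception only when it records a compensating control; the host names and patch identifiers are placeholders.

```python
# Added example, not the post's code: score a constructed patch export against the cadence
# above (critical within 14 days, everything else monthly, read as 30 days) and honour
# only the exceptions that record a compensating control.
from datetime import date
SLA_DAYS = {"critical": 14, "high": 30, "medium": 30, "low": 30}

def age_days(released, installed, today):
    """Days from vendor release to install; a still-open patch is measured up to today."""
    return ((installed or today) - released).days

def evaluate(patches, exceptions, today):
    """Return (summary counts, out-of-SLA findings) for dicts with host, id, severity,
    released (date) and installed (date or None). exceptions maps (host, id) to the
    compensating-control text; an empty text is a bare exception and is not honoured."""
    summary = {"in_sla": 0, "excepted": 0, "out_of_sla": 0}
    findings = []
    for p in patches:
        if exceptions.get((p["host"], p["id"])):
            summary["excepted"] += 1
            continue
        age = age_days(p["released"], p["installed"], today)
        if age <= SLA_DAYS[p["severity"]]:
            summary["in_sla"] += 1
        else:
            summary["out_of_sla"] += 1
            findings.append((p["host"], p["id"], p["severity"], age))
    return summary, findings

def critical_in_sla_pct(patches, exceptions, today):
    """The figure the application asks for: share of non-excepted critical patches inside 14 days."""
    crit = [p for p in patches if p["severity"] == "critical"
            and not exceptions.get((p["host"], p["id"]))]
    if not crit:
        return 100.0
    ok = sum(age_days(p["released"], p["installed"], today) <= SLA_DAYS["critical"] for p in crit)
    return round(100.0 * ok / len(crit), 1)

# Constructed sample export; the KB/APP identifiers are placeholders, not real patch IDs.
TODAY = date(2026, 4, 25)
SAMPLE_PATCHES = [
    {"host": "dc01", "id": "KB-PLACEHOLDER-1", "severity": "critical", "released": date(2026, 4, 1), "installed": date(2026, 4, 9)},
    {"host": "fs01", "id": "KB-PLACEHOLDER-1", "severity": "critical", "released": date(2026, 4, 1), "installed": None},
    {"host": "ws07", "id": "APP-PLACEHOLDER-2", "severity": "high", "released": date(2026, 3, 10), "installed": date(2026, 4, 2)},
    {"host": "scada1", "id": "KB-PLACEHOLDER-1", "severity": "critical", "released": date(2026, 4, 1), "installed": None},
    {"host": "ws12", "id": "APP-PLACEHOLDER-2", "severity": "high", "released": date(2026, 3, 10), "installed": None},
]
SAMPLE_EXCEPTIONS = {
    ("scada1", "KB-PLACEHOLDER-1"): "isolated VLAN, no inbound access, vendor fix pending",
    ("ws12", "APP-PLACEHOLDER-2"): "",  # logged but no compensating control: still counts as late
}
```

The findings list is the evidence to keep on file; the percentage is the number you write on the application.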

6. Incident response plan that has been tested

“Do you have a written incident response plan that has been tested in the past 12 months?”

This used to be a softball. It is no longer. Tabletop exercises with documented results have become a standard ask, especially on policies above $1M.

The fix: an IR plan in writing. A tabletop exercise every six months walking through one scenario (ransomware, business email compromise, lost laptop). Notes from the exercise on file.

What “no” answers cost you

In the 2026 market, the cost ladder for the wrong answers looks like:

  • One or two soft no’s: premium goes up 25-60%, deductible doubles, coverage limits halved.
  • Three or more weak answers: non-renewed by your current carrier, sent to surplus lines markets at 2-3x the rate.
  • Yes answers that turn out to have been false at claim time: claim denied, policy rescinded, possible bad-faith litigation in your direction.

That last one is the most expensive scenario nobody plans for. Misrepresenting controls on a renewal application is fraud, and carriers have lawyers who specialize in finding it after a breach.

What to do this quarter

If your renewal is more than 90 days out, you have time to actually fix things. The order of operations we use:

  1. Pull last year’s application. Highlight every control question.
  2. Run our Cyber Score: a free public-surface scan plus a control-coverage quiz, with a branded report by email. It covers the same areas listed above.
  3. For every soft “yes” or outright “no”, figure out the gap and the cost to close it.
  4. Get the controls in place. Document everything in a single security plan.
  5. Submit the application with confident, defensible answers. Premiums often go down even as coverage limits go up.

If your renewal is closer than 90 days out, the fix is the same — you just have less room to improve before the carrier sees the answers.

What we deploy

Titanium clients get items 1-5 of this list as part of the plan. Carbon clients get all six plus the documented IR plan and the tabletop facilitation. Steel clients can add the security stack as an upgrade for the months leading up to a renewal.

If you want a real read on where you stand against your next renewal application, the free Cyber Score takes two minutes and emails you a written report. No follow-up calls unless you ask.

#cyber insurance #renewal #MFA #EDR #small business
