Key Takeaways
- Cyber insurers score your security posture before quoting — gaps in basic controls can result in declinations or exclusions.
- Multi-factor authentication and endpoint detection are now baseline requirements at most carriers, not optional enhancements.
- Having documented policies and an incident response plan in writing dramatically improves your underwriting outcome.
- Data inventory and backup verification are two of the most commonly overlooked items on cyber applications.
- Completing this checklist before applying helps you answer questions accurately and avoid misrepresentation issues at claims time.
Summary
28 items · 45 minutes to 2 hours
Why Cyber Underwriters Ask So Many Questions
If you've never applied for a standalone cyber liability policy before, the application questionnaire will likely surprise you. Unlike a general liability application that asks your revenue and location, a cyber application goes deep — asking about your authentication methods, backup frequency, patch management cadence, and whether you've had a breach in the last five years. Some applications run to 20 pages.
That level of scrutiny isn't bureaucratic overreach. Cyber underwriters are trying to build a picture of your actual security posture, because unlike a slip-and-fall claim, a ransomware event can cost a carrier millions overnight. They need to know whether you're a manageable risk or a foreseeable catastrophe.
The practical problem for most small business owners is that they're not prepared for these questions when they sit down to apply. They either don't know the answers, or — more dangerously — they guess. Misrepresentation on an insurance application, even unintentional, can give a carrier grounds to deny a claim or rescind a policy entirely.
This checklist is designed to get you ready before you touch the application. Work through it over a few days if necessary. The goal is to give you confident, documented answers for every section of the underwriting questionnaire — and in the process, probably improve your actual security posture along the way. If you're new to cyber coverage entirely, start with the small business cyber insurance primer before diving in here.
What You'll Need Before You Start
Before working through the checklist items, gather the following. You'll reference these throughout the application process and during any follow-up questions from the underwriter.
Network diagram or asset inventory
Documents all devices, servers, and cloud services connected to your environment — underwriters ask about your technology footprint.
Current data inventory or data map
Lists what sensitive data you collect, where it's stored, and who has access — essential for answering data classification questions.
Written incident response plan (IRP)
Demonstrates that you have a documented process for detecting, containing, and reporting a cyber incident.
Employee security training records
Proof that staff have completed security awareness training — carriers ask about training frequency and who participates.
Backup verification logs
Documented evidence that backups are running successfully and have been tested by restoring actual data.
MSP or IT vendor contact and service agreement
Confirms the scope of managed security services and who is responsible for specific controls underwriters will ask about.
Prior cyber incident documentation
Any records of previous security events, breaches, or ransomware incidents that must be disclosed on the application.
Technology vendor contracts
Identifies third-party data processors, cloud services, and client indemnification obligations that affect your coverage requirements.
If your IT function is outsourced to a managed service provider (MSP), rope them in early. They will have answers to most of the technical questions, and some carriers will actually ask for MSP contact information as part of their due diligence. Understand what your MSP manages versus what your internal team owns — underwriters will ask that distinction.
Also worth knowing: how underwriters actually use this information. See how cyber underwriters assess risk when pricing your policy for context on what drives premiums up or down.
The Full Application Preparation Checklist
Work through these groups in order. Technical controls come first because they're the hardest to implement quickly — if you find gaps, you want time to address them before submitting your application. Documentation and policies follow because they're faster to produce and often just as important to underwriters.
MFA Is Now a Coverage Prerequisite
As of 2023, the majority of admitted cyber carriers will not quote a policy — at any price — for businesses that cannot confirm MFA is enabled on email and remote access. This is no longer a discount trigger; it's a threshold requirement. If MFA is not in place when you apply, get it deployed first. Applying without it will result in a declination that goes on record with the insurer, which can complicate future applications.
Identity & Access Controls
Endpoint & Network Security
Data Inventory & Classification
Backup & Recovery
Policies & Employee Training
Incident Response Planning
Application Disclosure
Partial Deployment Counts — Be Honest About It
Many businesses have MFA enabled on some systems but not others, or have EDR deployed on workstations but not servers. Don't round up to 'yes' when the accurate answer is 'partial.' Underwriters price for partial deployment — they do it routinely. What they cannot price for is inaccurate information discovered after a loss. A misrepresentation finding at claims time can void your policy regardless of whether the misrepresentation contributed to the loss.
Don't Apply Immediately After Improving Controls
If you've just implemented MFA or deployed EDR specifically to pass this application, make sure those controls are genuinely operational — not just activated. Some carriers perform post-bind technical audits, and others ask for evidence at renewal. Controls need to be sustainable, not cosmetic.
After the Checklist: What Happens Next
Once you've worked through these items, you're in a substantially better position than most small businesses that walk into a cyber application cold. Here's what to expect from this point forward.
Completing the Application Accurately
Answer every question based on what you actually have in place, not what you plan to have in place. If MFA is partially deployed — say, on email but not your accounting software — say that. Underwriters see partial implementation all the time; they build it into pricing. What they can't tolerate is discovering after a loss that your application overstated your controls. See how to prepare any insurance application for a smoother underwriting process for general principles that apply here too.
Expect Follow-Up Questions
For businesses with higher revenue, sensitive data, or complex technology environments, expect the underwriter to ask supplemental questions. They may want to see your incident response plan, request a network security assessment, or ask for your MSP's SOC 2 report. This isn't unusual and doesn't mean you're being declined — it means they're taking the account seriously.
Reviewing What You're Actually Quoted
Once quotes come in, don't just look at the premium. Cyber policies vary enormously in what they cover, what they exclude, and how sublimits are structured. Before you sign anything, walk through the policy terms carefully. The cyber policy evaluation checklist is designed specifically for that step.
Keeping Your Documentation Current
Whatever you document for this application — your incident response plan, your data inventory, your MFA rollout status — treat it as a living record. Carriers increasingly ask at renewal whether your security posture has changed. If you've had a significant change (new systems, new data types, a staff expansion), report it proactively. And if you want the full picture of how cyber coverage works from underwriting through claims, the complete cyber liability insurance reference covers it end to end.
All claims in this article are backed by peer-reviewed research. We follow strict editorial guidelines to ensure accuracy and reliability. Sources available on request from our editorial team.


