Business Insurance checklist

Preparing Your Business for a Cyber Insurance Application

Business owner reviewing a cyber insurance application checklist on a laptop at their office desk.

Key Takeaways

  • Cyber insurers score your security posture before quoting — gaps in basic controls can result in declinations or exclusions.
  • Multi-factor authentication and endpoint detection are now baseline requirements at most carriers, not optional enhancements.
  • Having documented policies and an incident response plan in writing dramatically improves your underwriting outcome.
  • Data inventory and backup verification are two of the most commonly overlooked items on cyber applications.
  • Completing this checklist before applying helps you answer questions accurately and avoid misrepresentation issues at claims time.
45–120 min

Summary

28 items · 45 minutes to 2 hours

Why Cyber Underwriters Ask So Many Questions

If you've never applied for a standalone cyber liability policy before, the application questionnaire will likely surprise you. Unlike a general liability application that asks your revenue and location, a cyber application goes deep — asking about your authentication methods, backup frequency, patch management cadence, and whether you've had a breach in the last five years. Some applications run to 20 pages.

That level of scrutiny isn't bureaucratic overreach. Cyber underwriters are trying to build a picture of your actual security posture, because unlike a slip-and-fall claim, a ransomware event can cost a carrier millions overnight. They need to know whether you're a manageable risk or a foreseeable catastrophe.

The practical problem for most small business owners is that they're not prepared for these questions when they sit down to apply. They either don't know the answers, or — more dangerously — they guess. Misrepresentation on an insurance application, even unintentional, can give a carrier grounds to deny a claim or rescind a policy entirely.

This checklist is designed to get you ready before you touch the application. Work through it over a few days if necessary. The goal is to give you confident, documented answers for every section of the underwriting questionnaire — and in the process, probably improve your actual security posture along the way. If you're new to cyber coverage entirely, start with the small business cyber insurance primer before diving in here.

Split illustration comparing a disorganized unprepared business setup with an organized and documented security-ready workspace.
Underwriters can tell the difference between a business that manages security deliberately and one that doesn't — documentation is evidence.

What You'll Need Before You Start

Before working through the checklist items, gather the following. You'll reference these throughout the application process and during any follow-up questions from the underwriter.

Required

Network diagram or asset inventory

Documents all devices, servers, and cloud services connected to your environment — underwriters ask about your technology footprint.

Required

Current data inventory or data map

Lists what sensitive data you collect, where it's stored, and who has access — essential for answering data classification questions.

Required

Written incident response plan (IRP)

Demonstrates that you have a documented process for detecting, containing, and reporting a cyber incident.

Required

Employee security training records

Proof that staff have completed security awareness training — carriers ask about training frequency and who participates.

Required

Backup verification logs

Documented evidence that backups are running successfully and have been tested by restoring actual data.

Optional

MSP or IT vendor contact and service agreement

Confirms the scope of managed security services and who is responsible for specific controls underwriters will ask about.

Optional

Prior cyber incident documentation

Any records of previous security events, breaches, or ransomware incidents that must be disclosed on the application.

Optional

Technology vendor contracts

Identifies third-party data processors, cloud services, and client indemnification obligations that affect your coverage requirements.

If your IT function is outsourced to a managed service provider (MSP), rope them in early. They will have answers to most of the technical questions, and some carriers will actually ask for MSP contact information as part of their due diligence. Understand what your MSP manages versus what your internal team owns — underwriters will ask that distinction.

Also worth knowing: how underwriters actually use this information. See how cyber underwriters assess risk when pricing your policy for context on what drives premiums up or down.

The Full Application Preparation Checklist

Work through these groups in order. Technical controls come first because they're the hardest to implement quickly — if you find gaps, you want time to address them before submitting your application. Documentation and policies follow because they're faster to produce and often just as important to underwriters.

MFA Is Now a Coverage Prerequisite

As of 2023, the majority of admitted cyber carriers will not quote a policy — at any price — for businesses that cannot confirm MFA is enabled on email and remote access. This is no longer a discount trigger; it's a threshold requirement. If MFA is not in place when you apply, get it deployed first. Applying without it will result in a declination that goes on record with the insurer, which can complicate future applications.

Identity & Access Controls

Enable multi-factor authentication (MFA) on all email accounts, VPN access, and remote desktop connections — this is a hard requirement at most carriers, not a nice-to-have. Must
Apply MFA to all privileged or administrator accounts, including cloud service consoles, domain controllers, and financial systems. Must
Audit all active user accounts and remove or disable accounts belonging to former employees — insurers specifically ask about offboarding procedures. Must
Implement a least-privilege access policy so employees only have access to systems and data their role requires. Should
Document your password policy in writing, including minimum length, complexity requirements, and rotation schedules. Should

Endpoint & Network Security

Confirm that endpoint detection and response (EDR) software — not just legacy antivirus — is deployed on all workstations, laptops, and servers. Must
Verify that your operating systems and third-party software are on a documented patch management schedule with critical patches applied within 30 days of release. Must
Ensure your network firewall configurations are current and that remote access is restricted to authorized users through a VPN. Must
Segment your network so that point-of-sale systems, customer data, and operational systems are isolated from general employee workstations. Should
Disable or restrict Remote Desktop Protocol (RDP) where not strictly necessary — RDP exposed to the internet is one of the most common ransomware entry points. Must

Data Inventory & Classification

Create a written inventory of all sensitive data your business collects, stores, or transmits — including customer PII, payment card data, health information, and employee records. Must
Identify where each data type is stored (on-premises servers, cloud storage, employee laptops, third-party platforms) and document this clearly. Must
Note any regulated data categories in your inventory — HIPAA, PCI DSS, state privacy laws — since these affect both your coverage needs and underwriting classification. Should
Identify and document all third-party vendors that have access to your sensitive data, including cloud software providers and payroll processors. Should

Backup & Recovery

Verify that critical business data is backed up at least daily, with backups stored in a location that is logically and physically separate from your primary systems. Must
Test your backup restoration process — actually restore a file or system from backup — and document the test date and outcome. Must
Confirm that backups are either offline (air-gapped) or immutable so that ransomware cannot encrypt or delete your backup copies. Must
Document your recovery time objective (RTO) — how quickly you need systems restored after an incident — and share it with your IT team or MSP. Should

Policies & Employee Training

Put an acceptable use policy in writing covering employee use of company devices, email, and internet access. Should
Conduct and document at least annual security awareness training for all employees, with records showing who completed it. Must
Run phishing simulation exercises at least once per year and document participation rates and outcomes. Should
Establish a written process for employees to report suspected phishing emails or security incidents. Should

Incident Response Planning

Draft a written incident response plan (IRP) that identifies who is responsible for leading response, who makes decisions, and who handles external communications. Must
Include in your IRP the contact information for your cyber insurer's breach hotline, legal counsel, and a forensic incident response firm. Must
Conduct a tabletop exercise — a guided walkthrough of how your team would respond to a ransomware scenario — and document that it occurred. Should
Ensure your IRP addresses notification obligations under applicable state breach notification laws and, if relevant, HIPAA or PCI DSS rules. Must

Application Disclosure

Gather records of any prior cyber incidents, security breaches, or ransomware events in the last five years — applications universally ask for this disclosure. Must
If you've had a prior incident, prepare a brief written summary describing what happened, what was affected, and what remediation steps were taken. Should
Review your current technology contracts for any indemnification obligations to clients that would affect the limits of liability you need to carry. Nice to have

Partial Deployment Counts — Be Honest About It

Many businesses have MFA enabled on some systems but not others, or have EDR deployed on workstations but not servers. Don't round up to 'yes' when the accurate answer is 'partial.' Underwriters price for partial deployment — they do it routinely. What they cannot price for is inaccurate information discovered after a loss. A misrepresentation finding at claims time can void your policy regardless of whether the misrepresentation contributed to the loss.

Don't Apply Immediately After Improving Controls

If you've just implemented MFA or deployed EDR specifically to pass this application, make sure those controls are genuinely operational — not just activated. Some carriers perform post-bind technical audits, and others ask for evidence at renewal. Controls need to be sustainable, not cosmetic.

After the Checklist: What Happens Next

Once you've worked through these items, you're in a substantially better position than most small businesses that walk into a cyber application cold. Here's what to expect from this point forward.

Completing the Application Accurately

Answer every question based on what you actually have in place, not what you plan to have in place. If MFA is partially deployed — say, on email but not your accounting software — say that. Underwriters see partial implementation all the time; they build it into pricing. What they can't tolerate is discovering after a loss that your application overstated your controls. See how to prepare any insurance application for a smoother underwriting process for general principles that apply here too.

Expect Follow-Up Questions

For businesses with higher revenue, sensitive data, or complex technology environments, expect the underwriter to ask supplemental questions. They may want to see your incident response plan, request a network security assessment, or ask for your MSP's SOC 2 report. This isn't unusual and doesn't mean you're being declined — it means they're taking the account seriously.

Reviewing What You're Actually Quoted

Once quotes come in, don't just look at the premium. Cyber policies vary enormously in what they cover, what they exclude, and how sublimits are structured. Before you sign anything, walk through the policy terms carefully. The cyber policy evaluation checklist is designed specifically for that step.

Business owner confidently submitting a completed insurance application folder to an insurance broker across a desk.
A well-prepared application signals to underwriters that your business takes security seriously — which directly affects pricing and coverage terms.

Keeping Your Documentation Current

Whatever you document for this application — your incident response plan, your data inventory, your MFA rollout status — treat it as a living record. Carriers increasingly ask at renewal whether your security posture has changed. If you've had a significant change (new systems, new data types, a staff expansion), report it proactively. And if you want the full picture of how cyber coverage works from underwriting through claims, the complete cyber liability insurance reference covers it end to end.

Marcus Bellingham

Author

Marcus Bellingham

B.B.A. in Finance, University of Texas at Austin, Chartered Property Casualty Underwriter (CPCU)

Marcus Bellingham is a commercial insurance specialist with background in underwriting small-to-mid-size business policies including commercial auto, cyber liability, and specialty lines. He writes to help business owners understand the gaps between personal coverage and the commercial protection their operations actually require. His focus is on practical risk awareness without unnecessary complexity.

commercial autocyber liabilitysmall business insurancecommercial underwriting
View all articles by Marcus Bellingham →

All claims in this article are backed by peer-reviewed research. We follow strict editorial guidelines to ensure accuracy and reliability. Sources available on request from our editorial team.

Disclaimer: The content on Insure Ninja is for informational purposes only and is not a substitute for professional advice. Always consult a qualified professional for guidance specific to your situation.

Related articles