- February 19, 2026
- Cybersecurity
- Operations
Why your cyber-insurance questionnaire keeps getting longer
Carriers used to ask three questions. Now they ask thirty. Here's why — and what to answer truthfully without losing the policy.
Five years ago, the cyber-insurance section of a business policy was three questions and a signature. Today it's a four-page questionnaire with controls-level specificity — and an underwriter who will deny coverage if any of your answers smell weak.
The reason is simple: carriers paid out a lot of ransomware claims between 2020 and 2023. Premiums went up, and so did the bar for what you have to prove before they'll write the policy. The questionnaire is no longer a formality — it's a controls audit.
What carriers are now asking
The specifics vary by carrier, but the common pattern looks like this:
- Multi-factor authentication. On email. On remote access. On privileged accounts. They want a yes on all three, with documentation.
- Endpoint detection and response (EDR). Not "we have antivirus." A real EDR product on every endpoint, monitored.
- Backup posture. Immutable copies, offsite, tested. The questionnaire will ask when you last performed a successful restore test.
- Patching cadence. Documented patch windows for critical and security-relevant updates.
- Written incident-response plan. A real document, with names and phone numbers. Not just "we'll call our IT person."
- Email security. Anti-phishing controls beyond what's built into your mail provider.
- User-awareness training. Some form of recurring program.
Why answering "kind of" is worse than "no"
A common mistake: businesses check "yes" for controls they have only mostly implemented, because they don't want the policy denied. Don't do this. If a breach happens and the carrier finds out a control wasn't actually in place, they will deny the claim. That's the whole point of the questionnaire.
The right move when you can't honestly check "yes" is to either: (a) implement the control before submitting the questionnaire, or (b) answer honestly and accept the carrier may require remediation as a condition of binding. Both are better than fabricating coverage.
The questionnaire isn't trying to trick you. It's a list of the controls that, when present, dramatically reduce the carrier's exposure — and yours.
What we run by default
Our standard managed-IT engagement covers every common questionnaire item out of the box: SentinelOne EDR, Adlumin MDR, Cove immutable backups, conditional access, MFA, written IR plan. Most clients answer "yes" to every checkbox within their first 60 days with us — and more importantly, they're actually doing it.
If you're up for renewal and the questionnaire is making you nervous, talk to us before you fill it out. Two hours of conversation now is cheaper than a denied claim later.