Before you renew cyber insurance, check these 10 items.
Underwriters and claim reviewers may compare questionnaire answers with the controls that were actually in place. Verify each item, preserve dated evidence, and describe gaps honestly before submitting the renewal.
The 10 controls to verify
- Item 1
MFA coverage
Verify MFA is enforced for every administrator, email user, and remote-access account. Record exceptions instead of treating enrollment as enforcement.
- Item 2
DMARC enforcement
Publish DMARC at p=quarantine or p=reject after confirming every legitimate sender is aligned.
- Item 3
Endpoint detection and response
Confirm EDR is active on every supported endpoint and document any unmanaged or offline devices.
- Item 4
Immutable backups
Keep an off-site or immutable copy and retain evidence of a successful restore test within the last six months.
- Item 5
Patch management
Document ownership and timelines for operating-system and high-risk application patches, including exceptions.
- Item 6
Incident response plan
Keep the insurer, broker, breach counsel, and incident-response firm contacts in a tested call tree.
- Item 7
Security awareness training
Record completion for every employee and provide focused training for finance and privileged users.
- Item 8
Privileged access
Inventory administrator accounts, remove standing access where possible, and protect emergency accounts.
- Item 9
Network segmentation
Separate business-critical systems from guest, operational-technology, and untrusted IoT networks.
- Item 10
Wire-transfer verification
Require a callback to a previously known phone number for new beneficiaries or changed payment instructions.
Use the questionnaire as a forcing function
Each unsupported answer is a prioritized risk. If a control is incomplete, record the current coverage, responsible owner, compensating control, and target completion date. An accurate partial answer with evidence is more defensible than a clean answer that fails during claim review.
Frequently asked questions
What if a control is only partially deployed?
Tell your broker before submission. State the verified coverage, exception count, compensating controls, owner, and target date rather than answering with an unsupported yes.
Does the free scan replace the carrier questionnaire?
No. It verifies public DNS, TLS, HTTP-header, and attack-surface signals. Internal controls such as MFA, EDR, backup restores, and training still need evidence from your systems.
How often should we refresh renewal evidence?
Refresh it before renewal, after material IT changes, and whenever a major gap is closed. Save dated exports or screenshots with the submitted application.
Does cyber insurance always pay ransomware demands?
Coverage, exclusions, sublimits, and payment rules vary by policy. Confirm the exact terms with your broker or qualified counsel before an incident.
See what attackers see — before they do.
Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.