What Cyber Insurance Actually Asks For
Cyber insurance applications ask a lot of technical questions in insurance language. This one-page explainer translates them into plain English - MFA everywhere, endpoint detection, tested backups, patching, employee training, and an incident response plan.
PDF explainer, ready to share or print
A plain-English rundown of the technical controls insurers commonly ask about - useful before you open an application, not just while filling one out.
What's included
- MFA everywhere - not just email, but remote access and any account with administrative rights.
- Endpoint detection and antivirus - whether anything actually notices and stops malware, on every device that touches business data.
- Backups - tested and immutable - whether recovery has actually been proven to work, and whether at least one copy can't be reached or deleted by an attacker.
- Patch management - whether known security holes are getting closed on a schedule, especially the critical ones.
- Employee security training - ongoing awareness and phishing simulation, not a one-time onboarding video.
- Incident response plan - a written plan naming who does what, reachable even if systems are down.
Why this matters
Cyber insurance applications can read like a foreign language - a page of yes/no questions about "immutable backups" and "EDR coverage" with no explanation of what any of it means or why it's being asked. Underneath the jargon, every question maps to a real-world scenario the insurer has seen play out before: a stolen password with no second factor, malware that sat undetected for weeks, a backup that turned out to be as encrypted as the system it was supposed to save.
None of these controls are exotic. They're the baseline carriers now expect before offering favorable terms - and going through an application line by line is a useful exercise even if you're not shopping for a new policy, because it's a fast way to see where the real gaps are.
How to use it
Read this before your next application or renewal so the questions aren't a surprise, and use it as a checklist to talk through with whoever manages your IT. It's not a substitute for the actual application or for advice from your insurance broker.

