- A cyber insurance application is a controls questionnaire, and the insurer decides coverage based on the security you can truthfully say you have in place.
- Carriers consistently ask about MFA, endpoint protection on every device, managed patching, backups, email filtering, and security awareness training for staff.
- A single exception like an owner's self-built machine without antivirus turns an honest 'yes' on 'every device' into a 'no' and can get a later claim denied as an inaccurate application.
- The right order is to close the gaps first and apply second, standing up the controls and verifying no exceptions before signing the application.
In that same conversation, the attorney admitted the firm carried no cyber insurance and didn't know where to start. "I'm the weak link," he said. "The antivirus is on everybody's computer except mine, because I set up my own." That one sentence is exactly the kind of thing that gets a claim denied.
A policy isn't just bought, it's underwritten
Many small firms only think about cyber insurance after a scare. Then they discover it doesn't work like buying a tool off a shelf. You apply, and the application is a controls questionnaire. The insurer is deciding whether to cover you based on what security you can truthfully say you have in place.
The questions are fairly consistent across carriers. They want to know whether you have:
- Multi-factor authentication (MFA) on your accounts.
- Endpoint protection on every device.
- Managed patching that keeps systems up to date.
- Backups.
- Email filtering.
- Security awareness training for staff.
Why one exception is a real problem
Notice the phrase "every device." The owner's self-built machine, the one without antivirus, is exactly the gap that turns an honest "yes" into a "no." And the stakes aren't just a rejected application. If you attest to controls you don't actually have and later file a claim, the insurer can deny it on the grounds that the application was inaccurate. You pay premiums for years and get nothing at the worst possible moment.
An attestation is a legal statement, not a wish list. Checking "yes, MFA everywhere" when one account is exempt isn't a rounding error. It's the kind of discrepancy a carrier looks for when a claim lands.
The right order of operations
The fix is unglamorous and effective: close the gaps first, then apply. An IT partner can do both halves, stand up the controls (MFA across the board, endpoint protection on every machine, patching, backups, filtering, training), and then help complete the questionnaire so your answers are accurate and your coverage holds.
The sequence is the point. Implement the controls, verify there are no exceptions hiding in the corner, and only then sign the application. A policy built on a truthful questionnaire is one that actually pays out.
If you're shopping for cyber insurance, or you have a policy and aren't certain your environment matches what you attested to, that's worth checking before you ever need to file. We're happy to take a look. Let's talk it through.