Cyber Insurance Renewal in 2025: What Your Underwriter Is Actually Asking — and Whether Your Answers Will Hold Up
If your cyber insurance renewal feels harder than it did three years ago, it is. The questions underwriters ask in 2025 have fundamentally changed — and the questionnaire your broker hands you today is a different document than the one you signed in 2021.
The question isn’t whether your organization has cyber insurance. It’s whether you can renew it at a reasonable premium — or renew it at all — and whether a claim would actually pay out if something went wrong.
This post is for the CFO or COO who owns that renewal conversation. Not the IT person filling out the form — the person who signs the attestation at the bottom and personally vouches for its accuracy.
Why Renewal Questionnaires Got Harder
Insurance carriers got burned. Between 2019 and 2022, ransomware payouts skyrocketed. Underwriters who had been writing broad, loosely worded policies started paying claims on businesses with almost no security controls in place. The industry responded the only way it knows how: tighter underwriting, higher premiums, and far more specific questions.
What changed isn’t the length of the form — it’s the precision. Underwriters used to ask vague questions like “do you have antivirus software?” Now they ask whether specific categories of protection are in place, whether access to critical systems requires more than a password, and whether you can detect and contain a threat before it spreads.
If your answers don’t match what they’re looking for, one of three things happens: your premium increases significantly, your coverage narrows with new exclusions, or you get declined.
What Underwriters Are Actually Evaluating in 2025

Most renewal questionnaires are structured around a core set of security capabilities. Here’s what they’re probing for — in plain language — and what a confident answer looks like.
1. Multi-Factor Authentication — Everywhere, Not Just Email
This is the single biggest underwriting question right now. Multi-factor authentication means logging in requires something beyond a password — a code sent to a phone, a hardware token, a fingerprint. It’s the difference between a stolen password being a disaster and being a minor inconvenience.
Underwriters aren’t just asking if you have it for email anymore. They want to know whether it protects remote access to your network, administrative accounts, cloud applications, and financial systems. If your answer is “we have it for email but not for remote access,” expect follow-up questions — or a coverage exclusion.
What good looks like: Multi-factor authentication is enforced for all remote access, all administrative accounts, and all major cloud applications. No exceptions for senior staff or executives.
2. Endpoint Detection — Beyond Basic Antivirus
Traditional antivirus blocks known threats. Modern attacks use techniques that basic antivirus was never designed to catch. Underwriters now want to know whether your computers and servers are protected by a more sophisticated layer of monitoring — software that watches for unusual behavior, not just known threat signatures.
You don’t need to know the technical name for this category of software. What you need to be able to say is: “Yes, all our endpoints are protected by a tool that actively monitors for suspicious behavior and alerts our IT team in real time.” If your IT firm can’t confirm this, that’s a gap.
3. Privileged Access Controls
This question trips up a lot of smaller businesses. Underwriters want to know whether administrative access — the kind that can install software, change configurations, or reach every file on the network — is tightly controlled and logged.
In too many organizations, administrators or even regular employees have more access than they need. When attackers get in, they look for those over-privileged accounts first because they unlock everything else. Limiting who has administrative rights — and logging when those rights are used — dramatically reduces the damage any breach can cause.
4. Backup Strategy — And Whether You’ve Actually Tested It
Every business says they have backups. Underwriters have seen too many claims where the backups existed but couldn’t be restored — either because they were encrypted by the attackers, stored in the wrong place, or simply hadn’t been tested in years.
The questions are now specific: Are backups stored separately from your primary network? Are they encrypted? How frequently are they tested? How long would it take to restore critical systems?
What good looks like: Backups run daily at minimum, are stored in an isolated environment not accessible from your main network, are encrypted, and have been tested for restoration within the last 12 months with documented results.
5. Incident Response — A Plan, Not a Hope
Underwriters want to know what happens in the first 24 hours after a breach is detected. Not in theory — in practice. Who gets called? Who has authority to take systems offline? Who contacts legal counsel? Who notifies affected parties if required?
A written incident response plan isn’t a compliance checkbox. It’s the difference between a breach that costs you a week of disruption and one that costs you three months. Underwriters know this, which is why it’s now a standard question. CISA’s incident response guidance offers a practical framework if your organization is starting from scratch.
6. Employee Security Training — With Documentation
Phishing is still the most common way attackers get in. Underwriters want to know whether your employees receive regular training and whether it’s documented. Annual checkbox training isn’t enough — they’re looking for programs that include simulated phishing attempts and track who needs additional coaching.
7. Vendor and Third-Party Risk
Some of the most damaging breaches in recent years didn’t start inside the target organization — they started at a vendor who had access to the target’s systems. Underwriters are increasingly asking whether you have a process for evaluating the security posture of vendors who can reach your network or data. The NIST Cybersecurity Framework provides widely accepted standards for assessing both internal controls and third-party risk — and referencing it in your renewal documentation signals maturity to underwriters.
If you handle client data or operate in a regulated industry, this question isn’t optional. Your vendor’s security gap becomes your breach.
The Attestation Problem — and Why It Can Sink a Claim
When you sign a cyber insurance renewal application, you’re not just answering questions. You’re making legal representations. If those representations turn out to be inaccurate at the time of a claim, your insurer has grounds to deny coverage — even if the breach had nothing to do with the inaccuracy.
This is called a material misrepresentation, and it has been used in actual claim denials. A business checks “yes” on multi-factor authentication because someone set it up for email — not knowing it wasn’t enforced for remote access. A breach happens through remote access. Claim denied.
The person signing the attestation needs to actually know the answers are accurate. Before you submit your renewal, someone on your IT team — or your IT firm — needs to verify that every “yes” on that form is true in practice, not just in intent.
Red Flags to Resolve Before Your Next Renewal
If any of these describe your organization, treat them as conversations to have before your renewal questionnaire is due — not after.
- Your IT firm hasn’t reviewed your insurance questionnaire with you. They should be your primary source of truth for most of these answers.
- Multi-factor authentication is not enforced for remote access. This is the most common gap underwriters find — and the one most likely to cause a coverage problem.
- Your backups have never been tested for restoration. A backup you haven’t tested is not a backup. It’s a hope.
- You have no written incident response plan. Even a basic one is better than nothing. If you don’t know who calls whom in the first hour of a breach, the answer to that renewal question should concern you.
- Your IT firm doesn’t provide documentation of your security posture. If you can’t point to a recent, structured review of your environment, you’re operating on trust rather than evidence — and so is your underwriter.
How to Get Ahead of Renewal — Before the Questions Land in Your Inbox
The worst time to discover a gap in your security controls is when your broker is waiting for a completed questionnaire.
Start 90 days early. If your renewal is in Q4, your security review should happen in Q3. That gives you time to remediate gaps rather than simply note them.
Have your IT firm walk through the questionnaire line by line. Not to fill it out for you — to verify that what you intend to attest is actually true. Every “yes” on that form should be confirmed by someone who can point to the technical evidence.
Get something in writing about your current security posture. A documented review of your environment — not a conversation, but a formal assessment — gives you something concrete to reference and gives your underwriter confidence that you’re not guessing.
Ask specifically about multi-factor authentication coverage. Confirm exactly which systems it’s enforced on and whether there are any exceptions. Document the answer.
Test your backups before the renewal, not after. Run a restoration test. Document it. Know your recovery time. That’s a real answer you can give with confidence — not an estimate.
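The pre-renewal steps above (confirm MFA scope and exceptions, verify a recent restore test, have a written plan, start 90 days early) as an added example of cross-checking questionnaire answers against an evidence record before anyone signs; this is illustrative code added here, not from the post, and the evidence record, its field names and all dates are constructed.

```python
from datetime import date, timedelta

# Constructed evidence record for a hypothetical company (not from the post).
RENEWAL_DATE = date(2025, 11, 1)
AS_OF = date(2025, 8, 1)  # the day the review is run
EVIDENCE = {
    "mfa": {  # one entry per scope the post names; a "yes" needs all of them
        "remote_access": {"enforced": True, "exceptions": []},
        "admin_accounts": {"enforced": True, "exceptions": ["cfo-admin"]},
        "cloud_apps": {"enforced": True, "exceptions": []},
        "financial_systems": {"enforced": False, "exceptions": []},
    },
    "backups": {"isolated": True, "encrypted": True, "frequency_days": 1,
                "last_restore_test": date(2024, 6, 15)},
    "incident_response_plan": {"written": True, "last_reviewed": date(2025, 2, 1)},
}

def check_mfa(mfa):
    """Flag any scope where MFA is off or carries exceptions (e.g. executives)."""
    findings = []
    for scope, rec in mfa.items():
        if not rec["enforced"]:
            findings.append(f"MFA not enforced for {scope}")
        elif rec["exceptions"]:
            findings.append(f"MFA exceptions for {scope}: {', '.join(rec['exceptions'])}")
    return findings

def check_backups(b, today):
    """Backups must be isolated, encrypted, daily, and restore-tested within 12 months."""
    findings = []
    if not b["isolated"]:
        findings.append("backups reachable from the primary network")
    if not b["encrypted"]:
        findings.append("backups not encrypted")
    if b["frequency_days"] > 1:
        findings.append(f"backups run every {b['frequency_days']} days, not daily")
    test = b.get("last_restore_test")
    if test is None or today - test > timedelta(days=365):
        findings.append("no documented restore test in the last 12 months")
    return findings

def check_ir_plan(plan):
    return [] if plan["written"] else ["no written incident response plan"]

def attestation_findings(evidence, today):
    """Each non-empty list is a 'yes' that cannot be signed as-is."""
    return {"mfa": check_mfa(evidence["mfa"]),
            "backups": check_backups(evidence["backups"], today),
            "incident_response": check_ir_plan(evidence["incident_response_plan"])}

def review_deadline(renewal):
    """Start the security review 90 days before the renewal date."""
    return renewal - timedelta(days=90)
```

Run it with the real evidence your IT firm hands over; any finding it prints is either remediation work or a disclosure on the form, never a silent "yes".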
The Bigger Picture
Cyber insurance isn’t a substitute for a strong security posture. It’s a financial backstop for when the posture has a bad day. Underwriters understand this, which is why they’ve shifted from asking “do you have insurance-worthy intentions?” to “can you prove you have insurance-worthy controls?”
The organizations that get through renewal cleanly — at reasonable premiums, without new exclusions — are the ones who can answer the questionnaire confidently because the controls are genuinely in place, not because someone filled out the form optimistically.
If you’re not certain where your organization stands, the right move is a formal review of your environment before your next renewal. Not a conversation — a documented assessment that tells you clearly what’s in place, what’s missing, and what your exposure looks like.
That’s exactly what a Business Technology Growth & Risk Assessment is built to surface. It’s a structured review of your IT, cybersecurity, and compliance posture that gives you a defensible picture of where you stand — which is precisely what you need before you sign an attestation.
Reserve Your Business Technology Growth & Risk Assessment — and go into your next renewal with answers you can actually stand behind.