Cyber insurance renewal questionnaire walkthrough: what carriers actually ask in 2026

April 15, 2026 | Gravity Networks | Compliance

Cyber insurance used to be a checkbox and a premium. In 2023 and 2024 the market hardened fast — ransomware losses climbed, carriers lost money, and the questionnaires got serious. In 2026 we're seeing 12-to-20-page renewal applications asking line-by-line control questions, and policies are being voided after claims when applicants answered questions optimistically rather than honestly. Here's what the current questionnaires actually look like for small and mid-size businesses, and how to answer them.

The four questionnaire sections you'll see

Carriers are increasingly using the same template shapes. Expect these:

  1. Identity and access. MFA coverage by system (email, remote access, privileged admin, backup console). Conditional access. Privileged account management. Service account inventory.
  2. Endpoint and network. EDR/MDR coverage, patching cadence, legacy OS inventory, network segmentation, firewall management, whether you have SOC monitoring and what hours it covers.
  3. Email and cloud. Email filtering and phishing protection, DMARC/SPF/DKIM configuration, third-party M365/Google backup, security awareness training cadence.
  4. Incident response and backup. Written IR plan, incident response retainer, immutable/offsite backups, last tested restore date, RTO and RPO for critical systems.

The questions that catch people out

A few specific questions trip up more applicants than the rest:

"Is MFA enforced on ALL email accounts?"

The trap word is all. If you have a shared mailbox with basic-auth still enabled, or a service account your ERP uses to send invoices without MFA, you can't truthfully answer yes. Audit the tenant for legacy auth and service accounts before checking this box — the audit is a one-hour task with the right PowerShell and doesn't require a consultant.
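Here is what that one-hour audit can look like in practice, as an added example rather than code from this post: it classifies Entra ID sign-in log records so that any account still authenticating over a legacy protocol, or signing in with a single factor, is listed before anyone ticks the "all" box. The record shape follows the Microsoft Graph signIn resource (fields like clientAppUsed and authenticationRequirement); the sample records below are constructed, and the Get-MgAuditLogSignIn cmdlet is assumed to be how you would pull the real export.

```powershell
# Added example, not Gravity Networks' code. Flags accounts that break a
# "yes, MFA on ALL email accounts" answer. Records are shaped like the
# Microsoft Graph signIn resource; real data comes from
# Get-MgAuditLogSignIn -All (Microsoft.Graph module) or the portal JSON export.

# Client app values Entra reports for modern authentication. Anything else
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients") is a
# legacy protocol that cannot be challenged for MFA at all.
$ModernClients = @('Browser', 'Mobile Apps and Desktop clients')

function Get-MfaGapReport {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    # One row per account. A single successful legacy or single-factor
    # sign-in is enough to make "MFA everywhere" untrue on the application.
    $SignIns |
        Where-Object { $_.status.errorCode -eq 0 } |   # successful sign-ins only
        Group-Object -Property userPrincipalName |
        ForEach-Object {
            $legacy = @($_.Group | Where-Object { $_.clientAppUsed -notin $ModernClients })
            $single = @($_.Group | Where-Object { $_.authenticationRequirement -eq 'singleFactorAuthentication' })
            [pscustomobject]@{
                Account           = $_.Name
                LegacyAuthCount   = $legacy.Count
                LegacyProtocols   = (@($legacy.clientAppUsed) | Sort-Object -Unique) -join ', '
                SingleFactorCount = $single.Count
                CanAnswerYes      = ($legacy.Count -eq 0 -and $single.Count -eq 0)
            }
        }
}

# Constructed sample: a user on modern auth with MFA, an ERP service account
# sending invoices over Authenticated SMTP, a shared mailbox on IMAP, and one
# failed sign-in (wrong password) that should be ignored.
$sample = @'
[
  {"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}},
  {"userPrincipalName":"erp-invoices@example.com","clientAppUsed":"Authenticated SMTP","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}},
  {"userPrincipalName":"ap-shared@example.com","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}},
  {"userPrincipalName":"bob@example.com","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
]
'@ | ConvertFrom-Json

Get-MfaGapReport -SignIns $sample | Format-Table -AutoSize
```

Any row with CanAnswerYes set to False is an account to fix (block legacy auth, move the service account to a modern-auth connector) or to disclose on the questionnaire, never to silently skip.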

"Do you have 24/7 security monitoring with an incident response capability?"

A dashboard that nobody watches on nights and weekends is not 24/7 monitoring. A managed SOC is. If you're relying on your MSP's business-hours helpdesk to catch a ransomware behavior alert at 2am Saturday, the honest answer is "no — we have reactive IT support, not 24/7 security monitoring."

"Do you have immutable or offsite backups that are segmented from production?"

Backups sitting on a NAS that your domain admin accounts can reach are not immutable. Ransomware groups explicitly target backup infrastructure now — immutable means write-once, read-many storage with a retention lock that even your admins can't override. If your backup is just a second copy on the same network, that's not what carriers are asking about.

"When did you last test a full restore of a critical system?"

Carriers want a date, not a promise. "We test backups" isn't the right answer. "We restored the primary file server in full on February 4, 2026, with a written test report" is. If you can't produce the report, treat the restore as untested.

Why honesty matters at renewal

Every major cyber insurance carrier now has misrepresentation clauses that void coverage if the insured materially overstated their security posture on the application. We've seen SMBs lose coverage on legitimate ransomware claims because they said "yes, MFA everywhere" when service accounts were exempt. The short-term embarrassment of answering honestly is smaller than the long-term exposure of an unpaid claim.

What to do before next renewal

  1. Get the previous questionnaire and your answers in hand. Anything you said yes to, you have to be able to defend in an assessor's interview.
  2. Audit the tenant against the most common trap questions. MFA coverage, legacy auth, backup immutability, service account inventory. Fix the obvious gaps.
  3. Document what you have. Written IR plan, last restore date, MFA coverage attestation, SOC monitoring arrangement. A packet the broker can hand directly to the underwriter.
  4. Expect the questions to get harder. Carriers added questions about privileged access management, OAuth app governance, and vendor risk management in 2025. Expect 2026 renewals to ask about AI data governance and software supply chain.

Gravity clients on our managed cybersecurity stack get the questionnaire packet as part of the service — we answer every question line-by-line, provide the supporting documentation, and join the broker call if helpful. If renewal season is looming and the questionnaire is already making your stomach hurt, let's talk.