If you're a small or mid-size business renewing cyber insurance this year, your underwriter probably sent you a 60- to 100-question security questionnaire. Maybe more. Maybe with attachments asking for screenshots of your MFA settings, EDR dashboard, and backup retention policy.
This isn't a formality. It is the underwriter's risk model, and your answers (and what you can prove) determine three things: whether you get renewed at all, your premium, and your sub-limits for ransomware, social engineering, and business email compromise.
We've answered these questionnaires for clients on both sides — sometimes the same control, two different carriers, two different decisions. The questions look generic. The way you answer them isn't.
Below is what each major question actually means, what evidence the underwriter is looking for, and where you should push back if the answer is "yes, but it's complicated."
1. Multi-factor authentication (MFA)
The question: "Is MFA enforced for all users on email, VPN, remote access, and privileged accounts?"
What they want to hear: Yes, on all four, with no exceptions, including service accounts and break-glass administrator accounts.
What "yes, but" really means:
- "We have MFA on Microsoft 365" — but is it enforced via a Conditional Access policy, or just enabled per-user? Underwriters will ask for the policy export.
- "Most users have it" — every exception is a finding. The one user without MFA is the one who gets phished.
- "We have MFA on email but not on the VPN" — this is the most common gap, and it's the one ransomware crews look for.
Evidence to attach: a screenshot of your Conditional Access policy (or Okta/Duo equivalent) showing MFA required for all users, all locations, all apps, plus a list of any exclusions and the reason each one exists.
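As an added illustration (not from the original post, and not a Microsoft tool), the following Python reads a Conditional Access policy export in the shape Microsoft Graph returns for `/identity/conditionalAccess/policies` and answers the three things the underwriter reads off it: is there an enabled policy that requires MFA, does it cover all users and all apps, and what is carved out of it. The sample export is constructed; a real one comes from the Graph API or the Entra admin center. Report-only policies are flagged separately because they never block a sign-in.

```python
import json

# Constructed sample export, not from any real tenant. The field names mirror the
# Microsoft Graph conditionalAccessPolicy resource; the values are made up. Graph
# returns object IDs in the exclude lists; readable labels are used here so the
# sample stays legible.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "Require MFA - all users, all apps",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["breakglass@contoso.example"],
                "excludeGroups": ["svc-legacy-auth-exempt"],
                "excludeRoles": [],
            },
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA - VPN app (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
            "applications": {"includeApplications": ["vpn-app-object-id"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
])


def requires_mfa(policy):
    """True if the grant controls demand MFA, either via the classic 'mfa'
    built-in control or via an authentication strength (the newer mechanism)."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return "mfa" in controls or grant.get("authenticationStrength") is not None


def is_enforced(policy):
    # Report-only and disabled policies never block a sign-in.
    return policy.get("state") == "enabled"


def covers_all_users(policy):
    return "All" in (policy["conditions"]["users"].get("includeUsers") or [])


def covers_all_apps(policy):
    return "All" in (policy["conditions"]["applications"].get("includeApplications") or [])


def exclusions(policy):
    """Every carve-out on the policy; each one becomes a line in the findings."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return {
        "user": users.get("excludeUsers") or [],
        "group": users.get("excludeGroups") or [],
        "role": users.get("excludeRoles") or [],
        "app": apps.get("excludeApplications") or [],
    }


def assess_export(export_json):
    """Summarise a policy export the way an underwriter reads it: which enabled
    policies require MFA tenant-wide, and which exceptions need a written reason."""
    tenant_wide, findings = [], []
    for policy in json.loads(export_json):
        name = policy.get("displayName", "<unnamed>")
        if not requires_mfa(policy):
            continue  # unrelated policy (e.g. a legacy-auth block); out of scope here
        if not is_enforced(policy):
            findings.append(f"{name}: requires MFA but state is '{policy.get('state')}', so it is not enforced")
            continue
        if covers_all_users(policy) and covers_all_apps(policy):
            tenant_wide.append(name)
            for kind, items in exclusions(policy).items():
                for item in items:
                    findings.append(f"{name}: excluded {kind} '{item}' needs a documented reason")
        else:
            findings.append(f"{name}: enforced but scoped to a subset of users or apps")
    if not tenant_wide:
        findings.insert(0, "No enabled policy requires MFA for all users on all apps")
    return {"tenant_wide_mfa_policies": tenant_wide, "findings": findings}


if __name__ == "__main__":
    result = assess_export(SAMPLE_EXPORT)
    print("Tenant-wide MFA policies:", result["tenant_wide_mfa_policies"])
    for finding in result["findings"]:
        print(" -", finding)
```

The exclusion list the script prints is exactly the "list of any exclusions and why" the underwriter asks for; each line needs a sentence of justification next to it before it goes in the evidence folder.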
2. Endpoint Detection & Response (EDR / MDR)
The question: "Is EDR or MDR deployed on 100% of endpoints, including servers?"
This is the single biggest premium lever right now. Carriers are sorting clients into two buckets: "has real EDR" and "has consumer antivirus." If you're in bucket two, expect a 20-40% premium increase or a non-renewal letter.
What counts as real EDR: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint (Plan 2), Sophos Intercept X, Huntress, or similar — products that detect behavior, not just signatures. Bonus points if it's managed (someone watches the alerts 24/7).
What doesn't count: Windows Defender out of the box (Plan 1 / consumer), Norton, McAfee small business, Webroot. These are fine products, but they aren't what the questionnaire means by EDR.
3. Backups (and the part everyone gets wrong)
The question: "Are backups immutable, offline, or otherwise inaccessible from production systems?"
This is the question that ends most ransomware claims. Attackers don't just encrypt your files anymore — they look for your backup server and delete the backups first. If your backups are on a shared drive or a NAS that production admins can write to, the underwriter will know that's not what they asked for.
What "immutable" means in practice:
- Cloud backups with Object Lock enabled (S3, Wasabi, Backblaze B2) — files can't be deleted or overwritten until the retention period expires, even by the root account.
- Veeam Hardened Linux Repository with one-way write.
- An offline copy (tape, rotated USB) that physically isn't connected.
What doesn't count: "We have backups in OneDrive" (encrypted by ransomware along with everything else). "We have a NAS in the closet" (the same admin credential that owns production owns the NAS).
Ask your IT person: "If a domain admin account got compromised right now, could the attacker delete our backups?" If the honest answer is "yes" or "I'm not sure," your backups don't meet the underwriter's bar.
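S3 Object Lock has two retention modes, and only compliance mode stops every principal, the account root included, from deleting a locked object before retention expires; governance mode can be bypassed by anyone granted `s3:BypassGovernanceRetention`, which is usually the same admin whose credentials the question above is about. As an added example (not part of the original post), this Python evaluates a `GetObjectLockConfiguration` response against the bar described in this section. The three responses are constructed; the optional `fetch_object_lock_config` helper performs the live lookup with boto3 and assumes credentials that can read bucket configuration. S3-compatible providers that implement Object Lock generally return the same shape.

```python
# Constructed responses, not from a real account, in the shape boto3 returns for
# s3.get_object_lock_configuration(Bucket=...).
GOOD = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}}
GOVERNANCE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}}}}
NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}


def retention_days(rule):
    """Convert a DefaultRetention block (expressed in Days or Years) to days."""
    ret = (rule or {}).get("DefaultRetention") or {}
    if "Days" in ret:
        return int(ret["Days"])
    if "Years" in ret:
        return int(ret["Years"]) * 365
    return 0


def evaluate_object_lock(config, min_days=30):
    """Return (meets_bar, reasons). The bar: Object Lock enabled, COMPLIANCE mode,
    and a default retention of at least min_days (min_days is an assumed policy
    value; set it to the retention your carrier or your RPO requires)."""
    lock = (config or {}).get("ObjectLockConfiguration") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        return False, ["Object Lock is not enabled on this bucket"]
    reasons = []
    rule = lock.get("Rule") or {}
    mode = (rule.get("DefaultRetention") or {}).get("Mode")
    if mode is None:
        reasons.append("No default retention rule: objects are only locked if the "
                       "backup software sets retention on each object it writes")
    elif mode == "GOVERNANCE":
        reasons.append("GOVERNANCE mode: principals with s3:BypassGovernanceRetention "
                       "can still delete locked backups")
    elif mode != "COMPLIANCE":
        reasons.append(f"Unrecognised retention mode {mode!r}")
    days = retention_days(rule)
    if days < min_days:
        reasons.append(f"Default retention of {days} days is below the required {min_days}")
    return (not reasons), reasons


def fetch_object_lock_config(bucket):
    """Live lookup. Assumes boto3 is installed and the caller holds
    s3:GetBucketObjectLockConfiguration on the bucket. Returns {} when the
    bucket has no Object Lock configuration at all."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        return s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
            return {}
        raise


if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("governance", GOVERNANCE), ("no-rule", NO_RULE)):
        ok, reasons = evaluate_object_lock(cfg)
        print(f"{label}: {'meets bar' if ok else 'does not meet bar'}", reasons)
```

A passing result here answers the "could a compromised domain admin delete our backups?" question for the cloud copy only; the same admin must also be unable to shorten the retention period or delete the bucket, which is a matter of IAM policy rather than the lock configuration itself.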
4. Privileged access & admin accounts
The question: "Are administrative accounts separate from daily-use accounts, with MFA, and used only for admin tasks?"
Most small businesses fail this one quietly. The owner has a Microsoft 365 Global Admin account that they also use to send invoices. The IT consultant logs in as Domain Admin to check email. One phishing click and the attacker has the keys.
The fix is free: separate accounts. A jane@ account for daily work, and a jane.admin@ account that's only used to log into admin consoles. Both have MFA. Neither shares a password.
5. Email security & phishing
The question: "Do you have advanced email filtering (anti-phishing, link rewriting, attachment sandboxing) and conduct quarterly phishing training?"
Microsoft 365 Business Premium includes Defender for Office 365 Plan 1 — that satisfies most carriers. Google Workspace Standard does not include advanced phishing protection; you'll need to add a third-party gateway or upgrade.
For training, "yes we send a newsletter once a year" doesn't count. Underwriters want a phishing simulation platform (KnowBe4, Hoxhunt, Proofpoint Security Awareness) with quarterly campaigns and tracked click rates.
6. Incident response plan
The question: "Do you have a documented incident response plan, and has it been tested in the last 12 months?"
The honest answer for most SMBs is "we have a Word doc someone wrote three years ago." That's not enough anymore. A real IR plan that satisfies the carrier has:
- Named decision-makers with backup contacts (mobile numbers, not just email)
- Contact info for legal counsel, the cyber insurance broker, and your IR retainer firm
- A communications template for clients and (if regulated) regulators
- A tabletop exercise log — even a one-hour walkthrough counts as "tested"
If you don't have a retainer with an IR firm, get one. Most carriers now require it, and the rates negotiated through your policy are 50-70% cheaper than emergency rates.
7. Vendor / supply chain risk
The question: "Do you maintain an inventory of third-party vendors with access to sensitive data, and assess their security posture?"
This used to be a checkbox. After Kaseya, SolarWinds, and the MOVEit breaches, it's a real question. You don't need a SOC 2 from your coffee vendor, but you do need to know which third parties touch your client data and what their security looks like.
A simple spreadsheet works: vendor name, what data they access, whether they have a SOC 2 or ISO 27001, contract date, renewal date. That's enough for 95% of SMB underwriters.
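As an added example (not from the original post), here is that spreadsheet review as a script: it reads a CSV in the column layout suggested above, flags vendors that touch sensitive data with no SOC 2 or ISO 27001 report on file, and lists contracts renewing within 90 days so a current report can be requested before renewal. The vendor rows are constructed, and the keyword list that decides what counts as sensitive data is an assumption to tune to your own inventory.

```python
import csv
import io
from datetime import date, timedelta

# Constructed inventory with made-up vendors, in the column layout described above.
SAMPLE_CSV = """vendor,data_accessed,attestation,contract_date,renewal_date
Payroll SaaS Co,employee PII,SOC 2 Type II,2023-03-01,2025-03-01
Managed Print Ltd,none,,2022-06-15,2025-06-15
Case Mgmt Cloud,client PII,,2024-01-10,2025-01-10
Doc E-sign Inc,client contracts,ISO 27001,2024-05-20,2026-05-20
"""

# Assumed markers for "sensitive": anything mentioning these counts. Adjust to taste.
SENSITIVE_MARKERS = ("pii", "phi", "client", "card", "financial", "credential")

# Fixed review date so the sample output is reproducible (a real run would use date.today()).
REVIEW_DATE = date(2024, 12, 1)


def is_sensitive(data_accessed):
    text = data_accessed.strip().lower()
    return text not in ("", "none") and any(m in text for m in SENSITIVE_MARKERS)


def review_inventory(csv_text, today, renewal_window_days=90):
    """Return (vendor, issue) pairs an underwriter would ask about."""
    issues = []
    horizon = today + timedelta(days=renewal_window_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["vendor"].strip()
        attestation = row["attestation"].strip()
        renewal = date.fromisoformat(row["renewal_date"].strip())
        if is_sensitive(row["data_accessed"]) and not attestation:
            issues.append((vendor, "touches sensitive data with no SOC 2 / ISO 27001 on file: "
                                   "send a security questionnaire"))
        if renewal < today:
            issues.append((vendor, f"renewal date {renewal} has passed: confirm status and refresh evidence"))
        elif renewal <= horizon:
            issues.append((vendor, f"renews {renewal}: request a current attestation report before renewal"))
    return issues


def review_sample():
    return review_inventory(SAMPLE_CSV, REVIEW_DATE)


if __name__ == "__main__":
    for vendor, issue in review_sample():
        print(f"{vendor}: {issue}")
```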
8. Data classification & encryption
The question: "Is sensitive data encrypted at rest and in transit?"
Modern SaaS (Microsoft 365, Google Workspace, Dropbox Business, etc.) encrypts at rest by default. Modern operating systems encrypt laptops by default if you turn on BitLocker or FileVault. The honest answer is usually yes — but the underwriter wants evidence, not assurances.
Evidence to attach: BitLocker compliance reports from Intune, FileVault status from your MDM, and screenshots of the encryption settings in your SaaS apps. Keep them in a folder labeled "Insurance evidence" and update it once a year.
Where to push back
Questionnaires are written for Fortune 500 companies and then handed to a 25-person firm. Some questions don't apply. Some are asked badly. You can — and should — annotate.
Examples we've used successfully on client questionnaires:
"We do not have a CISO. As a 15-person firm, security is a shared responsibility between the COO (policy and budget owner), our MSSP (24/7 SOC, EDR, identity, and incident response), and outside counsel for regulatory matters. CISO function is fully covered by this structure."
"We do not have a SIEM 'in-house.' Log aggregation, retention (365 days), and 24/7 monitoring are provided by our MSSP via a managed SIEM. Documentation attached."
Underwriters reward clarity. A specific, sourced "no" with explanation almost always scores better than a vague "yes."
The bottom line
The questionnaire isn't trying to trick you. It's the underwriter pricing your risk. If you can answer "yes, here's the evidence" to the eight categories above, you're in the top half of SMB applicants — and you'll see it reflected in your renewal quote.
If you can't, that's not a reason to panic. It's a roadmap. Most SMBs we work with close 80% of the gaps in 60 days, and that's the difference between a 30% premium hike and a 5% one.
Want this audited for your environment?
A 30-minute call. We'll tell you what's already solid, what needs work, and what we'd charge. No deck. No pressure.