Cyber Insurance Has Become a Financial Gate, Not an IT Purchase

If you are a small business owner who has applied for cyber insurance in the last twelve months, you already know the application has changed. What used to be a one-page form has become a fifteen-page security questionnaire, and the underwriter on the other end is reading every answer with the same skepticism a bank loan officer brings to a financial statement.

Most small business owners still treat cyber insurance like general liability or workers' comp. They fill out the application, send it to the broker, and wait for a quote. Then they get one of three answers nobody warned them about: declined, quoted at a number that wrecks the budget, or quoted with sub-limits and exclusions that make the policy worth a fraction of what they thought they were buying.

The reason is simple. Cyber insurance is no longer a backstop. It is a financial control, and underwriters are reading your application the way an SBA lender reads your three years of tax returns. According to a 2024 Marsh McLennan report, 41 percent of cyber insurance applications are denied on first submission, with missing multi-factor authentication and inadequate endpoint protection cited as the top two reasons. Coalition reported the same year that 82 percent of denied claims involved organizations without MFA fully implemented across their environment.

I have walked small business owners through this process from both sides: helping them prepare the application before submitting, and helping them rebuild controls after a declined quote. Here is what an underwriter reads in your application, in the order they read it, and what each section is really asking.

Section One: Revenue, Records, and Industry

Before the underwriter looks at a single security control, they look at three numbers: your annual revenue, the number of personally identifiable records you store, and your NAICS code. Those three numbers tell them what a worst-case loss looks like.

A medical office with 8,000 patient records is a different risk than a marketing agency with 8,000 contact emails. A defense subcontractor with controlled unclassified information is a different risk than a retail store with point-of-sale data. The underwriter is not judging your business. They are sizing the loss they would have to pay if the worst day happens.

If you under-report your record count to lower the premium, the policy can be voided when a claim is filed and the post-breach forensics show the real number. Honest answers here protect you.

Section Two: Multi-Factor Authentication, Everywhere

This is the question that sinks more applications than any other. The underwriter is not asking whether MFA is available. They are asking whether MFA is enforced on every email account, every remote access path, every cloud admin console, and every privileged account.

"We have it on email" is no longer a passing answer. Insurers now require app-based or hardware-token MFA on email, VPN, remote desktop, Microsoft 365 or Google Workspace admin consoles, and any system that holds customer or financial data. SMS-based MFA is being downgraded or rejected on most carrier applications because of SIM-swap risk; phishing-resistant methods (FIDO2 security keys, passkeys) are the strongest answer for admin accounts. Enforced also means something specific: a policy (security defaults or Conditional Access in Entra ID, 2-Step Verification enforcement in Google Workspace) that refuses the sign-in without a second factor, not that users have been asked to register one. Legacy authentication protocols such as IMAP, POP and SMTP AUTH bypass MFA entirely unless they are blocked, so a tenant with MFA "enforced" and basic authentication still enabled is not what the carrier means by enforced.

What underwriters check: MFA enforced on email, MFA enforced on VPN and remote access, MFA on all admin and privileged accounts, MFA on cloud platforms (M365, Google Workspace, AWS, Azure), and no SMS-only MFA on critical accounts. If any one of these is missing, expect a decline or a surcharge.

Section Three: Backups That Restore

The application asks about backups, but the underwriter is reading for three specific things: that the backups are immutable or air-gapped, that they are tested on a regular schedule, and that the recovery time objective is documented.

"We back up to the cloud" is a yes-no question that lets you pass the form. The underwriting team digs deeper. If your backups live on the same network as production, or the backup console and its storage are reachable with the same domain credentials an attacker holds once production falls, the backups go with it. Immutable means that for the retention window nobody can alter or delete the backup, not even an administrator with valid credentials (object lock or WORM storage, or a copy held offline). Tested means somebody restored from a backup in the last 90 days, confirmed the data came back clean and complete, and wrote down how long it took, because that measured time is the only honest basis for the recovery time objective the form asks for.

I have reviewed environments where the business owner sincerely believed they had backups, until we tried to restore one and learned the backup job had failed silently for the last seven months. That gap is what underwriters are trying to surface.
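What a restore test that would have caught that silent failure looks like, as an added example that is not code from the original post or from any backup product: the tar archive, the JSON manifest written beside it and the 90-day threshold are assumptions chosen for illustration. It restores into scratch space, checks every file hash against what was recorded at backup time, and flags a backup whose last verified run is older than the test interval.

```python
"""Restore test for a file backup: restore the archive into scratch space,
check every file's hash against the manifest recorded when the backup was
taken, and check that the last good backup is recent. Added example, not
code from the original post or any backup vendor: the tar+gzip archive,
the JSON manifest beside it and the 90-day threshold are assumptions made
here to illustrate the 'tested' and 'failed silently' points."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 90  # assumed test interval, matching the "last 90 days" wording


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def write_archive(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())


def take_backup(source: Path, archive: Path) -> dict:
    """Archive source and record the hashes the restore test will be held to."""
    manifest = {"taken_at": datetime.now(timezone.utc).isoformat(),
                "files": build_manifest(source)}
    write_archive(source, archive)
    manifest_path(archive).write_text(json.dumps(manifest))
    return manifest


def restore_test(archive: Path) -> dict:
    """Restore into a scratch directory and diff against the manifest.
    ok is True only when the restored tree matches exactly; anything
    missing, extra or with a different hash is a failed test."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where available (Python 3.12+
            # and backports) so a crafted archive cannot write outside scratch.
            extra_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra_args)
        restored = build_manifest(Path(scratch))
    expected = manifest["files"]
    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    corrupted = sorted(f for f in expected if f in restored and restored[f] != expected[f])
    return {"ok": not (missing or extra or corrupted), "missing": missing,
            "extra": extra, "corrupted": corrupted, "taken_at": manifest["taken_at"]}


def backup_is_fresh(taken_at_iso: str, max_age_days: int = MAX_BACKUP_AGE_DAYS) -> bool:
    """False when the newest verified backup is older than the test interval,
    which is exactly what a job that has been failing silently looks like."""
    age = datetime.now(timezone.utc) - datetime.fromisoformat(taken_at_iso)
    return age <= timedelta(days=max_age_days)


def demo() -> dict:
    """Constructed sample data: a good backup, a partial one whose job
    truncated a file but kept the old manifest (reported success), and a
    timestamp seven months old."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "shared"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        good = Path(work) / "nightly.tar.gz"
        take_backup(source, good)
        clean = restore_test(good)

        (source / "finance" / "ledger.csv").write_text("")  # the silent truncation
        partial = Path(work) / "partial.tar.gz"
        write_archive(source, partial)
        manifest_path(partial).write_text(manifest_path(good).read_text())
        broken = restore_test(partial)

        stale_at = (datetime.now(timezone.utc) - timedelta(days=210)).isoformat()
        return {"clean_ok": clean["ok"], "partial_ok": broken["ok"],
                "partial_corrupted": broken["corrupted"],
                "stale_is_fresh": backup_is_fresh(stale_at),
                "current_is_fresh": backup_is_fresh(clean["taken_at"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point the same two functions at the real archive and manifest on a schedule, keep the report, and the "tested in the last 90 days" answer on the form becomes a file you can hand the underwriter rather than a belief.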

Section Four: Endpoint Detection and Response

Old-school antivirus is not a passing answer in 2026. The underwriter wants to see EDR or MDR coverage on every endpoint, including remote workers and contractors who touch business systems. Brand names matter here because the carrier knows which products produce the telemetry they need during a claim investigation.

If you list "Windows Defender" alone, meaning the free Microsoft Defender Antivirus engine built into Windows, expect a follow-up question; Microsoft Defender for Endpoint or Defender for Business, the licensed product, is an EDR and reads as one. If you list a managed detection and response provider with 24x7 monitoring, the application moves faster and the premium reflects it. The underwriter is reading this section to estimate how fast a compromise gets noticed in your environment, because every hour of dwell time multiplies the eventual loss.

Section Five: Phishing Training and Email Security

Most ransomware events that small businesses suffer start with a phishing email. The underwriter knows it, and they are reading for two controls: an email security gateway that filters malicious attachments and links, and a documented security awareness training program with simulated phishing tests.

"We tell our employees to be careful" is not training. The application is asking for a vendor name, a frequency, and a metric. Most carriers want quarterly phishing simulations at a minimum, with click-rate tracking and follow-up training for repeat clickers. If you cannot name the platform you use, the underwriter assumes you have nothing in place.

The control most owners overlook: external email warning banners. The carrier wants to see that emails from outside your organization are visibly tagged. In Microsoft 365 it is a mail flow rule in Exchange Online (or the newer external sender callout in Outlook), and in Google Workspace it is a Gmail setting in the admin console; either way it takes minutes, not a project, and it raises the bar on phishing detection for every employee. Pair it with DMARC enforcement on your own domain so that a spoofed internal address is rejected rather than merely tagged.

Section Six: Privileged Access and Domain Admin Controls

Underwriters now ask whether domain admin or global admin accounts are separated from daily-use accounts. The reason is direct: when an attacker compromises a domain admin account, the entire environment falls in minutes. When that account is also someone's daily email and web browsing account, compromise is almost guaranteed.

The passing answer is that admins have two accounts; the privileged account is used only for administrative tasks, has no mailbox or license attached to it, is never used to browse the web, and has its own MFA enforcement, phishing-resistant where you can manage it. Most small businesses I assess have one account per person, and that one account does everything. Fixing this is free, takes a week, and changes the underwriting answer.
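A pre-application check covering Section Two (MFA on every account, no SMS-only on privileged ones) and this section (admin roles not sitting on daily-use mailbox accounts), as an added example that is not code from the original post or from Microsoft. The records are constructed and only loosely shaped like the Entra ID user registration details report; the hasMailbox field, the method tiers and the decline/surcharge mapping are assumptions of the example. Registration shows what users can present, not what a policy requires, so it complements a Conditional Access review rather than replacing it.

```python
"""Pre-application audit of MFA coverage and admin account separation.
Added example, not code from the original post or from Microsoft: the
records below are constructed and only loosely follow the field names of
the Entra ID user registration details report (userPrincipalName, isAdmin,
methodsRegistered); hasMailbox and the method strength tiers are
assumptions of this example. Registration data shows what a user *can*
present, not what a policy *requires*, so a clean result here is a
necessary check, not proof that MFA is enforced."""
from dataclasses import dataclass

# Method names as Entra reports them; the tiering is this example's assumption.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound",
                      "windowsHelloForBusiness", "microsoftAuthenticatorPasswordless"}
APP_BASED = {"microsoftAuthenticatorPush", "softwareOneTimePasscode"}
WEAK = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}  # SMS, voice, email

# Constructed sample: what a small M365 tenant often looks like before cleanup.
SAMPLE_USERS = [
    {"userPrincipalName": "ceo@example.com", "isAdmin": True,
     "methodsRegistered": ["mobilePhone"], "hasMailbox": True},
    {"userPrincipalName": "adm-jsmith@example.com", "isAdmin": True,
     "methodsRegistered": ["fido2SecurityKey"], "hasMailbox": False},
    {"userPrincipalName": "jsmith@example.com", "isAdmin": False,
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"], "hasMailbox": True},
    {"userPrincipalName": "bookkeeper@example.com", "isAdmin": False,
     "methodsRegistered": [], "hasMailbox": True},
]


@dataclass
class Finding:
    upn: str
    severity: str  # "decline" (admin-level gap), "surcharge" (user-level gap) or "note"
    issue: str


def strongest_tier(methods) -> str:
    """Best method the user has registered; a weak method alongside an app
    method still counts as app-based, since the app can be required."""
    registered = set(methods)
    if registered & PHISHING_RESISTANT:
        return "phishing-resistant"
    if registered & APP_BASED:
        return "app-based"
    if registered & WEAK:
        return "weak"
    return "none"


def audit(users) -> list:
    findings = []
    for u in users:
        upn, admin = u["userPrincipalName"], bool(u.get("isAdmin"))
        tier = strongest_tier(u.get("methodsRegistered", []))
        gap_severity = "decline" if admin else "surcharge"
        if tier == "none":
            findings.append(Finding(upn, gap_severity, "no MFA method registered"))
        elif tier == "weak":
            findings.append(Finding(upn, gap_severity, "SMS/voice/email is the only second factor"))
        if admin and u.get("hasMailbox"):
            findings.append(Finding(upn, "decline", "privileged role on a daily-use mailbox account"))
        if admin and tier == "app-based":
            # Assumed recommendation, not a carrier rule: admins should be on keys or passkeys.
            findings.append(Finding(upn, "note", "admin without phishing-resistant MFA"))
    return findings


def verdict(findings) -> str:
    """How the application most likely reads: any admin gap is a decline,
    any user gap a surcharge, otherwise pass (severity mapping assumed here)."""
    severities = {f.severity for f in findings}
    if "decline" in severities:
        return "decline"
    if "surcharge" in severities:
        return "surcharge"
    return "pass"


if __name__ == "__main__":
    results = audit(SAMPLE_USERS)
    for f in results:
        print(f"{f.severity:9} {f.upn:28} {f.issue}")
    print("verdict:", verdict(results))
```

Export the real report from the Entra admin center or Graph, feed it in, and every finding becomes a yes/no on the form you are no longer guessing at; the sample tenant above reads as a decline because the CEO's global admin role sits on an SMS-protected mailbox account.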

Section Seven: Incident Response Plan

The application asks if you have a written incident response plan. The underwriter is reading for whether the plan names a specific incident response firm with a retainer, identifies the legal counsel who would handle breach notification, and lists the executive who has authority to make ransom payment decisions. Check that the firm and counsel you name are on the carrier's approved panel or pre-approved in writing; many policies only reimburse panel vendors, and a retainer with a firm the carrier will not pay for is a plan that fails at the first invoice.

A generic "we will call our IT guy" answer fails. The carrier knows from claims history that the first 24 hours of an incident determine whether the loss is contained or catastrophic. They want to see that you have already made the calls you would otherwise be making while the network is on fire.

Section Eight: Vendor and Third-Party Risk

The newest section on most cyber insurance applications asks about your third-party vendors. The Change Healthcare incident in 2024 and the MOVEit breach in 2023 made supply-chain risk a board-level concern, and underwriters are pricing it accordingly.

The carrier wants to know which vendors have access to your customer data, whether you require those vendors to carry their own cyber insurance, and whether you have reviewed their SOC 2 reports or equivalent attestations. Small businesses are often surprised that this question even applies to them, until they list the bookkeeper, the IT provider, the CRM vendor, and the cloud backup service. Each one is a path into your data.

What Happens When the Application Is Wrong

Underwriters do not verify every answer at application time, beyond the external scan of your public-facing assets that many carriers now run for exposed remote desktop, unpatched edge devices and similar findings. They verify the rest after a claim. If your application says MFA is enforced on email and the post-breach forensics show MFA was disabled for the executive who got phished, the carrier can deny the claim under the misrepresentation clause. The premium you paid does not buy you the coverage you thought you had.

The way to protect yourself is to answer the application based on what is deployed and enforced today, not what is on the roadmap. If a control is partially in place, say so and document the exception. The carrier may surcharge you for the gap, but the policy will pay when you need it.

The Quiet Shift Owners Miss

The cyber insurance application is now the de facto cybersecurity baseline for small businesses. Banks reviewing loan covenants, prime contractors flowing down requirements, and clients negotiating MSAs are pulling questions directly from cyber insurance applications and putting them into vendor due diligence questionnaires.

If you cannot pass the cyber insurance application, you will start failing vendor reviews from your customers. The control gaps that decline an insurance quote today are the same gaps that lose a renewal contract tomorrow. Cyber is now a financial gatekeeping issue, not an IT line item.

What To Do Before You Apply

Walk through every question on the application before you submit. If your honest answer is "no" or "partially," fix the control first or document the gap and the timeline to close it. Ask your broker for a copy of the carrier's full questionnaire, not the short pre-qualification form. Get the long form and use it as a project plan.

If you are inside a renewal cycle and the premium just jumped, the surcharges are almost always tied to specific controls the underwriter flagged. Get the specifics from the broker, fix the highest-impact items, and re-market the renewal at the next cycle. I have seen small businesses cut premium by 30 to 40 percent in a single renewal by closing two or three control gaps.

Not Sure How Your Controls Will Read on the Application?

I help small businesses pass the cyber insurance application before they submit it, and rebuild controls after a declined quote. Book a free consultation at https://adamscloudcyber.com and I will walk through the highest-impact gaps in your environment, no sales pitch.
