TACGauge by TACMinds

What Insurers Actually Ask Before Issuing a Cyber Insurance Policy in 2025

Cyber insurers now ask 40+ technical questions before issuing a policy. Most SMBs can't answer them accurately. Here's exactly what they ask — and how to prepare.

3 April 2026

Cyber insurance used to be straightforward. You filled out a short form, paid a premium, and received coverage. That era is over.

In 2025, insurers are rejecting claims — not because the incident wasn't covered, but because the answers on the application didn't match the reality of the organisation's security posture. The technical questionnaire has become the single biggest obstacle between an SMB and the coverage it needs.

What Insurers Are Actually Asking

Modern cyber insurance applications from providers like Chubb, AIG, Coalition, and Beazley now include between 30 and 60 technical questions. These aren't general questions about your business. They are specific, measurable security controls.

Identity and Access

  • Is multi-factor authentication (MFA) enforced for all remote access including email, VPN, and cloud applications?
  • Are privileged administrator accounts separated from standard user accounts?
  • Is there a formal process for removing access when employees leave?

Endpoint Protection

  • Is Endpoint Detection and Response (EDR) deployed on all endpoints, including servers?
  • How frequently are operating system patches applied? Within 14 days? 30 days?
  • Are USB ports and removable media controlled?

Backup and Recovery

  • Are backups stored offline or air-gapped, separate from the primary network?
  • When was the last backup restoration test performed?
  • What is your Recovery Time Objective (RTO)?

Incident Response

  • Do you have a documented incident response plan?
  • Has it been tested in the last 12 months?
  • Do you have a designated incident response contact or retainer?

Vendor and Third-Party Risk

  • Do you assess the cyber security posture of critical third-party vendors?
  • Are vendor access permissions reviewed regularly?

Why SMBs Struggle to Answer These

The problem is not that SMBs lack security controls. Most have some. The problem is they have no structured, documented view of what they have and where the gaps are.

When an IT manager guesses on a cyber insurance form — and most do — they either overstate their controls (which creates claim rejection risk) or understate them (which inflates premiums unnecessarily).

Insurers have noticed this pattern. In 2024, Coalition reported that 61% of claims involved misrepresentation on the original application. This is not fraud — it is guesswork.

The Premium Impact of a Documented Assessment

Organisations that can provide a documented technology maturity assessment alongside their insurance application consistently receive better outcomes:

  • Lower premiums, because the insurer can accurately price the actual risk
  • Faster underwriting, because the assessor has evidence rather than self-reported answers
  • Stronger negotiating position at renewal, because improvement year-over-year is visible

A benchmarked maturity score across identity, endpoint, data protection, and incident response gives the insurer exactly what they need to make a confident decision.

What a Cyber Security Assessment Covers

A structured cyber security maturity assessment maps directly onto the domains insurers care about most:

| Assessment Domain | Insurance Question Answered |
|---|---|
| Identity & Access Management | MFA, privileged access, offboarding |
| Endpoint Security | EDR, patching cadence, device control |
| Data Protection | Encryption, classification, DLP |
| Backup & Recovery | Offline backups, RTO, recovery testing |
| Incident Response | IR plan, testing, retainer |
| Network Security | Segmentation, firewall rules, remote access |
| Vulnerability Management | Scanning frequency, remediation timelines |
| Third-Party Risk | Vendor assessment process |

When each domain is scored against a maturity model — Initial, Developing, Defined, Managed, Optimised — the resulting report tells a clear story to an insurer.

The Claim Rejection Risk You Need to Understand

If your organisation suffers a ransomware attack and files a claim, the insurer will conduct a forensic review. If they find that MFA was not actually enforced company-wide — despite the application stating it was — the claim can be denied on grounds of material misrepresentation.

This is increasingly common. Sophos reported in their 2024 State of Ransomware report that the average ransomware recovery cost for an SMB was $1.85 million. If the claim is denied because the application overstated security controls, that entire cost falls on the organisation.

A pre-application assessment eliminates this risk. You know exactly what you have, you report it accurately, and the coverage reflects reality.

How Your IT Consultant Can Help

An IT consultant or MSP running a structured cyber security assessment on your behalf can:

  1. Identify your current maturity score across all 8 domains
  2. Produce a documented gap analysis showing exactly what is missing
  3. Generate a 90-day remediation roadmap to close critical gaps before the insurance application
  4. Provide a benchmarked report that can be submitted alongside the insurance form as supporting evidence

This turns a stressful, guesswork-heavy application process into a structured, evidence-backed one.
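The gap analysis in steps 1 and 2 only has value if every answer on the form is backed by evidence rather than a guess. The script below is an added illustration of that idea, not TACGauge's tooling or report format: it takes a small, constructed inventory (endpoint list, MFA status per remote-access surface, backup and IR test dates) and derives a yes/no answer with supporting evidence for the questionnaire items quoted earlier, using the 14-day patch window and 12-month test window those questions name. Host names, dates and the four-domain subset are assumptions for the example; a real assessment would pull this data from the identity provider, EDR/MDM console, backup system and IR test records and cover all eight domains.

```python
"""Derive evidence-backed questionnaire answers from inventory data.

Added example, not TACGauge's own tooling. All inventory values below are
constructed; the 14-day patch SLA and 12-month test window come from the
questions quoted in the article.
"""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2026, 4, 3)  # constructed assessment date

# Constructed evidence. In practice this comes from the IdP, EDR/MDM
# console, backup platform and the incident response plan's test log.
ENDPOINTS = [
    {"host": "ws-01", "role": "workstation", "edr": True, "last_patch": date(2026, 3, 28)},
    {"host": "ws-02", "role": "workstation", "edr": True, "last_patch": date(2026, 2, 20)},
    {"host": "srv-file", "role": "server", "edr": False, "last_patch": date(2026, 3, 30)},
]
REMOTE_ACCESS_MFA = {"email": True, "vpn": True, "crm-saas": False}  # surface -> MFA enforced
BACKUPS = {"offline_copy": True, "last_restore_test": date(2025, 1, 20)}
IR_PLAN = {"documented": True, "last_tested": date(2025, 6, 10), "retainer": False}


@dataclass
class Answer:
    domain: str
    question: str
    answer: bool          # what goes on the form
    evidence: list[str]   # why, so the answer survives a post-claim forensic review


def days_old(d: date, as_of: date) -> int:
    return (as_of - d).days


def identity_answers(mfa_by_surface: dict) -> list[Answer]:
    # "All remote access" means every surface; one unenforced surface is a No.
    missing = [s for s, on in mfa_by_surface.items() if not on]
    return [Answer("Identity & Access Management", "MFA enforced for all remote access?",
                   not missing,
                   [f"MFA not enforced: {s}" for s in missing] or ["all surfaces enforced"])]


def endpoint_answers(endpoints: list, as_of: date, patch_sla_days: int = 14) -> list[Answer]:
    no_edr = [e["host"] for e in endpoints if not e["edr"]]
    stale = [(e["host"], days_old(e["last_patch"], as_of)) for e in endpoints
             if days_old(e["last_patch"], as_of) > patch_sla_days]
    return [
        Answer("Endpoint Security", "EDR on all endpoints including servers?",
               not no_edr, [f"no EDR: {h}" for h in no_edr] or ["all endpoints covered"]),
        Answer("Endpoint Security", f"OS patches applied within {patch_sla_days} days?",
               not stale, [f"{h} last patched {d} days ago" for h, d in stale] or ["all within SLA"]),
    ]


def backup_answers(backups: dict, as_of: date, max_test_age_days: int = 365) -> list[Answer]:
    test_age = days_old(backups["last_restore_test"], as_of)
    return [
        Answer("Backup & Recovery", "Backups stored offline / air-gapped?",
               backups["offline_copy"], [f"offline copy: {backups['offline_copy']}"]),
        Answer("Backup & Recovery", "Restore test within the last 12 months?",
               test_age <= max_test_age_days, [f"last restore test {test_age} days ago"]),
    ]


def ir_answers(plan: dict, as_of: date, max_test_age_days: int = 365) -> list[Answer]:
    test_age = days_old(plan["last_tested"], as_of)
    return [
        Answer("Incident Response", "Documented incident response plan?",
               plan["documented"], [f"documented: {plan['documented']}"]),
        Answer("Incident Response", "Plan tested in the last 12 months?",
               test_age <= max_test_age_days, [f"last tested {test_age} days ago"]),
        Answer("Incident Response", "Designated IR contact or retainer?",
               plan["retainer"], [f"retainer: {plan['retainer']}"]),
    ]


def assess(endpoints, mfa_by_surface, backups, plan, as_of=AS_OF) -> list[Answer]:
    return (identity_answers(mfa_by_surface) + endpoint_answers(endpoints, as_of)
            + backup_answers(backups, as_of) + ir_answers(plan, as_of))


def gap_report(answers: list[Answer]) -> dict[str, list[str]]:
    """Domain -> evidence lines behind every 'No': the remediation list."""
    gaps: dict[str, list[str]] = {}
    for a in answers:
        if not a.answer:
            gaps.setdefault(a.domain, []).extend(a.evidence)
    return gaps


if __name__ == "__main__":
    answers = assess(ENDPOINTS, REMOTE_ACCESS_MFA, BACKUPS, IR_PLAN)
    for a in answers:
        print(f"[{'YES' if a.answer else 'NO '}] {a.domain}: {a.question} ({'; '.join(a.evidence)})")
    print("Gaps to close before applying:", gap_report(answers))
```

With the constructed data, the script answers No on five of the eight items and names the exact host, surface or date behind each one, which is the difference between an application that overstates controls and one that can be defended in a post-incident review.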

Frequently Asked Questions

Do cyber insurers require a formal security assessment? Most do not require it, but insurers give significantly better terms to organisations that can provide documented evidence of their security posture. Premiums can differ by 20–40% based on demonstrated controls.

What is the most common reason cyber insurance claims are denied? Material misrepresentation on the application — specifically around MFA enforcement, backup isolation, and incident response planning. These are the three controls insurers scrutinise most in post-incident reviews.

How long does a cyber security maturity assessment take? A structured AI-powered assessment typically takes 10–15 minutes to complete and produces an immediate benchmarked report. There is no need for a multi-week engagement.

Can I use an assessment report for multiple insurers? Yes. A technology maturity report is insurer-agnostic. You can share the same report with multiple underwriters when shopping for the best premium.

What if the assessment reveals gaps before the insurance renewal? This is the ideal outcome. A gap report gives your IT team or MSP a prioritised remediation list. Closing critical gaps before application means you qualify for better coverage at lower cost.


TACGauge enables IT consultants and MSPs to run structured cyber security maturity assessments for their clients in 10 minutes. The resulting report covers all 8 domains that cyber insurers evaluate — producing a benchmarked score, gap analysis, and 90-day roadmap ready for insurer review.
