How to Answer a Cyber Insurance Questionnaire for Your Firm
Clients and insurers are asking about MFA, endpoint protection, and backup testing. Most small firms have no idea what these terms mean in that context, and a wrong answer can void coverage.

A form lands in your inbox from your insurance broker. It is a cyber insurance questionnaire, and it is full of terms you do not use every day. Do you enforce MFA? Do you run EDR on all endpoints? Are your backups immutable? You read it twice and think, “I have no idea, and I do not want to guess.”
Here is why guessing is dangerous. Checking “yes” on something you do not actually have feels harmless. It is not. If you have a claim later and the insurer finds the answer was wrong, they can deny it. The wrong answer can void the coverage you paid for.
Here is the short version. Cyber insurance questionnaires ask whether your firm has a short list of security basics. The big five are multifactor authentication on every account, real endpoint protection (EDR) on every computer, backups that cannot be tampered with, email filtering that blocks phishing, and a written plan for what to do if you get hacked. You should answer honestly, with proof, not from memory. If you cannot truthfully say yes, the fix is to put the control in place, not to check the box and hope. Getting these right also lowers your premium.
Let us go through each question in plain English, so you know what they are really asking and how to answer it.
Answer honestly, every time, and with proof if you can.
First, why this form matters so much
You carry insurance because you are careful. That is smart, and getting this questionnaire right protects the very coverage you are paying for. So this is worth slowing down for.
Two things have changed. Insurers used to take your word for it. Now they want evidence, like screenshots and reports, not just a checkbox. And they reject a lot of applications. Industry data shows a large share of cyber insurance applications get denied on the first try, most often for missing MFA or weak endpoint protection. So a sloppy form does not just risk a future claim. It can cost you the policy now.
The good news: firms that can prove these controls qualify faster and pay less, often noticeably less. So getting to a real “yes” pays you back.
Question 1: Do you enforce MFA?
In plain English, the question is: when someone logs in, do they need a second step beyond the password? A code from an app, a tap on the phone, a tap on a security key. That second step is multifactor authentication (MFA).
Insurers usually want MFA in three places: email, remote access (like a VPN or remote desktop), and admin accounts (the powerful logins that control everything). They may ask for proof, like a screenshot of the policy that forces it on.
How to answer. Only check “yes” if MFA is actually turned on and required, not just available. If it is on for email but not remote access, say so. If it is not on at all, the fix is simple and fast, and you should do it before you submit. We cover the why in our post on what small firms get wrong about passwords.
Question 2: Do you run EDR on all endpoints?
This one trips up firms because it sounds like antivirus. It is not the same thing.
Plain English first. An endpoint is any computer, laptop, or server your team uses. EDR (Endpoint Detection and Response) is modern security software that watches each device for bad behavior, catches threats in real time, and can isolate a machine automatically if it gets hit. It is a big step up from the old antivirus that just scanned for known viruses.
Here is the catch. The free antivirus that came with Windows, or an old basic antivirus product, usually does not count. Insurers specifically want EDR, real-time detection and response, on every machine, including servers.
How to answer. Check “yes” only if you actually have EDR (or its managed cousin, MDR, where a team watches it for you) running on all devices. If you only have basic antivirus, the honest answer is no, and EDR is the fix. It takes a couple of weeks to roll out across a firm.
Question 3: Are your backups immutable and tested?
Backups are where ransomware does its worst damage, so insurers dig in here.
Plain English. The question has two parts. Immutable means the backup cannot be changed or deleted once it is made, not even by an attacker who breaks in. Tested means you have actually restored from it and proven it works. A backup you have never tested is a guess, not a safety net.
Why they ask. When ransomware hits, attackers go after the backups first, because a firm with good backups will not pay the ransom. The vast majority of ransomware victims see their backups targeted. So insurers want backups that are out of reach (immutable) and an off-site or offline copy.
How to answer. Say “yes” only if your backups are protected from tampering and you have done a real test restore. If your backup is just a drive someone copies files to, that is not immutable, and the honest answer is no. This is the heart of the 3-2-1 backup idea we cover in our post on protecting your BIM files.

Question 4: Do you filter email for phishing?
Most attacks start in the inbox, so this question is about your front door.
Plain English. Email filtering is a layer that scans incoming mail and blocks the dangerous stuff: phishing (fake emails that trick people into giving up passwords or clicking bad links), spoofed senders, and malware attachments. The basic junk filter is a start, but insurers usually mean a real anti-phishing layer.
How to answer. If you have email security beyond the default junk folder, say so and name it. If you are relying on nothing but the basic filter, that is worth strengthening before you submit. It is an easy, cheap upgrade.
Question 5: Do you have an incident response plan?
The last big one is not software. It is a plan.
Plain English. An incident response plan is a simple written document that says what your firm does if you get hacked. Who you call first. How you isolate the problem. Who tells clients. Where the backups are and who restores them. It does not need to be fancy. It needs to exist and be written down.
Why they ask. In a real attack, the firms that recover fast are the ones who already decided what to do. The firms that panic and improvise lose days. A plan is the difference.
How to answer. Be honest. If you have a written plan, say yes. If your “plan” is “we would figure it out,” that is a no, and writing a simple one is the fix. Even a one-page plan counts for more than nothing.
How to answer the whole form the right way
Pull it together with a simple approach.
Answer honestly, every time. A truthful “no” keeps your coverage valid. A false “yes” can void a claim when you need it most. Never trade real protection for a checkbox.
Answer with proof. Insurers increasingly want evidence, so gather the screenshots and reports as you go. If you cannot prove it, treat it as a no until you can.
Close the gaps before you submit. Most of these controls are quick to put in place, and doing so both wins the policy and lowers the premium. Do not file the form first and fix it later.
For example, let’s say your form has three honest “no” answers: no MFA on remote access, basic antivirus instead of EDR, and an untested backup. Fix those three, then submit. You will likely get approved faster and pay less, and your coverage will actually hold up if you ever need it.
We will help you answer it truthfully, and well
You should never have to guess on a form that protects your firm. We translate the questionnaire into plain English, tell you honestly where you stand, and close the gaps so your “yes” answers are true and provable. Then we hand you the evidence the insurer wants.
We help small architecture and engineering firms around Knoxville get their cyber insurance controls in place and documented. So you qualify, you pay less, and your coverage actually holds when it matters.
If a cyber insurance questionnaire is sitting in your inbox, give us a call. We will go through it with you and make every answer one you can stand behind. For the bigger picture of who manages this at your firm, see our post on the accidental IT person.
Key takeaways
- Cyber insurance questionnaires test for five basics: MFA on all accounts, EDR on every device, immutable and tested backups, email phishing filtering, and a written incident response plan. Missing MFA and weak endpoint protection are the top reasons firms get denied.
- Answer honestly and with proof. Insurers now want evidence, not just checkboxes, and a false “yes” can void your coverage when you file a claim. A truthful “no” keeps the policy valid.
- Close the gaps before you submit. Most of these controls are quick to add, and putting them in place both wins the policy and lowers your premium, while making your firm genuinely harder to hack.
Would your firm pass a cyber insurance questionnaire today?
We will walk through the questionnaire with you, tell you honestly where you stand on MFA, EDR, and backups, and close the gaps so every answer is true and provable. No obligation, no sales pitch.
Sources: Minimum Cyber Insurance Requirements: The Controls Checklist (SeedPod Cyber), 5 Requirements to Get Cyber Insurance in 2025 (Aldridge), Cyber Insurance Requirements (MoneyGeek)
