
For Michigan firm owners who don't have time to become IT experts but are still the ones signing the form
You're a managing partner. Or the firm owner. Or the one person whose name ends up on everything that matters.
Including the cyber insurance questionnaire.
You don't have time to become a cybersecurity expert. You're running a practice, managing clients, keeping the lights on. So when the renewal comes around, you hand it to your office manager or IT person, they check some boxes, and you sign it.
Here's the problem: those boxes now carry legal weight. Insurers aren't just asking questions anymore: they're verifying answers. And if something goes wrong, they're not asking your IT person what happened. They're asking you.
This guide is for firm owners who need to understand what they're attesting to without becoming the IT department.
"MFA on all accounts" means multi-factor authentication on every system that touches client data. Not just email.
Your office manager probably checked "yes" because you have MFA on Microsoft 365. That's a start. But insurers are asking about the full picture: remote access, cloud apps, your practice management software, client portals, accounting platforms.
If any of those allow password-only access, you have a gap. And that gap becomes your problem when a claim gets filed.
The question to ask your IT person: "Can someone log into any of our systems with just a password? Show me."
Shared logins do count against you. And this one trips up more small firms than almost anything else.
"Everyone uses the same login" feels efficient when you're a 12-person shop. Less confusion, faster onboarding. But shared logins mean no accountability. When something goes wrong, and eventually something will, you can't prove who did what.
Insurers specifically ask: Do all users have individual accounts? Is MFA enabled on each? Can you produce audit logs showing who accessed what?
Shared logins fail all three.
The question to ask: "Do we have any shared logins? QuickBooks? The office email? Vendor portals?" If the answer involves "everyone knows the password," that's the gap.
"Audit logging" means logs that show who accessed what, when, and from where. Especially for anything containing client data.
You don't need to understand log files. You just need to know they exist, they're turned on, and they're kept for at least 90 days.
Many firms have logging available but not enabled. Or enabled but overwritten every 30 days. That's not good enough anymore.
The question to ask: "If we had an incident tomorrow, could you show me who accessed what system last month? Can you pull that report right now?"
The endpoint question means software that actively watches your computers for threats, not just old-school antivirus.
Here's where firm owners get burned: you upgraded to Microsoft 365 Business Premium because someone said it included security tools. It does. But out of the box, most of those tools are turned off or running on default settings that don't protect anything.
You're paying for the toolkit. Nobody configured it.
It's like buying a security system for your office and never setting the alarm code. The sticker's on the door. The sensors are in place. Nothing's actually armed.
The question to ask: "We have Business Premium: what's actually turned on? Show me the dashboard."
If you attest to controls that aren't actually in place, your claim gets denied. And you may face additional liability for misrepresentation.
This is the part most firm owners don't realize: when you sign that questionnaire, you're attesting, legally, that those controls are in place. Not planned. Not "we're working on it." In place, right now, with evidence.
"Our IT person said it was handled" isn't a defense. Neither is "we were planning to do that."
The question to ask yourself: "For every 'yes' on this form, could I show an auditor the proof? Right now?"
The questionnaire should be filled out by someone who knows what's in place, not what's planned. And ideally, not the same person who set everything up.
The pattern I see constantly: the IT person fills out the questionnaire, and they're also the one who configured the systems. They're grading their own homework. Nobody's verifying.
You don't need to fill it out yourself. But you need to know what you're signing. And you need someone checking the work before your name goes on it.
The question to ask: "Before I sign this, can you show me documentation for the items we're saying 'yes' to?"
You don't have time to audit your own systems. But you can ask five questions before you sign the next renewal:
MFA: "Can anyone log into anything with just a password?"
Individual accounts: "Do we have any shared logins anywhere?"
Logs: "If something happened, could you show me who accessed what last month?"
Tools vs. configuration: "What security tools are actually turned on, not just licensed?"
Proof: "For every 'yes' on this form, can you show me the evidence?"
If the answers are vague, that's your gap. And it's better to find it now than during a claim.
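One way to make those five questions concrete before a renewal is to keep a short inventory of every system that touches client data and run the questions against it. The script below is an added example, not something from the original post or from Big Water Technologies. The inventory, the field names, the tool names and the evidence filenames are all constructed; the point is that each "yes" on the form only holds when every relevant system passes and a piece of evidence is on file.

```python
"""Questionnaire readiness check over a constructed system inventory.

Each 'yes' on the cyber insurance form is checked system by system: MFA,
individual accounts, audit logs kept at least 90 days, security tools that are
configured (not merely licensed), and evidence on file for every claim.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MIN_LOG_RETENTION_DAYS = 90  # retention floor stated in the post


@dataclass
class SystemRecord:
    name: str
    holds_client_data: bool
    password_only_login: bool                        # any path that accepts only a password
    shared_accounts: List[str] = field(default_factory=list)
    logging_available: bool = False
    logging_enabled: bool = False
    log_retention_days: int = 0
    evidence: List[str] = field(default_factory=list)  # exports/screenshots on file


@dataclass
class SecurityTooling:
    """Firm-level security tooling: what is licensed versus what is switched on."""
    licensed: List[str] = field(default_factory=list)
    configured: List[str] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)


def check_mfa(systems: List[SystemRecord]) -> List[str]:
    return [f"{s.name}: password-only login possible" for s in systems if s.password_only_login]


def check_individual_accounts(systems: List[SystemRecord]) -> List[str]:
    return [f"{s.name}: shared login '{acct}'" for s in systems for acct in s.shared_accounts]


def check_logs(systems: List[SystemRecord]) -> List[str]:
    """Logging must exist, be enabled, and be retained long enough, for client-data systems."""
    gaps = []
    for s in systems:
        if not s.holds_client_data:
            continue
        if not s.logging_available:
            gaps.append(f"{s.name}: no audit logging available")
        elif not s.logging_enabled:
            gaps.append(f"{s.name}: logging available but not enabled")
        elif s.log_retention_days < MIN_LOG_RETENTION_DAYS:
            gaps.append(f"{s.name}: logs kept {s.log_retention_days} days, need {MIN_LOG_RETENTION_DAYS}")
    return gaps


def check_tooling(tooling: SecurityTooling) -> List[str]:
    return [f"{t}: licensed but not configured" for t in tooling.licensed if t not in tooling.configured]


def check_evidence(systems: List[SystemRecord], tooling: SecurityTooling) -> List[str]:
    gaps = [f"{s.name}: no evidence on file" for s in systems if s.holds_client_data and not s.evidence]
    if tooling.configured and not tooling.evidence:
        gaps.append("security tooling: no configuration export on file")
    return gaps


def readiness_report(systems: List[SystemRecord], tooling: SecurityTooling) -> Dict[str, List[str]]:
    return {
        "MFA": check_mfa(systems),
        "Individual accounts": check_individual_accounts(systems),
        "Logs": check_logs(systems),
        "Tools vs. configuration": check_tooling(tooling),
        "Proof": check_evidence(systems, tooling),
    }


def safe_to_answer_yes(report: Dict[str, List[str]]) -> Dict[str, bool]:
    """A question may be answered 'yes' only when it has no open gaps."""
    return {question: not gaps for question, gaps in report.items()}


# Constructed sample inventory for a small firm (not real data).
INVENTORY = [
    SystemRecord("Microsoft 365", True, False, [], True, True, 90, ["m365-mfa-policy-export.json"]),
    SystemRecord("Practice management app", True, True, [], True, False, 0, []),
    SystemRecord("QuickBooks", True, True, ["office-admin"], True, True, 30, ["qb-user-list.pdf"]),
    SystemRecord("Vendor portal", False, False, ["shared-firm-login"]),
]
TOOLING = SecurityTooling(
    licensed=["endpoint-detection", "conditional-access", "device-management"],  # constructed names
    configured=["conditional-access"],
    evidence=[],
)

if __name__ == "__main__":
    report = readiness_report(INVENTORY, TOOLING)
    for question, gaps in report.items():
        print(f"{question}: {'OK' if not gaps else 'GAP'}")
        for gap in gaps:
            print(f"  - {gap}")
```

Run it against a real inventory and any question with gaps listed under it is one where "yes" cannot be signed yet. The "Proof" check is deliberately separate from the control checks: a system can be configured correctly and still fail the form if nobody exported the evidence.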
You built your firm on trust. Your clients trust you with their most sensitive information: legal matters, medical records, financial data. Your insurer is asking whether that trust is backed by real controls.
The firms handling renewals confidently aren't the ones with the biggest IT budgets. They're the ones where the person signing the form actually knows what's been attested to and can prove it.
You don't need to become an IT expert. You just need to ask the right questions before your name goes on the dotted line.
Keep IT Simple. Prove before you claim.
Big Water Technologies helps Michigan firm owners prepare for cyber insurance renewals, so you can sign with confidence, not crossed fingers. If you want to know what you're actually attesting to before your next renewal, let's talk.