
🔐 Top Cyber Liability Insurance Questions (Ranked by Importance)

April 25, 2025 • 3 min read

Cyber liability insurance has become a must-have for small and mid-sized businesses. But qualifying for coverage—and getting claims paid—isn’t as simple as it used to be.

Whether you're running a 25-person law firm, a growing accounting office, or a healthcare practice without in-house IT, you're probably noticing the same trend:

The insurance applications are getting longer. The questions are getting tougher. And "good enough" IT doesn't cut it anymore.

Insurers are now asking about your actual controls—not just whether you have antivirus, but how you protect your business, document your processes, and reduce risk in a meaningful way.

Here are the 12 most important questions we see on cyber insurance applications, ranked by how much they impact eligibility, premium costs, and claim success.


🔐 1. Do you use Multi-Factor Authentication (MFA)?

Where: Email, remote access, admin panels, cloud apps (e.g., Microsoft 365, VPN, EHR)
Why it matters: Most insurers will deny or restrict coverage without MFA in place. It’s a dealbreaker.


💾 2. Do you have encrypted, regularly tested backups?

Why it matters: If ransomware hits and you can’t restore, you’re stuck. Insurers now ask for proof of encryption and testing logs.


🛡️ 3. Do you have Endpoint Detection & Response (EDR) or advanced threat protection?

Why it matters: EDR is the modern replacement for antivirus—it detects threats based on behavior, not just known viruses.


🔄 4. Do you perform regular patching and updates?

Why it matters: 60–80% of breaches happen because of unpatched software. Insurers look for patch cadence documentation.


📚 5. Do you provide security awareness training to all employees?

Why it matters: Human error is the #1 cause of cyber incidents. Training frequency (quarterly or biannually) matters more than a one-time session.


🚨 6. Do you have an incident response plan (IRP) and breach notification process?

Why it matters: Insurers may ask to see your plan. A clear IRP reduces downtime and limits legal exposure in the event of a breach.


👥 7. Do you control and log user access to critical systems?

Why it matters: Role-based access is essential. Shared logins or admin access for everyone is a red flag.


🔚 8. Do you have a formal offboarding process?

Why it matters: Former employees, contractors, or vendors with leftover access are a major risk. Insurers look for policy and checklist documentation.


✉️ 9. Do you use email filtering, DNS filtering, and spam protection?

Why it matters: Phishing is still the most common attack vector. Insurers want more than basic spam filters—they want active threat prevention.


📋 10. Do you have a current risk assessment or audit on file?

Why it matters: Proactive businesses document their risk posture. Insurers see this as a sign of maturity and lower risk.


🛑 11. Do you restrict administrator rights to IT staff only?

Why it matters: Admin privileges should be tightly controlled. Insurers flag flat access models as high-risk environments.


🧾 12. Do you maintain a current software and asset inventory?

Why it matters: You can’t secure what you don’t know you have. An up-to-date inventory supports compliance and accountability.


📄 Pro Tip: Insurers Now Want Proof

For each of these questions, be prepared to provide:

  • Policies and process documentation

  • Screenshots or logs from your security tools (M365, EDR, backup software)

  • Records of employee training and onboarding/offboarding

  • Vendor agreements, BAAs, and access audits


💡 Final Thought

Cyber liability insurance is still a valuable safety net—but only if you can qualify and prove your readiness.

At Big Water Technologies, we help SMBs align their IT environments with insurer expectations using practical frameworks like CIS Controls. We don’t just plug in tools—we document your environment, tighten up your gaps, and help you sleep better knowing you're covered (on paper and in practice).

📩 Want to know how your firm stacks up? Let’s review your setup before you fill out your next insurance application.

John Lowery is the CEO of BigWater Technologies, where he leads with a passion for innovation and excellence in delivering advanced IT solutions. With over two decades of experience in the tech industry, John specializes in strategic planning, operational efficiency, and driving customer success.
