Essex Junction, VT802-335-2662dkoran@davidkoran.com
David Koran& Associates
Cyber Insurance Readiness Resources

The Cyber Insurance Application Is Asking for Evidence, Not Assurances

By David W. Koran Published July 17, 2026 Independent cybersecurity advisory

The cyber insurance application is not the problem. The problem arises when the company cannot support its answers with evidence from the operating environment. An application is a representation of the business made by the business, and the underwriting process increasingly treats it that way: answers may be compared against external scans, supplemental questionnaires, and requests for documentation. A business that submits assurances where evidence is expected has created a gap it will eventually have to close.

This article examines where common assurances fail, proposes a practical hierarchy for weighing the support behind an answer, and lays out a sequence a business can follow before submission or renewal.

The application is a representation of the environment

When a business submits a cyber insurance application, it is describing its own environment to a party that will price risk based on the description. Management retains responsibility for the submitted answers even when the technical information came from an MSP, an employee, or a consultant, because the business, not its vendors, is the applicant. The legal significance of any particular representation is a matter for counsel, and nothing here is legal advice. The operational point stands on its own: the company should know what its answers are based on, and it should be able to produce that basis when asked.

That standard is not exotic. It is the same standard the business applies to its financial statements, its safety records, and its regulatory filings. Cybersecurity answers have simply joined the category of statements that need support behind them.

Why the gap develops

The gap between answers and evidence rarely develops through carelessness. It develops through ordinary business history. The company grew, and controls that covered everything at twenty employees cover most things at eighty. IT responsibility changed hands, from an employee to an MSP, or from one MSP to another, and knowledge of the environment thinned at each handoff. Systems were added for immediate operational reasons, and their security configuration was whatever the installer left behind. Documentation was written once, for an audit or a customer, and never revisited. Each step was reasonable. The cumulative result is an environment nobody fully knows, being described on a form that assumes somebody does.

Recognizing this pattern matters because it changes the remedy. If the gap were caused by negligence, the answer would be discipline. Because it is caused by accumulated change, the answer is inventory and verification: establishing what exists now, who is responsible for it, and what the evidence shows, before the next representation is made.

Where assurances fail

The statements below are heard in nearly every assessment. None of them is dishonest. Each of them, offered as a complete answer, may require qualification or evidence.

"Our MSP handles that." The service agreement defines what the MSP handles, and it is usually narrower than the sentence implies. Everything outside the contracted scope remains the business's responsibility, and the MSP's own remote access into the environment is itself a control the application may ask about.

"We have MFA." On which systems, for which users, enforced or merely available? MFA on email with unprotected VPN access is a different environment than the unqualified sentence describes.

"Everything is backed up." Backed up where, how often, with what isolation, and when was a restoration last tested? A backup reachable with the same administrator credentials an attacker would capture may not satisfy a question about protected backups.

"All systems are encrypted." Encryption at rest, in transit, on laptops, on servers, on backups? The claim usually traces to one configuration on one class of device, extended by assumption to everything else.

"Employees receive training." A program with content, a schedule, and completion records is supportable. A memory of a session held at some point is not.

"We have an incident-response plan." A plan with assigned roles, current contacts, and evidence of review or exercise is a capability. An unmodified template in a shared drive is a document.

"The firewall blocks outside access." Firewall rules accumulate. Port forwards, vendor exceptions, and remote support paths added over years frequently contradict this sentence, and external scans used in underwriting will find the ones that face the internet.

"We do not have operational technology." Manufacturers, processors, and building operators often say this while running production equipment, controllers, or building systems on the network. The answer excludes exactly the systems an underwriter would most want to know about.

"The cloud provider handles security." Cloud platforms operate on shared responsibility. The provider secures the platform; the customer configures the tenant, the identities, and the data protections. Most cloud-related losses occur on the customer's side of that line.

An evidence hierarchy

Not every answer requires the same depth of support, and treating all support as equal is its own mistake. A practical hierarchy, from strongest to weakest:

  1. Direct technical validation. The control was tested or independently confirmed in the environment: the enforcement was exercised, the restoration was performed, the configuration was inspected at the source.
  2. Configuration and system reports. Console output, configuration exports, and coverage reports generated from the systems themselves.
  3. Logs and testing records. Operational history showing the control functioning over time: backup logs, patch histories, training completions, exercise records.
  4. Written documentation. Policies, procedures, diagrams, and contracts. Valuable, but only to the degree they match practice.
  5. Management or vendor attestation. A statement by a responsible party. A legitimate starting point, and sometimes the only available support, but it is a claim rather than a demonstration.
  6. Unsupported assumption. The answer everyone believes and no one has checked. This level should not appear behind any submitted answer.

Different findings may reasonably rest at different levels. The discipline is in knowing which level each answer rests on, and in refusing to let level six masquerade as level one. This hierarchy is the same logic behind the finding classifications used in a formal cyber insurance audit, where verified, observed, and management-attested findings are deliberately distinguished.

One question, traced through the levels, shows how the hierarchy works in practice. The application asks whether backups are protected from unauthorized access and tested. At level six, the office manager believes the IT company takes care of backups. At level five, the MSP states in an email that backups run nightly and are secure. At level four, the service agreement describes a backup service with offsite copies. At level three, backup job logs show nightly completion for the past year. At level two, the backup console shows the protected repository configuration and the separate credential set guarding it. At level one, a test restoration of a production system was performed last quarter and documented. A business at level one can answer the question and produce the file. A business at level five has an email. Both may check the same box; only one can support it.

When the application exposes a governance problem

Sometimes the exercise of supporting the application reveals something larger than a missing control. No one can say who owns cybersecurity decisions. The asset inventory does not exist, so no coverage claim can be scoped. Vendors have access no one tracks. Policies describe an environment that stopped existing two upgrades ago. These are governance findings, and the application did not create them; it surfaced them.

That surfacing is useful if the business treats it that way. Assigning ownership, building the inventory, and reconciling policy with practice improve the company's position with every future counterparty that asks about its security: carriers, customers, auditors, and regulators. Frameworks such as the NIST Cybersecurity Framework and CISA's Cross-Sector Cybersecurity Performance Goals give a business an organized structure for that work, which is one reason organizations aligned to a recognized framework tend to find insurance questionnaires easier to support.

Ownership is the place to start, because every other correction depends on it. In many small and midsize businesses, cybersecurity responsibility sits in the space between an office manager who administers accounts, an MSP that manages devices, and an owner who signs the application. Each assumes one of the others is watching the whole. Naming a single accountable person inside the business, even part time and even without deep technical skill, changes the dynamic: someone now has the standing to ask the MSP for evidence, to keep the inventory current, and to notice when a policy and the practice underneath it have drifted apart. The application did not require that appointment. It simply made its absence visible.

What to do before submission or renewal

A business that wants its next submission to rest on evidence rather than assurance can follow a straightforward sequence:

  1. Identify the responsible parties: who owns the submission, and who owns each control.
  2. Obtain the full questionnaire and any supplemental forms from the broker before answering.
  3. Map each technical question to a control owner, internal or MSP.
  4. Gather the evidence behind each answer: reports, configurations, logs, records, and contracts.
  5. Resolve inconsistent answers, particularly where two owners describe the same control differently.
  6. Identify remediation blockers: the answers that cannot honestly be given yet, and what it would take to change that.
  7. Ask the broker to clarify carrier-specific requirements where a question is ambiguous.
  8. Conduct an independent assessment when the answers cannot be validated internally.

Two features of this sequence deserve emphasis. The first is that it front-loads the uncomfortable discoveries. Inconsistent answers and remediation blockers found in step five or six, weeks before the deadline, are working problems; the same items discovered by an underwriter after submission are underwriting problems, and the difference in leverage is considerable. The second is that the sequence produces an artifact trail as a byproduct. A business that follows it once has, at the end, a mapped questionnaire, a named owner for every control, and a folder of evidence tied to each answer. The next renewal starts from that position instead of from zero, which is the closest thing to a shortcut this subject offers.

The mechanics of steps three through five, including who should be in the room and what to request from an MSP, are covered in How to Complete a Cyber Insurance Questionnaire Without Guessing. The control areas the questions most often reach, and what proof looks like for each, are described in Cyber Insurance Requirements: What a Business Must Be Able to Prove.

An application supported by evidence is a stronger submission on the day it goes in, and a defensible one on every day after.

When the business cannot close the gap between its answers and its evidence on its own, an independent Cyber Insurance Readiness Assessment can establish the operating reality, identify the underwriting gaps, guide the remediation, and validate the completed work in a report the business and its authorized broker can return to the carrier. The underwriting decision, as always, remains with the insurer.

About the Author

David W. Koran is the founder of David Koran & Associates Inc., an independent cybersecurity advisory practice. His background is more than 30 years in information technology with a cybersecurity specialization dating to 2002, including work in manufacturing and other regulated operational environments. He holds the CyberAB Registered Practitioner Advanced credential, is a Certified ISO 27001 Auditor, and holds the Cisco CCCA. He conducts independent cyber insurance readiness assessments nationally. Contact: dkoran@davidkoran.com or 802-335-2662.

Next Step

Discuss a Cyber Insurance Readiness Assessment

When a business cannot determine whether its cyber insurance application answers are fully supported, an independent assessment can establish the operating reality, identify the underwriting gaps, and define the remediation work required before the account returns to the carrier.

Sources: FTC, Cybersecurity for Small Business: Cyber Insurance (developed with the National Association of Insurance Commissioners); NAIC, Cybersecurity insurance topic overview; NAIC Cybersecurity (H) Working Group, Cyber Insurance Report, noting tightened underwriting, improved cyber hygiene expectations, and policy terms that may require insureds to maintain specific security controls; CISA, Cross-Sector Cybersecurity Performance Goals; NIST, Cybersecurity Framework; Coalition, Essential Cyber Insurance Requirements, an example of controls a single carrier publicly discusses. Requirements vary by carrier, policy, organization, industry, limits, and risk profile, and the insurer retains the underwriting decision. Nothing in this article is legal or insurance coverage advice.