Essex Junction, VT802-335-2662dkoran@davidkoran.com
David Koran& Associates
Cyber Insurance Readiness Resources

How to Complete a Cyber Insurance Questionnaire Without Guessing

By David W. Koran Published July 17, 2026 Independent cybersecurity advisory

A cyber insurance questionnaire is a set of technical representations that the business, not its vendors, ultimately stands behind. It should be completed using supported evidence from the operating environment, not from memory, assumption, or an unverified statement that someone else handles it. This article describes who should be involved in answering, where answers most often go wrong, and a practical way to gather the evidence before the form is submitted.

The questionnaire itself is not the problem. Carriers ask technical questions because the losses they pay for are technical. The problem develops when a business treats the questionnaire as paperwork to be finished rather than as a description of its environment that someone may later compare against reality. External scans, supplemental questionnaires, and post-incident review all create moments when an answer and the environment are placed side by side.

Timing shapes everything that follows. A business that opens the questionnaire three weeks before the renewal date has time to gather evidence or to answer accurately and explain. A business that opens it three days before the deadline has time only to guess, and guessed answers are where underwriting problems begin. The single most useful habit is to obtain the forms early, before any answering starts.

Who owns the questionnaire

Several parties touch a cyber insurance questionnaire, and the process works best when each stays in its lane.

Business leadership owns the submission. The answers are representations made by the company, and management remains responsible for their accuracy even when the underlying information came from a technician or a vendor. Leadership does not need to understand every control personally, but it does need to know who verified each answer.

The insurance broker manages the insurance relationship: obtaining the right forms, explaining what the carrier is asking, communicating deadlines, and returning the completed package to underwriting. The broker should not be expected to validate technical controls inside the client's environment. That is not the broker's role, and treating it as such places the broker in a position no one benefits from.

Internal IT holds much of the raw information: configurations, inventories, console access, and institutional knowledge of how the environment actually runs. Internal IT should supply evidence, not just answers.

The MSP, where one is engaged, operates some or all of the controls the questionnaire asks about. The MSP should be asked for evidence of the specific controls within its scope, in writing, with the service agreement establishing where its responsibility ends.

An independent security consultant is appropriate when the answers cannot be validated internally, when the environment is complex, or when a prior submission has already produced underwriting problems.

Legal counsel may be appropriate for questions about the legal significance of application representations. That subject is outside this article, which does not provide legal advice.

Where answers most often go wrong

The recurring problems on completed questionnaires are rarely fabrications. They are unexamined assumptions:

  • MFA answered as fully deployed when coverage is partial
  • EDR reported on all endpoints when some devices never received the agent
  • Administrator accounts that no one has inventoried, including shared and service accounts
  • Backups described as reliable when restoration has never been tested
  • Remote access paths that were never fully listed, including vendor and MSP connections
  • Vendor responsibilities assumed rather than confirmed against the contract
  • Encryption claims that no one can trace to a specific configuration
  • Network diagrams that describe the environment as designed years ago
  • Written policies that do not match what employees actually do
  • Yes-or-no questions answered yes because the honest answer is complicated

Each of these produces the same downstream event: an answer the business cannot support when the underwriter, an external scan, or a later review asks for the basis behind it.

These problems also persist across renewal cycles for a structural reason: questionnaires are usually answered fresh each year, by whoever is available, without reference to what was submitted last time or to what has changed since. The employee who answered the previous form may have left. The MSP contract may have been renegotiated. New locations, new cloud services, and new equipment arrived without anyone reopening the answers they affect. A business that keeps its prior submission, the evidence behind it, and a short record of what changed during the year converts the annual questionnaire from an act of memory into an act of reconciliation, which is both faster and considerably safer.

Why an unqualified yes may be too broad

Most questionnaire trouble concentrates in scope. The control exists somewhere, so the box gets checked, but the question reached further than the control does. Consider what the gap looks like in practice:

  • MFA protects email but not VPN access, and the question asked about remote access generally.
  • EDR covers laptops but not servers, and the question asked about all endpoints.
  • Backups exist but are reachable with the same administrator credentials an attacker would hold, and the question asked about protected or isolated backups.
  • Security training occurs informally but is not documented, and the question asked about a training program.
  • An incident-response plan exists as a template, unassigned and unexercised, and the question asked whether the business maintains one.

In each case the accurate answer is narrower than yes. Whether the right course is to qualify the answer, remediate before submission, or ask the broker to clarify what the carrier means is a decision for the business, made with its broker and, where appropriate, its counsel. What should not happen is a broad yes recorded because nobody checked the boundaries of the control.

A practical approach to gathering evidence

Evidence collection does not need to be elaborate. A workable sequence for a small or midsize business looks like this:

  1. Obtain the complete questionnaire and any supplemental forms from the broker before answering anything.
  2. Assign each technical question a single owner: the person or provider who operates that control.
  3. Ask each owner for the answer and the artifact behind it: a console report, a configuration export, a log, a test record, or a written procedure.
  4. Compare the artifacts against a current asset inventory. Coverage claims mean nothing without knowing the population of systems they apply to.
  5. Record where each answer came from, so that six months later the business can reconstruct the basis for its submission.
  6. Flag every question where the artifact does not exist, is out of date, or does not cover the whole environment.

The flags produced in the last step are the real output of the exercise. They are the difference between what the business believed and what it can support. The control areas that most often produce flags, and what proof looks like for each, are described in Cyber Insurance Requirements: What a Business Must Be Able to Prove.

A single question, walked through the sequence, shows what the discipline looks like. The form asks whether MFA is enforced for all remote access. The owner is the MSP, which manages both the VPN and the identity platform. The request to the MSP is specific: an enforcement report from the identity provider and the VPN authentication configuration. The report comes back showing MFA enforced for the office staff group but not for three legacy accounts used by a warehouse application, and the VPN turns out to accept password-only logins from two vendor accounts. Compared against the asset inventory, the answer to the question as asked is no, with a short list of exactly what stands between no and yes. That is a better position than a yes recorded in good faith and contradicted later, because the business now knows the boundary of the control and the cost of moving it.

What to do when an answer cannot be fully supported

An unsupported answer is a decision point, not a dead end. The business has several legitimate paths, and choosing among them is management's call:

  • Answer accurately, with a qualification or explanation where the form allows one
  • Remediate the control before submission, when the timeline permits
  • Ask the broker to seek clarification from the carrier about what the question requires
  • Commission an independent assessment when the business cannot establish the facts internally

What matters is that the choice is made deliberately, by someone who understands both the state of the control and the significance of the representation. Whichever path the business takes, the decision and its basis are worth recording at the time it is made. A short note stating what was known, what was asked, and why the answer was given the way it was costs a few minutes during the submission and can save considerable difficulty if the answer is ever examined later. How much weight different kinds of support can carry, from direct technical validation down to unsupported assumption, is the subject of The Cyber Insurance Application Is Asking for Evidence, Not Assurances.

Involving the MSP without outsourcing the answer

Most small and midsize businesses will need their MSP's help to complete the questionnaire, and there is nothing wrong with that. The provider operates the controls and holds the consoles. The distinction to preserve is between the MSP as a source of evidence and the MSP as the party answering for the business.

Ask the provider for specific artifacts tied to specific questions: the MFA enforcement report, the EDR coverage report against the device inventory, the backup logs and the most recent restoration test, the list of its own access paths into the environment. Ask in writing. A provider that operates the controls competently can produce these without difficulty. Where the provider's answer is a verbal assurance that everything is handled, treat that as a starting point that still requires support, not as a completed answer. The service agreement, not memory, defines what the provider is responsible for; everything outside that boundary remains the business's responsibility.

Two practical cautions complete the picture. First, the MSP should not be treated as the underwriter: the provider's opinion that the environment is fine is not the question the form is asking, and a provider placed in the position of blessing the whole submission has been given a role that belongs to management. Second, where the MSP's commercial interest and the evidence request intersect, for example when the honest answer would reveal a gap in the provider's own service delivery, the business should expect the conversation to require some care. Most providers respond professionally to a specific, written evidence request. The rare case where evidence is promised and never arrives is itself information.

When the provider's statements and the observable environment need to be reconciled independently, that reconciliation is one of the core functions of a cyber insurance audit.

A questionnaire completed from evidence takes longer than one completed from memory. It is also the only version worth submitting, because it is the only version the business can stand behind when someone asks what the answers were based on.

When the answers cannot be validated internally, an independent Cyber Insurance Readiness Assessment can establish the current state of the controls, identify the gaps affecting underwriting, and document the evidence before the submission goes back through the broker to the carrier.

About the Author

David W. Koran is the founder of David Koran & Associates Inc., an independent cybersecurity advisory practice. His background is more than 30 years in information technology with a cybersecurity specialization dating to 2002, including work in manufacturing and other regulated operational environments. He holds the CyberAB Registered Practitioner Advanced credential, is a Certified ISO 27001 Auditor, and holds the Cisco CCCA. He conducts independent cyber insurance readiness assessments nationally. Contact: dkoran@davidkoran.com or 802-335-2662.

Next Step

Discuss a Cyber Insurance Readiness Assessment

When a business cannot determine whether its cyber insurance application answers are fully supported, an independent assessment can establish the operating reality, identify the underwriting gaps, and define the remediation work required before the account returns to the carrier.

Sources: FTC, Cybersecurity for Small Business: Cyber Insurance (developed with the National Association of Insurance Commissioners); NAIC, Cybersecurity insurance topic overview; NAIC Cybersecurity (H) Working Group, Cyber Insurance Report, noting tightened underwriting, improved cyber hygiene expectations, and policy terms that may require insureds to maintain specific security controls; CISA, Cross-Sector Cybersecurity Performance Goals; NIST, Cybersecurity Framework; Coalition, Essential Cyber Insurance Requirements, an example of controls a single carrier publicly discusses. Requirements vary by carrier, policy, organization, industry, limits, and risk profile, and the insurer retains the underwriting decision. Nothing in this article is legal or insurance coverage advice.