
You Received a Cybersecurity Questionnaire From Your Insurer… Now What?

  • Alan S
  • 1 hour ago
  • 5 min read

If you’re a small or mid-sized business owner, nothing makes your stomach drop quite like an email from your insurance broker that says: “Please fill out this ransomware supplemental application." You click the attachment, and suddenly you’re staring at pages of technical questions about MFA, backups, endpoint monitoring, patching cadence, privileged accounts, and terms you may have never heard before.



So, what is this questionnaire, and why are you suddenly responsible for understanding it?


Why You’re Being Asked to Fill This Out


Cyber insurers are no longer in the business of writing policies without understanding your security posture. Ransomware attacks have exploded over the last few years, and claims are expensive: six- and seven-figure losses are no longer uncommon.


To protect themselves (and to ensure they aren’t insuring a business that’s one click away from a disaster), insurers now require detailed cybersecurity questionnaires. Beazley’s ransomware supplemental form is one of the most common, but nearly every carrier has something similar.


The purpose is simple:

They want to know how well you’re protecting your business, and how likely you are to get hit with ransomware.


The catch?

You must answer accurately.


Guessing or embellishing can lead to claim denials later. If you say you have MFA, but an incident reveals you didn’t have it everywhere, the insurer may walk away entirely. This questionnaire isn't a “pass/fail exam”; it’s a diagnostic. If your answers show gaps, that’s your signal to talk to your insurance broker and an IT consultant about solutions.


Breaking Down the Common Ransomware Supplemental Application (Plain English Edition)


Below is a walk-through of the major sections you’ll typically see in a Beazley-style ransomware application, translated into what they really mean for your business.


1. Multi-Factor Authentication (MFA)


You’ll see questions like:

  • Do you have MFA for remote access?

  • Do you have MFA for admin accounts?

  • Do you have MFA for your email platform?


What this means: The insurer wants to know if hackers can log into your systems using only a stolen password. If MFA isn’t in place across critical systems, the insurer sees you as high-risk. MFA requires an additional factor beyond the password to log in (for example, an SMS code, a push notification, or an authenticator app).


Plain guidance: If you can access something important from the internet, you should have MFA on it.


2. Backups


You’ll see questions about:

  • Backup frequency

  • Offline/immutable backups

  • How long backups are kept

  • Whether backups are tested


What this means: Ransomware destroys or encrypts your data. Insurers want to be sure you can recover without paying the ransom, and that your backups aren’t easily corrupted by attackers.


Plain guidance: You need backups that hackers can’t modify, and you need to test them regularly so you know they work.


3. Endpoint Security (Antivirus/EDR/XDR)


Typical questions:

  • Do you have modern endpoint detection and response tools?

  • Is it installed on all servers and workstations?

  • Is someone actively monitoring alerts?


What this means: Legacy antivirus is no longer enough. Insurers expect real-time threat detection and response tools that can stop active attacks.


Plain guidance: EDR is the new baseline for cyber insurance. If you don’t have it, expect pushback.


4. Privileged Access Management


Questions like:

  • How many users have admin rights?

  • Do admins use separate accounts for day-to-day work?

  • Do you review admin access regularly?


What this means: Attackers love admin accounts. The more admin users you have, the higher the chance that one of those accounts is breached, and a breached admin account lets ransomware spread everywhere.


Plain guidance: Admins should be few, tightly controlled, and rarely used.


5. Patching and Updates


Expect questions about how quickly:

  • Servers are patched

  • Workstations are updated

  • Critical vulnerabilities are addressed


What this means: Unpatched systems are one of the top causes of ransomware. Insurers want to see a structured patching process, not a “we update when we remember” approach.


Plain guidance: Patching needs to be automated and consistent, ideally weekly.


6. Remote Access


Typical questions:

  • Do you use RDP (Remote Desktop)?

  • Can you access your desktop from outside the office?

  • Is your VPN secured with MFA?

  • Do third parties access your systems?


What this means: Remote access is a common entry point. Insurers want assurance that nobody is logging in through unsecured channels.


Plain guidance: If something is open to the internet, it MUST be properly secured or removed.


7. Email Security


You’ll see questions about:

  • Phishing protection

  • SPF/DKIM/DMARC

  • Employee awareness training


What this means: Email is still the #1 way ransomware gets in. Insurers want safeguards and training in place. Some of these require advanced settings in your email platform and DNS; if you rely on out-of-the-box settings, you are lacking in security.


Plain guidance: Spam filtering + user training is non-negotiable.
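As an added example (not from the article), the Python below scores constructed SPF and DMARC DNS TXT records against the baseline an insurer's SPF/DKIM/DMARC question implies, so that a record which exists but is too weak to count (an SPF ending in `+all`, a DMARC policy of `p=none`) is not reported as a “yes”. DKIM is left out because checking it requires the selector names your mail platform uses; all domain names and records here are constructed.

```python
# Added example (not from the article): score constructed SPF and DMARC TXT records
# against the baseline an insurer's "SPF/DKIM/DMARC" question implies. DKIM is left
# out because checking it needs the selector names the mail platform uses.
SAMPLE_ZONES = {  # constructed domains and records
    # Strong: SPF hard-fails unknown senders, DMARC rejects failures.
    "strong-smb.test": {"@": ["v=spf1 include:spf.protection.outlook.com -all"],
                        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong-smb.test"]},
    # Weak: records exist, but +all authorises any sender and p=none only monitors.
    "weak-smb.test": {"@": ["v=spf1 +all"], "_dmarc": ["v=DMARC1; p=none"]},
    # Missing: out-of-the-box DNS with neither record published.
    "none-smb.test": {"@": [], "_dmarc": []},
}

def find_record(txt_records, prefix):
    """Return the first TXT record starting with prefix (case-insensitive), else None."""
    return next((t for t in txt_records if t.lower().startswith(prefix)), None)

def assess_spf(txt):
    """Classify an SPF record as missing, weak or ok by its terminal 'all' mechanism."""
    if txt is None:
        return "missing", "no SPF record published"
    mechanisms = [m.lower() for m in txt.split()[1:]]
    if "+all" in mechanisms or "all" in mechanisms:  # default qualifier is '+'
        return "weak", "SPF ends in +all, which authorises any sender"
    if "-all" in mechanisms or "~all" in mechanisms:
        return "ok", "SPF restricts which servers may send as the domain"
    return "weak", "SPF has no terminal 'all' mechanism"

def assess_dmarc(txt):
    """Classify a DMARC record by its p= policy; only quarantine/reject enforce."""
    if txt is None:
        return "missing", "no DMARC record published"
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    if policy in ("quarantine", "reject"):
        return "ok", f"DMARC p={policy} enforces authentication results"
    return "weak", f"DMARC p={policy or 'absent'} only monitors and blocks nothing"

def assess_domain(zone):
    """Combine both checks; an honest questionnaire 'yes' needs both to be ok."""
    spf = assess_spf(find_record(zone.get("@", []), "v=spf1"))
    dmarc = assess_dmarc(find_record(zone.get("_dmarc", []), "v=dmarc1"))
    return {"spf": spf, "dmarc": dmarc,
            "questionnaire_yes": spf[0] == "ok" and dmarc[0] == "ok"}

if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        print(domain, assess_domain(zone))
```

To check a real domain, replace the constructed lists with the TXT records returned by a DNS lookup of the bare domain and of its `_dmarc` subdomain.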


Minimum Requirements Most SMBs Need to Qualify for Cyber/Ransomware Coverage


While each carrier differs, the industry has generally settled on a common baseline. If you are missing any of the following, expect:

  • Increased premiums

  • Coverage restrictions

  • Outright declines


Here are the minimum requirements for most SMB cyber policies today:

  • Mandatory

    • Multi-Factor Authentication (MFA)

      • Email accounts

      • Remote access

      • Admin accounts

    • Endpoint Detection & Response (EDR) on all systems

    • Offline or immutable backups

    • Regular patching (servers and workstations)

    • Enforced password policies

    • Privileged access controls

    • Email filtering (phishing protection)

    • Security awareness training

    • Supported operating systems (Windows 11+, Server 2022+)

    • Incident response plan (even a basic one)

  • Highly Recommended (and increasingly required)

    • SOC or 24/7 security monitoring

    • Geo-blocking for unnecessary countries

    • Vulnerability scanning

    • Business continuity plan

    • Third-party vendor access controls

If you’re missing even two or three items from this list, you may struggle to secure ransomware coverage at all.


Why Accuracy Matters (Really Matters) on the Cybersecurity Questionnaire


Insurance underwriters don’t expect perfection, but they DO expect honesty.

Answering “yes” to something you’re not actually doing can result in:

  • Claim denials

  • Policy cancellations

  • Financial liability for misrepresentation


Think of the questionnaire as your business’s cybersecurity health check. If the insurer sees a pre-existing issue and you pretended nothing was wrong, they won’t pay for the claim.


What To Do If You’re Not Meeting Requirements


If you discover gaps while filling out the application, that’s not a failure; that’s your opportunity.


Talk to your insurance broker

They can explain what the carrier is looking for and how strict the requirements are.


Talk to an IT expert like Hudson

A qualified MSP or cybersecurity advisor can help you:

  • Understand what each requirement means

  • Prioritize fixes

  • Implement compliant solutions

  • Create policies and documentation insurers expect


This is also where an SMB advisor (like me) can step in: someone who understands both the insurance world and the technology landscape.


Final Thoughts

Cyber insurance has changed, and these questionnaires are here to stay. They may feel overwhelming, but they actually help you strengthen your business against an attack that could otherwise shut you down.


Approach the questionnaire as a roadmap, not an obstacle.


Every requirement represents a control that reduces real risk to your business.

If you’re unsure how to complete it, or discover gaps that you don’t know how to solve, have a conversation with your insurance broker and a trusted IT expert. With the right guidance, you can meet insurer expectations and dramatically improve your overall cybersecurity posture.
