How to Answer Cyber Insurance Renewal Questions Without Voiding Your Policy

If your cyber insurance renewal showed up this year looking twice as long as the one you filled out before, you’re not imagining it, and you didn’t do anything wrong. The application got longer because the people writing the checks got burned, and they’re asking sharper questions now. None of it is exotic. Most of what they want to see is boring, basic hygiene — the same stuff that actually keeps a small business out of trouble in the first place. Here’s what changed and how to answer it straight.

Why your renewal application got longer

The current crop of cyber insurance applications came out of three specific claims from 2023 and 2024.

The MOVEit breach surfaced on May 28, 2023, when Progress Software got its first reports of odd activity from customers. The Cl0p ransomware group had been quietly exploiting a then-unknown flaw in Progress Software’s MOVEit Transfer file-sharing tool — some researchers picked up activity as early as February that year. By the end of 2023, more than 2,650 organizations and over 66 million people had been caught up in it, and the totals kept climbing into 2024. Carriers wrote a lot of checks. After that, they started asking a lot more about the software vendors who touch your data.

Then came the Change Healthcare ransomware attack in February 2024, which froze US healthcare claims processing for weeks. The attacker got into the network on February 12, 2024, and set off the ransomware on February 21, and the fallout hit pharmacies, providers, and patients nationwide. HIPAA Journal’s reporting pointed to one detail that mattered more than the rest: there was no multifactor authentication on a key way in, and that’s how the intruder got the first foothold. Analysts have put the cyber insurance loss from that single event north of $250 million. The carriers’ response was tighter questions about whether your backups can survive an attack and whether you’d actually be able to recover.

The Arup deepfake fraud, also early 2024, changed how underwriters think about social engineering. A finance employee at the engineering firm’s Hong Kong office wired out $25.6 million across 15 transfers after a video call with what looked like the company’s CFO and a few other executives. Every person on that call was an AI-generated fake. Nobody caught it for about a week, until the employee reached out to Arup headquarters asking about a “secret transaction.” Now “do you call people back on a known number before you send money” is on every underwriter’s list.

Here’s where you land in all this. If you run an online store handling card data, a healthcare practice sitting on patient records (PHI), an accounting or law firm moving client money, or a real estate brokerage holding escrow, your application is the longest one in the pile. Not because anyone thinks you’re careless — because those are the exact buckets where carriers took losses.

The backup question changed

The backup question has tightened a lot since 2023. It used to be one yes/no box. Now it wants to know whether your backups are immutable or air-gapped, when you last tested a restore, and whether someone with your domain administrator password could delete them.

You’ll see wording on the form like: “Are backups stored in an immutable or air-gapped state, tested for restoration within the past 12 months, and inaccessible to domain administrator credentials?”

Let me translate. An immutable backup is one nobody can change or delete for a set window of time — including someone holding a stolen admin password. Air-gapped means the backup lives somewhere your everyday production network simply can’t reach. CISA’s Stop Ransomware Guide lists immutable, tested backups as a baseline control, and that’s the same bar most cyber insurance carriers now hold you to.

“We back up Microsoft 365” doesn’t clear it on its own anymore. The retention built into Microsoft 365 isn’t a backup in the way the carrier means the word, and a third-party backup that lives behind the same logins as your production tenant can be wiped by one compromised global admin.

The strongest answer points to a backup platform with object lock or write-once-read-many storage turned on, an immutability window of at least 14 days (30 is the preferred number now), credentials kept separate from your production admin accounts, and a restore test you actually ran recently. A weaker answer — daily backups to a NAS on the same network, no recent restore test — usually kicks off follow-up questions and sometimes a higher premium. The answers that leave immutability fuzzy are the ones most likely to push your renewal toward sub-limits or a flat non-renewal.
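As an added example (not code from the original post), here is a small check that turns the criteria above into something you can run against your own backup bucket settings. It takes the dict shape that boto3's `s3.get_object_lock_configuration()` returns, plus the date of your last restore test, and reports whether the setup would clear the carrier's bar; the two sample configurations are constructed, and nothing here calls AWS.

```python
"""Assess an S3 backup bucket's Object Lock settings against the renewal bar.

Added example, not code from the original post. It takes the dict shape that
boto3's s3.get_object_lock_configuration() returns plus the last restore-test
date, and checks the article's criteria: at least 14 days immutable (30
preferred), not bypassable with admin credentials, restore tested within 12
months. The samples are constructed; nothing here calls AWS.
"""
from datetime import date, timedelta
from typing import Optional

MIN_DAYS = 14                    # floor the article says carriers accept
PREFERRED_DAYS = 30              # the window carriers now prefer
RESTORE_TEST_MAX_AGE = timedelta(days=365)


def assess_backup(lock_config: dict, last_restore_test: Optional[date], today: date) -> dict:
    """Return {'passes': bool, 'findings': [...], 'warnings': [...]}."""
    findings, warnings = [], []
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled: backups can be deleted at will")
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = rule.get("Mode")
    # GOVERNANCE retention can be lifted by any principal holding the
    # s3:BypassGovernanceRetention permission, so it does not satisfy
    # "inaccessible to administrator credentials"; COMPLIANCE cannot be
    # shortened by anyone, including the account root, until it expires.
    if mode == "GOVERNANCE":
        findings.append("Retention mode is GOVERNANCE: privileged credentials can bypass it")
    elif mode != "COMPLIANCE":
        findings.append("No default retention rule: objects are locked only if the writer sets it")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < MIN_DAYS:
        findings.append(f"Retention window is {days} days, below the {MIN_DAYS}-day floor")
    elif days < PREFERRED_DAYS:
        warnings.append(f"Retention window is {days} days; carriers prefer {PREFERRED_DAYS}")
    if last_restore_test is None or today - last_restore_test > RESTORE_TEST_MAX_AGE:
        findings.append("No documented restore test in the past 12 months")
    return {"passes": not findings, "findings": findings, "warnings": warnings}


# Constructed sample: locked in COMPLIANCE mode for 30 days (the strong answer).
STRONG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
          "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
# Constructed sample: locked, but only in GOVERNANCE mode for 7 days.
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
if __name__ == "__main__":
    print(assess_backup(STRONG, date(2025, 3, 15), date(2025, 6, 1)))
    print(assess_backup(WEAK, None, date(2025, 6, 1)))
```

Run it against the real response from your backup bucket and keep the output with your restore-test screenshots; the GOVERNANCE-mode finding is the one most owners miss, because the bucket looks locked until someone with the bypass permission deletes the objects.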

MFA questions go deeper than one checkbox

MFA used to be a single yes/no. Now the form wants to know whether it’s turned on for email, VPN, remote desktop (RDP), every administrator account, and your privileged service accounts. You need a yes on all five to pass clean.

Text-message MFA is now treated as the weak option. SIM-swap attacks and SS7 flaws have made codes sent over text the softest factor on the menu. A lot of carriers ask specifically whether your MFA runs through an authenticator app, a hardware token, or push with number matching, rather than SMS. If your admin accounts are still on text codes, expect a follow-up question or a bump in price.

The one most owners haven’t run into is the privileged access management (PAM) question. PAM is a tool that keeps your administrator passwords out of the regular password manager. It locks those credentials in a vault, swaps them out each time they’re used, and logs every session — so a stolen admin password can’t quietly run loose for weeks before anyone notices.

A strong answer describes a vaulting tool with credentials rotated on use and session logging on. A weaker one — admin passwords in a shared password manager, rotated once a year — usually triggers follow-up. Shared admin accounts that never rotate and leave no record of who used them are the setup most likely to land you in sub-limits or non-renewal.

Will they deny you cyber insurance if you don’t have MFA everywhere? Not always outright. What you’ll see instead is a real premium increase, sub-limits on ransomware coverage, or an exclusion for anything that traces back to the gap you left open.

The wire transfer and deepfake verification questions

After Arup and a long run of business email compromise losses, carriers put callback verification questions on the application. Callback verification just means that before money goes out above a set amount (often $10,000 or $25,000), the person sending it calls the recipient on a phone number you already had on file — not the number sitting in the request email.

You’ll see wording like: “Does your organization require out-of-band verification using a previously known phone number for all funds transfer requests above [threshold], including requests appearing to come from executives?”

A lot of current applications also ask, separately, whether your staff have been trained on AI voice cloning and deepfake video. Arup is the reason that question now shows up for anyone writing coverage in professional services.

If you’re an accounting firm, a law firm with escrow or trust accounts, or a real estate broker, this is the section they’ll read hardest. Anyone moving other people’s money is an easy target and an expensive claim when a wire fraud attempt succeeds.

The strong answer points to a written wire transfer policy: callback verification to a known number for anything over your stated threshold, two people approving the transfer, and yearly social-engineering training that covers deepfakes. An informal “we usually check” with nothing written down gets flagged for follow-up. Wires approved on an email reply alone are the setup carriers are now refusing to cover at all.

EDR, MDR, and the end of the “we have antivirus” answer

Old-school antivirus checks files against a list of known bad ones. EDR — Endpoint Detection and Response — watches how each device behaves and flags the weird stuff, like a process trying to encrypt your files or grab admin rights it shouldn’t have. MDR — Managed Detection and Response — is that same technology plus a real team watching the alerts around the clock and stepping in when something fires at 2am on a Sunday.

The application wants to know whether you’ve got EDR deployed, whether it covers 100% of your devices including servers, and whether a 24/7 security operations center (SOC) is watching and responding to the alerts. The MDR question is increasingly a straight yes or no, and a no costs you on price.

If you don’t have MDR yet but you’re planning to add it, say that plainly and give a date. An underwriter can work with “MDR scheduled for Q2, vendor already chosen.” They can’t do anything with a vague “we’re looking into it.”

The vendor risk questions

Supply chain used to be one yes/no line. After MOVEit and Change Healthcare, carriers want a whole section on the software vendors holding your data.

Expect something like: “List your top five software vendors with access to sensitive data and confirm whether each provides a SOC 2 Type II report or equivalent.” If you’ve never asked your practice management or case management vendor for a SOC 2 report, that’s a conversation that’s overdue.

Nobody expects you to audit every vendor’s security program line by line. The carrier wants to see that you know who your top vendors are, what data they’re holding, and that you’ve at least asked the basic question: do you have a SOC 2? An honest “we’ve identified our top five and requested SOC 2 reports from three, two still outstanding” reads a lot better than a confident answer that falls apart the minute someone checks.

The mistake that can cost you everything: misrepresentation and rescission

This is the one to pay attention to. The most expensive answer on a cyber insurance application is the one that claims a control you don’t actually have.

A cyber insurance application is a warranty document. That’s a legal way of saying every box you check is a promise. If a forensic investigation after a claim finds your environment didn’t match what you wrote down, the carrier can rescind the policy.

Rescission means the policy is treated as if it never existed. Your claim is denied, and any earlier payouts under that same policy term can be clawed back. And here’s the part that catches people: some courts have ruled the carrier doesn’t even have to show that the thing you misrepresented caused the loss. The misrepresentation by itself is enough.

So the fix is simple, even if it doesn’t feel good in the moment. If the form asks about MFA on all admin accounts and you’ve got a gap, say so, and add a date you’ll have it fixed. Carriers will take an honest gap with a plan over a polished answer that won’t survive a forensic review.

Checking “no” or “in progress” might raise your premium or tighten your terms. That’s a known, predictable cost. A misrepresentation found after a claim can wipe out the whole policy, and by then you’re carrying the full cost of the incident yourself. I’d take the higher premium every time.

The 30-day pre-renewal checklist

Work through this in order. Most of it is doable in a month if you start now.

Week 1. Confirm MFA is on for email, VPN, remote desktop, every administrator account, and any service accounts that support it. Move admin MFA off text codes and onto an authenticator app or a hardware token.

Weeks 1–2. Check that your backups are immutable or air-gapped. Run a test restore, and document it — date and screenshots.

Week 2. Write a one-page wire transfer policy: callback verification to a known phone number for any transfer over your chosen threshold. Have everyone who can authorize a payment sign it.

Weeks 2–3. Confirm EDR is on every device and every server. If all you’ve got is traditional antivirus, get quotes for EDR or MDR now so you can answer with a real timeline.

Week 3. Identify your top five software vendors and request SOC 2 reports or equivalent attestations. Write down who answered.

Weeks 3–4. Document or update your incident response plan, then run a 60-minute tabletop exercise with your leadership team. Keep the notes — that’s your proof you “tested in the past 12 months.”

Week 4. Sit down with the application and answer honestly. Flag anything you couldn’t fix, with a specific date you’ll have it done.

FAQs

What does rescission mean on a cyber insurance policy?

Rescission means the carrier voids the policy from day one after finding a material misrepresentation on your application. The policy is treated as if it never existed, your current claim is denied, and any earlier payouts under the same policy term can be clawed back.

Will my cyber insurance be denied if I don’t have MFA on everything?

Not always outright. What’s more common is a significant premium increase, sub-limits on ransomware coverage, or an exclusion for any incident that traces back to the unprotected entry point. The gap that trips most people up is MFA on privileged or service accounts.

What is the difference between EDR and MDR on an insurance application?

EDR (Endpoint Detection and Response) is the technology that watches how a device behaves and flags suspicious activity. MDR (Managed Detection and Response) is that same technology plus a 24/7 team watching the alerts and responding. Carriers increasingly want both, and the application often asks about each one separately.

Why are cyber insurance renewal applications longer than they used to be?

Carriers added detailed sections in response to specific 2023 and 2024 losses — the MOVEit supply-chain breach, the Change Healthcare ransomware incident, and the Arup deepfake wire fraud. Each one drove changes to the backup, MFA, vendor risk, or wire transfer questions on later applications.

Can my cyber insurance claim be denied if I answered the application incorrectly?

Yes. A material misrepresentation on a cyber insurance application can trigger rescission, which voids your coverage retroactively. Many courts have found the carrier does not need to prove a causal link between the misrepresentation and the specific loss.

What does immutable backup mean on a cyber insurance application?

It’s a backup that can’t be modified or deleted for a defined retention period, even by someone using stolen administrator credentials. Cloud object lock and write-once-read-many storage are the common ways to do it. Most carriers want a window of at least 14 days, with 30 days now preferred.