If you renewed a cyber insurance policy recently, you may have had this experience: you open the questionnaire, scroll through it, and realize you cannot confidently answer half the questions. Do you have EDR? Are your backups immutable? Do you have DMARC configured? The form is not asking whether your business is safe in any general sense. It is asking about specific controls, by name, and expecting a clear yes or no.
That is the part that catches most small business owners off guard. Not the length of the form. The vocabulary.
Before I go further, a quick note: I am not an insurance agent, and nothing here is insurance advice. Talk to your broker about coverage questions. What I can speak to is the security side of the questionnaire.
Why the questionnaire looks the way it does
Years of heavy ransomware claims have pushed cyber insurers to tighten their policies. Coverage used to be close to a checkbox. Today, insurers want evidence that your business has specific security controls in place, and many of them are aligning their questionnaires to the CIS Controls, an industry framework published by the Center for Internet Security. The questions are not arbitrary, and they reflect what the broader security community considers a reasonable baseline for a business your size.
Think of it like auto insurance
Insurers price coverage based on risk, and risk is shaped by the safeguards already in place. Auto insurers charge less for a car with airbags, anti-lock brakes, and a driver with a clean record. Cyber insurance is similar. The safety features built into your business directly affect whether you can get a policy and what you pay for it. Adding controls costs money, but the math often works in the owner’s favor: a lower premium and a business that is harder to attack. For many small businesses, the savings on the premium can offset the entire security investment.
Knowing what you have
Here is where owners can get stuck. The questionnaire asks about controls in technical language, and it can be tricky to understand whether your business has them. A few examples of what tends to feel out of reach but usually isn’t:
- EDR (endpoint detection and response). Modern protection on laptops and servers that watches for suspicious behavior, not just known viruses. Readily available, and in many cases already bundled in software you own, but it has to be deployed and configured.
- Immutable or offline backups. Backups that ransomware cannot reach back and encrypt. Often a configuration change in a backup product you already own.
- SPF, DKIM, and DMARC. Settings that stop attackers from impersonating your domain in email. These live in your DNS and can usually be configured in an afternoon.
- MFA on admin accounts and remote access. Frequently already available in the tools you pay for, but you need to enforce it.
The pattern is the same across most of the list. Patching, encryption on endpoints, secure remote access, removing former employees’ accounts, and security awareness training with phishing simulations are all common practices that close gaps and strengthen your defenses. None of these are exotic, enterprise-only technologies.
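To make the "do you have SPF and DMARC" line item concrete, here is an added example (my own code, not part of the original post or any MSP's tooling) that turns the two DNS TXT records into the yes/no answer the questionnaire wants, plus the findings an IT provider would raise. The records below are constructed samples; the domain names and mailbox addresses in them are placeholders. For a real domain you would paste in the output of `dig TXT yourdomain.com +short` and `dig TXT _dmarc.yourdomain.com +short`; the script itself makes no network calls.

```python
"""Offline reader for SPF / DMARC / DKIM TXT records, mapped to questionnaire answers.

Added example for illustration; sample records are constructed, not real domains.
"""

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps a record at 10 in total).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def _parse_tags(txt):
    """Parse 'k=v; k=v' style records (DMARC, DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(txt):
    """Return mechanisms, modifiers and the qualifier on 'all', or None if not an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    mechanisms = [t for t in terms if "=" not in t]
    modifiers = dict(t.split("=", 1) for t in terms if "=" in t)   # redirect=, exp=
    all_term = next((m for m in mechanisms if m.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None
    elif all_term[0] in "+-~?":
        qualifier = all_term[0]
    else:
        qualifier = "+"                      # bare 'all' means pass, same as '+all'
    return {"mechanisms": mechanisms, "modifiers": modifiers, "all_qualifier": qualifier}


def parse_dmarc(txt):
    """Return the DMARC tag dict, or None if the record is not v=DMARC1."""
    tags = _parse_tags(txt)
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dkim_has_key(txt):
    """True if a selector record (selector._domainkey.domain) carries a public key.

    The selector name comes from your mail provider, so it cannot be discovered
    from the domain alone; an empty p= means the key was revoked.
    """
    return bool(_parse_tags(txt).get("p"))


def assess_email_auth(spf_txt, dmarc_txt):
    """Map records to questionnaire-style answers plus a list of findings."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None

    spf_enforced = False
    if spf is None:
        findings.append("No SPF record published")
    elif spf["all_qualifier"] in ("-", "~"):
        spf_enforced = True                  # fail or softfail for everyone else
    elif spf["all_qualifier"] == "+":
        findings.append("SPF ends in +all: any sender passes, which is no protection")
    else:
        findings.append("SPF has no -all/~all terminator: unauthorized senders are not failed")
    if spf is not None:
        lookups = sum(
            1 for m in spf["mechanisms"]
            if m.lstrip("+-~?").split(":")[0].split("/")[0].lower() in LOOKUP_MECHANISMS
        ) + ("redirect" in spf["modifiers"])
        if lookups > 10:                     # only counts this record, not nested includes
            findings.append(f"SPF needs {lookups} DNS lookups; receivers stop evaluating after 10")

    dmarc_enforced, policy = False, None
    if dmarc is None:
        findings.append("No DMARC record at _dmarc.<domain>")
    else:
        policy = dmarc.get("p", "").lower() or None
        if policy in ("quarantine", "reject"):
            dmarc_enforced = True
        elif policy == "none":
            findings.append("DMARC policy is p=none: monitoring only, spoofed mail still lands")
        else:
            findings.append("DMARC record is missing a valid p= tag")
        if "rua" not in dmarc:
            findings.append("No rua= address: you will never see the aggregate reports")

    return {"spf_enforced": spf_enforced, "dmarc_enforced": dmarc_enforced,
            "dmarc_policy": policy, "findings": findings}


# Constructed sample records (placeholder domains), one per typical state.
SAMPLE_RECORDS = {
    "enforced": ("v=spf1 include:_spf.mailprovider.example ip4:192.0.2.10 -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"),
    "monitor_only": ("v=spf1 include:_spf.mailprovider.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"),
    "missing": ("v=spf1 include:_spf.mailprovider.example", None),
}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        result = assess_email_auth(spf_txt, dmarc_txt)
        print(f"{name}: SPF enforced={result['spf_enforced']}, "
              f"DMARC enforced={result['dmarc_enforced']} (p={result['dmarc_policy']})")
        for finding in result["findings"]:
            print("   -", finding)
```

The yes/no the insurer is after corresponds to `spf_enforced` and `dmarc_enforced` both being true; a `p=none` DMARC record is the most common reason a business believes it has DMARC when, for the questionnaire's purposes, it does not.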
This is exactly the kind of work an MSP is built to handle. A good provider can take the questionnaire, walk through it line by line, tell you what you already have, what is a quick configuration change, and what genuinely requires new investment. What feels overwhelming on paper can be broken down into a manageable project plan.
Before your next renewal
Start ninety days early. Walk through the questionnaire with your IT provider before you submit it. Identify the gaps, decide which ones to close, and ask your broker to quote the policy both before and after the upgrades. You may find that closing the gaps drops your premium enough to pay for the work itself and leaves you with a business that is genuinely safer.
The bigger picture
Cyber insurance has quietly become a forcing function for small business security. The questionnaire is the clearest signal most owners get about where their defenses actually stand. The vocabulary can be intimidating, but the controls behind the vocabulary are within reach for almost any business in the 5 to 50 employee range. Treat the questionnaire as paperwork and you will keep paying more for less coverage. Treat it as a roadmap, get the right help, and you can end up with stronger security, better coverage, and a smaller bill at the end of it.