How to Fill Out a Cyber Insurance Questionnaire

July 7, 2026

A cyber insurance questionnaire looks like paperwork. It’s not. It’s a legal attestation, and after a breach, the insurer’s forensics team will check your answers against what was actually running on your systems. Get one wrong, even innocently, and the claim you paid premiums for can be denied.

So the way to fill one out is simple to state and easy to get wrong: verify before you check the box. Here’s what the common questions actually mean, where businesses answer wrong without realizing it, and what to do when the honest answer is “sort of.”

First: who should fill this out

Not the office manager alone, and not you at 9 p.m. the night before it’s due. The questions are technical, and the person signing needs to know what’s actually configured. Not what was set up three years ago, and not what the last IT person said. If someone manages your IT, they should be in the room. If nobody manages your IT, that’s the first finding.

Start 60 to 90 days before renewal. Most gaps these questionnaires expose take days or weeks to close, but not if you discover them the night before.

The questions, decoded

“Is multi-factor authentication enforced for email, remote access, and privileged accounts?”

This is the question that denies more claims than any other. Two things to notice. First, enforced means required for every account with no users excluded, not merely available or optional. Second, it covers all three categories: email, remote access like VPN or remote desktop, and admin accounts. MFA on your bank login is irrelevant. MFA on most employees but not the owner’s email is a no. Business email compromise is the most common small business claim, which is why this is the attestation insurers verify first.

In Microsoft 365, “we have MFA” often means a setup screen was clicked through once. Enforced means a policy requires it for every account, verified in the admin center, not remembered.

“Do you have EDR (endpoint detection and response) deployed on all endpoints?”

EDR is not antivirus. Traditional antivirus matches known malware. EDR watches for attacker behavior (a login at 3 a.m. from overseas, a process encrypting hundreds of files) and can isolate the machine automatically. If your answer is “we have Norton” or “Windows Defender came with it,” the accurate answer to this question is probably no. And note all endpoints: the shop-floor PC and the owner’s home laptop that touches company email both count.

“Are backups encrypted, kept offline or immutable, and tested?”

Three claims in one sentence, and carriers mean all three. Offline or immutable means ransomware that encrypts your network can’t also encrypt the backups. A USB drive plugged in permanently, or a synced folder, fails this test. Tested means someone has actually performed a restore recently and it worked. A backup you’ve never restored from is a hope, not a backup, and “the backup software says success” is not a test.

“Are operating systems and software supported and patched within X days?”

Two traps here. First, end-of-life software: a Windows 10 machine past its support date, an old server, the ancient PC running one legacy application. Carriers ask specifically because unsupported systems can’t be patched. Second, the timeline. “We update when we notice” is not a patching process. The answer they’re looking for is automated, monitored patching with a defined window.

“Do employees receive security awareness training? Do you run phishing simulations?”

Documented and recurring is the standard: a training platform with completion records, not a talk at a staff meeting two years ago. If you can’t produce a record of who completed what and when, treat the answer as no and fix it. Training platforms cost a few dollars per user per month and take an afternoon to set up.

“Do you have a written incident response plan?”

Written is the operative word. “We’d call our IT guy” is a plan in the same way “we’d figure it out” is a fire drill. It doesn’t need to be long. Who gets called, in what order, who talks to clients, and where the cyber policy’s breach hotline number lives. But it needs to exist on paper, and the people named in it need to know they’re in it.

You may also see questions about email authentication (SPF, DKIM, DMARC), encrypted laptops, and how much of your revenue depends on specific systems. Same principle throughout: answer what is true today, verifiably, not what you intend to fix.

When the honest answer is “partially”

This is where most businesses go wrong, because the questionnaire offers yes/no checkboxes and reality is usually messier. MFA on email but not the VPN. EDR on the office machines but not the two laptops. Backups running but never test-restored.

Do not round up. You have two honest options, and both are better than an optimistic yes.

  1. Close the gap first. Most of these controls take days, not months. Enforcing MFA across a Microsoft 365 tenant is configuration work. EDR deploys in an afternoon. A test restore takes an hour. This is exactly why you start 60 to 90 days out.
  2. Answer accurately and disclose. An accurate no may raise your premium or add an exclusion, and sometimes carriers will bind coverage with a documented remediation timeline. That’s a worse rate. It’s still infinitely better than a denied claim, because an inaccurate yes means you paid for coverage you never had. Some carriers now scan applicants’ external systems and rescind policies when the answers don’t match what they find.

Keep the evidence

For every yes, know what document backs it up: the MFA enforcement policy export, the EDR console showing device count, the backup logs and the restore test date, training completion reports. If your IT provider manages these systems, they should hand you this package at renewal time as a matter of course. That paper trail is half of what a managed IT plan buys you.

And if you’re covered by the FTC Safeguards Rule (tax preparers, CPAs, dealerships that arrange financing), notice that this evidence pile and your compliance documentation are nearly the same pile. Build it once, use it for both.

The bottom line

Read every question as if a forensics team will grade it later, because after a claim, one will. Verify, don’t recall. Fix gaps before you sign rather than after a breach. And if any question on the form makes you think “I’m not actually sure,” that uncertainty is the questionnaire doing its job. It found something worth checking.


Got a questionnaire sitting on your desk right now? Bring it to us before you sign it. We’ll go through it question by question, check each answer against your actual systems, and close whatever gaps turn up. Call 352-561-8106 or email hello@intermachine.io. No pressure, no jargon, just accurate answers you can sign your name to.

Frequently asked questions

How do I fill out a cyber insurance questionnaire?

Treat every answer as a legal attestation that will be audited after a claim. Verify each control is actually in place everywhere the question asks about, not just somewhere, before checking yes. Involve whoever manages your IT rather than guessing.

What does the MFA question on a cyber insurance application mean?

Carriers are asking whether multi-factor authentication is enforced on email accounts, remote access, and administrator accounts. All three. MFA on your bank login or on some accounts doesn’t count. If any of the three is unprotected, the honest answer is no. Most denied claims trace back to this question. Business email compromise is the most common small business claim, so it’s the attestation insurers check first.

What if the honest answer to a questionnaire question is 'partially'?

Don’t round up to yes. Either fix the gap before you submit (most of these controls take days, not months, to close) or answer accurately and disclose the remediation timeline. An accurate no raises your premium. An inaccurate yes can void your claim.

When should I start on a cyber insurance renewal questionnaire?

Sixty to ninety days before renewal. That leaves time to verify what’s actually in place, close gaps like enforcing MFA or deploying EDR, and gather documentation, instead of guessing under deadline pressure.

Who can help me answer a cyber insurance questionnaire in Lake County, FL?

Intermachine Systems sits down with the questionnaire, verifies each control against your actual systems, closes the gaps, and gives you the documentation to back every answer. We work with small businesses and professional firms across Lake, Marion, and Sumter Counties.

Schedule Free Consultation

Free phone consultation, you select date and time

Schedule Now

Contact Intermachine

Call text or send an email.

Contact Us