What Do Cyber Insurance Companies Ask?

5 Key Questions You Need to Be Ready For (And What They Say About Your Risk)
Like many business leaders, you may be considering purchasing cyber liability insurance. If so, you’re probably wondering what it is (and just as importantly, what it’s not), how much it could cost, and what questions you’ll need to answer during the application process.
At Novatech, we’ve helped businesses in all industries prepare for these applications. We’ve also been through the process ourselves. That’s why in this article, we’re sharing the Top 5 questions you’re likely to be asked, why insurers ask them, and what they’re worried about when they do.
This content includes insight from cybersecurity insurance expert Mike Piergallini of Evans, Pires & Leonard, along with our firsthand experience as both applicants and IT support providers.
1. Do You Use Multi-Factor Authentication (MFA)?
Why they ask:
MFA is one of the most effective ways to stop unauthorized access. A password alone is easy to steal or guess — MFA requires something you know (password) and something you have (like a code from your phone). It dramatically reduces the success rate of phishing attacks.
What they’re concerned about:
If you don’t have MFA in place, you’re leaving the front door wide open. Insurers see this as a baseline control — skipping it tells them your business might not take basic security seriously.
What you should do:
Enable MFA for all critical applications, especially email, file sharing, and remote access tools. If you don’t know how to roll it out company-wide, talk to your IT provider.
2. Do You Provide Security Awareness Training for Employees?
Why they ask:
Over 90% of breaches start with human error. Phishing emails, bad password practices, or accidental data sharing can all be avoided with proper training.
What they’re concerned about:
Insurers know that tools alone can’t stop threats. If your employees aren’t trained to recognize scams, you’re at high risk of a breach — which increases the chance of a costly claim.
What you should do:
Schedule quarterly training, simulate phishing attacks, and document participation. This shows insurers you’re creating a strong human firewall.
3. Do You Back Up Your Data (and Test Restores)?
Why they ask:
Backups are your last line of defense. If ransomware hits or data is corrupted, the ability to restore from a clean backup can mean the difference between a bad day and total disaster.
What they’re concerned about:
Insurance won’t cover everything — especially if you’ve failed to take basic steps like creating and testing data backups. They need to know you’re capable of recovery.
What you should do:
Use automatic, cloud-based backups and run recovery drills. Backups should be encrypted, offsite, and separated from your production environment.
4. Do You Have Endpoint Detection and Response (EDR) or Antivirus?
Why they ask:
Endpoints (like laptops, phones, and workstations) are the easiest place for attackers to gain access. EDR tools detect suspicious behavior, isolate infected devices, and help stop attacks before they spread.
What they’re concerned about:
If you’re using only traditional antivirus or nothing at all, insurers will assume you can’t detect or respond to active threats — which increases both risk and payouts.
What you should do:
Invest in a managed EDR solution that offers real-time threat detection, response, and reporting. Bonus: This often helps reduce premiums.
5. Do You Have a Documented Disaster Recovery Plan?
Why they ask:
Being hit by a cyberattack is bad — but not being prepared is worse. Insurers want to see that you have a plan to recover operations quickly and minimize losses.
What they’re concerned about:
Without a DR plan, you’re likely to scramble, make costly mistakes, and prolong downtime — all of which increase the impact (and cost) of an incident.
What you should do:
Build a written recovery plan. Include contact lists, system priorities, recovery time objectives (RTO), and assigned team roles. Test it on a routine schedule.
Bottom Line: Insurers Want You to Be Resilient
Cyber insurance isn’t a silver bullet. It’s designed to support businesses that already take security seriously. The questions above aren’t meant to trip you up — they’re designed to measure how resilient your organization truly is.
If you’re unsure how to answer any of these questions confidently, we’re here to help. At Novatech, we specialize in helping small to mid-sized businesses become cyber-insurable — and more secure in the process.
Want help preparing for a cyber insurance application?
Schedule a Cyber Readiness Assessment with our team.
We’ll walk you through each question and identify any gaps — no pressure, no jargon.