Guide
Cyber Insurance Questionnaire Guide
What carriers actually ask, what evidence they want, and how to build a documentation folder that makes renewal straightforward — for 5–50 person professional services firms.
How carriers read your answers
Cyber insurance underwriting has shifted from checkbox exercises to evidence-based technical review. “We have it” is no longer sufficient. Carriers want screenshots, reports, logs, and dates. This guide walks through what they ask, what actually satisfies the question, and what to build before renewal.
Multi-Factor Authentication
The question
Is MFA enforced on all email accounts? On all remote access? On privileged admin accounts?
Enforcement — not availability. A carrier will ask whether a user can log in without completing MFA. If the answer is yes for any user class, the answer to the question is effectively no.
Evidence that works
- Microsoft Entra / Azure AD: Conditional Access policy screenshot showing MFA required for all users, with no named exceptions for regular staff
- Google Workspace: 2-Step Verification enforcement report from Admin Console
- Export showing MFA enrollment status per user — every active user enrolled
- Separate confirmation that remote access (VPN, RDP) also requires MFA
Battice
The 2FA audit and enforcement guidance in Baseline Security documents your current MFA state and produces a written summary of gaps and enforcement steps.
Endpoint Detection & Response
The question
Do you have EDR or MDR deployed? What percentage of endpoints are covered? Who reviews alerts?
Behavioral detection, not just antivirus. Carriers distinguish between signature-based AV (which misses novel attacks) and EDR tools that monitor process behavior and can isolate endpoints during an active incident.
Evidence that works
- EDR platform deployment report showing device count, last-seen date per device, and coverage percentage
- Documentation of alerting configuration — who receives alerts, how quickly, through what channel
- Confirmation that the tool is actively managed, not installed and forgotten
Battice
Active Monitoring (Tier 2) includes Wazuh endpoint agent deployment and 24-hour alert triage — with a monthly threat report you can hand directly to your insurer.
Backup & Recovery
The question
How often are backups run? Are they stored offsite or in the cloud? Are they immutable? When was the last successful restore test?
The immutability and restore-test questions are the ones most firms fail. Attackers specifically target backups in ransomware attacks — an on-site backup on the same network is frequently encrypted alongside the production data.
Evidence that works
- Backup configuration screenshot or report showing frequency, retention period, storage location, and immutability settings
- Restore test log: date of test, scope of what was restored, outcome (success or failure), any gaps identified
- Identification of who is responsible for monitoring backup completion and investigating failures
Battice
The IT Documentation package includes a backup record template — current state, retention policy, restore test date — that feeds directly into insurer documentation.
Incident Response Plan
The question
Do you have a written incident response plan? Has it been tested in the last 12 months?
A written plan and evidence it was reviewed or exercised. A policy document that was written once and never opened doesn't satisfy this — carriers increasingly want evidence of a tabletop exercise or annual review.
Evidence that works
- Written IR plan with: defined roles (who declares an incident, who communicates externally, who contains it), escalation contacts with after-hours numbers, step-by-step procedures for the most likely scenarios (ransomware, BEC, credential compromise)
- Tabletop exercise notes: date, attendees, scenario tested, findings, action items assigned
- Annual review signature or meeting notes if no tabletop occurred
Battice
Managed Security (Tier 3) includes compliance documentation support that covers incident response plan documentation and annual review evidence.
Patch Management
The question
How frequently are OS and software patches applied? Who is responsible? Can you show a report?
A documented process with evidence it ran — not just a verbal confirmation that patching happens. The question is about cadence and accountability, not perfection.
Evidence that works
- RMM or endpoint management report showing last-patch date per device
- Operating system version report across all enrolled devices
- Written patch policy: frequency (monthly minimum for most firms), who is responsible, what happens when a patch fails
Battice
The vulnerability scanning service includes monthly reports showing patch status per device that can be pulled directly for insurer evidence requests.
Security Awareness Training & Phishing
The question
Has security awareness training occurred? Do you run phishing simulations? Can you show documentation?
Documented training — not just a policy that says training should happen. Phishing simulation results (click rates, report rates) are increasingly requested as evidence of an active human-layer defense program.
Evidence that works
- Training attendance records with dates — who attended, when, what was covered
- Phishing simulation results: platform used, simulation date, click rate, report rate
- Evidence of post-simulation follow-up — communication to staff about what was tested and what to watch for
Battice
Baseline Security includes monthly phishing simulations with click/report tracking and results reports formatted for insurer review.
Vendor Risk
The question
Do you have a vendor risk management process? Are critical vendors assessed for security?
Evidence that you know who has access to your systems and data, and that you've done some review of their security. Even a basic documented vendor list with data access scope satisfies this at the SMB level.
Evidence that works
- Vendor inventory: vendor name, what data or systems they access, contract review date
- Any security documentation received from critical vendors (SOC 2 reports, security questionnaire responses)
- Contractual security language in vendor agreements — data processing agreements, security addenda
Battice
The IT Documentation package includes a vendor list template that documents critical vendors, access scope, and contact information.
The practical test
“If your insurer called tomorrow and asked for proof of MFA enforcement, EDR coverage, and your last backup restore test, could you produce all three in under five minutes?”
If yes — you're in reasonable shape. If not, that's the gap. Not because the controls aren't there, but because the evidence isn't organized.
Need help building the evidence folder?
Battice builds the documentation that answers these questions
A 30-minute consultation is enough to map your current controls against the evidence each category requires, identify the gaps, and discuss whether our Compliance Readiness or Managed Security tier makes sense for your renewal timeline.