If you have a cyber insurance renewal coming up, the application is probably longer than the one you filled in last time. It’s also more specific. Each new question maps to a control whose absence let a major 2023 or 2024 claim escalate, the wording reflects how carriers responded to the losses they paid in those two years, and how you answer the form matters more than it used to.
This post covers why the application got longer, what each new section is asking, how to answer honestly without overstating your controls, and what to fix in the 30 days before submission. The expensive mistake on a cyber insurance application is rescission, where a future claim is denied because the carrier finds that the controls you declared were not in place at the time.
Why the renewal application got longer
The current generation of cyber insurance applications was shaped by three specific claim events from 2023 and 2024.
The MOVEit supply-chain breach surfaced on May 28, 2023, when Progress Software received the first reports of unusual activity from customers. The Cl0p ransomware group had been exploiting a previously unknown vulnerability in Progress Software’s MOVEit Transfer file-sharing tool, with activity detected by some researchers as early as February of that year. By late 2023, more than 2,650 organizations and over 66 million individuals had been affected, with totals rising further into 2024. Carriers paid claims across that footprint, and the experience reshaped how underwriters ask about third-party software risk.
Then the Change Healthcare ransomware incident in February 2024 froze US healthcare claims processing for weeks. The attacker gained network access on February 12, 2024, and deployed ransomware on February 21, with downstream impact on pharmacies, providers, and patients across the country. HIPAA Journal’s coverage noted that the absence of multifactor authentication on a key entry point made the initial intrusion possible. Industry analysts have estimated the cyber insurance loss from this single event at over $250 million, and the response was tighter questions about backup immutability and incident response readiness.
The Arup deepfake wire fraud, also from early 2024, reframed how underwriters approach social engineering. A finance employee at the engineering firm’s Hong Kong office transferred $25.6 million across 15 wires after a video call with what appeared to be the company’s CFO and other executives, all of whom were AI-generated deepfakes. The fraud went undiscovered for about a week, until the employee contacted Arup headquarters about a “secret transaction.” Out-of-band callback verification for wire transfers is now on every underwriter’s checklist.
If you run an e-commerce store handling cardholder data, a healthcare practice with PHI, an accounting firm or law firm moving client funds, or a real estate brokerage handling escrow, your application is the longest of all. You sit in the loss categories carriers got burned on.
The backup question changed
The backup question on cyber insurance applications has tightened materially since 2023. What used to be a single yes/no question now asks whether your backups are immutable or air-gapped, when they were last tested, and whether they can be deleted by your domain administrator credentials.
Expect wording on your form like: “Are backups stored in an immutable or air-gapped state, tested for restoration within the past 12 months, and inaccessible to domain administrator credentials?”
An immutable backup is one that nobody can delete or alter during a fixed retention window, including someone using stolen administrator credentials. Air-gapped means the backup copy sits on infrastructure that cannot be reached from your production network. CISA’s Stop Ransomware Guide lists immutable, tested backups as a baseline control, which is the same standard most cyber insurance carriers now apply.
“Microsoft 365 backup” is no longer a passing answer on its own. Native Microsoft 365 retention isn’t a backup in the sense the carrier means. Third-party backups that share the same identity perimeter as your production tenant can be wiped by a compromised global admin.
For the immutable backup question, the strongest answer references a backup platform with object lock or write-once-read-many storage enabled, an immutability window of at least 14 days (with 30 days now preferred), credentials separated from your production admin accounts, and a recent successful restore test. Weaker answers describe daily backups to a NAS on the same network with no recent restore test, which typically triggers follow-up underwriting and sometimes a premium adjustment. Answers that leave the immutability question unclear are the ones most likely to push a renewal toward sub-limits or non-renewal.
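The three properties in that strong answer (a lock window, credentials outside the production identity perimeter, a recent restore test) can be modelled directly. The following is an added example, not code from the original post or from any backup vendor: a small write-once store whose delete path ignores the caller's role during the retention window, the way object lock in compliance mode behaves, plus a posture check against the 14-day and 12-month figures the form uses. The store name, domains, dates and roles are constructed.

```python
"""Object-lock (WORM) retention as the renewal form describes it.

Added example, not code from the original post or from any backup vendor.
The store, the roles, the dates and the restore-test record are constructed;
a real platform maps these to its own object-lock settings and audit records.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


class RetentionError(PermissionError):
    """Raised when anyone, admin included, tries to alter a locked copy."""


@dataclass
class BackupCopy:
    name: str
    created: date
    retain_until: date   # object-lock "retain until" date


@dataclass
class ImmutableBackupStore:
    """WORM store: no delete or overwrite before retain_until, whatever the
    caller's role (the behaviour of object lock in compliance mode)."""
    identity_domain: str          # identity perimeter that can reach this store
    window_days: int              # immutability window applied to every copy
    copies: dict = field(default_factory=dict)

    def write(self, name: str, today: date) -> BackupCopy:
        existing = self.copies.get(name)
        if existing and today < existing.retain_until:
            raise RetentionError(f"{name} is locked until {existing.retain_until}")
        copy = BackupCopy(name, today, today + timedelta(days=self.window_days))
        self.copies[name] = copy
        return copy

    def delete(self, name: str, today: date, caller_role: str) -> None:
        copy = self.copies[name]
        if today < copy.retain_until:
            # caller_role is deliberately not consulted: a stolen domain admin
            # credential gains nothing here, which is the point of the control
            raise RetentionError(
                f"{caller_role} cannot delete {name} before {copy.retain_until}")
        del self.copies[name]


def admin_can_delete(store: ImmutableBackupStore, name: str, today: date) -> bool:
    """True if a domain administrator could remove the copy today (dry run)."""
    probe = ImmutableBackupStore(store.identity_domain, store.window_days,
                                 dict(store.copies))
    try:
        probe.delete(name, today, "domain-admin")
        return True
    except RetentionError:
        return False


def assess_backup_posture(store, production_domain, last_restore_test, today,
                          min_window_days=14, max_test_age_days=365):
    """Map the store to the three things the application asks about."""
    checks = {
        "immutable_window_ok": store.window_days >= min_window_days,
        "separate_identity_perimeter": store.identity_domain != production_domain,
        "restore_tested_recently":
            (today - last_restore_test).days <= max_test_age_days,
    }
    checks["passes"] = all(checks.values())
    return checks


def run_example() -> dict:
    """Constructed walk-through on fixed dates: a vaulted store and a weak one."""
    vault = ImmutableBackupStore("backup-vault.local", window_days=30)
    vault.write("daily-2024-06-01", date(2024, 6, 1))
    shared = ImmutableBackupStore("corp.local", window_days=7)   # same perimeter as prod
    return {
        "admin_delete_day_10": admin_can_delete(vault, "daily-2024-06-01", date(2024, 6, 10)),
        "admin_delete_day_32": admin_can_delete(vault, "daily-2024-06-01", date(2024, 7, 2)),
        "posture": assess_backup_posture(vault, "corp.local", date(2024, 3, 15), date(2024, 6, 10)),
        "weak_posture": assess_backup_posture(shared, "corp.local", date(2023, 1, 5), date(2024, 6, 10)),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The dry-run helper is what you would run before filling in the form: if it returns True for a copy inside its window, the platform is not immutable in the sense the carrier means, whatever the product brochure says.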
MFA questions go deeper than one checkbox
MFA was once captured as a single yes/no question on most applications. The current generation asks whether MFA is enforced on email, VPN, remote desktop (RDP), all administrator accounts, and privileged service accounts. The answer needs to be yes on all five for a clean pass.
SMS-based MFA is now treated as a weaker control. SIM-swap attacks and SS7 vulnerabilities have made text codes the weakest authentication factor available. Several carriers ask specifically whether your MFA uses an authenticator app, hardware token, or push with number matching, rather than SMS. If you’re still on SMS for admin accounts, expect a follow-up question or a premium adjustment.
The privileged access management (PAM) question is the one most owners haven’t seen before. PAM is a category of tool that keeps administrator credentials out of regular password managers. A PAM platform vaults privileged credentials, rotates them on use, and logs every session, so a stolen admin password can’t be reused quietly for weeks before someone notices.
A strong PAM answer describes a vaulting tool with credentials rotated on use and session logging enabled. Weaker answers, like admin passwords stored in a shared password manager with annual rotation, will usually trigger follow-up underwriting. Shared admin accounts that never rotate and produce no audit log of who used them are the configuration most likely to result in sub-limits or non-renewal.
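The difference between the strong and weak answers comes down to two behaviours: rotation on use and a per-user audit trail. The following is an added example, not code from the original post or from any PAM product, showing why those two behaviours matter: a password captured during one admin session stops working the moment the session is checked back in, and the log names who held the account and under which ticket. The account name and ticket numbers are constructed.

```python
"""Privileged credential vault: check out, rotate on check-in, log every use.

Added example, not from the post or from any PAM product. The account name
and change tickets are constructed; it shows why a password captured during
one admin session is worthless once that session is checked back in.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VaultEntry:
    account: str
    secret: str
    holder: Optional[str] = None     # who has it checked out, if anyone


@dataclass
class PrivilegedVault:
    entries: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def enroll(self, account: str) -> None:
        """Vault the account with a fresh random secret nobody has seen."""
        self.entries[account] = VaultEntry(account, secrets.token_urlsafe(24))

    def checkout(self, account: str, user: str, ticket: str) -> str:
        """Hand the current secret to one named user against a change ticket."""
        entry = self.entries[account]
        if entry.holder is not None:
            raise PermissionError(f"{account} already checked out by {entry.holder}")
        entry.holder = user
        self.audit_log.append({"event": "checkout", "account": account,
                               "user": user, "ticket": ticket})
        return entry.secret

    def checkin(self, account: str, user: str) -> None:
        """Return the account and rotate it, invalidating any copy made in use."""
        entry = self.entries[account]
        if entry.holder != user:
            raise PermissionError("only the current holder can check in")
        entry.secret = secrets.token_urlsafe(24)   # rotate on use
        entry.holder = None
        self.audit_log.append({"event": "checkin_rotate", "account": account,
                               "user": user, "ticket": None})

    def authenticate(self, account: str, secret: str) -> bool:
        """Stand-in for the target system: only the current secret works."""
        ok = secrets.compare_digest(self.entries[account].secret, secret)
        self.audit_log.append({"event": "auth", "account": account,
                               "user": "ok" if ok else "FAILED", "ticket": None})
        return ok

    def who_used(self, account: str) -> list:
        """The attribution an underwriter asks for: named users, per ticket."""
        return [(e["user"], e["ticket"]) for e in self.audit_log
                if e["account"] == account and e["event"] == "checkout"]


def run_example() -> dict:
    """Constructed walk-through: a captured password dies at check-in."""
    vault = PrivilegedVault()
    account = "CORP\\svc-backup"
    vault.enroll(account)
    captured = vault.checkout(account, "alice", "CHG-1001")   # imagine this copied by malware
    live_during_session = vault.authenticate(account, captured)
    vault.checkin(account, "alice")
    replay_after_rotation = vault.authenticate(account, captured)
    later = vault.checkout(account, "bob", "CHG-1002")
    return {"live_during_session": live_during_session,
            "replay_after_rotation": replay_after_rotation,
            "secret_changed": later != captured,
            "users": vault.who_used(account)}


if __name__ == "__main__":
    print(run_example())
```

Contrast this with the weak answer on the form: a shared admin password in a team password manager that rotates annually keeps `captured` valid for up to a year and produces no record of which person used it.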
Will cyber insurance be denied if you don’t have MFA everywhere? Not always denied outright. Expect significant premium increases, sub-limits on ransomware coverage, or exclusions for any incident that traces back to the unprotected entry point.
The wire transfer and deepfake verification questions
After the Arup case and a string of business email compromise losses, carriers added callback verification questions to their applications. Callback verification means that before sending any wire above a defined threshold (commonly $10,000 or $25,000), the person authorizing the transfer calls the recipient at a phone number previously verified and stored, not the number on the request email.
Expect wording like: “Does your organization require out-of-band verification using a previously known phone number for all funds transfer requests above [threshold], including requests appearing to come from executives?”
Several current applications now ask separately whether staff have been trained on AI voice cloning and deepfake video risks. The Arup case made that question relevant for every carrier writing in professional services.
Accounting firms, law firms with escrow or trust accounts, and real estate brokers will see this section scrutinized most carefully. Anyone moving other people’s money is a soft target and an expensive claim when wire fraud lands.
A strong answer references a written wire transfer policy requiring callback verification to a verified number for transfers above a stated threshold, dual approval, and annual social engineering training that includes deepfake awareness. Informal verification practice without a written policy will usually be flagged for follow-up. Wire transfers authorized by email approval alone are the configuration carriers are now declining to cover at all.
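The written policy above is a set of rules that can be checked mechanically before a wire is released. The following is an added example, not the post's text or any firm's actual policy: it encodes the threshold, the callback-to-a-number-on-file rule and dual approval, and specifically refuses a callback placed to the number that arrived in the request itself, which is how a forged executive request steers staff to the fraudster's own phone. The threshold, the contact directory, the beneficiary and the sample requests are constructed.

```python
"""Callback verification and dual approval for funds transfer requests.

Added example, not the post's text or any firm's policy. The threshold,
the verified-contact directory and the sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

CALLBACK_THRESHOLD_USD = 10_000   # the post cites $10,000 or $25,000 as common

# Numbers verified at onboarding and kept outside email, so a forged request
# cannot supply its own "call me here" number.
VERIFIED_CONTACTS = {"Acme Supplies Ltd": "+1-555-0100"}


@dataclass
class WireRequest:
    beneficiary: str
    amount_usd: float
    requested_by: str                       # e.g. "cfo@example.com"; grants no exemption
    phone_in_request: str                   # number quoted in the email itself
    callback_number: Optional[str] = None   # number staff actually dialled
    approvals: set = field(default_factory=set)


def evaluate(req: WireRequest, directory=VERIFIED_CONTACTS,
             threshold=CALLBACK_THRESHOLD_USD):
    """Return (release: bool, reasons: list[str]) for one request."""
    if req.amount_usd < threshold:
        return True, ["below threshold; standard approval applies"]
    reasons = []
    on_file = directory.get(req.beneficiary)
    if on_file is None:
        reasons.append("no verified callback number on file for beneficiary")
    elif req.callback_number is None:
        reasons.append("no out-of-band callback recorded")
    elif req.callback_number != on_file:
        reasons.append("callback not made to the number on file")
        if req.callback_number == req.phone_in_request:
            reasons.append("callback used the number supplied by the request itself")
    if len(req.approvals) < 2:
        reasons.append("dual approval not satisfied")
    return (not reasons), reasons or ["callback to number on file and dual approval complete"]


if __name__ == "__main__":
    # Constructed: an urgent "CFO" request quoting a new contact number
    urgent = WireRequest("Acme Supplies Ltd", 48_000, "cfo@example.com",
                         "+1-555-0199", callback_number="+1-555-0199",
                         approvals={"alice"})
    print(evaluate(urgent))
```

Note that `requested_by` is carried only for the record; the policy applies the same checks to a request that appears to come from the CFO as to any other, which is exactly the clause the form's wording ("including requests appearing to come from executives") is testing for.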
EDR, MDR, and the end of the “we have antivirus” answer
Traditional antivirus scans files against a list of known threats. Endpoint Detection and Response (EDR) watches behavior on each device and flags suspicious activity, such as a process trying to encrypt files or escalate privileges. Managed Detection and Response (MDR) is EDR plus a 24/7 team watching the alerts and responding when something fires at 2am on a Sunday.
Current applications ask whether you have EDR deployed, whether it covers 100% of endpoints including servers, and whether a 24/7 security operations center (SOC) monitors and responds to alerts. The MDR question is increasingly yes or no, and the no answer has pricing consequences.
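To make the antivirus-versus-EDR distinction concrete: a signature scanner needs to recognise the binary, while a behavioural rule only needs to see what the binary does. The following is an added example, not code from the original post or from any EDR product, implementing one such rule over a constructed file-event trace: it flags a process that changes the extension of many files inside a short window, the file-system footprint of bulk encryption, and leaves ordinary renames by an editor or file manager alone. Process names, PIDs, paths and timings are constructed.

```python
"""Behavioural detection of the kind EDR adds over signature antivirus.

Added example, not from the post or any EDR product. The events are
constructed; the rule flags a process that changes the extension of many
files in a short window without knowing anything about the binary doing it.
"""
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since trace start
    pid: int
    process: str
    op: str          # "rename", "write" or "create"
    src: str
    dst: str = ""    # populated for renames


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_mass_extension_change(events, window_s=60.0, threshold=20):
    """Alert once per process whose extension-changing renames reach
    `threshold` inside any `window_s` sliding window; the count keeps growing
    as long as the behaviour continues, so the alert carries the full scale."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "rename" or _ext(ev.src) == _ext(ev.dst):
            continue   # renames that keep the extension are ordinary file handling
        key = (ev.pid, ev.process)
        window = recent[key]
        window.append(ev.ts)
        while window and ev.ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            alert = alerts.setdefault(key, {"pid": ev.pid, "process": ev.process,
                                            "first_ts": window[0], "count": 0})
            alert["count"] = max(alert["count"], len(window))
            alert["last_ts"] = ev.ts
    return list(alerts.values())


def sample_trace():
    """Constructed trace: ordinary editing plus one bulk-renaming process."""
    events = [
        FileEvent(10.0, 1200, "winword.exe", "rename",
                  r"C:\Users\pat\Documents\~WRL0001.tmp",
                  r"C:\Users\pat\Documents\budget.docx"),
        FileEvent(12.5, 1200, "winword.exe", "write",
                  r"C:\Users\pat\Documents\budget.docx"),
        FileEvent(30.0, 3310, "explorer.exe", "rename",
                  r"C:\Users\pat\Downloads\photo.jpg",
                  r"C:\Users\pat\Pictures\photo.jpg"),
    ]
    for i in range(25):   # one process rewriting a whole share in five seconds
        src = rf"C:\Shares\Finance\report_{i:02d}.xlsx"
        events.append(FileEvent(100.0 + i * 0.2, 4412, "updater.exe",
                                "rename", src, src + ".locked"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_extension_change(sample_trace()):
        print(alert)
```

The MDR part of the question is what happens next: a rule like this raising an alert at 2am is only useful if someone is paged to isolate the host, which is why the form asks about 24/7 monitoring separately from the tooling.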
If you don’t have MDR yet but plan to add it, say so plainly with a timeline. Underwriters can work with “MDR deployment scheduled for Q2 with vendor selected.” They cannot work with vague answers about future plans.
The vendor risk questions
Supply chain questions used to be a single yes/no item. After MOVEit and Change Healthcare, carriers now want a full section on the software vendors holding your data.
Expect questions like: “List your top five software vendors with access to sensitive data and confirm whether each provides a SOC 2 Type II report or equivalent.” If you’ve never asked your practice management software vendor for a SOC 2 report, that conversation is overdue.
You’re not expected to audit every vendor’s security program in detail. The carrier wants to see that you know who your top vendors are, what data they hold, and that you’ve asked the basic questions like SOC 2 attestation. An honest “we’ve identified our top five vendors and requested SOC 2 reports from three, with two outstanding” reads better than a confident answer that falls apart in discovery.
The mistake to avoid: misrepresentation and rescission
The most expensive answer on a cyber insurance application is the one that overstates the security controls you have in place. Cyber insurance applications are warranty documents. If a forensic investigation after a claim finds your environment didn’t match what you declared, the carrier can rescind the policy.
Rescission means the policy is treated as if it never existed, your claim is denied, and any prior payouts under the same policy term can be clawed back. Some courts have found that the carrier doesn’t need to prove a direct link between the misrepresentation and the loss. The misrepresentation itself is enough.
The cleanup approach is direct. If a question asks about MFA on all admin accounts and you have a gap, declare the gap and include a remediation date. Carriers reward honest gaps with a plan more than they reward polished answers that don’t survive forensic review.
Checking “no” or “in progress” on the form may raise your premium or tighten your coverage terms. That cost is predictable. Misrepresentation discovered after a claim can void the policy entirely, and the timing means you absorb the full incident cost yourself.
The 30-day pre-renewal checklist
Work through this in order. Most items are achievable in a month if you start now.
Week 1. Confirm MFA on email, VPN, remote desktop, all administrator accounts, and any service accounts that support it. Move admin MFA off SMS to an authenticator app or hardware token.
Weeks 1 to 2. Verify your backups are immutable or air-gapped. Run a test restore, and document the result with date and screenshots.
Week 2. Write a one-page wire transfer policy requiring callback verification to a previously verified phone number for any transfer over your chosen threshold. Get it signed by anyone who can authorize payments.
Weeks 2 to 3. Confirm EDR is deployed on every endpoint and server. If you only have traditional antivirus, get quotes for EDR or MDR now so you can answer with a deployment timeline.
Week 3. Identify your top five software vendors and request SOC 2 reports or equivalent attestations. Note who responded.
Weeks 3 to 4. Document or update your incident response plan, then run a 60-minute tabletop exercise with your leadership team. Keep the notes. That’s your “tested in the past 12 months” evidence.
Week 4. Sit down with the application and answer honestly. Flag anything you couldn’t fix, with a specific remediation date.
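The one item on that checklist that produces hard technical evidence is the test restore in weeks 1 to 2. The following is an added example, not code from the original post: it hashes the files you intend to protect, compares a restored copy against that manifest and returns a dated record listing anything missing or altered, which is the kind of artefact to keep alongside the screenshots. The directory trees are constructed in a temporary folder so the script runs offline; for a real test, point `build_manifest` at the production data and `verify_restore` at the restored copy.

```python
"""Restore-test evidence: hash the source, restore, compare, record the date.

Added example, not from the post. The directory trees are constructed in a
temporary folder so the script runs offline; on a real restore test, point
build_manifest at production and verify_restore at the restored copy.
"""
import hashlib
import tempfile
from datetime import date
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path, today=None) -> dict:
    """Compare a restored tree against the manifest. The returned record is
    the dated evidence behind a 'tested in the past 12 months' answer."""
    restored_root = Path(restored_root)
    missing, mismatched = [], []
    for rel, digest in sorted(manifest.items()):
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            mismatched.append(rel)
    return {"test_date": (today or date.today()).isoformat(),
            "files_checked": len(manifest),
            "missing": missing, "mismatched": mismatched,
            "restore_ok": not missing and not mismatched}


def _write(root: Path, rel: str, data: bytes) -> None:
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def run_example() -> tuple:
    """Constructed: one faithful restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = {"ledger.csv": b"id,amount\n1,100\n", "notes/readme.txt": b"keep\n"}
        for rel, data in source.items():
            _write(tmp / "prod", rel, data)
        manifest = build_manifest(tmp / "prod")

        for rel, data in source.items():              # faithful restore
            _write(tmp / "restore_good", rel, data)
        # damaged restore: ledger altered, readme never came back
        _write(tmp / "restore_bad", "ledger.csv", b"id,amount\n1,999\n")

        good = verify_restore(manifest, tmp / "restore_good", date(2024, 6, 10))
        bad = verify_restore(manifest, tmp / "restore_bad", date(2024, 6, 10))
    return good, bad


if __name__ == "__main__":
    good, bad = run_example()
    print(good)
    print(bad)
```

Save the manifest alongside the backup run it describes; a restore that "looks fine" because the folder exists but silently differs from the manifest is the failure mode this check catches.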
Frequently asked questions
What does rescission mean on a cyber insurance policy?
Rescission means the carrier voids the policy from inception after discovering material misrepresentation on the application. The policy is treated as if it never existed, the current claim is denied, and any prior payouts under the same policy term can be clawed back.
Will my cyber insurance be denied if I don’t have MFA on everything?
Not always denied outright. Expect a significant premium increase, sub-limits on ransomware coverage, or exclusions for incidents that trace back to the unprotected entry point. The most common gap is MFA on privileged or service accounts.
What is the difference between EDR and MDR on an insurance application?
EDR (Endpoint Detection and Response) is the technology that watches device behavior and flags suspicious activity. MDR (Managed Detection and Response) is the same technology plus a 24/7 team watching the alerts and responding. Carriers increasingly want both, and the application often asks about each separately.
Why are cyber insurance renewal applications longer than they used to be?
Carriers added detailed sections in response to specific 2023 and 2024 losses, including the MOVEit supply-chain breach, the Change Healthcare ransomware incident, and the Arup deepfake wire fraud. Each event drove changes to backup, MFA, vendor risk, or wire transfer questions on subsequent applications.
Can my cyber insurance claim be denied if I answered the application incorrectly?
Yes. Material misrepresentation on a cyber insurance application can trigger rescission, which voids coverage retroactively. Many courts have found that the carrier does not need to prove a causal link between the misrepresentation and the specific loss.
What does immutable backup mean on a cyber insurance application?
A backup that cannot be modified or deleted for a defined retention period, even by someone using stolen administrator credentials. Cloud object lock and write-once-read-many storage are common implementations. Most carriers want a window of at least 14 days, with 30 days now preferred.
Sources and further reading
- Cybersecurity Dive: MOVEit breach timeline — detailed timeline of the 2023 vulnerability exploitation and the scale of the affected population.
- Fortune: Arup deepfake $25M fraud — coverage of the January 2024 Hong Kong deepfake wire fraud and how it unfolded.
- HIPAA Journal: Biggest healthcare data breaches of 2024 — analysis of the February 2024 Change Healthcare incident and its industry-wide impact.
- CISA: Stop Ransomware Guide — federal guidance on the security controls cyber insurance applications now ask about.
If you have a cyber insurance renewal coming up and the gap between where your controls are and where the form wants them to be feels wider than 30 days, your IT provider should be able to walk through the application with you and identify what’s fixable in the time you have. And if you don’t have an IT provider, feel free to reach out to us and we’ll help you sort it.