Cyber Insurance Compliance: What the Industry is Requiring
Written By: Frank Saulsbery
THE LATEST THOUGHTS FROM THE FOUNDER
A running column from Frank Saulsbery. Not a sales pitch, just the way he’d explain it if you pulled up a stool next to him.
You get an email from your insurance agent that says something like, “Please complete this cybersecurity questionnaire for your renewal.” You open it up thinking it’ll take a few minutes… and then you start reading the questions. “Do you have tested backups?” “Do you enforce multi-factor login?” “Do you provide employee security training?” And so on.
And somewhere around question six, you’re thinking, “I think we do… but I’m not completely sure.”
If you’ve been in that spot, you’re not alone. A lot of business owners feel a little uneasy filling these out. You don’t want to answer incorrectly, but you also don’t want to overthink it. It can feel like one of those forms where you just check “yes” and move on.
But here’s the reality: insurance companies are not in the business of losing money. If they’re going to insure your business against something like a cyber attack, they want to know you’re doing your part to reduce that risk. If not, they’ll either raise your premium, limit your coverage, or sometimes decide not to offer a policy at all.
And those requirements have gotten stricter over time. As cyber attacks have increased, especially with more businesses relying on remote work and cloud tools, insurance companies have responded by asking for more proof that basic protections are in place.
They’re not asking for anything unreasonable. In most cases, they’re looking for things like working backups, up-to-date protection on your computers, secure access to email and data, and some level of employee training. The important part to understand is this: it’s not just about having those things, it’s about being able to prove you have them. That’s where some businesses get into trouble.
I’ve seen situations where someone fills out the form with all “yes” answers, assuming that’s what the insurance company wants to see, even though they weren’t completely confident those protections were actually in place or being maintained. That might seem like a harmless shortcut at the time. But if you ever have a cyber incident and file a claim, the insurance company will look closely at what you reported. In many cases, they’ll bring in their own auditors to verify it.
And if what was reported doesn’t match reality, that can affect the outcome of the claim.
That’s not a great conversation to have when you’re already dealing with a stressful situation.
So what does this mean for your business?
It means the goal isn’t to “pass the form.” The goal is to understand what you actually have in place.
For example, it’s one thing to say you have backups. It’s another to know they’ve been tested recently and would actually work if you needed them. It’s one thing to say you have antivirus. It’s another to know it’s active on every device and being updated.
And one area that gets overlooked more than it should is employee training. Many attacks don’t start with technology failing; they start with a person clicking something they shouldn’t. That’s why regular training is often part of both insurance requirements and security best practices. If you step back and look at it, the questionnaire is really just asking, “Are you consistently doing the basics well?”
Now, to be fair, not every business needs every single control right away. Depending on your size and industry, there may be some flexibility. In some cases, answering “no” to a question doesn’t automatically disqualify you. It might just mean a higher premium or a requirement to address that gap over time.
The key is honesty and clarity. It’s far better to say, “No, we don’t have that yet,” than to say “yes” and hope it never gets questioned. At least then you know where you stand and can make a decision about whether it’s worth improving. At the end of the day, cyber insurance is a lot like any other insurance. It’s there to help when something goes wrong, but it works best when the basics are already in place.
So here’s a simple question to think about: if you had to walk through that questionnaire line by line with complete confidence, would you feel comfortable doing it? If not, that’s not a failure. It’s just a sign that it might be worth taking a closer look before your next renewal comes around.
Sometimes the best move isn’t rushing to check every box. It’s slowing down long enough to understand which ones matter most for your business and making sure they’re actually working the way you think they are.
That’s how I see it, anyway, and I’d enjoy hearing how you see it. None of this is a sales pitch. It’s just the kind of thing I’d talk through with you if we were sitting across the table. If it raised a question, or you think I have it wrong, I want to hear about it.
My door is always open. Whether you want to talk this through or just say hello, you can reach me anytime.
Network Solutions Unlimited is a generational managed IT services provider based in Decatur, Illinois, serving businesses and nonprofits with genuine support and decades of trusted relationships. Led by Baily Saulsbery and founded by her father Frank, we're not just your IT provider; we're your neighbors who happen to be really good at technology. Contact us today to experience IT support that actually cares.