Cyber Insurance Questionnaires: What to Do When the Answer Isn't Yes
- Johnnie L. Johnson III

- May 18
A practical guide for small organizations and nonprofits.
For many small organizations, the cyber insurance questionnaire is the first time security shows up as a hard requirement rather than an abstract concern. The questions are technical, the stakes feel real — your premium, your renewal, your coverage — and the temptation is obvious: check "yes" wherever possible and move on.
This is a post about why that temptation is a trap, and what to do instead.
Why accurate answers protect you more than clean ones
Carriers underwrite cyber insurance based on the answers you give. They also verify those answers — and they're getting better at it.
The verification doesn't always happen up front. Some of it does. Carriers may scan your perimeter, check public-facing services, or pull external risk signals. But the more thorough review tends to come after an incident. When a claim gets filed, the carrier looks at what you said you had in place — and compares it to what was actually there.
If those don't match, the claim gets harder. Sometimes it gets denied entirely. Sometimes the policy gets rescinded. Either way, the organization that filed a clean-looking application ends up worse off than the one that filed an accurate one.
The underlying dynamic is simple. Carriers price risk, not perfection. They'd rather underwrite an accurate organization with a plan than a polished one with hidden gaps. Their entire business model assumes some claims will happen. What undermines that model is when an applicant misrepresents what they had in place when the policy was issued.
What an accurate answer actually looks like
Most cyber questionnaires give you three options, even when only two appear on the form: yes, no, and partial.
"Partial" doesn't always show up as a literal checkbox. Sometimes it's a comments field next to a yes/no question. Sometimes you have to write it in by hand. But almost every meaningful security control has edges — places where the implementation is real but not universal.
A few common examples:
Multi-factor authentication (MFA). Most organizations have it on email and admin accounts. Many don't have it on legacy systems, contractor accounts, or backup admin tools. "Yes" overstates. "No" understates. "Partial — covers email, admin, and primary SaaS; remaining systems on roadmap" is accurate.
Backup testing. A lot of organizations run backups. Far fewer test restores on a regular cadence. "Yes, we test backups" — when nobody's actually performed a restore in a year — is a common overstatement.
Endpoint detection and response (EDR). Many organizations have antivirus software. Fewer have EDR, which is a different category of tool. Marking "yes" to EDR when what you actually have is antivirus is a misrepresentation that's easy to spot in a post-incident review.
Security awareness training. A platform subscription with low engagement isn't the same as an active program. If your training is "we cover it in onboarding and send occasional reminders," that's a partial.
Use the comments field where the form gives you one. If it doesn't, attach a short cover note. Carriers generally welcome the context.
The plan that should accompany partial answers
A "partial" with a real plan beats a "yes" the carrier can't verify. But it has to be a real plan.
A real plan has three things: a date, a scope, and an owner. "We're working on MFA" isn't a plan. "MFA coverage: deployed on admin and email accounts; full deployment to general users targeted by end of Q3, owned by IT lead, with budget approved" is a plan.
Carriers respond to this for the same reason any underwriter does: it tells them you understand your own risk. An organization that knows where it's exposed and has a credible path to closing the gap is a better insurance risk than one that claims everything is in place.
That doesn't always preserve the cheapest premium. Sometimes it costs a few percentage points on the rate. What it almost always does is preserve the coverage when you need it.
What to do if you've already overstated
This is the most common situation, and it's usually quietly stressful.
Maybe last year's questionnaire was filled out under time pressure. Maybe someone said "yes" to MFA because it was true for their account. Maybe the questionnaire was technical enough that the person filling it out wasn't sure what some terms meant.
The right move at renewal is to correct it. That doesn't mean leading with a confession. It means treating the renewal as a fresh assessment: answer the current questions accurately, note where things have changed (or where last year's answer was optimistic), and attach a plan for the gaps.
This is uncomfortable. It's also better than the alternative, which is finding out at claim time that the discrepancy invalidates your coverage. Carriers tend to be far more receptive to organizations that correct their own posture than to ones that doubled down on a misrepresentation across multiple renewals.
The bigger picture
Step back from the form for a minute.
A cyber insurance questionnaire is one of several places where someone outside your organization is asking the same underlying question: do you know what you're protecting, and can you describe it clearly?
Funder requirements, client audits, contract clauses, vendor assessments — they all ask versions of this. The format changes. The underlying expectation doesn't.
The organizations that handle these well aren't the ones with the most controls. They're the ones who can describe their security posture accurately, in language that fits the specific audience, with a credible plan for what they don't yet have. That clarity is the actual product. Everything else — the questionnaire format, the rating tier, the contract clause — is a translation.
Build the picture once. Translate as the moment requires.
A practical starting point
If you're looking at a cyber insurance renewal in the next quarter, here's a useful order of operations:
Pull last year's questionnaire and your current answers.
Mark each answer accurately — yes, partial, or no — based on what's in place today.
For each "partial" or "no," note whether closing the gap is realistic before renewal. If not, write a credible plan: scope, date, owner.
Address what you can. Document what you can't with a real plan. Submit accurate answers.
That sequence rarely gets you the cheapest possible premium. It almost always gets you a policy you can rely on — and a clearer view of your own security than you had before.
If working through that picture alongside someone would be useful, that's the kind of conversation LockFort is built to have. No commitment required to start one.