Cyber insurance

The cyber insurance renewal checklist for boards

A board-level checklist for the weeks before a cyber insurance renewal: the controls underwriters now require, the evidence to gather, and the questions leadership should confirm before anyone signs the questionnaire.

By the Threat Protect editorial team · 8 min read · Updated 9 June 2026

Cyber insurance has shifted from a price conversation to an evidence conversation. Underwriters no longer take a "yes" at face value: they want documented proof that the controls are real, and they can decline a claim, or avoid the policy altogether, if the renewal questionnaire turns out to have overstated reality. That makes the questionnaire a board-level document, not an IT chore. This checklist sets out what leadership should confirm in the sixty to ninety days before renewal.

Why the board should care about a form

The renewal questionnaire is a legal declaration. Under the Insurance Act 2015 the company owes the insurer a duty of fair presentation of the risk, and a material misstatement, such as confirming company-wide multi-factor authentication that is in fact only partial, gives the insurer remedies at the point of claim: if the breach was deliberate or reckless, avoidance of the policy; otherwise, whatever terms or premium it would have applied had it known the truth, which can still mean a reduced or declined claim. The downside is asymmetric: a wrong answer saves nothing now and can cost the company everything later.

Because the consequence lands on the company and its partners, someone senior needs to have read and stood behind the answers. The most common failure is leaving the form entirely to IT, who answer the technical questions accurately but have no visibility of, or authority over, the business commitments the form also contains.

The five controls underwriters now expect

Across UK underwriters, five controls drive both premium and whether cover is offered at all. Confirm each is genuinely in place, not aspirationally so:

  • Multi-factor authentication, enforced for all privileged accounts, all remote access and all email, with phishing-resistant methods preferred and exceptions documented.
  • Endpoint detection and response (EDR) across workstations, servers and mobile, with someone actually watching and triaging the alerts.
  • Immutable, isolated backups that have been restore-tested in the last twelve months. Untested backups do not count.
  • An incident response plan that names the first actions in the first hour and has been exercised, or a retainer with a named provider.
  • Supplier risk management: a register classified by criticality, with controls evidence for the critical tier.

A clean, evidenced answer on these five is usually the difference between a flat renewal and a double-digit increase or an exclusion.

The evidence pack to assemble

Underwriters increasingly read the evidence before the questionnaire. A short, well-organised pack is worth more than a long form. Gather:

  • A conditional access export showing which users require MFA and how exceptions are handled.
  • An EDR coverage report plus a sample of triaged alerts from the last quarter.
  • A backup configuration showing immutability, and a restore-test record.
  • The incident response plan and the date of the last tabletop exercise.
  • A few real rows of the supplier register, with criticality and last review date.

If gathering this pack surfaces a gap, and it usually surfaces at least one, that gap is a finding to fix, not a line to fudge.
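Before anyone ticks "yes" on the MFA line, the answer should be computed from the export rather than recalled from memory. The script below is an added example, not code from the article or from any identity provider; it reconciles a constructed authentication-methods export (the column names, method names and the set treated as phishing-resistant are assumptions to be mapped onto your provider's real export) against the three scopes underwriters name, separates documented exceptions from undocumented gaps, and produces the honest questionnaire answer per scope.

```python
"""Reconcile an authentication-methods export against the MFA claim
before the questionnaire is signed.

Added example, not from the original article. Column and method names,
and the phishing-resistant set, are assumptions; map them to the export
your identity provider actually produces.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export (not real data). Service accounts and stale
# exceptions are the usual places a "company-wide MFA" claim falls over.
SAMPLE_EXPORT = """\
user,privileged,remote_access,mailbox,mfa_method,exception_ref
alice,yes,yes,yes,fido2,
bob,yes,no,yes,authenticator,
carol,no,yes,yes,sms,
dave,no,yes,yes,none,CHG-2050
erin,yes,yes,yes,none,CHG-2041
frank,no,no,yes,none,
svc-backup,yes,no,no,none,
"""

# Assumption: these methods count as phishing-resistant for underwriters.
PHISHING_RESISTANT = {"fido2", "webauthn", "certificate"}

# The three scopes the questionnaire asks about, mapped to export columns.
SCOPES = {
    "privileged accounts": "privileged",
    "remote access": "remote_access",
    "email": "mailbox",
}


@dataclass
class ScopeResult:
    in_scope: int = 0
    enforced: int = 0
    phishing_resistant: int = 0
    documented_exceptions: list = field(default_factory=list)
    undocumented_gaps: list = field(default_factory=list)

    @property
    def honest_answer(self) -> str:
        """What the questionnaire can truthfully say for this scope."""
        if self.undocumented_gaps:
            return "No"
        if self.documented_exceptions:
            return "Yes, with documented exceptions"
        return "Yes"


def reconcile(export_csv: str) -> dict:
    """Count MFA coverage per scope; an account with no MFA is either a
    documented exception (has a reference) or an undocumented gap."""
    results = {name: ScopeResult() for name in SCOPES}
    for row in csv.DictReader(io.StringIO(export_csv)):
        method = row["mfa_method"].strip().lower()
        has_mfa = method not in ("", "none")
        for name, column in SCOPES.items():
            if row[column].strip().lower() != "yes":
                continue
            r = results[name]
            r.in_scope += 1
            if has_mfa:
                r.enforced += 1
                if method in PHISHING_RESISTANT:
                    r.phishing_resistant += 1
            elif row["exception_ref"].strip():
                r.documented_exceptions.append((row["user"], row["exception_ref"]))
            else:
                r.undocumented_gaps.append(row["user"])
    return results


def report(results: dict) -> str:
    """Render the evidence-pack summary, flagging gaps to fix before signing."""
    lines = []
    for name, r in results.items():
        pct = 100 * r.enforced / r.in_scope if r.in_scope else 0
        lines.append(
            f"{name}: {r.enforced}/{r.in_scope} enforced ({pct:.0f}%), "
            f"{r.phishing_resistant} phishing-resistant, "
            f"{len(r.documented_exceptions)} documented exceptions, "
            f"{len(r.undocumented_gaps)} undocumented gaps "
            f"-> questionnaire answer: {r.honest_answer}"
        )
        for user in r.undocumented_gaps:
            lines.append(f"  FIX BEFORE SIGNING: {user} has no MFA and no exception record")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(SAMPLE_EXPORT)))
```

Run against the constructed export, the privileged and email scopes come back "No" (a service account and a standard mailbox with no MFA and no exception record), while remote access comes back "Yes, with documented exceptions". Those two "No" answers are exactly the findings the paragraph above says to fix rather than fudge, and the same output, re-run against the live export, is the evidence to file with the pack.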

The renewal calendar

  • T-minus 90 days: start the questionnaire, review last year's answers and confirm what has changed.
  • T-minus 75: gather the evidence pack.
  • T-minus 60: brief the broker and decide whether to shop the market.
  • T-minus 45: markets quoting and asking follow-ups.
  • T-minus 21: quotes back, decision made.
  • T-minus 14: terms bound and wording reviewed.

Compressing this into four weeks is how companies end up renewing by default at the incumbent's terms.

How this connects to the rest of the programme

The questionnaire is the most useful annual security review most companies get for free. The gaps it exposes belong on the company's improvement roadmap, and the evidence it requires is exactly what continuous compliance keeps current year-round, so next year's renewal is a quick export rather than a scramble. For a line-by-line read of the questions themselves, see what insurers are asking in 2026.

Note that we help companies meet and evidence the controls insurers require; we do not broker insurance or advise on policy terms, which stays with your broker. If you would like the board-level checklist as a single page, send a note. To talk through a specific renewal, book a 30-minute call and bring the questionnaire.

Frequently asked

Questions readers ask before getting in touch.

  • Three things: that every answer on the questionnaire is true and evidenced, that the controls the insurer requires (MFA, EDR, tested immutable backups, an incident response plan and supplier risk management) are genuinely in place, and that someone senior has read the questionnaire rather than leaving it to IT to complete unsupervised. An inaccurate answer can void cover at the moment of claim.

Talk to us

Want to talk through how this applies to your company?

A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.