Article 3 · Renewal application
Application cheat sheet — answer honestly, score well.
The 2026 cyber insurance application is structurally different from the 2024 version. Seven core questions. Evidence expected for each one. The gap between “yes” on the form and actual posture is where carriers deny claims in 2026 — and where owners and brokers leave premium savings on the table at renewal.
This piece walks through each of the 7 questions, what the carrier is actually checking for, and a sample defensible answer. Then a 6-step prep plan covering the 60 days before renewal.
The application
The 7 questions on a 2026 cyber application
Specific wording varies by carrier. Coalition, At-Bay, and Resilience use longer guided submissions; Chubb, AIG, and Travelers use traditional PDF forms. The seven questions below appear on essentially every 2026 application in some form.
Do you require MFA on all admin accounts?
What carriers are checking: The carrier wants evidence — a screenshot or CSV export from your identity provider showing MFA enforcement is on for admin accounts. "Yes" attestation without evidence is now scored as a soft denial trigger. A clean answer attaches a Microsoft Entra Conditional Access policy export, an Okta admin policy screenshot, or a Google Workspace 2-step verification report covering all admins.
Sample defensible answer
Yes. MFA is enforced via Conditional Access policy on all Microsoft Entra admin roles (Global Admin, Security Admin, Exchange Admin, SharePoint Admin, Compliance Admin) plus all service-principal admin equivalents. Evidence: attached Conditional Access policy export dated [DATE]. All 14 admin accounts covered, 0 exceptions.
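The "14 admin accounts covered, 0 exceptions" line above is only defensible if someone actually reconciled the privileged-role export against the MFA enforcement report. The script below is an added illustration of that reconciliation, not code from the article or from any identity provider: it takes two CSV exports (the column names `upn`, `role`, `mfa_enforced`, `methods` are assumptions; real exports will differ), treats any admin missing from the MFA report as uncovered rather than silently skipping them, and produces the exact coverage sentence and exception list that go into the evidence packet. The rows are constructed sample data.

```python
"""Reconcile an admin-role export against an MFA enforcement export.

Added example (not from the article): produces the 'N of N admin accounts
covered, K exceptions' statement a carrier expects, plus the exception list.
Column names are assumptions; the CSV rows are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample: one row per (account, privileged role) assignment.
ADMIN_ROLES_CSV = """upn,role
alice@example.com,Global Administrator
alice@example.com,Security Administrator
bob@example.com,Exchange Administrator
carol@example.com,SharePoint Administrator
dave@example.com,Compliance Administrator
erin@example.com,Global Administrator
"""

# Constructed sample: one row per account from the MFA enforcement report.
# Note erin@ is absent entirely and carol@ is present but not enforced.
MFA_STATUS_CSV = """upn,mfa_enforced,methods
alice@example.com,true,FIDO2;Authenticator
bob@example.com,true,Authenticator
carol@example.com,false,
dave@example.com,true,SMS
"""


@dataclass
class CoverageReport:
    total_admins: int
    covered: list
    exceptions: dict            # upn -> reason it is not counted as covered
    roles: dict = field(default_factory=dict)

    @property
    def coverage_pct(self) -> float:
        if not self.total_admins:
            return 0.0
        return 100.0 * len(self.covered) / self.total_admins

    def summary(self) -> str:
        return (f"{len(self.covered)} of {self.total_admins} admin accounts covered "
                f"({self.coverage_pct:.1f}%), {len(self.exceptions)} exceptions")


def parse_admin_roles(text: str) -> dict:
    """Map each admin UPN to the list of privileged roles it holds."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        upn = row["upn"].strip().lower()
        roles.setdefault(upn, []).append(row["role"].strip())
    return roles


def parse_mfa_status(text: str) -> dict:
    """Map each UPN in the MFA report to True/False enforcement state."""
    status = {}
    for row in csv.DictReader(io.StringIO(text)):
        status[row["upn"].strip().lower()] = row["mfa_enforced"].strip().lower() == "true"
    return status


def check_admin_mfa(roles_csv: str, mfa_csv: str) -> CoverageReport:
    """Every unique admin must appear in the MFA report with enforcement on.

    An admin absent from the MFA report has no evidence and is therefore an
    exception, not a pass; that is the reconciliation gap most self-audits miss.
    """
    roles = parse_admin_roles(roles_csv)
    mfa = parse_mfa_status(mfa_csv)
    covered, exceptions = [], {}
    for upn in sorted(roles):
        if upn not in mfa:
            exceptions[upn] = "not present in MFA report (no evidence; counted as uncovered)"
        elif not mfa[upn]:
            exceptions[upn] = "MFA not enforced"
        else:
            covered.append(upn)
    return CoverageReport(len(roles), covered, exceptions, roles)


if __name__ == "__main__":
    report = check_admin_mfa(ADMIN_ROLES_CSV, MFA_STATUS_CSV)
    print(report.summary())
    for upn, reason in report.exceptions.items():
        print(f"  EXCEPTION {upn} ({', '.join(report.roles[upn])}): {reason}")
```

Run against real exports, the application answer is whatever `summary()` prints, and each line of the exception list becomes either a remediation item before submission or a disclosed qualifier on the form.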
Do you have endpoint detection and response (EDR) deployed?
What carriers are checking: Naming the product matters. CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint Plan 2, Sophos Intercept X, Palo Alto Cortex XDR, Trellix Endpoint Security — these score as tier-1 EDR. Webroot, McAfee Total Protection, AVG Business, Bitdefender Antivirus (consumer SKU) no longer count as EDR in 2026 underwriting. Carriers will ask for the product name, the deployment percentage, and the management console screenshot.
Sample defensible answer
Yes. CrowdStrike Falcon Pro deployed on 247 of 251 managed endpoints (98.4% coverage). Remaining 4 endpoints are warehouse scanners not connected to the corporate network. EDR managed by EFROS as our 24/7 SOC partner with a 15-minute response SLA on critical detections. Evidence: attached Falcon console screenshot dated [DATE].
Do you have offline / immutable backups tested within 30 days?
What carriers are checking: Carriers want restore-test logs, not just backup-existence proof. The control that matters in a ransomware scenario is the ability to recover, not the backup itself. A clean answer attaches a restore test log showing a specific file system or database restored to a clean environment in the last 30 days, with a documented restore time objective (RTO) actually met.
Sample defensible answer
Yes. Backups via Veeam to an immutable AWS S3 bucket (Object Lock, 90-day retention). Restore test performed [DATE], restoring SQL Server production database to isolated VPC in 47 minutes (RTO target: 4 hours). Evidence: attached restore-test runbook with timestamped log and screenshot of restored database query.
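Before a restore-test log goes into the appendix, someone should confirm it actually supports the three claims the carrier reads it for: the restore completed, it completed within the stated RTO, and it happened within the last 30 days of the application date. The checker below is an added example, not code from the article or from Veeam: the log format (timestamped `RESTORE START` / `RESTORE COMPLETE` / `VERIFY` lines with `key=value` fields) is an assumption standing in for whatever your backup tool emits, and the log lines are constructed so that the restore takes 47 minutes against a 4-hour RTO.

```python
"""Validate a restore-test log against the criteria carriers apply.

Added example (not from the article or any backup vendor). The log line
format is assumed; the sample log is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample log: SQL restore into an isolated environment, then a
# verification query against the restored copy.
RESTORE_LOG = """\
2026-03-02T01:05:12Z RESTORE START job=sqlprod-restore target=isolated-vpc-restore-01
2026-03-02T01:31:09Z RESTORE PROGRESS job=sqlprod-restore pct=55
2026-03-02T01:52:40Z RESTORE COMPLETE job=sqlprod-restore status=success
2026-03-02T01:53:01Z VERIFY job=sqlprod-restore query=select_count ok=true rows=18422117
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<event>RESTORE START|RESTORE PROGRESS|RESTORE COMPLETE|VERIFY)\s+(?P<kv>.*)$"
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_kv(s: str) -> dict:
    return dict(tok.split("=", 1) for tok in s.split() if "=" in tok)


@dataclass
class RestoreEvidence:
    job: str
    rto_hours: float
    as_of: datetime                     # application date the 30-day window is measured from
    started: Optional[datetime] = None
    completed: Optional[datetime] = None
    verified: bool = False
    max_age_days: int = 30
    findings: list = field(default_factory=list)

    @property
    def elapsed_seconds(self) -> Optional[int]:
        if self.started and self.completed:
            return int((self.completed - self.started).total_seconds())
        return None

    def evaluate(self) -> "RestoreEvidence":
        """Populate findings; an empty list means the log is defensible as evidence."""
        self.findings = []
        if self.started is None or self.completed is None:
            self.findings.append("no START/COMPLETE pair for job; restore not shown to finish")
            return self
        if self.elapsed_seconds > self.rto_hours * 3600:
            self.findings.append(f"restore took {self.elapsed_seconds}s, exceeds RTO of {self.rto_hours}h")
        if self.as_of - self.completed > timedelta(days=self.max_age_days):
            self.findings.append(f"restore completed more than {self.max_age_days} days before application date")
        if not self.verified:
            self.findings.append("no successful verification of the restored data recorded")
        return self

    @property
    def defensible(self) -> bool:
        return not self.findings


def assess_restore_log(log: str, job: str, rto_hours: float, as_of: str) -> RestoreEvidence:
    """Walk the log for one job and evaluate it against RTO, recency and verification."""
    ev = RestoreEvidence(job=job, rto_hours=rto_hours, as_of=parse_ts(as_of))
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # ignore unrelated or malformed lines
        kv = parse_kv(m.group("kv"))
        if kv.get("job") != job:
            continue
        ts = parse_ts(m.group("ts"))
        event = m.group("event")
        if event == "RESTORE START":
            ev.started = ts
        elif event == "RESTORE COMPLETE" and kv.get("status") == "success":
            ev.completed = ts
        elif event == "VERIFY" and kv.get("ok") == "true":
            ev.verified = True
    return ev.evaluate()


if __name__ == "__main__":
    ev = assess_restore_log(RESTORE_LOG, "sqlprod-restore", rto_hours=4, as_of="2026-03-20T00:00:00Z")
    print(f"elapsed={ev.elapsed_seconds}s defensible={ev.defensible} findings={ev.findings}")
```

The `as_of` date matters: the same log that is clean evidence for a March submission is stale for a May one, which is why the prep plan later in this article puts the restore test inside the 60-day window rather than reusing last year's.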
Do you have a 24/7 SOC?
What carriers are checking: In-house OR contracted MSSP both count. The carrier is checking whether someone is watching the EDR + SIEM + identity logs after business hours, on weekends, and on the federal holidays when threat actors deliberately deploy ransomware. Contract terms matter — a vendor that only responds during business hours doesn't score as 24/7. The carrier will ask for the SOC vendor name, the SLA, and the named incident response coordinator.
Sample defensible answer
Yes. 24/7 SOC services contracted with EFROS, covering EDR detection triage, identity anomaly review, and on-call incident response. SLA: 15 minutes acknowledgment on critical detection severity, 60 minutes for high. Annual cost: $[X]. SOC coordinator: [NAME]. Evidence: attached SOC services agreement, redacted for pricing.
Have you had a cyber incident in the past 24 months?
What carriers are checking: Carriers cross-check against state breach notification registries (most US states publish breach notifications publicly, searchable), IRS Form 8038 financial-loss disclosures, SEC 8-K filings, federal cyber incident reporting registries, and emerging underwriting databases. Omitting a known incident is the #1 cause of claim denial via material misrepresentation. Disclose everything — including near-misses you investigated and concluded were not breaches — and let the underwriter ask follow-up questions.
Sample defensible answer
Yes — one incident in past 24 months. Date: [DATE]. Incident type: business email compromise affecting one employee mailbox. Detected: via Microsoft Entra anomalous sign-in alert. Containment: account locked, password reset, MFA re-registered, mailbox audited for forwarding rules. Data exposure: none confirmed via forensic review. Notification: state notification not required (no PHI/PII confirmed disclosed). Remediation: rolled out organization-wide MFA on all user accounts in 30 days, completed [DATE]. Forensic report available under NDA.
Do you use AI tools that process customer data?
What carriers are checking: Enumeration required, not yes/no. The carrier wants a list of the AI tools, the data categories each processes, and whether each tool is contracted under a BAA (for healthcare) or DPA (for other regulated data). "We don't really use AI" is a red flag answer in 2026 because the carrier knows you almost certainly do — Microsoft 365 Copilot, Google Workspace Gemini, Salesforce Einstein, Slack AI, ChatGPT Enterprise, Claude for Work, and embedded AI features in 50+ SaaS products are all in scope.
Sample defensible answer
Yes. AI tools currently in use with customer-data exposure: (1) Microsoft 365 Copilot — productivity suite, processes M365 tenant content under our M365 E5 BAA; (2) ChatGPT Enterprise — processes customer support transcripts under our OpenAI Enterprise BAA with Zero Data Retention enabled; (3) Salesforce Einstein — embedded in our CRM, processes customer records under our Salesforce DPA. Consumer ChatGPT, Notion AI, and Perplexity are blocked at the identity layer via Microsoft Entra Conditional Access. Evidence: attached AI inventory dated [DATE].
Do you have a documented incident response plan?
What carriers are checking: Carriers want the document, not just "yes." A 2026-acceptable IR plan is typically 4-12 pages and names: the IR coordinator, the on-retainer IR firm, escalation thresholds, regulator contact information for each US state where you have customers, the breach notification timelines per state, the carrier claim hotline, the cyber broker contact, and the executive escalation chain. A two-paragraph blurb in the employee handbook does not satisfy.
Sample defensible answer
Yes. Incident Response Plan v3.2 dated [DATE], 9 pages. IR coordinator: [NAME, TITLE]. On-retainer IR firm: EFROS (signed retainer dated [DATE], 4-hour engagement SLA). Plan includes: escalation thresholds by severity, breach notification timelines for the 18 US states where we have customers, OCR contact for HIPAA notifications, state AG contact list, FBI IC3 reporting workflow, carrier claim hotline ([CARRIER]), broker contact ([BROKER]), executive escalation chain. Evidence: full plan PDF available under standard application confidentiality.
The honest-answer framework
How to answer honestly without scoring yourself out of coverage
The honest application answer has three components: the binary answer (yes / no / partial), the qualifier (the scope, the percentage, the exception), and the remediation commitment (if not at full coverage today, when you will be). Carriers underwrite the qualifier and the remediation commitment, not just the binary answer.
Example: “MFA on all users? Partial — 87% of users have MFA enforced, remaining 13% are operations staff being migrated from a legacy directory by [DATE], targeting 100% by [DATE + 45 days].” This answer is honest, specific, and defensible. It prices roughly the same as “yes, 100%” in the current market because the carrier sees a competent operator with a documented plan.
The wrong move is to round “87%” up to “yes” on the application. If a credential compromise claim happens through one of the 13% of unprotected accounts, the application answer is now material misrepresentation and the claim is denied. The premium savings from the rounded answer (typically 0-5%) is dwarfed by the claim denial risk.
The improve-don't-lie play
What to do if you're missing a control 60 days before renewal
60 days is plenty of time to materially improve posture before the application is due. The four moves with the highest ROI on both premium and claim defensibility:
- Deploy MFA broadly — Microsoft Entra, Google Workspace, and Okta can roll out MFA to all users within 1-2 weeks if planned. Capture the policy export as evidence.
- Swap legacy AV for tier-1 EDR — CrowdStrike, SentinelOne, and Defender for Endpoint P2 can be deployed to full fleet within 2-3 weeks via existing endpoint management tools. Take a console screenshot as evidence.
- Run an offline backup restore test — Schedule the test, document the runbook, restore one meaningful workload to an isolated environment, and capture the log. Most organizations can complete this within one business week.
- Write a 4-12 page IR plan — Name the coordinator, list the IR vendor on retainer, document escalation thresholds and state breach notification timelines. EFROS and most MSSPs can provide a template adapted to your business in 1-2 weeks.
These four moves together typically reduce renewal premium by 10-25% versus the same business going in without them — and materially improve the claim defensibility of every answer on the application.
60-day renewal prep
From audit to clean submission in 60 days
The six phases. Each one produces a specific artifact for the application file. Run sequentially or in parallel where dependencies allow.
Pull the prior-year application and self-audit
Pull last year's submitted application from your binder. Read every answer. Mark each one as "still true with evidence," "still true but evidence is stale," or "no longer true." The gap between last year's attestations and current state is your remediation list.
Close the easy gaps
Deploy MFA broadly if it's not already. Run a restore test from your offline backups and capture the log. Rip out legacy AV and deploy tier-1 EDR (CrowdStrike, SentinelOne, Defender for Endpoint P2). Write or refresh the IR plan to 4-12 pages with named contacts. These four moves cover most application red flags.
Build the AI inventory
Enumerate every AI tool with customer-data exposure. For each one, document the data categories processed, the BAA/DPA status, and the access-control posture (who can use it, is consumer-tier blocked). Block unauthorized AI at the identity layer (Microsoft Entra Conditional Access, Okta policy, Google Workspace context-aware access).
Compile evidence packets
For each application question, prepare the evidence the carrier expects — Conditional Access export, EDR console screenshot, restore-test log, SOC services agreement, AI inventory, IR plan PDF. Package as a single submission appendix the broker can send with the application. Clean submissions price 5-15% better than thin submissions on identical risk profiles.
Walk through the application with the broker line by line
Schedule 60-90 minutes with your broker. Read every question. Cross-reference each answer to the evidence. The goal is zero answers that are technically true but materially misleading. The broker is also liable for misrepresentation and will push back on weak answers — let them.
Submit clean and ask for written carrier answers on AI clause
Submit the application with the evidence appendix. Ask the broker to get the carrier's written interpretation of the AI exclusion in the binder file (see the AI Clause Decoder article in this hub). Get the IR panel list. Read the policy schedule before binding — the schedule is where the sub-limits, deductibles, and exclusions actually live.
FAQ
Application accuracy — the questions owners ask
What if we're missing a control 60 days before renewal — should we lie on the application and fix it later?
No. Improve, don't lie. 60 days is enough time to deploy MFA, swap EDR, run a restore test, and write an IR plan. The premium delta between attesting to good controls (and having them) versus attesting to controls you don't have and getting denied at claim is on the order of millions of dollars. Spend the 60 days on improvement; the application accuracy follows automatically.
How much does an honest 'no' answer to one application question hurt the premium?
Less than you'd think for a single gap, and more than you'd think for multiple. A clean application with one honest gap (e.g., "MFA on admins yes, all users no, deploying within 90 days") typically prices within 5-10% of perfect. Three or more gaps stack into the high-risk class with 40%+ premium increases. The single-gap honest answer is almost always the right move.
Our broker fills out the application — am I still on the hook if a control is misstated?
Yes. The application is signed by an officer of the insured organization (usually CEO, CFO, or General Counsel). Signature certifies the accuracy of the application regardless of who filled out the form. Brokers can help interpret questions but cannot transfer signature liability. Read every answer before signing.
What if we don't know the answer to a technical question — for example, our managed IT provider runs the SOC and we don't have direct visibility?
Get the answer from the provider in writing before signing. "We think yes, but our IT provider would know" is not a defensible application answer. If the SOC is contracted to a managed service provider, they should provide a documented attestation of services and SLA terms for your application file. Most reputable MSSPs have a standard one-page attestation document for exactly this purpose.
Three ways to get ready before renewal
Quantify what an incident would cost, run the 5-minute readiness benchmark, or book a 20-minute call where we walk through your application question by question.