Three years ago a cyber-insurance renewal for an SME looked a lot like a motor renewal. A two-page form, a tick-box section on backups, a premium that moved a few percent either way. We had clients who genuinely didn’t know what their cyber cover paid out for, because nobody had ever needed to find out.

That world is gone. We’ve sat in on around forty renewal conversations across the last eighteen months, some as the IT firm answering the technical sections, some as the people asked to explain why the previous answer wouldn’t fly any more, and the shift has been steady and one-directional. Underwriters have got serious, the questionnaires have got longer, and the answers that were acceptable in 2023 are now the reason a premium doubles or a quote doesn’t come back at all.

Where the questionnaire is now

The current generation of underwriter questionnaires asks about seven or eight technical controls in real detail. The big ones, in roughly the order they cause trouble:

Multi-factor authentication (MFA, a second proof of identity such as an app prompt, one-time code or hardware key as well as a password) on every external service. Email, VPN (virtual private network, the encrypted tunnel staff use to reach office systems from outside), remote desktop, the lot. “Most users” doesn’t pass any more. Underwriters want to know what enforces it, what the exceptions are, and how exceptions get reviewed.

Privileged access separation. Admin accounts shouldn’t be the same accounts people read email with. Two years ago this was a nice-to-have; now it’s a yes/no question with consequences.

Endpoint detection. Traditional antivirus isn’t enough. Underwriters want endpoint or extended detection and response (EDR/XDR, tooling that watches endpoints, and in XDR’s case the network and cloud as well, for suspicious behaviour rather than just known-bad files) or managed detection and response (MDR, that detection and response run around the clock as a service by a security firm, usually on top of EDR/XDR tooling). If the answer is “we have Defender and we hope”, the premium reflects it.

Backups, with a wrinkle. It isn’t enough to have backups; they need to be tested, immutable (stored so that nobody, including an administrator or the ransomware holding that administrator’s credentials, can alter or delete them for a set retention period) or air-gapped (kept on a system the rest of the network can’t reach), and recoverable inside a window the underwriter believes. The wrinkle is the recovery-time question, and it’s a hard one to answer honestly without having done a restore.

Patching cadence. Specifically for internet-facing systems. Underwriters now ask how long it takes between a critical CVE (Common Vulnerabilities and Exposures, the public ID assigned to a specific software flaw) being published and the patch being applied. Anything over fourteen days gets pushed back on.

Email security stack. Domain authentication (SPF, DKIM and DMARC, the three DNS records that let receiving mail servers check your messages are genuine: SPF lists which servers may send for your domain, DKIM signs each message, and DMARC tells receivers what to do with mail that fails those checks and where to send reports), inbound filtering, and now increasingly something that flags impersonation.

Incident response plan. Not just “we have one”, but tested, dated, with contact lists that have been refreshed inside the last twelve months.

The volume isn’t the problem so much as that any of those answers being weak now flows directly into the premium, and a couple of weak answers flowing together gets the renewal declined.

What changed

Two things, mostly. The first is that insurers paid out a lot of money between 2021 and 2024, ransomware claims in particular, and the actuarial side of the house caught up with the marketing side. The second is that there’s now enough public reporting on how breaches actually happen for underwriters to know which controls matter. They’ve stopped asking about firewalls and started asking about MFA enforcement gaps, because that’s what the post-mortem reports keep saying.

The other shift is who’s writing the questionnaires. Three years ago it was an underwriter with a glossary. Now it’s an underwriter with a security advisor on speed-dial, and the questions are good enough that you can tell. We’ve had questionnaires this year that probe for the specific failure mode, “describe how a compromised admin credential would be detected within 24 hours”, rather than the control name, which is a different conversation.

What’s coming next

A few patterns we think are about to become standard, based on what the bigger broker conversations are starting to surface:

Evidence, not attestation. The current model is still mostly “we attest that we do X”. The next model wants screenshots, config exports, or a third-party assessment. For SMEs this is going to be uncomfortable; the answer to “show us your conditional access policy” (the rules in Microsoft Entra ID, the identity service behind Microsoft 365, that decide who can sign in, from which devices and locations, and what they have to present to get in) is a real piece of work if you haven’t documented it.

Continuous validation. A handful of insurers are piloting external scanning that runs through the policy period, not just at renewal. If your perimeter develops a new exposed service in October, the insurer knows in October, and the renewal in March reflects it.

Tiering of MDR providers. Underwriters are starting to differentiate between MDR services. Some get a discount, some don’t move the needle. The “we have an MDR” answer alone isn’t going to be enough by 2027.

AI exposure questions. Brand new this year: a few questionnaires now ask about AI tooling, which models, what data goes into them, and whether prompts can leak customer data. Most SMEs don’t have a clean answer. We expect this to harden fast.

What we see on the ground

The clients who renew smoothly aren’t the ones with the biggest security stack. They’re the ones who treated the questionnaire as a planning document twelve months before the renewal, not a form to fill in three days before.

The ones who get caught out share two patterns. The first is having a control “in principle” but not in evidence: MFA is on, but six executive mailboxes have it disabled because the executives complained. The second is having no view of what their external footprint looks like: a forgotten test VPN on a router that hasn’t been touched in two years, a remote-desktop port left open after a one-off support call in 2022.

Both of those are findable in a morning; they just need somebody to look.
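The “MFA is on, but six executive mailboxes have it disabled” case is found by reading the conditional access policies for who they don’t apply to rather than for what they say. The audit below is an added illustration, not code from the original article or from any vendor tool: it takes a list of users with their group memberships and a set of policies in the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions.users.includeUsers/excludeUsers/includeGroups/excludeGroups, conditions.applications.includeApplications, grantControls.builtInControls and operator, state), and reports every user that no enabled, all-application policy strictly requires MFA for, with the reason. The users, groups, policy names and the VPN application ID are all constructed. A real run would export the policies from Graph and resolve each user’s group membership separately, and policies that express MFA through an authentication strength rather than the `mfa` grant control are not handled.

```python
"""MFA-coverage audit over conditional access policies. Added example, not
from the original article. USERS and POLICIES are constructed; the policy
dicts follow the field names of the Microsoft Graph conditionalAccessPolicy
resource. A real run exports the policies from Graph and resolves group
membership separately; policies built on authenticationStrength rather than
the 'mfa' built-in grant control are not handled here."""

# Constructed directory extract: id, sign-in name, group memberships.
USERS = [
    {"id": "u-ceo", "upn": "ceo@example.com", "groups": ["g-exec"]},
    {"id": "u-admin", "upn": "it-admin@example.com", "groups": ["g-admins"]},
    {"id": "u-staff", "upn": "staff@example.com", "groups": ["g-staff"]},
    {"id": "u-scan", "upn": "svc-scanner@example.com", "groups": []},
]

# Constructed policy export. Each one is a real-world failure mode:
# exclusions "because the executives complained", a report-only policy,
# an app-scoped policy, and an OR grant that lets a compliant device stand in for MFA.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-scan"],
                              "includeGroups": [], "excludeGroups": ["g-exec", "g-admins"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": ["g-admins"], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Executives: MFA for VPN", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": ["g-exec"], "excludeGroups": []},
                    "applications": {"includeApplications": ["app-vpn-0001"]}},  # constructed app id
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Admins: MFA or compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": ["g-admins"], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]


def user_scope(policy: dict, user: dict) -> str:
    """'excluded', 'included' or 'not_included' for this user under this policy.
    Exclusions win over inclusions, as they do in the product."""
    users = policy["conditions"]["users"]
    groups = set(user["groups"])
    if user["id"] in users.get("excludeUsers", []) or groups & set(users.get("excludeGroups", [])):
        return "excluded"
    if ("All" in users.get("includeUsers", []) or user["id"] in users.get("includeUsers", [])
            or groups & set(users.get("includeGroups", []))):
        return "included"
    return "not_included"


def audit_mfa_coverage(users: list[dict], policies: list[dict]) -> dict[str, dict]:
    """Map each UPN to {'covered': bool, 'notes': [why a relevant policy did not cover them]}."""
    results = {}
    for user in users:
        covered, notes = False, []
        for policy in policies:
            grant = policy.get("grantControls") or {}
            controls = grant.get("builtInControls", [])
            if "mfa" not in controls:
                continue  # policy does not concern MFA at all
            scope = user_scope(policy, user)
            if scope == "not_included":
                continue
            name = policy["displayName"]
            apps = policy["conditions"]["applications"].get("includeApplications", [])
            if scope == "excluded":
                notes.append(f"excluded from '{name}'")
            elif policy.get("state") != "enabled":
                notes.append(f"'{name}' is {policy.get('state')}, not enforced")
            elif len(controls) > 1 and grant.get("operator") != "AND":
                others = ", ".join(c for c in controls if c != "mfa")
                notes.append(f"'{name}' accepts {others} instead of MFA (operator OR)")
            elif "All" not in apps:
                notes.append(f"'{name}' covers only app(s) {', '.join(apps)}")
            else:
                covered = True  # an enabled, strict, all-application MFA policy applies
                break
        results[user["upn"]] = {"covered": covered, "notes": notes}
    return results


def uncovered(results: dict[str, dict]) -> list[str]:
    """The list to put in front of the underwriter before they find it themselves."""
    return [upn for upn, r in results.items() if not r["covered"]]


if __name__ == "__main__":
    report = audit_mfa_coverage(USERS, POLICIES)
    for upn, r in report.items():
        print(f"{upn}: {'covered' if r['covered'] else 'NOT COVERED'}")
        for note in r["notes"]:
            print(f"    - {note}")
```

On the constructed data only the ordinary staff account comes back covered. The executive is excluded from the tenant-wide policy and only has MFA on the VPN application, the admin is excluded from it too and the two policies aimed at admins are respectively report-only and satisfied by a compliant device without MFA, and the service account is simply excluded. Each of those is a true answer to “what enforces it and what are the exceptions”, which is the question the form now asks.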

Practical implication for SMEs

If your renewal is more than three months out, treat the questionnaire as a project, not an admin task. Pull last year’s answers, walk through each one with somebody who knows what current underwriters expect, and triage. The expensive failures aren’t in the questions you got wrong; they’re in the questions where the honest answer is “we don’t know”.

If renewal is sooner than that, the priority is reducing surprises. An external footprint scan, an MFA-coverage audit, and a fresh look at the backup-restore answer will catch most of what’s about to embarrass somebody.

That’s our Security Solutions practice. We sit on the technical side of the renewal conversation, help with the questionnaire, and close the gaps that would otherwise show up as a premium hike or a declined quote.

The clients who leave this until the last fortnight end up with the worst of both outcomes: a premium that’s gone up because the answers are weak, and no time to fix the answers before the policy expires. A declined renewal is harder to come back from than a higher one, because the next broker wants to know why the last one walked away. Three months of preparation is the difference between renewing on your terms and renewing on the underwriter’s, and the clock is the part of this you can’t buy back.


Renewal coming up and the questionnaire looks different to last year’s? Drop us a note at info@jmopartners.co.uk. One of us will read it.

JMO|Partners · Enterprise IT, sized for SMEs.