The renewal that arrived with twenty-eight questions and a fortnight to answer them.
The questionnaire landed on a Friday. The renewal was due in twelve working days. The finance director forwarded it to the operations manager, who forwarded it to us with a single line in the body: “Can you have a look at this, most of it is gibberish to me.”
It wasn’t gibberish, but a 28-question cyber-insurance proposal form from a mainstream UK insurer, asking the kinds of things insurers were asking in 2022 plus a few they weren’t. MFA (multi-factor authentication, needing a code as well as a password) on all admin accounts. EDR (endpoint detection and response, security software that watches the laptops and tablets people work on) on all endpoints. Offline backups. Privileged access management (PAM, tight controls on who can do admin-level things). Email filtering with link-rewriting. Incident response plan. Tested in the last twelve months.
The client had four of the things on the list, though they thought they had eight. That gap between four and eight was the subject of the conversation we then had with the finance director on the following Monday morning.
The pull-back habit
Three of the gaps had been on a security roadmap we’d written for them eighteen months earlier. Phishing-resistant MFA had been quoted. EDR had been quoted. A Cyber Essentials Plus (CE+, the UK government’s baseline cyber-hygiene certification) renewal, which they’d lapsed the year before, had been quoted.
Each of those quotes had been pulled back at budget review, not rejected outright. The reasoning was always the same and was always reasonable. “We haven’t had a problem.” “The current setup seems to work.” “Let’s revisit in six months.” Six months turned into eighteen. Then the insurance form arrived.
This isn’t a client failing so much as a pattern. Security spend that protects against something that hasn’t happened is some of the easiest to push out a quarter. Penetration testing, where somebody is paid to try to break in so you can find the gaps before an attacker does, gets deferred. CE+ gets deferred. MFA rollout gets deferred to “after the project”. The result of deferral is the same as the result of doing it, until one specific day when somebody asks a specific question and the result is suddenly very different.
What the insurer was really asking
The 28 questions on that form weren’t 28 things the insurer wanted you to have, but 28 things the insurer would price differently based on whether you had them.
If you had MFA on everything: standard premium. If you had MFA on admin accounts but not user accounts: 30-40 per cent uplift. If you had no MFA at all: declined, or a premium so high it became a refusal in effect.
The same shape applied to backups (offline, tested in the last 90 days, restored from successfully, three separate questions), to EDR (deployed, monitored, alerts going somewhere a human reads them), and to email filtering (filtering plus link-rewriting plus impersonation protection, treated as three layers not one).
You could pass the form on paper by being generous with your answers. We’ve seen brokers wave that through. The trouble is, the answers come back to you if there’s a claim. “You said you had MFA on all admin accounts. The breach was via an admin account without MFA. Claim denied.”
So the form isn’t a procurement exercise; it’s a declaration, and the prep work is making sure the declaration is one you can stand behind a year later when somebody’s reading it back to you with an open laptop on the desk.
Twelve working days
We took the twelve working days. We didn’t get the client from four out of twenty-eight to twenty-eight out of twenty-eight, and we never claimed we would. We got them to thirteen on paper, though only four of the new nine were fully implemented in the window; the other five were credibly in flight with a remediation plan we’d put in writing by the time the renewal landed. We had a clear written note against the remaining fifteen explaining what was in flight, what was being deferred, and what wouldn’t be done in this insurance cycle.
The broker, to her credit, took that to underwriting and got the renewal through at a 12 per cent uplift instead of the 60 per cent it would otherwise have been. Underwriters are usually happier with a partial honest answer plus a remediation plan than they are with a perfect-looking form that doesn’t survive a phone call.
Three months later we landed the MFA rollout. Six months later, the EDR. Nine months later, the CE+ certification. None of it had got cheaper; the questionnaire just made it real.
The wider lesson
The insurance form is one trigger of several. The same dynamic shows up when a customer asks for a security questionnaire as part of onboarding. When a regulator changes the rules (cyber-insurance underwriters started asking these questions in earnest from 2024-25 onwards). When a peer firm gets breached and the board gets nervous. When a new contract has a security schedule attached.
In every case the deferred-security work catches up, and the variable is whether it does so on your timetable or somebody else’s.
If you’re going to defer (and sometimes deferral is genuinely the right call), defer with a date in the calendar and a written reason. “Deferred to Q3 2026, accepted as low-likelihood by FD on the basis of current threat profile” is a defensible note; “decided not to do it” is the version that hurts later.
Where this lands with us
This is our Security Solutions practice doing the most useful version of itself: not running a pen test, not deploying a tool, just sitting on a Teams call going through an insurance form line by line and being honest about what each line means.
We do that work as a discrete engagement. A fixed-fee questionnaire review. Two days of our time, a written gap analysis, a short letter you can hand to your broker. It tends to pay for itself many times over in the insurance premium, never mind in the breach that doesn’t happen.
The form arrives on a Friday with the renewal twelve days away, and the cost of getting it wrong isn’t only the premium uplift; it’s a denied claim if you’ve fluffed an answer, a fortnight of unbillable hours pulled off whatever the team was supposed to be doing this month, and a board conversation you didn’t want to have about why nobody was watching the renewal calendar. None of those line up in your favour at the same time. We’d rather have the conversation now than then.
Renewal coming up and the questionnaire’s giving you pause? Drop us a note at info@jmopartners.co.uk. One of us will read it.
JMO|Partners · Enterprise IT, sized for SMEs.