Cyber insurance applications have become more detailed because insurers want evidence that basic controls are actually in place. For small businesses, the hard part is often not the technology itself. It is proving who owns each control and whether it is working.
1. Multi-factor authentication
Confirm MFA is enabled for email, remote access, admin portals, accounting tools, and any system that stores sensitive customer or employee data. Pay special attention to administrator accounts and shared accounts.
2. Endpoint protection and patching
Insurers may ask whether computers and servers have managed antivirus or EDR, whether alerts are reviewed, and how quickly critical patches are applied. Keep an inventory of devices so unmanaged laptops do not slip through.
3. Backup design and restore testing
A backup is not insurance unless recovery has been tested. Document what is backed up, how often it runs, who receives failures, and when the last restore test was completed.
4. Email security
Review spam filtering, phishing protection, mailbox forwarding rules, SPF, DKIM, and DMARC. Domain authentication is especially important because spoofing and business email compromise remain common claim drivers.
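To make the domain-authentication question concrete, here is an added example (not from the article) that assesses SPF and DMARC records the way an insurance reviewer would, run over constructed records for fictitious domains; in practice you would feed it the TXT records a resolver returns for the domain and for _dmarc.<domain>. DKIM is left out because its selector names vary per sending service.

```python
import re

# Constructed sample TXT records for fictitious domains, in the shape a resolver
# returns for <domain> (SPF) and _dmarc.<domain> (DMARC). None means no record.
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.example.net +all", "v=DMARC1; p=none"),
    "partial.example": ("v=spf1 ip4:192.0.2.0/24 ~all",
                        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example"),
    "strict.example": ("v=spf1 include:_spf.example.net -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
    "unprotected.example": (None, None),
}

def spf_all_qualifier(txt):
    """Qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'); None if no SPF record."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt, re.IGNORECASE)
    return (m.group(1) or "+") if m else "?"  # no 'all' term: unlisted senders get neutral

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags; None if absent."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess_domain(spf_txt, dmarc_txt):
    """Findings the domain-authentication question would surface for one domain."""
    findings = []
    q = spf_all_qualifier(spf_txt)
    if q is None:
        findings.append("no SPF record")
    elif q in ("+", "?"):
        findings.append("SPF does not fail unauthorized senders (%sall)" % q)
    d = parse_dmarc(dmarc_txt)
    if d is None:
        findings.append("no DMARC record")
        return findings
    if d.get("p", "none") == "none":
        findings.append("DMARC p=none monitors only; spoofed mail is still delivered")
    if int(d.get("pct", "100")) < 100:
        findings.append("DMARC pct=%s applies the policy to only part of mail" % d["pct"])
    if "rua" not in d:
        findings.append("no rua tag, so no aggregate reports to review")
    return findings

def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its findings; an empty list means no gaps were found."""
    return {dom: assess_domain(spf, dmarc) for dom, (spf, dmarc) in records.items()}
```

Only the strict.example pair comes back with no findings; the others show the kind of gap the questionnaire is probing for.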
5. Admin access and offboarding
Keep admin roles limited, named, and reviewed. Former employees, old vendors, and unused service accounts should not retain access just because no one owns cleanup.
6. Incident response contacts
Write down who to call during ransomware, mailbox compromise, wire fraud, lost devices, or suspected data exposure. Include IT, insurance, legal, banking, and leadership contacts.
What to do next
Treat the insurance questionnaire as a roadmap. If the answer is unclear, that is a control to review. Start with MFA, backups, endpoint coverage, email authentication, and administrator access because those gaps carry the most operational risk.
