TL;DR
- Many current cyber insurance questionnaires rely on standard compliance-based questions
- These often fail to reveal the true operational risks within an organisation’s environment
- A more effective approach is to ask about exceptions, areas where controls may not apply or are known to be weaker
- This approach encourages transparency and provides a clearer picture of how risk is actually managed
Introduction
I’ve been advising on cyber risk in the insurance sector for over a decade. It still surprises me how many proposal forms include questions that offer very little insight into the actual risk being underwritten.
I’ve seen a proposal form that asks if the prospective insured has anti-virus software and firewalls in place. In 2025, that feels a bit behind the curve. If they weren’t in place already, there wouldn’t be a business in place to be insured – it would probably already have been destroyed by automated malware.
Turn it on its head – look at exceptions
When trying to understand IT & systems risk in an insurance underwriting context, it is exceptions that interest me most. Ask questions that will make the IT department really think.
If you ask ‘do all of your systems have strong, unique passwords’ you are very likely to get a ‘yes’ from whoever was completing the form. They were probably thinking about their Active Directory password policy, which likely complies.
Were they thinking about local admin credentials, database connector passwords, room booking systems, HVAC controls etc etc?
Down the line, a breach happens and propagates internally via a system or service that somehow had a password that didn’t comply with the policy stated in the proposal form.
There’s now a very difficult situation whereby the insurer quite reasonably feels that the insured has materially misrepresented their security.
Had they known about these potential security issues at the point of setting the insurance premium, it could have influenced pricing, conditions, or even eligibility for cover. That said, there is a tendency to pay out in the cyber insurance market, so long as mistakes are genuine rather than intentionally misleading. The narrative that underwriters don’t pay is very misleading.
Framing the right questions helps everyone
To get to the truth, I prefer to ask such questions in a different way:
“How many systems on your network have blank, default, reused or easily guessed passwords?”
It is almost unheard of in our experience for at least one set of credentials in an environment not to be weak. There may be very valid business reasons, such as a legacy software package that relies on this.
If that’s the case, then we would want to know about the compensating controls built around this software.
The goal here isn’t to catch people out, but to get a clearer picture of the known risks and how they’re managed.
Every network has unpatched systems, the question is why
“Which systems on your network do you NOT update/patch on a monthly basis, and why don’t you patch them?”
Again, you can guarantee that some systems on the network will be missing critical security updates. Why? Because they fell over last time they were patched and impacted critical business operations.
As a result, no-one in IT was brave enough to feel the wrath of the Board again, so it was easier to just leave them unpatched. The scale of change required to resolve the issue wasn’t one that the Board was prepared to fund, probably because they didn’t fully understand it.
Hence, rather than asking whether patching happens, it’s often more useful to ask where it doesn’t and what controls are in place to mitigate
Ask where encryption isn’t, not just where it is
“Which applications on your network store customer data WITHOUT encryption?”
Don’t ask if all customer data is encrypted, ask which data ISN’T encrypted. A business that’s on top of its security will know what is and isn’t encrypted. It will know where and how the keys are stored, renewed and revoked.
It will also know where data is processed in plain text, even for microseconds.
MFA is a great start, but go deeper
“Do you have MFA in place for all remote access?”
Again, this answer will get the IT team thinking about their users who have remote access to work from home or elsewhere. “Yes” they say, as all regular users have MFA in place, and it works well.
What about the backup system that is present just in case the MFA platform fails? The one that IT can use to get MFA back up and running again?
What controls are in place to mitigate risk to that ‘break glass’ system?
Whilst we’re on the subject of MFA, it’s also worth asking if MFA push is disabled to prevent push message fatigue leading to breaches.
Asking about exceptions makes risk clearer, not worse
In cyber insurance, simply confirming the presence of security controls is no longer sufficient. A more effective approach is to ask where those controls do not apply and understand why. By focusing on exceptions rather than blanket policies, underwriters gain a more accurate view of the risk, and insureds have the opportunity to explain known issues and demonstrate how they are managed.
This shift in approach doesn’t create more risk, it brings existing risk into clearer focus. Ultimately, asking the right questions supports better underwriting, strengthens trust between parties, and encourages meaningful improvements in cyber resilience before incidents occur.
