TECHNOLOGY & SECURITY CHECKLIST

Cyber Insurance Preparation Checklist

A practical checklist designed to help organizations prepare for cyber insurance applications, renewals, or broker discussions by clarifying what is currently in place and where assumptions may exist.

Purpose

This checklist helps organizations prepare for cyber insurance applications, renewals, or broker discussions by clarifying what is in place today and where assumptions may exist.

It is not legal advice, not a guarantee of coverage, and not a substitute for insurer or broker guidance. Use this checklist to align internal understanding and reduce surprises.

How to Use This Checklist

For each item, answer:

  • Yes
  • No
  • Not Sure

“Not Sure” is useful — it highlights the exact areas that commonly create confusion later.

01

Understanding Your Environment (Baseline Clarity)

  • Do we know which core systems and applications are critical to operations?
  • Do we know where key business data lives (cloud platforms, internal systems, devices)?
  • Do we know who has administrative access to our core systems and cloud platforms?
  • Do we have an accurate understanding of which technology responsibilities are handled internally vs by external partners?

02

Identity & Access Practices (Common Insurance Focus Area)

  • Is multi-factor authentication (MFA) enforced for email and core business systems?
  • Do we know whether MFA enforcement is consistent across all users (not just some)?
  • Are accounts reviewed when people change roles or leave the organization?
  • Do we avoid shared accounts where possible, or at minimum control and track their use?

03

Backups & Recovery Readiness (The “Can You Continue Operating?” Test)

  • Do we know what data is backed up and how often?
  • Are backups tested to confirm recovery works under real conditions?
  • Do we know approximately how long it would take to restore operations after a major disruption?
  • Are backups protected from accidental deletion, misuse, or being impacted during an incident?

04

Monitoring, Alerts, and Ownership (The “Would You Know?” Test)

  • Do we know how suspicious activity would be detected (devices, accounts, email, cloud services)?
  • Is there a clear owner responsible for reviewing security alerts and acting on them?
  • Do we have clarity on who coordinates response if multiple systems are affected?
  • Do we know how quickly we would be notified if a serious issue is identified?

05

Patch, Updates, and Change Discipline

  • Are devices and systems kept reasonably current with security updates?
  • Do we have a consistent process for applying critical updates (not just ad hoc)?
  • Are technology changes evaluated in context so they don’t introduce new gaps or conflicts?

06

Incident Readiness (The “If Something Happens” Test)

  • Do we know who we would contact first if we suspect a security incident?
  • Is there a basic, documented process for responding to incidents (even if simple)?
  • Do we know what information would be needed for brokers or insurers after an incident?
  • Have we considered who would manage communications and decision-making during an incident?

07

Application & Renewal Hygiene (Avoiding Misalignment)

  • Are we confident our insurance application answers reflect how controls operate today?
  • Do we revisit and update answers when systems or practices change?
  • Do we avoid “guessing” on technical questions by confirming with responsible parties?
  • If we use third parties, do we know which controls they manage vs which remain our responsibility?

How to Interpret Your Answers

This checklist is not about passing.

  • “Not Sure” items often indicate where clarification, documentation, or ownership is needed.
  • The biggest risk is typically the gap between what is stated on paper and what is operating in practice.

The goal is to reduce uncertainty before renewal, application, or incident response.