Cyber-Insurance Evidence Guide

How smaller businesses can answer common carrier questions honestly and keep reusable proof for renewals, customer reviews, and owner decisions.

Important: this guide helps you organize evidence. It does not guarantee policy approval, premium changes, or claim outcomes. Your carrier and broker make those decisions.

What carriers commonly ask for

Control area	Plain-English question	Useful evidence
Multi-factor authentication	Is MFA enforced for email, remote access, and admins?	MFA policy screenshot, user coverage export, exception list.
Endpoint protection	Are business devices protected and monitored?	Device coverage report, alert history, unmanaged-device list.
Backups	Can you recover from ransomware or accidental deletion?	Backup job report, restore-test notes, recovery priority list.
Email protection	Do you reduce phishing and spoofing risk?	SPF/DKIM/DMARC status, mailbox rule review, awareness evidence.
Access management	Do you remove access when people leave?	Onboarding/offboarding checklist, admin access review.
Incident response	Do you know what happens in the first day of an incident?	Incident contact list, ransomware/account-compromise playbooks.

How to answer without overclaiming

Answer what is true today. If MFA is enabled for email but not every line-of-business app, say that clearly.
Separate policy from coverage. “We require MFA” is weaker than “MFA is enforced for 48 of 50 users; two exceptions expire on June 30.”
Keep exceptions visible. A short exception register is better than a hidden gap.
Attach a roadmap. If a control is partial, show the owner, due date, and next action.
Avoid promises you cannot prove. Do not claim “all systems monitored” unless the inventory and telemetry support it.

Evidence folder structure

Create a simple folder for each renewal or questionnaire. Keep the most reusable proof at the top so you do not rebuild the packet every year.

01-identity-mfa/ — MFA policy screenshots, coverage exports, admin list.
02-devices-endpoint/ — device inventory, endpoint protection status, patch posture.
03-backups-recovery/ — backup reports, restore test, recovery priority list.
04-email-phishing/ — domain authentication, risky rule review, awareness reminders.
05-incident-response/ — contact tree, decision log template, ransomware/account-compromise steps.
06-roadmap-exceptions/ — known gaps, owner, due date, current status.

30-day evidence sprint

Day 1–3: gather current questionnaire, policy, and renewal deadline.
Day 4–10: export MFA, endpoint, backup, and admin-access evidence.
Day 11–17: validate restore evidence and email-domain posture.
Day 18–24: document exceptions and create a remediation roadmap.
Day 25–30: review with the business owner before sending anything externally.

Do not wait until renewal week. Insurance questions often expose gaps that take time to fix. Treat the questionnaire as an evidence-readiness drill, not a paperwork exercise.