
Cyber Insurance Checklist for SMBs

Before you can fill out a cyber insurance application, you’ll need to gather some basic information about your business and how you handle technology and security. Think of it like a health checkup for your IT environment: the insurance company wants to know what you have in place to protect yourself before they agree to cover you.

Use this cyber insurance policy checklist to gather answers before you start the application.

Customer Profile

1. Legal Structure & Ownership Details

Prepare your legal entity type, ownership, locations, and any subsidiaries. Include annual revenue and headcount because size affects expected claim costs.

2. How You Make Money & Deliver Services

Describe your products or services and how clients pay. Note if you provide custom integration, programming, or ongoing managed services.

3. Compliance & Regulated Obligations

List any requirements tied to your industry or clients. Stricter obligations can raise your risk profile and increase scrutiny during underwriting.

4. Data Types You Store Or Process

Document the kinds of sensitive data you handle, where it lives, and who can access it. Include customer records, employee data, financial data, and authentication data. Be specific about where a data breach could expose sensitive data.

5. Payment Processing & Card Exposure

State whether you accept credit card payments and how they are processed. Clarify whether card data stays with a third-party processor or ever touches internal systems.

6. Vendor List & Access Scope

Create a list of key providers and note whether any third-party vendor has privileged access to your network, backups, or admin tools. Include key contracts and notification obligations because vendors can expand risk.

Operational Environment

7. Edge Security & Network Controls

Document firewall use, remote access methods, and network segmentation. Carriers want to see controls that reduce cyber threats and limit lateral movement.

8. Endpoint & Email Security

List your endpoint tooling and monitoring approach, plus email protections. Underwriters link these controls to fewer data breaches and lower IT support costs after an event.

9. Identity Controls/Access Governance

Confirm multi-factor authentication for remote access and privileged accounts. Include password policies, least privilege, and how you remove access when someone leaves.

10. Backups & Recovery Readiness

Explain what you back up, how often, where backups are stored, and whether you test restores. Note offline or immutable backups and your approach to data restoration because recovery capability directly affects business interruption losses.

11. Monitoring, Logging, & Evidence Retention

Summarize logging coverage and retention periods. These details matter when you need forensic investigation to confirm scope, timeline, and affected systems after a data breach.

12. Documented Incident Response Process

Include roles, escalation steps, legal and insurance contacts, and how you coordinate communications during cyber incidents.

13. On- & Offboarding Controls

Document how access is granted and removed for employees, contractors, and vendors. If you work with an MSP, keep an MSP onboarding and offboarding checklist that covers controls.

Risk History

14. Prior Events & Near Misses

List any past cyber incidents, including suspected compromise, credential theft, malware, or a confirmed data breach. Even “small” events often trigger follow-up questions.

15. Ransomware & Extortion History

Disclose any ransomware attacks, including whether encryption occurred, whether you paid, what data was affected, and what remediation followed.

16. Claims, Lawsuits, & Exposures

Report prior claims, lawsuits, and demand letters connected to security events. This helps the carrier understand whether losses are recurring.

Getting your information organized before you start the application makes the whole process faster and less stressful. More importantly, it gives you a clearer picture of where your business stands from a security standpoint, which is valuable whether you’re buying insurance or not.

If you’d like assistance working through this checklist or want to get started, TechKnowledgey is here to help. We can run a structured risk assessment to clarify your risk profile and validate security measures. The result is a clearer view of your cyber risks, fewer surprises in underwriting, and a more defensible story if a data breach or other cyber incident ever happens.
