Hard2bit
Practical guide Updated · July 2026 We do not sell insurance

Cyber insurance for businesses: what insurers require and how to arrive prepared

Before issuing a cyber policy, the insurer will ask for MFA, EDR, disconnected backups, patch management, an incident response plan and staff training — and will condition your cover on what you declare in a questionnaire. This guide explains what cyber insurance covers (and what it does not), how that questionnaire works, and why answering it inaccurately can leave you paying premiums for cover that never responds.

  • 6 typical questionnaire controls
  • 10 min approx. read
  • 0 policies sold: technical preparation only
  • Jul 2026 last revised
01

What is cyber insurance and what does it cover?

Cyber insurance (or cyber risk insurance) is a policy that transfers to the insurer part of the financial impact of a security incident: ransomware that halts operations, a breach of client data, fraud through email impersonation. It does not prevent the incident; it spreads its cost.

The exact cover varies between policies — the wording always governs — but the usual families are these:

  • First-party losses: incident response costs, forensic analysis, restoration of systems and data, and loss of profit through business interruption.
  • Third-party liability: claims from clients or partners affected by the breach of their data or by the unavailability of your service.
  • Crisis management: legal advice, communications, notification of affected individuals and of the data protection authority where required.
  • Cyber extortion: handling and negotiation in ransomware incidents, within legal limits and the policy's own terms.
  • Response services: many policies include access to a panel of incident response providers appointed by the insurer.

One important nuance: insurance arrives after the incident. Everything that happens before — detecting, resisting, containing — still depends on your controls. That is exactly why insurers require them to exist.

02

What does cyber insurance NOT usually cover?

Exclusions are the part of the policy people read least and the part that produces the most surprises. Without replacing a careful read of the wording — every policy differs — these are the exclusions and limits worth looking for explicitly:

  • Breach of the conditions you declared: if you declared controls that did not exist or stopped existing, your cover is at risk. It is the most important exclusion of all, and section 05 is devoted to it.
  • Incidents predating the policy: breaches already present or known before inception are normally excluded.
  • Infrastructure betterment: the policy restores what you had; it does not pay for modernising the systems the incident exposed as inadequate.
  • Long-term reputational damage: the loss of clients and trust after an incident is rarely fully indemnifiable.
  • War and hostile acts: many policies exclude cyberattacks attributed to state actors or treated as acts of war — an area under active debate in the market.
  • Administrative fines: the insurability of fines (for instance, under the GDPR) is legally debated in Spain; what tends to be covered are defence costs. Get it confirmed in writing.

The real risk. The scenario that repeats most often is not "the policy was bad", but "the policy was reasonable and the claim went wrong because what the questionnaire declared did not match the company's technical reality".

03

Which businesses need cyber insurance?

There is no general legal obligation to buy it, but there are three profiles where the decision is almost always sensible:

Profile 1

Operational dependence on digital

If a week without systems — invoicing, production, logistics, customer service — means serious financial damage, business interruption cover alone justifies considering a policy. This is the typical case for industrial SMEs, retail and professional services.

Profile 3

Contractual requirement

More and more contracts with large clients, regulated supply chains and public tenders require a cyber policy with minimum cover. Here insurance stops being a risk decision and becomes a commercial key.

And who can still consider not buying it? Businesses with very low digital dependence and no relevant third-party data. They are fewer every year, and even then the right conclusion is not "do nothing", but "prioritise the controls before the policy".

04

What does the insurer require before covering you?

After years of rising ransomware losses, insurers have tightened underwriting: today it is common for a policy not to be issued — or to be issued with loadings and exclusions — unless you can evidence a set of baseline controls. The ones that appear again and again in questionnaires are these six:

1. Multi-factor authentication (MFA)

On remote access (VPN, remote desktop), corporate email and administrator accounts. It is the most universal requirement: many insurers treat it as a condition of entry, not a scoring extra.

2. EDR or managed antivirus

Endpoint protection with detection and response capability — unattended traditional antivirus is not enough. The questionnaire usually asks which product, on what percentage of the estate and who reviews the alerts.

3. Disconnected or immutable backups

Backups that an attacker with control of the domain cannot encrypt or delete: offline, immutable, or with real credential separation. And tested: the typical question is not "do you back up?", but "when was your last restore test?".

4. Patch and vulnerability management

A defined process for applying security updates within maximum timeframes, especially on internet-facing systems. A continuous vulnerability management programme is exactly what this part of the questionnaire wants to see.

5. Incident response plan

A document defining who decides, who contains, who gets called and how you communicate when something happens. Insurers ask for it because it directly reduces the cost of a claim: a business that responds in an orderly way costs them less money. A professional incident response service gives that plan real substance.

6. Staff training and awareness

A periodic awareness programme, ideally with phishing simulations. Email remains the most common entry point, and the questionnaire asks how often staff are trained. Role-based cybersecurity training covers this point and, along the way, genuinely reduces the risk.

How Hard2bit helps

These six controls are the script for our pre-insurance gap analysis: we check which ones you actually have in place, which are half-implemented and which are missing, and we prioritise closing the gap before you answer the questionnaire. See the security audit

05

How does the underwriting questionnaire work?

The underwriting questionnaire is the document the insurer uses to assess your risk before issuing the policy. It usually combines closed questions ("Is MFA enforced on all remote access? Yes/No") with requests for detail (products, scope, frequency, owners). For larger risks it may be complemented with technical interviews or an external scan of your public attack surface.

The essential thing is to understand its legal nature: it is not a sales form, it is a declaration of the risk. Insurance contract law imposes on the policyholder a duty to declare accurately the circumstances they know that bear on the risk. The policy is issued, priced and — come a claim — interpreted on that declaration.

The real risk: a denied claim. If you declared MFA "everywhere" and the forensics show the compromised account did not have it, or you declared immutable backups that turned out to be encryptable, the insurer may reject or reduce the payout for misrepresentation. The worst possible outcome: years of premiums for cover that fails exactly when you need it.

Three practical consequences:

  • Answer with reality, not intent. "We are rolling out MFA" is not "we have MFA". If a control is half-implemented, declare it half-implemented — or close it before signing.
  • Keep evidence of what you declare. Configuration screenshots, policies, restore test reports. If there is a claim tomorrow, that evidence is your defence.
  • Maintain what you declared for the life of the policy. The questionnaire is not a snapshot that expires at signature: switching off a declared control can compromise cover at renewals and in later claims.
06

How does your security posture affect the premium?

We will not quote discount percentages, because none exist in general terms: each insurer prices with its own models. What is consistent across the market is the direction of the effect — security maturity influences three things:

Mature, demonstrable posture

More market, better terms

With the baseline controls in place and evidenced, more insurers are willing to quote, on relatively better terms: higher limits, more reasonable excesses and fewer bespoke exclusions. Underwriting is also faster, with fewer rounds of clarification.

Weak or undemonstrable posture

Loadings, exclusions or refusal

Without MFA or protected backups, the usual outcome is one of these: the insurer declines the risk, applies loadings, imposes high excesses, carves ransomware out of the cover, or conditions issuance on implementing the controls within a deadline. Insurability itself becomes the problem.

The operational conclusion is uncomfortable but useful: the best money you can spend before buying cyber insurance is the money that closes your control gaps. It improves the premium, improves the cover and — unlike the policy — also reduces the likelihood of suffering the incident.

07

Checklist before buying cyber insurance

An actionable sequence for arriving at the questionnaire with your homework done:

  1. Inventory what you have. Assets, systems, the data you hold and whose it is. Without an inventory you cannot declare the risk accurately — or choose cover limits sensibly.
  2. Audit your real position against the 6 controls. MFA, EDR, backups, patching, response plan and training: what is implemented, what is half-done, what is missing. Here an external security audit brings objectivity and independence.
  3. Close the gap before answering the questionnaire. Every control you implement before underwriting improves your insurability; every control you declare without having is a time bomb in the file.
  4. Prepare evidence for every answer. Configurations, policies, the report from your last restore test, training records. Only declare what you can prove.
  5. Read the exclusions and the maintenance obligations. What is out of scope, which controls you commit to maintaining, what notification deadlines you accept when reporting a claim.
  6. Choose limits and excess with a realistic scenario. Estimate the cost of your days of downtime and the volume of data you hold, and discuss limits with your broker — who is the right person to advise on the insurance side.
  7. Schedule the upkeep of what you declared. Periodic checks that the controls remain active and evidenced, especially before each renewal.
08

What mistakes do businesses make when buying cyber insurance?

The same patterns repeat in businesses of every size:

  • Lying or exaggerating on the questionnaire. The most expensive mistake. Often it is not even bad faith: the person signing does not know that MFA only covers half the workforce. The result is the same — the risk of a denied claim for misrepresentation.
  • Buying without an inventory. Without knowing which systems and data you have, you can neither declare the risk rigorously nor size the limits. The resulting policy is a bet, not cover.
  • Assuming insurance replaces security. "We're covered now" is the sentence that precedes cutting controls. Besides raising the likelihood of the incident, it degrades the declared conditions — and with them, the cover itself.
  • Not reading the exclusions. Discovering mid-claim that ransomware carried a reduced sub-limit, or that the fine was not insurable, is as common as it is avoidable.
  • Letting declared controls lapse. The EDR that was uninstalled "temporarily", the restore test that was never repeated. What you declared must be maintained for as long as the policy lives.
  • Confusing the roles. The broker advises on the policy; your team or technical provider answers for whether what you declared is true. When nobody takes the second role, the questionnaire gets filled in by hearsay.
09

How does Hard2bit help? (We do not sell insurance)

First, the declaration of interests: Hard2bit is not a broker, does not sell insurance and receives no commission from any insurer. We technically prepare your business for the process. Choosing the policy is up to you and your broker; our job is making sure you reach that conversation with a security posture that is real, demonstrable and truthfully declared.

In practice, that means four things:

  • A security audit focused on the control gap. We assess your real position against what underwriting questionnaires typically require (MFA, EDR, backups, patching, response plan, training) and prioritise closing the gaps by risk and by impact on insurability.
  • Evidence for the questionnaire. We document what is in place — configurations, policies, restore tests — so that every answer you sign is backed up. If there is a claim tomorrow, that documentation is your defence against an allegation of misrepresentation.
  • Remediation of what is missing. From deploying specific controls to a continuous vulnerability management programme and staff training with phishing simulations.
  • Incident response as the policy's complement. A 24/7 incident response retainer turns the questionnaire's "response plan" into an actual capability: activation in minutes, containment, forensics and coordination — including the notification deadlines the policy itself sets.
10

Frequently asked questions

Is cyber insurance mandatory for businesses in Spain?

There is no general legal obligation to buy cyber insurance. What increasingly happens is that the requirement arrives through contracts: corporate clients demanding it in their vendor due diligence, public tenders listing it among the requirements, and engagement contracts setting minimum cover. In practice, for many businesses the question is not whether the law requires it, but whether their next big client will.

Does cyber insurance replace cybersecurity measures?

No, and this is the most dangerous misunderstanding. Insurance transfers part of the financial impact of an incident; it does not prevent the incident, does not restore your reputation, does not bring back exfiltrated data and does not, by itself, get operations running again. Moreover, insurers condition cover precisely on security controls being in place: without measures, either there is no policy, or the policy does not respond when you need it.

What happens if I answer the underwriting questionnaire incorrectly?

It is the most serious risk in the whole process. Insurance contract law imposes on the policyholder a duty to declare the risk accurately, and cyber policies are underwritten on what the questionnaire declares. If you state that MFA covers every remote access and the post-incident forensic analysis proves it did not, the insurer may reject or reduce the payout on grounds of misrepresentation. You would be paying premiums for cover that, in practice, does not exist.

Does cyber insurance cover GDPR fines?

It depends on the policy, and it is legally delicate ground: the insurability of administrative fines is a debated question in Spain. What policies do tend to cover clearly are legal defence costs, handling of the proceedings and the cost of notifying affected individuals. Before assuming a fine would be covered, review the policy wording with your broker and get the inclusion or exclusion in writing.

Does Hard2bit sell cyber insurance or earn commission from any insurer?

No. Hard2bit is not a broker, does not sell insurance and receives no commission from any insurer. Our role is strictly technical: auditing your real situation, closing the gap between what the insurer requires and what you have, and preparing truthful evidence for the questionnaire. Precisely because we do not sell the policy, we have no incentive in which cover you choose.

How much does cyber insurance cost for a business?

We will not give you a figure, because it would be made up: the premium depends on turnover, sector, the limits and excess you choose, claims history and — increasingly — the maturity of the security controls you declare and can demonstrate. The insurer sets it after assessing the underwriting questionnaire. What is in your hands is arriving at that assessment with the strongest demonstrable security posture possible.

Get started

Arrive at the questionnaire with your homework done

We audit your gap against the controls insurers require, close the missing pieces and prepare the evidence — so that what you declare is true and the policy responds. We do not sell insurance: we prepare your business to buy it well.

Hard2bit S.L. · Spanish cybersecurity company based in the Region of Madrid · 13 years of experience · ISO 27001 and ISO 9001 certified · ENS High Category accredited.