
What You Actually Attested To: The Cyber Insurance Questionnaire That Can Void Your Policy


The ransomware note hit on a Tuesday. By Friday, the Houston manufacturing company’s lawyer was on the phone with their cyber insurer, expecting a payout. Instead, the carrier sent back a single paragraph that gutted the whole policy: on last year’s renewal application, the owner had checked “yes” next to a question about multi-factor authentication on remote access. The forensics report showed the VPN had no MFA at all. The insurer called it a material misrepresentation and denied the claim. The owner wasn’t lying — he genuinely thought his IT was set up that way. The policy still didn’t pay.

That gap — between what an owner believes is true and what is actually deployed — is where cyber insurance claims go to die. And it almost always traces back to one document most owners barely read before signing.

The questionnaire isn’t paperwork. It’s a sworn statement.

When you apply for or renew a cyber liability policy, the insurer hands you a security questionnaire. It looks like a checklist. It is not a checklist. It is a legal attestation — a set of statements you are swearing are true, and that the carrier relies on to decide whether to insure you and at what price.

Here’s the part that catches owners off guard. If you attest “yes” to a control you don’t actually have, and a breach happens, the insurer can do one of two things:

  • Deny the specific claim — they argue the loss is tied to the control you misrepresented (no MFA, no backups, etc.).
  • Rescind the entire policy — they unwind the contract from day one, refund your premium, and treat you as if you were never covered at all.

To be clear, we’re not your attorney and we’re not your carrier — how a specific policy gets interpreted is a legal question for them. But the pattern we see in the field is consistent: the claim that gets denied is almost always the one where the attestation didn’t match reality. The questionnaire was honest in spirit and wrong in fact.

What the questions really mean — and what “actually having it” looks like

Below are the controls insurers ask about most. For each one, here’s the trap: the question sounds simple, the “yes” feels safe, and the reality is usually more complicated than the owner knows.

1. Multi-factor authentication (MFA) — “everywhere” means everywhere

The question usually reads something like: “Do you require MFA for email, remote network access, and administrative accounts?” Owners check “yes” because they got the Microsoft 365 prompt on their phone last week. But the carriers mean all three, with no exceptions:

  • Email — every user, not just the owner and the bookkeeper.
  • Remote access — the VPN, remote desktop, and any tool a tech or vendor uses to reach machines from outside the office. This is the one that’s most often missing.
  • Admin accounts — the privileged logins that can change everything. These are frequently exempted “for convenience” and that exemption is exactly what an attacker exploits.

The killers are the corners: a legacy line-of-business application that only supports a password, an old VPN appliance, a service account with MFA disabled. If MFA is off anywhere that touches your network, your “yes” is shaky. Real MFA is something you can prove with a configuration report, not something you assume because you saw a prompt once.

2. Endpoint Detection & Response (EDR) on all endpoints

Carriers increasingly ask for EDR — not the free antivirus that shipped with Windows, but managed detection that watches behavior, catches ransomware in progress, and alerts a human. The attestation says “on all endpoints.” In practice we find it installed on most workstations but missing on the warehouse PC, the reception machine, the server nobody logs into, or the laptop that left with an employee two years ago. “All” means all — and one unprotected machine is usually how the whole network falls.

3. Backups that are tested and kept separate — untested backups don’t count

This is the most dangerous false “yes” of all, because owners are certain they have backups. The questionnaire is more specific than that. It typically asks whether backups are:

  1. Kept offline or immutable — stored so that ransomware can’t reach in and encrypt them too. A backup sitting on a drive the network can write to gets encrypted right alongside everything else.
  2. Tested with regular restores — meaning you have actually pulled data back and confirmed it works. A backup job that’s been silently failing for eight months is not a backup. It’s a green checkmark hiding a disaster.

If you’ve never done a test restore, you cannot honestly attest that your backups work — you can only attest that the software says it ran.

4. Email filtering and anti-phishing

Most business email gets compromised through a convincing message, not a movie-style hack. Carriers ask whether you have advanced email filtering that blocks malicious links and impersonation attempts beyond the basic spam filter. “We have Office 365” is not the same answer as “we have layered email security that’s configured and monitored.”

5. No end-of-life or unsupported systems

If you’re still running an unsupported version of Windows, an out-of-warranty server, or software the vendor stopped patching, you’re running a door with no lock. Insurers ask about this directly, and an unsupported system on the network can sink both your premium and your claim. “It still works fine” is not the standard — “it still receives security updates” is.

6. A patch-management cadence

The question isn’t “do your computers update?” It’s “do you have a defined process that applies critical patches on a regular, documented schedule?” Leaving every machine to update itself whenever it feels like it is not a cadence. Attackers move on known holes within days of disclosure; insurers know that, and they expect you to have a real rhythm for closing those holes.

7. Security awareness training for staff

Your people are the most attacked part of your business. Carriers ask whether employees receive regular security awareness training — ongoing, tracked, with simulated phishing — not a one-time video from 2019. “We told everyone to be careful” does not satisfy this attestation.

Why honest owners check the wrong box

Almost nobody lies on these forms on purpose. The misrepresentation happens for ordinary, human reasons:

  • You assume your setup does these things because it sounds like the kind of thing IT handles.
  • The questions are technical, and “yes” feels safer than admitting you don’t know.
  • Something was true once — MFA was deployed, then a new app or appliance quietly created an exception nobody flagged.
  • Nobody verified the answers against the actual configuration before the form was signed.

The fix is not to answer “no” out of fear — that drives your premium up or gets you declined. The fix is to make the “yes” true and provable before you sign.

How to answer honestly — and close the gaps first

Here’s the plain-English process we walk Houston clients through before a renewal:

  1. Treat the questionnaire as a checklist for an audit, not a quiz. Every “yes” needs evidence behind it — a report, a screenshot, a policy document.
  2. Verify MFA on all three fronts — email, remote access, admin — and hunt specifically for the exceptions: legacy apps, the VPN, service accounts.
  3. Confirm EDR is on every endpoint, then reconcile that list against your actual inventory of machines. The mismatch is where the risk lives.
  4. Run a real test restore and confirm your backups are immutable or offline. If you can’t restore, you don’t have backups — you have hope.
  5. Inventory for end-of-life systems and either replace, upgrade, or formally isolate them before you attest.
  6. Document your patch cadence and training program so “yes” is backed by a process, not a memory.
  7. Close the gaps, then answer. When the control is genuinely in place, “yes” is the correct, honest, defensible answer — and your coverage actually protects you.
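Step 3 above is the one owners most often skip: the EDR console says "installed on 4 machines" and nobody asks whether the business owns 4 machines or 40. The following is an added example, not part of the original post and not Aspendora's tooling, of what that reconciliation looks like when it is actually done. It takes an asset inventory and an EDR console export (both constructed here, with assumed CSV column layouts rather than any vendor's real format), normalizes hostnames so "FS01.corp.local" and "fs01" count as the same machine, and produces the three lists a defensible "yes" needs to be empty: inventoried machines with no agent, agents on machines nobody inventoried, and agents that have not checked in for longer than an assumed staleness window (the laptop that left with an employee).

```python
"""
Added example (not from the original post): reconcile an endpoint inventory
against an EDR agent report so "EDR on all endpoints" is backed by a list of
exceptions rather than an assumption.

All input data is constructed for illustration; the CSV layouts are an
assumption, not the export format of any particular EDR product.
"""
import csv
import io
from datetime import date, datetime

# Constructed asset inventory: the machines the business believes it owns.
INVENTORY_CSV = """hostname,owner,role
WS-FRONTDESK,reception,workstation
ws-warehouse01,shipping,workstation
FS01.corp.local,it,server
LAPTOP-JSMITH,j.smith,laptop
ACCT-PC,bookkeeper,workstation
"""

# Constructed EDR console export: machines that actually report an agent,
# with the date each one last checked in.
EDR_CSV = """hostname,last_seen
ws-frontdesk.corp.local,2024-05-10
FS01,2024-05-11
LAPTOP-JSMITH,2022-03-02
acct-pc,2024-05-11
UNKNOWN-PC7,2024-05-09
"""

# Constructed "as of" date for the review; use date.today() in real use.
AS_OF = date(2024, 5, 12)


def normalize(hostname: str) -> str:
    """Compare on the short, lower-case name so FQDN and NetBIOS forms match."""
    return hostname.strip().split(".")[0].lower()


def load(csv_text: str) -> dict:
    """Parse a CSV export into {normalized_hostname: row}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize(r["hostname"]): r for r in rows}


def reconcile(inventory_csv: str, edr_csv: str, today: date,
              stale_days: int = 30) -> dict:
    """Return the three exception lists that must be empty before attesting.

    stale_days is an assumed threshold: an agent silent longer than this is
    treated as not protecting anything (machine retired, wiped, or gone).
    """
    inventory = load(inventory_csv)
    edr = load(edr_csv)

    # Inventoried machines with no EDR agent at all.
    missing_edr = sorted(h for h in inventory if h not in edr)

    # Agents on machines the inventory does not know about: either the
    # inventory is wrong or something is on the network that should not be.
    not_in_inventory = sorted(h for h in edr if h not in inventory)

    # Agents that exist on paper but have not checked in recently.
    stale_agent = []
    for host, row in edr.items():
        if host not in inventory:
            continue
        last_seen = datetime.strptime(row["last_seen"], "%Y-%m-%d").date()
        if (today - last_seen).days > stale_days:
            stale_agent.append(host)

    return {
        "missing_edr": missing_edr,
        "not_in_inventory": not_in_inventory,
        "stale_agent": sorted(stale_agent),
    }


def attestation_holds(report: dict) -> bool:
    """True only when every exception list is empty."""
    return not any(report.values())


if __name__ == "__main__":
    findings = reconcile(INVENTORY_CSV, EDR_CSV, AS_OF)
    for category, hosts in findings.items():
        print(f"{category}: {hosts or 'none'}")
    print("safe to attest 'EDR on all endpoints':", attestation_holds(findings))
```

On the constructed data the script flags the warehouse PC (no agent), an unknown machine the inventory never listed, and a laptop whose agent last reported two years ago; the "yes" does not hold until all three lists are empty and the run is kept as evidence alongside the questionnaire.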

This is the core of what we do. Our network security controls put MFA, EDR, email filtering, and tested immutable backups in place — the exact things the questionnaire asks about — and our managed IT services keep patching and end-of-life systems under control so nothing quietly drifts out of compliance between renewals. Our compliance service is where we tie it all together: the technical controls, the documentation that proves them, and the monitoring that keeps your “yes” true all year long — not just on the day you sign.

We’re not a law firm or an insurance auditor, and we won’t pretend to be. We make the underlying security real so that when your attorney, carrier, or auditor looks, the answers hold up. The goal isn’t to scare you off cyber insurance — it’s to make sure the coverage you’re paying for actually pays when you need it.

Before you sign that renewal

If your cyber policy is up soon, don’t check those boxes on faith. Let’s find out together whether your “yes” answers would survive a claim. Book a free 15-minute discovery call at /discoverycall/ and we’ll talk through where your real gaps are and what it takes to close them. The discovery call is the only thing we do for free — the work that follows is professional, billed at our standard rates, and worth every dollar the first time a claim actually pays. When you’re ready to make compliance real instead of theoretical, start at /compliance/.

Aspendora Technologies has provided cybersecurity, managed IT, and expert on-premise & open-source solutions to Houston-area small businesses since 2010.
