Preparing Clients for Cyber Insurance Questionnaires
Preparing clients for cyber insurance questionnaires starts with evidence, not guesswork. Use this MSP checklist to reduce renewal friction.

DefendWise
TL;DR
Preparing clients for cyber insurance questionnaires should start before the renewal form lands in their inbox.
The MSP's job is not to guess yes/no answers under deadline pressure. The useful job is to help the client collect evidence, spot weak controls, record exceptions, and understand who owns each answer before the form goes back to the broker or carrier.
Cyber insurance questionnaires often touch MFA, backups, endpoint security, patching, email security, incident response, access control, vendor risk, and security awareness training. The awareness layer is only one part of that picture, but it is one of the easiest to make repeatable across a client base if the MSP has clean reporting.
The safest operating model is simple: evidence first, answer second.
What preparing clients for cyber insurance questionnaires really means
Cyber insurance questionnaire prep is not copywriting.
It is evidence assembly.
A client may see the questionnaire as paperwork. The MSP should see it as a control-status snapshot. Every answer creates a record of what the client said it had in place at a point in time.
That matters because many questionnaire questions are not asking whether a control sounds sensible. They are asking whether the control is active, enforced, tested, documented, and in scope.
For example, "Do you use MFA?" is usually too broad to answer safely without context.
A better set of prep questions is:
- MFA for which users?
- MFA for which systems?
- Is it enforced for Microsoft 365?
- Is it enforced for remote access?
- Is it enforced for admin accounts?
- Are break-glass accounts excluded?
- Is there a policy screenshot or export?
- Who owns exceptions?
That is the difference between filling a form and preparing a client.
The same pattern applies to backups, incident response, training, access control, endpoint protection, and reporting. The MSP helps the client move from "we think so" to "here is the evidence, here are the gaps, and here is who accepts the risk."
Why cyber insurance questionnaires matter more now
Cyber insurance has become a security conversation, not only a policy conversation.
Coalition's cyber insurance requirements guidance says insurers commonly look for controls such as MFA, cybersecurity training, backups, identity access management, and data classification before agreeing to provide coverage. CISA's Cyber Essentials points small businesses toward practical readiness areas including staff awareness, asset knowledge, MFA, backups, and incident response. The FTC's small-business cybersecurity guidance also points to MFA, backups, regular staff training, incident response planning, and the NIST Cybersecurity Framework as practical foundations.
None of that means an MSP can promise a lower premium.
It does mean the questionnaire is a useful forcing function. It turns fuzzy security posture into specific questions:
- Is MFA really enforced?
- Are backups tested?
- Do staff know how to report phishing?
- Is there an incident response plan?
- Are access rights limited?
- Can the client prove the answer?
MSP-facing insurance-readiness sources from Pax8, Compliance Scorecard, SeedPod Cyber, Phin Security, and IRONSCALES point in the same direction: clients need help connecting controls to evidence an insurer, broker, or auditor can understand.
The MSP should be careful with this.
Cyber insurance is a legal and risk-transfer product. The client, broker, and carrier own the policy decision. The MSP should not answer business-risk questions from instinct, make coverage promises, or state that a client meets a control without evidence.
The MSP can still do valuable work.
It can make the client more prepared.
What cyber insurance questionnaires usually ask about
The exact form varies by carrier, broker, industry, revenue, and risk class, but the themes are familiar.
| Questionnaire area | What the form is trying to learn | Evidence the MSP can help collect |
|---|---|---|
| MFA | Whether access is protected beyond passwords | Conditional access screenshots, MFA enrolment exports, remote-access settings, admin-account policy |
| Backups | Whether the client can restore after ransomware or data loss | Backup job status, recovery-test record, retention policy, offline or immutable backup note |
| Endpoint protection | Whether managed devices have protection and monitoring | EDR/AV coverage report, unmanaged-device list, exception log |
| Patching | Whether known vulnerabilities are being reduced | Patch compliance report, unsupported software list, remediation plan |
| Email security | Whether phishing and malicious mail are being filtered | Mail security settings, DMARC/SPF/DKIM status, phishing-reporting path |
| Security awareness | Whether staff receive training and know how to report suspicious activity | Training assignment report, completion report, topics covered, overdue users, exception notes |
| Incident response | Whether the client knows what happens during a breach | Incident response plan, contact list, tabletop record, escalation path |
| Access control | Whether users have only the access they need | Admin-user list, privileged-account review, leaver process, shared-account exceptions |
| Vendor risk | Whether third-party access and dependencies are understood | Vendor inventory, MSP responsibility matrix, supplier access notes |
| Governance | Whether security ownership is clear | Policy register, risk owner, board or leadership acknowledgement, renewal decision record |
Use this prep map before the client's renewal window, not the afternoon the form is due.
Step-by-step workflow for preparing clients
1. Start with the renewal date and owner
The first thing to find is the deadline and the decision owner.
Ask:
- When is the policy renewal or application due?
- Who owns the insurance relationship?
- Which broker or carrier is involved?
- Who can approve answers?
- Who can approve remediation work?
- What happens if evidence is missing?
This prevents the MSP from becoming the silent signer of someone else's risk.
The client should own the final submission. The MSP should own the technical evidence it can verify.
That line matters.
2. Ask for the form early
Clients often bring the MSP in after they are stuck.
That is too late.
Ask for the questionnaire as soon as renewal planning starts. Even a draft or prior-year version helps. If the broker will not share the exact form yet, use the MSP prep map above to build the evidence pack anyway.
The MSP should look for questions that require:
- binary yes/no answers;
- scope qualifiers;
- control frequency;
- evidence uploads;
- business-owner sign-off;
- planned remediation dates;
- policy or procedure names;
- details about outsourced IT.
Those are the questions that create friction if the client answers from memory.
3. Build a control evidence folder
Do not scatter evidence across tickets, inboxes, screenshots, and technician notes.
Create a controlled evidence folder or workspace for the client renewal.
At minimum, include:
- questionnaire copy or prior-year form;
- control evidence checklist;
- MFA evidence;
- backup and recovery evidence;
- endpoint coverage;
- patching status;
- email security status;
- training evidence;
- incident response plan;
- access-control notes;
- exceptions and gaps;
- final answer review notes.
The FTC's guidance is useful here because it treats cybersecurity as an operating discipline: back up files, use MFA, train staff, create an incident response plan, and use the NIST CSF to organise work across Govern, Identify, Protect, Detect, Respond, and Recover.
That is also a sensible evidence-folder shape.
4. Separate confirmed controls from planned controls
This is where many questionnaire conversations go wrong.
A planned control is not an active control.
"We are rolling out MFA" is not the same as "MFA is enforced for all users and admin accounts." "We run training" is not the same as "all in-scope users were assigned training, 94% completed, and exceptions are recorded." "Backups exist" is not the same as "restores are tested."
Use simple labels:
- Confirmed: evidence exists and matches the question.
- Partial: control exists but not for all required scope.
- Planned: work is approved but not active.
- Gap: no evidence or no control.
- Client-owned: MSP cannot verify without client input.
These labels protect both sides.
They keep the client from over-answering. They keep the MSP from becoming the source of a statement it cannot prove.
5. Map the awareness evidence layer
Security awareness training often appears as one small section in the questionnaire, but it can create a lot of manual work if the MSP has to chase records client by client.
Useful evidence should show:
- who was in scope;
- what training was assigned;
- when it was assigned;
- what topics were covered;
- who completed;
- who is overdue;
- which users are excluded;
- what reminders were sent;
- what report was shared with the client.
CISA Cyber Essentials names staff awareness as part of a culture of cyber readiness and calls out phishing and business email compromise. The SBA's small-business cybersecurity guidance tells businesses to train employees on phishing, safe browsing, suspicious downloads, authentication tools, and protecting sensitive information. NIST SP 800-50 is specifically about building an information technology security awareness and training program.
The questionnaire answer should not be "annual training, yes" if the only proof is a stale slide deck.
It should be tied to records.
For MSPs, that is where automated reports, multi-tenant management, and white-label delivery matter. The MSP needs evidence by client, not a blended spreadsheet that takes an hour to clean every time a renewal appears.
6. Record exceptions instead of hiding them
Exceptions are normal.
The problem is invisible exceptions.
Common examples:
- an executive delayed training;
- a shared mailbox appears as a user;
- a contractor is out of scope;
- a client-owned SaaS app does not have MFA turned on;
- a legacy device cannot run the endpoint agent;
- a backup job failed last week;
- an incident response plan exists but has not been tested.
The MSP should not bury these in a private ticket.
Use an exception log:
| Exception | Scope | Current risk | Owner | Target date | Evidence note |
|---|---|---|---|---|---|
| MFA not enforced on 3 break-glass accounts | Microsoft 365 admin access | High if unmanaged | MSP + client approver | 2026-06-05 | Conditional access export attached |
| Training overdue for 8 users | Awareness evidence | Medium | Client manager | 2026-05-30 | Reminder report attached |
| Restore test not recorded this quarter | Backup evidence | Medium | MSP backup owner | 2026-06-12 | Backup status attached, test pending |
That table does not make the client perfect. It makes the status honest.
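As an added example (not DefendWise's code and not from the original article), the script below derives the step 4 status labels and the step 6 exception-log rows mechanically from an MFA export instead of from memory. It assumes a constructed export with account, role, mfa_enforced and reason columns, plus a hypothetical finance SaaS scope the MSP holds no data for, which is why that scope comes back as Client-owned.

```python
from collections import defaultdict

# Constructed MFA export for one client tenant (sample data, not real accounts).
MFA_EXPORT = [
    {"account": "a.smith", "role": "user", "mfa_enforced": True, "reason": ""},
    {"account": "b.jones", "role": "user", "mfa_enforced": True, "reason": ""},
    {"account": "c.lee", "role": "user", "mfa_enforced": False, "reason": "legacy mail client"},
    {"account": "d.admin", "role": "admin", "mfa_enforced": True, "reason": ""},
    {"account": "breakglass-01", "role": "admin", "mfa_enforced": False, "reason": "break-glass"},
    {"account": "breakglass-02", "role": "admin", "mfa_enforced": False, "reason": "break-glass"},
]

# Scope qualifiers the form asks about, as predicates over one export row.
# The hypothetical SaaS app matches nothing: the MSP holds no data for it.
SCOPES = {
    "all users": lambda r: True,
    "standard users": lambda r: r["role"] == "user",
    "admin accounts": lambda r: r["role"] == "admin",
    "finance SaaS app": lambda r: r.get("app") == "finance-saas",
}


def label_scope(rows, in_scope):
    """Return the article's status label (Confirmed/Partial/Gap/Client-owned)
    for one scope. "Planned" is not derived here: it needs an approved
    change record, which is client-side evidence, not an export."""
    subset = [r for r in rows if in_scope(r)]
    if not subset:
        return "Client-owned"  # MSP cannot verify without client input
    enforced = sum(1 for r in subset if r["mfa_enforced"])
    if enforced == len(subset):
        return "Confirmed"
    if enforced == 0:
        return "Gap"
    return "Partial"  # control exists, but not for the whole scope


def scope_status(rows, scopes=SCOPES):
    """Answer per scope instead of one broad yes/no."""
    return {name: label_scope(rows, pred) for name, pred in scopes.items()}


def exception_log(rows, owner, target_date):
    """Turn every unenforced account into a visible exception-log row,
    grouped by recorded reason, so nothing stays buried in a ticket."""
    groups = defaultdict(list)
    for r in rows:
        if not r["mfa_enforced"]:
            groups[r["reason"] or "unexplained"].append(r["account"])
    return [
        {"exception": f"MFA not enforced on {len(accts)} account(s): {reason}",
         "accounts": sorted(accts), "owner": owner, "target_date": target_date,
         "evidence_note": "MFA export attached"}
        for reason, accts in sorted(groups.items())
    ]


if __name__ == "__main__":
    print(scope_status(MFA_EXPORT))
    print(exception_log(MFA_EXPORT, "MSP + client approver", "2026-06-05"))
```

The same pattern applies to a backup-job or training-completion export: swap the predicates in SCOPES and the enforced flag, and the labels and exception rows fall out the same way.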
7. Review answers with the client before submission
The MSP should not be the only reviewer.
Set a review call with the person who owns the policy. Walk through every answer that depends on technical controls. Show the evidence. Show the gaps. Mark anything that requires business judgement.
Use 3 buckets:
- Ready to answer: evidence supports the response.
- Needs client decision: technical facts are known, but risk acceptance or business wording belongs to the client.
- Needs remediation: control or evidence is missing.
This keeps the MSP in the right lane.
Technical evidence is MSP work. Final insurance statements are client work.
8. Turn the process into a renewal playbook
If the MSP repeats this process from scratch every year, the work will not scale.
Build a renewal playbook:
- 90 days before renewal: request form, confirm owner, open evidence folder.
- 75 days before renewal: pull MFA, backup, endpoint, patching, email, and awareness reports.
- 60 days before renewal: review gaps and exceptions with client.
- 45 days before renewal: complete remediation items that are already approved.
- 30 days before renewal: review draft answers.
- 14 days before renewal: final evidence check and client sign-off.
- after renewal: update the evidence pack and record lessons for next year.
This is not only about cyber insurance.
It also supports QBRs, compliance conversations, and security roadmap planning.
What good looks like for MSPs
Good questionnaire prep is evidence-led, tenant-separated, repeatable, and clear on ownership.
Each client should have its own records, scope, reports, and exceptions. The MSP should explain technical status. The client should approve final insurance statements.
Avoid premium promises. Better evidence can reduce renewal friction and support a better-prepared submission, but the carrier decides coverage, terms, exclusions, and pricing.
The better MSP promise is operational:
You can answer from evidence instead of memory.
Mistakes to avoid
Treating the questionnaire as admin
The form looks like admin.
It is not.
It is a risk statement. If the client says a control exists and later discovers it did not, the problem is bigger than a messy spreadsheet.
Answering yes without scope
"Yes, MFA is enabled" is weak if it only covers some users.
Scope matters:
- all users or only privileged users;
- cloud apps or only VPN;
- admin accounts or ordinary users;
- contractors and external users;
- legacy exceptions.
If scope is unclear, write it down before the client answers.
Using stale screenshots
Evidence ages quickly.
A 6-month-old screenshot may not show current status. Use fresh exports where possible, date them, and name the system they came from.
Hiding gaps until renewal week
Clients dislike bad news at the last minute.
The MSP should surface gaps early and plainly. A missing restore test, incomplete MFA rollout, or weak training record is much easier to discuss 60 days before renewal than 6 hours before submission.
Over-selling security awareness training
Security awareness training is not a magic control.
It does not replace MFA, backups, endpoint protection, access control, incident response, or patching. It supports the human-risk and evidence layer. That is enough.
Over-claiming weakens trust.
Where security awareness fits in the questionnaire
Security awareness usually helps answer a specific slice of the form.
It can support questions like:
- Do employees receive security awareness training?
- Is phishing covered?
- Is social engineering covered?
- Are new employees trained?
- Is training recurring?
- Can completion be reported?
- Are overdue users followed up?
- Do employees know how to report suspicious activity?
The best answer is not only yes.
The best answer has evidence.
An MSP-friendly evidence pack should include:
- training policy or standard;
- active campaign list;
- topics covered;
- assignment scope;
- completion report;
- overdue-user report;
- reminder record;
- exception notes;
- client-ready summary.
This is why security awareness training (SAT) that works for one internal IT team may still be painful for an MSP. The MSP needs to repeat the evidence workflow across many clients.
Defendwise compliance reporting and automated reports are built for that recurring evidence job. Automation helps keep training, reminders, and reporting from becoming one more manual renewal task.
How Defendwise fits
Defendwise does not replace the cyber insurance process.
It helps MSPs handle the security awareness evidence layer in a way that fits MSP delivery:
- flat-rate SAT for unlimited users;
- white-label delivery under the MSP brand;
- multi-tenant client management;
- automated training workflows;
- automated branded reports;
- AI-native content generation for fresher training topics.
For cyber insurance questionnaire prep, that means the MSP can avoid rebuilding awareness evidence by hand every time a client needs proof.
The practical next step is simple:
Pick one client renewal. Build the evidence checklist. Pull the awareness report. Record exceptions. Then decide whether the process is clean enough to repeat across the client base.
FAQ
How should MSPs start preparing clients for cyber insurance questionnaires?
Start with evidence, not the form. Confirm the renewal date, the client owner, the broker or carrier path, and the current evidence for MFA, backups, endpoint protection, patching, awareness training, incident response, and access control.
What evidence do cyber insurance questionnaires usually ask for?
They commonly ask about MFA, backups, endpoint security, patching, email protection, incident response, security awareness training, access control, and vendor risk. The exact questions vary by carrier, industry, revenue, and client risk profile.
Should the MSP answer the questionnaire for the client?
The MSP can help with technical evidence and control status. The client should approve final answers because the questionnaire is part of an insurance application. If the MSP cannot verify an answer, it should label the item as client-owned or unconfirmed.
Does security awareness training help with cyber insurance?
It can help with the awareness and human-risk section of the questionnaire. It is strongest when the MSP can show assignment scope, completion, topics, reminders, overdue users, and exceptions. It does not replace technical controls.
How early should MSPs start cyber insurance renewal prep?
Start 60-90 days before renewal where possible. That gives the client time to collect evidence, fix obvious gaps, and review answers without rushing. A last-week scramble usually produces weaker evidence and more unsupported answers.
Can Defendwise help MSPs prepare awareness evidence?
Defendwise can help MSPs deliver white-label, multi-tenant awareness training with automated reports and flat-rate pricing. That supports the awareness evidence layer for cyber insurance questionnaires, while the client's broader technical controls and insurance decisions remain outside SAT.
Source notes
- https://www.coalitioninc.com/topics/5-essential-cyber-insurance-requirements
- https://www.sba.gov/business-guide/manage-your-business/strengthen-your-cybersecurity
- https://www.ftc.gov/business-guidance/small-businesses/cybersecurity
- https://www.cisa.gov/resources-tools/resources/cyber-essentials
- https://www.nist.gov/cyberframework
- https://csrc.nist.gov/pubs/sp/800/50/final
- https://www.pax8.com/blog/preparing-for-cyber-insurance/
- https://compliancescorecard.com/2025/05/msp-compliance-services-making-clients-cyber-insurance-ready/
- https://www.phinsecurity.com/blog/how-msps-meet-compliance-and-cyber-insurance-requirements-with-cybersecurity-awareness-training
- https://seedpodcyber.com/cyber-insurance-requirements-the-minimum-controls-checklist-for-smbs-msps/
- https://ironscales.com/blog/where-does-the-msp-fit-in-a-clients-cyber-insurance-process
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf