Free resource
The 2026 Cyber Insurance Readiness Questionnaire.
Since 2021, the security-control questionnaire has stopped being paperwork and become the underwriting gate. This is that questionnaire — the 10 controls carriers actually score, in their own words, with the quiet answers that get applications declined. Score yourself before an underwriter does.
What's inside
Ten controls. Real carrier language. The gotchas that decline you.
For each control: what carriers actually ask, what answer passes, and the “quiet disqualifier” — the response that looks survivable to you but reads as a hollow control to an underwriter. Plus a 10-item shortlist of the answers that quietly tank applications, and tailored notes for 12 SMB verticals — from law firms and dental practices to real estate, financial services, manufacturing, retail, and auto dealers.
- Multi-factor authentication — on every system, not just the VPN
- Endpoint detection (EDR/MDR) — on servers, not just laptops
- Backups — immutable or MFA-locked, and actually restore-tested
- Privileged access — separate, vaulted, monitored admin accounts
- Email security — a real gateway with sandboxing, not a spam filter
- Patch & vulnerability management — and no internet-facing EOL software
- Incident response — written, with named roles, and tested
- Network exposure — no flat networks, no naked RDP on port 3389
- Funds-transfer controls — out-of-band verification, every time
- Security awareness — phishing simulations, including finance staff
Why it's accurate
Built from the real applications, not generic advice.
Every question, threshold, and gotcha in this worksheet is pulled from current cyber applications and ransomware supplementals issued by Coalition, Corvus by Travelers, Beazley, At-Bay, The Hanover, Fusion / Tokio Marine Kiln, and Tokio Marine HCC. The dollar thresholds ($25,000 funds-transfer verification), the recovery-time bars (3-day restore), the deployment ladders that expose servers without EDR — those are the carriers' own words, not our paraphrase. If a control isn't on a real form, it isn't in here.
After the worksheet
Closing the gaps is the work.
The questionnaire tells you where you stand. The Cyber Insurance Readiness Sprint turns your environment into the evidence packet underwriters accept — the Conditional Access exports, the restore-test logs, the tested IR plan — so the application is a paperwork step, not a months-long scramble. CISSP-led, operated end-to-end by Obsidian Ridge.
