Insights into Enhanced Cybersecurity Insurance Requirements

Insurance carriers and brokers are doing their best to calculate your cyber risk so they can offer policies with appropriate terms and costs. As part of the insurance application process, you should expect requests to complete surveys and interviews with cyber experts, asking for evidence that your security controls are in place and working as expected. You can’t wait until you start shopping for an insurance policy or negotiating your renewal to make sure you can answer their questions.

Unfortunately, there’s no industry-wide regulation like HIPAA or PCI-DSS to provide consistency. Rather, in our research of more than a dozen cyber insurance questionnaires, we found many variations because each insurer chooses its own path to assess risk. This can make it more difficult for you to navigate the choppy waters.

To help, this report aggregates questionnaires from leading insurance companies and highlights the common questions. Specifically, it examines increasingly stringent insurer requirements for Privileged Access Management (PAM), including Multi-Factor Authentication (MFA), password management, access control, privilege elevation, session management, least privilege, and zero trust policies.
