Sixty percent of Irish SMEs fail at least one key requirement when renewing their cyber insurance. For businesses in Donegal and Sligo, where local enterprises often manage complex digital operations without dedicated security teams, the renewal questionnaire is more than paperwork. Your answers determine whether your policy pays out when you need it most — not just what you pay each month. Understanding what underwriters are really looking for behind each question is the first step to securing coverage that functions when tested.
Why the Questions Have Changed
Cyber insurance is not like car insurance. Insurers are not just covering damage after an incident — they are increasingly assessing whether you are likely to have one. Every question on a renewal form reflects data about which controls prevent which attacks, and which absences make claims more likely and more expensive.
The market hardened significantly after 2020, when ransomware attacks produced claim volumes that overwhelmed insurer reserves. The response was stricter underwriting — more questions, more specific warranty clauses, and more scrutiny of answers. A business that ticked a box saying "yes, we have MFA" and later suffered an account takeover without MFA enabled on the affected account now faces a warranty dispute, not a straightforward payout. Each question is a commitment with consequences.
The NCSC Ireland has documented the most common attack pathways affecting Irish organisations: credential theft exploiting absent MFA, exploitation of unpatched systems, and social engineering leading to fraudulent payments.[^1] The cyber insurance questionnaire tests exactly these pathways.
When did you last read your cyber insurance application answers against your actual security configuration — and are they still accurate? Book a free 20-minute strategy call — we'll compare your declared posture against your real controls and identify any discrepancies before your next renewal.
"Do You Have Multi-Factor Authentication Everywhere?"
What this question is really asking is: have you closed the single most effective attack pathway against account takeover? MFA requires more than a password to access accounts, adding a verification step that makes stolen credentials alone insufficient. Credential theft is the most common initial access method in Irish cyber incidents according to An Garda Síochána's National Cyber Crime Bureau.[^2]
A strong answer confirms that MFA is enforced — not just available — across all email accounts, cloud applications such as Microsoft 365 or Google Workspace, VPNs, remote access tools, and administrative interfaces. The distinction between "available" and "enforced" matters. An enforced MFA policy means staff cannot bypass it. An available policy means they can choose not to use it.
If you answer no — or "partially" — expect significant pushback. Many insurers treat MFA as a baseline requirement. A no answer can result in a policy denial, a substantially higher premium, or an exclusion clause for incidents arising from compromised accounts where MFA was not enabled.
"Do You Have Endpoint Detection and Response?"
The question behind this question is: can you detect and contain threats that bypass traditional antivirus? Standard antivirus matches known malware signatures. Endpoint Detection and Response tools monitor device behaviour continuously, detecting unusual activity patterns — such as a process encrypting large numbers of files — that precede a ransomware detonation.
For a manufacturing firm in Donegal where operational systems may be connected to the business network, EDR on critical servers is the control that provides early warning before an attack reaches its objective. Insurers view EDR as indicative of a proactive security posture that reduces their likely payout when an incident occurs.
If you answer no, insurers will view it as a significant gap, particularly for ransomware coverage. This can result in a specific ransomware exclusion or a requirement to implement EDR before coverage is confirmed.
"When Did You Last Patch Your Critical Systems?"
Unpatched systems are the second most common attack vector in Irish cyber incidents. Software vulnerabilities are discovered regularly, and vendors release patches to close them. Attackers actively exploit known vulnerabilities — particularly in the days immediately after a patch is released, when many organisations have not yet applied it. Leaving systems unpatched is a warranty risk, because most cyber policies exclude claims arising from attacks exploiting vulnerabilities for which a patch was available.
The answer underwriters want is specific: critical patches within days of release, a documented schedule, and evidence that patch compliance is monitored. For a professional services firm in Letterkenny, the patch schedule for every client-facing application is part of your risk profile and your compliance with the DPC's expectations for technical security measures.[^3]
If you answer "irregularly" or cannot provide a schedule, the insurer has grounds to exclude incidents from unpatched systems — which covers a significant proportion of real-world attacks.
"Do You Have an Incident Response Plan?"
This question assesses whether you know what to do when an attack happens. An incident response plan outlines who detects incidents, who makes decisions, who contacts the insurer, who notifies the DPC under GDPR, and who engages external forensic or legal support. Without a plan, response is improvised — and improvised responses take longer, cost more, and produce higher claim values.
A strong answer confirms that a documented plan exists, that it has been tested in the past 12 months, and that it names the insurer's incident notification number as a mandatory first call within 24 hours. An Garda Síochána's National Cyber Crime Bureau handles incidents with a criminal element, and your plan should specify this step.
An incident response plan that is tested under controlled conditions reveals the gaps that a real incident would otherwise expose under pressure and at far greater cost. A plan on a shelf is not a capability — a practised plan is.
"Do You Have Offline Backups?"
This is the question that determines whether ransomware is a recoverable event or a business-ending one. Online backups connected to your network can be encrypted by ransomware alongside your live data. Offline or immutable backups — stored in a location that cannot be reached from your compromised network — are the recovery path that makes ransom payment unnecessary.
Insurers are not in the business of paying ransoms that could have been avoided. A confirmed "yes" to offline backups, with documented test restoration records, is often what determines whether ransomware is covered or excluded. A business that cannot demonstrate offline backup capability is presenting a significantly higher ransomware claim risk.
The 3-2-1-1-0 backup standard — three copies, two different media, one offsite, one offline, zero unverified restores — is what modern cyber resilience requires. The "zero unverified restores" component is critical: a backup that has never been successfully restored is not evidence of recoverability.
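The rule above is easy to state and easy to believe you meet; checking it against an actual inventory of copies is where gaps show up. The following is an added example, not code from this article or from Pragmatic Security: it takes a constructed inventory of copies (the field names, copy names and dates are all made up for illustration) and reports which element of 3-2-1-1-0 fails. The 90-day freshness window for a verified restore is an assumption of the example; the article only requires that restores be verified.

```python
"""Check a backup inventory against the 3-2-1-1-0 rule.

Added example, not code from the article or from Pragmatic Security. The
inventory schema, field names and sample values are constructed; map them
onto whatever your backup software actually reports.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                             # "disk", "tape", "object-storage", ...
    offsite: bool                           # held away from the primary site
    offline: bool                           # air-gapped or immutable: unreachable from the production network
    last_verified_restore: Optional[date]   # None = never restored from
    is_production: bool = False             # live copy counts toward "3 copies" but is never restored from


def evaluate_3_2_1_1_0(copies: List[BackupCopy], today: date,
                       max_restore_age_days: int = 90) -> Dict[str, Tuple[bool, str]]:
    """Return {rule_element: (passed, detail)} for each element of 3-2-1-1-0.

    A restore verified more than max_restore_age_days ago is treated as
    unverified (assumption of this example, not a requirement of the article).
    """
    cutoff = today - timedelta(days=max_restore_age_days)
    media = sorted({c.medium for c in copies})
    offsite = [c.name for c in copies if c.offsite]
    offline = [c.name for c in copies if c.offline]
    unverified = [c.name for c in copies if not c.is_production
                  and (c.last_verified_restore is None or c.last_verified_restore < cutoff)]
    return {
        "3_copies": (len(copies) >= 3, f"{len(copies)} copies of the data"),
        "2_media": (len(media) >= 2, f"media: {media}"),
        "1_offsite": (bool(offsite), f"offsite copies: {offsite}"),
        "1_offline": (bool(offline), f"offline/immutable copies: {offline}"),
        "0_unverified": (not unverified, f"copies without a recent verified restore: {unverified}"),
    }


def failures(results: Dict[str, Tuple[bool, str]]) -> List[str]:
    """Names of the rule elements that did not pass, in rule order."""
    return [rule for rule, (passed, _) in results.items() if not passed]


def compliant(results: Dict[str, Tuple[bool, str]]) -> bool:
    return not failures(results)


TODAY = date(2025, 3, 31)  # constructed reference date for the sample

# Constructed inventory: live data plus three backup copies on three media.
SAMPLE_INVENTORY = [
    BackupCopy("production-fileserver", "disk", offsite=False, offline=False,
               last_verified_restore=None, is_production=True),
    BackupCopy("nightly-nas", "disk", offsite=False, offline=False,
               last_verified_restore=date(2025, 3, 2)),
    BackupCopy("cloud-object-store", "object-storage", offsite=True, offline=False,
               last_verified_restore=date(2025, 1, 20)),
    BackupCopy("weekly-tape-vault", "tape", offsite=True, offline=True,
               last_verified_restore=date(2025, 2, 10)),
]

# The same estate with the tape rotation dropped: still three copies, two media
# and an offsite copy, but nothing that ransomware on the network could not reach.
WITHOUT_OFFLINE = [c for c in SAMPLE_INVENTORY if c.name != "weekly-tape-vault"]

if __name__ == "__main__":
    for label, inventory in (("full", SAMPLE_INVENTORY), ("no-offline", WITHOUT_OFFLINE)):
        results = evaluate_3_2_1_1_0(inventory, TODAY)
        verdict = "compliant" if compliant(results) else f"failed: {failures(results)}"
        print(f"{label}: {verdict}")
        for rule, (passed, detail) in results.items():
            print(f"  {'PASS' if passed else 'FAIL'} {rule}: {detail}")
```

The `is_production` flag is what keeps the live copy from being counted as an "unverified restore"; everything else in the inventory has to show a restore that actually completed, which is the "zero" in the rule.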
What to Do Before Your Next Renewal
Understanding these questions before renewal — not during the application process — gives you time to close gaps rather than discover them at signing. Three practical steps address the most common failure points.
For each question on your last or current renewal form, compare your written answer against your actual current configuration. MFA — is it enforced on every account, or just most? Patching — do you have records from the past 90 days, or is it informal? Backups — have you run a restoration test this quarter? If the answers have drifted from what you declared, that is a disclosure risk at claim time.
For any question where your answer is currently "no" or "partially," establish a timeline for remediation before your next renewal. The controls that most affect underwriting — MFA, EDR, tested backups, incident response plan — are all implementable within 90 days with IT support. Implementing them before renewal changes your risk profile, not just your questionnaire answers.
Brief your broker on the improvements you have made since your last renewal. Underwriters do not always ask what has changed — but a broker who proactively presents evidence of security improvements on your behalf can negotiate better terms that the standard form would not reflect.
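The first step above, comparing declared answers with the configuration you actually run, is the part that can be scripted against exports from your identity, patch-management and backup tooling. The following is an added example, not code from this article or from Pragmatic Security: the declared-answer keys, the export row formats and every sample value (user names, system names, dates) are constructed, and a real export would need its own loader in place of the inline lists. It checks the three drift questions the article poses: MFA enforced on every account rather than most, critical patches inside the declared window, and a restore test in the current calendar quarter.

```python
"""Compare declared cyber-insurance answers with observed configuration.

Added example, not code from the article or from Pragmatic Security. The
declared-answer keys, export formats and sample values are constructed;
real identity, patching and backup exports differ, so the three inline
lists are what you would replace with loaders for your own systems.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple


def quarter(d: date) -> Tuple[int, int]:
    """Calendar quarter of a date, e.g. (2025, 1) for January to March 2025."""
    return (d.year, (d.month - 1) // 3 + 1)


def audit_mfa(declared: Dict, accounts: List[Dict]) -> List[Dict]:
    """'Enforced everywhere' must hold for every account; 'available' is not enforced."""
    if not declared.get("mfa_enforced_all_accounts"):
        return []
    not_enforced = [a["user"] for a in accounts if a["mfa"] != "enforced"]
    if not not_enforced:
        return []
    return [{"control": "mfa",
             "detail": f"declared enforced on all accounts; not enforced on "
                       f"{len(not_enforced)} of {len(accounts)}: {not_enforced}"}]


def audit_patching(declared: Dict, records: List[Dict], today: date) -> List[Dict]:
    """Every critical patch must be installed within the declared SLA window."""
    sla = declared["critical_patch_sla_days"]
    late = []
    for r in records:
        # Exposure runs from release to install, or to today if still not installed.
        exposure_days = ((r["installed"] or today) - r["released"]).days
        if exposure_days > sla:
            late.append(f"{r['system']} ({r['patch']}: {exposure_days}d exposed, SLA {sla}d)")
    return [{"control": "patching", "detail": f"outside declared SLA: {late}"}] if late else []


def audit_backups(declared: Dict, last_restore_test: Optional[date], today: date) -> List[Dict]:
    """'Tested this quarter' is read as a verified restore in the current calendar quarter."""
    if not declared.get("restore_test_quarterly"):
        return []
    if last_restore_test is not None and quarter(last_restore_test) == quarter(today):
        return []
    return [{"control": "backups",
             "detail": f"declared quarterly restore tests; last verified restore: {last_restore_test}"}]


def audit_posture(declared: Dict, accounts: List[Dict], records: List[Dict],
                  last_restore_test: Optional[date], today: date) -> List[Dict]:
    """All findings, in questionnaire order: MFA, patching, backups."""
    return (audit_mfa(declared, accounts)
            + audit_patching(declared, records, today)
            + audit_backups(declared, last_restore_test, today))


# Constructed sample: what the last renewal form said.
DECLARED = {
    "mfa_enforced_all_accounts": True,
    "critical_patch_sla_days": 14,
    "restore_test_quarterly": True,
}

# Constructed identity export, one row per account. A shared mailbox is the
# classic place where MFA is registered but never enforced.
ACCOUNTS = [
    {"user": "alice@example.ie", "mfa": "enforced"},
    {"user": "bob@example.ie", "mfa": "enforced"},
    {"user": "reception@example.ie", "mfa": "available"},
]

# Constructed patch-management export for one critical patch.
PATCH_RECORDS = [
    {"system": "fileserver01", "patch": "critical-2025-03",
     "released": date(2025, 3, 4), "installed": date(2025, 3, 10)},
    {"system": "erp-app01", "patch": "critical-2025-03",
     "released": date(2025, 3, 4), "installed": None},
]

LAST_RESTORE_TEST = date(2024, 11, 15)  # constructed: last quarter, not this one
TODAY = date(2025, 3, 31)               # constructed reference date

if __name__ == "__main__":
    for finding in audit_posture(DECLARED, ACCOUNTS, PATCH_RECORDS, LAST_RESTORE_TEST, TODAY):
        print(f"[{finding['control']}] {finding['detail']}")
```

Each finding is a place where the declared answer has drifted from reality, which is exactly the disclosure risk the article describes at claim time; run it against fresh exports before the renewal form is signed, not after.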
Related Reading
- Cyber Insurance Proactive Insurability
- Cyber Insurance Broker Checklist: What Your Broker Should Ask
- Cyber Insurance Claims Denied: Three Irish SME Scenarios
[^1]: NCSC Ireland — Threat landscape and security control guidance for Irish organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — National Cyber Crime Bureau guidance on credential theft and MFA: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland — GDPR technical security measures and compliance: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.