Cyber Insurance Application Checklist for Small Firms

Cyber insurance applications have shifted from one-page checkboxes to multi-page security questionnaires with evidence requests. This checklist covers what carriers consistently ask — and how a small firm (tax preparer, CPA, EA, bookkeeper, insurance agency, or any small business) can answer with confidence and documentation.

For the deeper context on questionnaire format, see the cyber insurance questionnaire guide for tax preparers.

The twelve controls underwriters consistently ask about

1. Multi-factor authentication on email, remote access, privileged accounts, and tax/financial software.
2. Endpoint detection & response (EDR) on every workstation and laptop.
3. Backups — 3-2-1 with at least one immutable/off-site copy and tested restores.
4. Patching — operating systems, browsers, and tax suite kept current.
5. Security awareness training at hire and annually with completion records.
6. Data encryption at rest and in transit (TLS, full-disk).
7. Written Information Security Plan — see the WISP pillar guide.
8. Incident response plan — see the IRP template.
9. Vendor controls — written diligence and contract clauses for any third party handling client data.
10. Access reviews — periodic review of who has access to what.
11. Email security — anti-phishing, DMARC/SPF/DKIM, banner warnings.
12. Network segmentation — guest Wi-Fi separated from production.

Checklist: what to gather before you start the application

• Current WISP — see the WISP template guide.
• Most recent risk assessment.
• Incident response plan and breach playbook — pair with the breach response checklist.
• MFA enforcement screenshots or admin reports.
• EDR vendor name and console screenshot.
• Backup vendor, frequency, immutability, last successful restore test.
• Training platform and most recent completion report.
• Vendor list with SOC 2 or security attestation status.
• Encryption confirmation (BitLocker/FileVault status reports).
• Annual WISP review approval — see the annual review checklist.

Common questionnaire pitfalls

• Answering "yes" to MFA when it is only on email, not on remote access.
• Claiming "encrypted backups" without immutability — ransomware targets backups first.
• Listing a WISP that has not been reviewed in over a year.
• Missing a written incident response plan — increasingly a hard requirement, not optional.
• No documented vendor management — underwriters will ask for the list.

How WISPWolf helps answer these questions

WISPWolf produces a living WISP, a current Compliance Score, and an evidence pack mapped to the standard cyber insurance questionnaire. The same evidence supports IRS Publication 5708, IRS Publication 4557, the GLBA Safeguards Rule, and the FTC Safeguards checklist. We do not promise premium reductions or coverage; we make it easier to defend the answers you submit.

Educational content, not legal or insurance advice. Coverage decisions are made by your broker and carrier.