A cyber insurance questionnaire is the underwriting form carriers use to price your policy. Insurers want to see MFA, encryption, backups, employee training, and a Written Information Security Plan. A current WISP with live evidence usually lowers your premium and prevents claim denials.
In a hurry? Get your free Compliance Score, then come back to this guide.
Take the Free Quiz View Sample WISPCyber liability insurance for tax and accounting firms is no longer a checkbox purchase. Underwriters have years of loss data on this industry and they price — or decline — accordingly. If you are applying for the first time, or renewing a policy you bought before 2023, the questionnaire in front of you is materially different from what it used to be. This guide walks through what insurers are really evaluating, how your WISP answers most of it, and the five questions where tax firms most often disqualify themselves. For the underlying program requirements behind every carrier question, see the FTC Safeguards Rule checklist and the 2026 WISP requirements brief.
1. What Insurers Actually Look For
Strip away the jargon and the cyber underwriting model is simple: carriers want firms that are hard to compromise and cheap to recover. Every section of the questionnaire ladders up to one of those two questions. The controls that move the needle most are consistent across carriers:
- Multi-factor authentication (MFA) on email, remote access, privileged accounts, and any system holding client data. Missing MFA on email alone is now a frequent decline.
- Endpoint Detection and Response (EDR) on every workstation and server. Traditional antivirus is no longer accepted by most carriers.
- Backup posture: immutable or offline copies, tested quarterly, with documented restore times.
- Email security: anti-phishing, attachment sandboxing, DMARC/SPF/DKIM properly configured.
- Patch and vulnerability management on a defined cadence.
- A written incident response plan with a named coordinator and an external breach counsel relationship.
- A current Written Information Security Plan (WISP) with a named Qualified Individual and a recent annual review.
These items show up under different headings on different applications, but the underlying control list barely varies. If you can defensibly say yes to all seven, you are underwriting as a preferred risk.
2. How a WISP Maps to NetGuard Plus and the Standard Ransomware Supplemental
Tokio Marine HCC's NetGuard Plus application and the industry-standard Ransomware Supplemental Application (used in some form by most major carriers, including Chubb, Travelers, AXIS, and Beazley) are the two documents most tax firms will see. A complete WISP, built to the FTC Safeguards Rule and IRS Publication 5708, gives you direct evidence for almost every section:
- Information Security Governance → WISP designates a Qualified Individual and documents board reporting.
- Risk Assessment → WISP includes a written annual risk assessment.
- Access Controls and MFA → WISP documents MFA scope, least-privilege policy, and account review cadence.
- Data Protection → WISP documents encryption at rest and in transit, plus data classification.
- Endpoint and Network Security → WISP names the EDR product, firewall posture, and patch cadence.
- Training → WISP documents annual training and phishing simulation, with completion logs.
- Vendor Management → WISP lists vendors that touch client data and requires written contracts with security provisions.
- Incident Response → WISP includes a written IR plan, last tabletop date, and breach counsel.
- Backup and Recovery → WISP names the backup product, frequency, immutability, and last successful restore test.
The tactical advantage is that you stop answering 60+ questions from memory. You answer them from a single document and attach an evidence packet. Underwriters love this because it's defensible; brokers love it because it accelerates quotes.
3. Five Questions Where Tax Firms Typically Fail (and How to Fix Them Before Applying)
"Is MFA enforced on email for all users, including admins?"
The most common failure point. Many firms have MFA enabled but not enforced, or enforce it on staff but leave the owner's account exempt because "it's annoying." Underwriters treat exemptions as no-MFA. Fix: enforce MFA tenant-wide via Microsoft Entra Conditional Access or Google Workspace 2SV, with no exempt users and no legacy authentication protocols enabled.
"Are backups immutable or stored offline, and tested quarterly?"
Firms answer yes because they have a backup product, but on follow-up cannot produce a successful restore log or cannot confirm the backups can't be deleted by a ransomware attacker. Fix: turn on object-lock or air-gap features (most major backup vendors have a switch), schedule a quarterly test restore, and save the report.
"Do you have a written incident response plan tested in the last 12 months?"
Most firms have a plan; almost none have tested it. An untested plan reads as no plan. Fix: run a 60-minute tabletop with your IT provider and a breach counsel, document the date, who attended, and three takeaways. That artifact answers the question.
"Do you use a Privileged Access Workstation or dedicated admin accounts?"
Firms answer yes because admins have separate logins, but those admins also check email and browse the web from the same account. Fix: require admin functions only from a separated browser profile or, ideally, a dedicated admin account that has no email access — document the policy in your WISP.
"Is your written information security program reviewed annually with a written report to leadership?"
Firms answer yes because they "look at" the WISP, but cannot produce a dated written report. The Safeguards Rule requires that report — and so does the application. Fix: produce a one-page annual report signed by the Qualified Individual and dated within the last 12 months. Work the annual WISP review checklist end-to-end, and if your current document hasn't changed in years, read why a one-time WISP no longer holds up. WISPWolf generates this report automatically; doing it by hand takes an afternoon.
4. How a Documented WISP Lowers Your Premium
Insurers price tax and accounting firms in tiers — preferred, standard, and surcharged — based on the answers above. The difference between preferred and surcharged is commonly 25–40% on the base premium for the same limits, sometimes more on smaller policies. A current WISP with evidence does three things underwriters reward directly:
- It moves multiple borderline answers from "no" to defensible "yes," shifting the tier you qualify for.
- It demonstrates governance maturity, which carriers use as a soft factor in pricing and capacity.
- It dramatically reduces the warranty risk at claim time, which makes a difference at renewal even when premium is held flat.
Firms that walk into a renewal with a current WISP, an evidence packet, and a one-page Qualified Individual's report consistently report better-than-market renewals — usually flat or modestly up in years when peers are seeing double-digit increases.
Generate both at onceWISPWolf produces your firm-specific WISP and your cyber insurance evidence packet from the same intake — MFA status, EDR deployment, backup tests, training logs, vendor list, IR plan, and the Qualified Individual's annual report. Start with the free Compliance Starter Kit for the underlying document, or take the 15-question Compliance Score to see exactly where your application will weaken before you submit it.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation
Get the free WISPWolf Compliance Starter Kit
Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.
Get Your Free WISP Compliance Score
See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.
IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required