Tags: Cyber insurance, Compliance, Evidence

The cyber insurer wants evidence, and your SME does not have it

Cyber policies are scrutinised harder, questionnaires get longer, and evidence requirements tighter. The three blocks where it usually breaks, and how to prepare.

Ian

Co-Founder & CEO

18 March 2026, 6 min read

Belgian SMEs increasingly receive a detailed questionnaire at the annual renewal of their cyber policy. Forty to fifty items is no longer unusual, and the message at the end is clear: "Please complete by [date], otherwise we cannot quote at comparable conditions."

For many smaller organisations, that is new. Last year a short declaration was enough; this year every control gets probed. Below: why this is happening, where it usually breaks down, and what to do before your next renewal.

Insurers are recalibrating

Between 2020 and 2023, cyber insurers internationally took heavy losses on smaller clients. Ransomware claims routinely run into the hundreds of thousands of euros, including for SMEs with fewer than 100 staff. For insurers, that is an unsustainable risk on standard policies.

The result: renewals are scrutinised much harder. Questions that used to be optional ("Do you have MFA on administrator accounts?") are now hard requirements. One "no" or "I don't know" and the premium doubles, or the policy is not renewed.

The three blocks that usually break

We see the same three blocks in questionnaires trip clients up over and over:

  1. MFA on all administrator accounts. Not only Microsoft 365. Also your firewall admin, your remote access, your backup portal. Many SMEs have this partly in place, but not centrally enforced, and cannot show which admin accounts were covered on a given date.
  2. Proof of tested backup restores. Not "we have backups." Rather: "on date X we fully restored system Y, these were the steps, this was the duration, this person was responsible."
  3. An endpoint detection solution with central logging. For most SMEs that means either a commercial EDR or a self-hosted open-source platform such as Wazuh. The built-in Microsoft Defender Antivirus that ships with Windows often does not count without a central management layer on top; Microsoft's own EDR (Defender for Endpoint or Defender for Business) is a separate licence.

The quiet evidence requirement

What really worries us is what is not in the questionnaire but increasingly clear in the policy small print: when you file a claim, you must be able to demonstrate that on the date of the incident you actually met what you declared. No logs? No payout. No documentation of the incident response process? No full coverage.

This is not theory. An organisation can have all technical controls properly configured and still lose a claim because the logs cannot be found, have already been rotated away, or carry no trustworthy timestamps for the adjuster. One missing log file, or an MFA status that can be shown today but not for the incident date, can make the difference between a payout and none.

What to do now

Three actions that cost nothing and still move the needle:

  1. Ask your insurer for the current questionnaire. Not last year's version, the one they use at renewal today. Then you have in black and white what you must meet.
  2. Document what you already have. For every 'yes' in that questionnaire: one file or screenshot that proves it, dated, in one central folder.
  3. Test one restore per quarter. Write down what you did, how long it took, what you observed. Four short quarterly notes are already half the evidence work.
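The "dated, in a central folder" requirement from step 2 and the "findable and properly dated" problem described under the evidence requirement above both come down to the same thing: proof that a note or screenshot existed, unchanged, on a given date. Below is an added example (not code from the original post, and not a tool the author describes) of a small evidence register that does this: each questionnaire item is recorded with the SHA-256 of its proving file, a UTC timestamp, and the hash of the previous entry, so that a note edited after the fact or a rewritten register line shows up on verification. The item numbers (Q03, Q12), file names, and note contents are constructed for illustration.

```python
"""Added example, not part of the original post: a tamper-evident evidence register.

Each register line is one questionnaire item with the file that proves it, the file's
SHA-256, a UTC timestamp and the hash of the previous line, so a later edit to a note
or to the register itself is detectable. Item IDs, file names and notes are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible after a re-read.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def load_register(register: Path) -> list:
    if not register.exists():
        return []
    return [json.loads(line) for line in register.read_text(encoding="utf-8").splitlines() if line.strip()]


def add_evidence(register: Path, item: str, evidence: Path, note: str) -> dict:
    """Append one dated, hash-chained entry for a questionnaire item (JSON Lines, append-only)."""
    entries = load_register(register)
    entry = {
        "item": item,
        "evidence_file": str(evidence),
        "evidence_sha256": sha256_file(evidence),
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
        "prev_hash": entries[-1]["entry_hash"] if entries else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    with register.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_register(register: Path) -> list:
    """Return a list of problems; an empty list means register and evidence files are intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(load_register(register)):
        if e.get("prev_hash") != prev:
            problems.append(f"entry {i}: chain broken (prev_hash mismatch)")
        if entry_hash(e) != e.get("entry_hash"):
            problems.append(f"entry {i}: entry content changed after recording")
        p = Path(e["evidence_file"])
        if not p.exists():
            problems.append(f"entry {i}: evidence file missing: {p}")
        elif sha256_file(p) != e["evidence_sha256"]:
            problems.append(f"entry {i}: evidence file modified since recording: {p}")
        prev = e.get("entry_hash", "")
    return problems


def run_demo() -> dict:
    """Record two constructed items, verify, then tamper twice and verify again."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        register = folder / "evidence-register.jsonl"
        note = folder / "2026-Q1-restore-test.md"  # constructed quarterly restore note
        note.write_text("Restore test 2026-03-10: FS01 restored from the 2026-03-09 backup to an "
                        "isolated VM in 1 h 40 min; share contents verified; responsible: J. Peeters\n",
                        encoding="utf-8")
        shot = folder / "2026-03-10-firewall-admin-mfa.png"  # constructed placeholder, not a real PNG
        shot.write_bytes(b"placeholder bytes standing in for a screenshot")
        add_evidence(register, "Q12 tested backup restore", note, "quarterly restore, see note")
        add_evidence(register, "Q03 MFA on firewall admin", shot, "admin portal MFA settings page")
        before = verify_register(register)

        # Tamper 1: the note is "improved" after the fact; its recorded hash no longer matches.
        note.write_text("Restore test 2026-03-10: everything fine.\n", encoding="utf-8")
        after_note_edit = verify_register(register)

        # Tamper 2: entry 0's date is rewritten and its entry_hash recomputed to hide that;
        # entry 1 still carries the old prev_hash, so the chain breaks there.
        lines = register.read_text(encoding="utf-8").splitlines()
        e0 = json.loads(lines[0])
        e0["recorded_at"] = "2026-01-01T00:00:00+00:00"
        e0["entry_hash"] = entry_hash(e0)
        lines[0] = json.dumps(e0, sort_keys=True)
        register.write_text("\n".join(lines) + "\n", encoding="utf-8")
        after_register_edit = verify_register(register)
    return {"before": before, "after_note_edit": after_note_edit,
            "after_register_edit": after_register_edit}


if __name__ == "__main__":
    for stage, problems in run_demo().items():
        print(stage, "->", problems or "OK")
```

A hash chain in a folder you control proves that the register is internally consistent, not that an entry existed on the date it claims. To make the date credible to an adjuster, send the latest entry_hash to your broker or insurer at each quarterly restore test, or keep a copy of the register outside the organisation, and keep both register and evidence files for the whole period a claim could still be made.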

If your insurer does not use a questionnaire yet, ask whether that will stay that way. Almost all Belgian carriers are rewriting policies right now. Better to know where you stand before renewal than after a claim.