

TL;DR
Cyber insurance questionnaires have become significantly more detailed over the past two years. Insurers are no longer satisfied with a yes or no against a list of controls.
The controls insurers focus on most are MFA enforcement, privileged access management, endpoint detection and response, backup integrity testing and incident response planning.
The harder requirement is evidence. Your clients need to show that controls are active and working, not just that they exist on paper.
What tends to trip clients up at renewal is the gap between controls they believe they have and controls they can actually evidence when the questionnaire arrives.
MSPs who help clients build and maintain that evidence trail throughout the year, not just at renewal, are the ones who become genuinely embedded in the client relationship.
Here's something that comes up a lot in conversations with partners
I was talking to a partner a few weeks ago, and he mentioned that one of his longest-standing clients had nearly lost their cyber insurance renewal. Not because their security was bad. Because when the questionnaire arrived, they couldn't produce the documentation the insurer was asking for. The controls were there. The evidence wasn't. Does that resonate with you? Because from what I've seen across the channel, it's one of the most common and most avoidable problems MSPs encounter with clients in this area.
Cyber insurance has changed a lot in a fairly short time. Two or three years ago, a lot of these questionnaires were fairly high-level: do you have antivirus, do you have backups, do you have a firewall. Ticking yes and moving on was often enough. What I've seen over the past 18 months is that insurers have gone considerably deeper. They want specific controls evidenced in specific ways, and the questionnaires that land on your clients' desks at renewal time reflect that shift.
The reason I mention this is that the shift creates a genuine opportunity for MSPs. Your clients are going to need help with this. And the MSPs who are ready to provide that help, in a structured way, are going to find that cyber insurance becomes one of the most reliable entry points and retention mechanisms in their portfolio.
What insurers are asking for now
Multi-factor authentication
MFA is no longer a nice-to-have on insurer questionnaires. Most insurers now require MFA to be enforced across all accounts, with no exceptions for senior users who find it inconvenient. What tends to trip clients up here is the distinction between MFA being enabled and MFA being enforced. A client who has MFA available but not mandatory across all accounts, including shared mailboxes and service accounts, may not meet the insurer's threshold.
The evidence an insurer wants to see is not a screenshot of an MFA setting. It's a report showing coverage across all accounts. For Microsoft 365 environments, that means pulling an Entra ID conditional access policy review that shows which accounts are in scope and which are not. If you're already doing this as part of a regular security review, that evidence exists. If you're not, the renewal conversation is where that gap becomes visible.
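To make the enabled-versus-enforced distinction concrete, here is an added example (not enhanced.io code or tooling) that walks a directory of accounts against a set of Conditional Access policies and reports which accounts actually have MFA enforced. The accounts and policies are constructed, and the policy dictionaries use a simplified shape modelled on the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users include/exclude lists, grantControls.builtInControls); that shape is an assumption about how an exported policy review would look. What it shows is that a policy left in report-only state and an account excluded from the "all staff" policy both leave gaps that a screenshot of the MFA setting would hide.

```python
"""Evaluate which accounts a set of Conditional Access policies actually
enforce MFA for, and which fall through the gaps.

Added illustrative example, not enhanced.io code. DIRECTORY and POLICIES are
constructed; the policy dicts use a simplified shape modelled on the Graph
conditionalAccessPolicy resource. In production they would come from an
Entra ID export; here they are embedded so the script runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    id: str
    kind: str                      # "user", "admin", "shared_mailbox", "service"
    groups: set[str] = field(default_factory=set)


# Constructed directory. The shared mailbox and the service account are the
# kind of objects that are routinely left out of "all staff" policies.
DIRECTORY = [
    Account("alice", "user", {"staff"}),
    Account("bob", "admin", {"staff", "global-admins"}),
    Account("finance-shared", "shared_mailbox", set()),
    Account("svc-backup", "service", set()),
    Account("ceo", "user", {"staff", "execs"}),
]

# Constructed policies modelled on the Graph resource shape.
POLICIES = [
    {
        "displayName": "Require MFA for staff",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": [], "includeGroups": ["staff"],
                                 "excludeUsers": ["ceo"], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for admins",
        # Report-only: the policy exists and is "configured", but enforces nothing.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": [], "includeGroups": ["global-admins"],
                                 "excludeUsers": [], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]


def policy_enforces_mfa(policy: dict, account: Account) -> bool:
    """True only if the policy is enabled (not report-only), grants require MFA,
    the account is in scope, and the account is not excluded."""
    if policy.get("state") != "enabled":
        return False
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        return False
    users = policy["conditions"]["users"]
    included = ("All" in users.get("includeUsers", [])
                or account.id in users.get("includeUsers", [])
                or bool(account.groups & set(users.get("includeGroups", []))))
    excluded = (account.id in users.get("excludeUsers", [])
                or bool(account.groups & set(users.get("excludeGroups", []))))
    return included and not excluded


def mfa_coverage(directory: list[Account], policies: list[dict]) -> dict:
    """Per-account enforcement check plus the coverage figure an insurer asks for."""
    enforced, gaps = [], []
    for acct in directory:
        covering = [p["displayName"] for p in policies if policy_enforces_mfa(p, acct)]
        (enforced if covering else gaps).append((acct.id, acct.kind, covering))
    total = len(directory)
    return {
        "total": total,
        "enforced": len(enforced),
        "coverage_pct": round(100 * len(enforced) / total, 1) if total else 0.0,
        "gaps": gaps,                # accounts with no enforcing policy at all
    }


if __name__ == "__main__":
    report = mfa_coverage(DIRECTORY, POLICIES)
    print(f"MFA enforced on {report['enforced']}/{report['total']} accounts "
          f"({report['coverage_pct']}%)")
    for acct_id, kind, _ in report["gaps"]:
        print(f"  GAP: {acct_id} ({kind})")
```

Against a real export you would replace DIRECTORY and POLICIES with the exported objects; the accounts listed under gaps are the ones to bring into scope or to document as justified exceptions before the questionnaire asks about them.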
Privileged access management
Insurers are increasingly asking about how clients manage administrator accounts. The specific questions tend to cover whether admin accounts are separate from day-to-day user accounts, whether admin access requires step-up authentication, and whether there is a process for reviewing and revoking admin rights when they're no longer needed. For most SMB clients, this is an area where what exists in practice and what gets documented are two quite different things.
Endpoint detection and response
Most insurers now require active EDR rather than traditional antivirus. The questionnaire distinction matters: AV and EDR are not the same thing, and insurers have become more specific about which they require. What I've found is that many clients have moved to EDR without fully understanding the difference, which means they tick the right box but have less certainty about what the control is actually doing. The controls insurers focus on most in terms of claim rejection are the ones where the client answered yes but couldn't demonstrate active coverage when it mattered.
Backup integrity and recovery testing
Backup is the area where I see the biggest gap between what clients believe and what they can evidence. Most clients have backups running. Far fewer have tested recovery within the last 12 months and can produce documentation of that test. Insurers are asking specifically about backup frequency, offsite or cloud storage, and whether recovery has been tested and the results recorded. A backup that has never been tested is an assumption, not a control.
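That last sentence is the whole requirement in miniature: a restore that has not been performed and checked is not evidence. The following added example (not enhanced.io code) performs a restore test against a backup copy, verifies every restored file against the original with SHA-256, and returns a dated record that can go straight into an evidence ledger. The source tree, the backup copy and its two faults (one silently corrupted file, one file that was never backed up) are constructed inside a temporary directory so the script runs offline; in practice the restore would come from the real backup target.

```python
"""Run a restore test against a backup copy and produce a dated evidence record.

Added illustrative example, not enhanced.io code. The source tree and backup
copy are constructed in a temporary directory so the script runs offline;
a real job would restore from the actual backup target instead.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large restores do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_test(source: Path, backup: Path, restore_dir: Path) -> dict:
    """Restore each file from `backup` into `restore_dir` and compare its hash
    with the original in `source`. Returns the evidence record."""
    results = []
    for original in sorted(source.rglob("*")):
        if not original.is_file():
            continue
        rel = original.relative_to(source)
        backed, restored = backup / rel, restore_dir / rel
        restored.parent.mkdir(parents=True, exist_ok=True)
        if backed.exists():
            shutil.copy2(backed, restored)            # the "restore" step
            ok = sha256_of(restored) == sha256_of(original)
        else:
            ok = False                                # never backed up: cannot restore
        results.append({"file": rel.as_posix(), "restored_ok": ok})
    return {
        "control": "backup_recovery_test",
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_tested": len(results),
        "files_ok": sum(r["restored_ok"] for r in results),
        "passed": bool(results) and all(r["restored_ok"] for r in results),
        "details": results,
    }


def build_fixture(root: Path) -> tuple[Path, Path, Path]:
    """Constructed fixture: a source tree, a backup copy with one corrupted
    file and one missing file, and an empty restore target."""
    source, backup, restore = root / "source", root / "backup", root / "restore"
    source.mkdir(parents=True)
    restore.mkdir(parents=True)
    (source / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
    (source / "contracts").mkdir()
    (source / "contracts" / "acme.pdf").write_bytes(b"%PDF-1.4 constructed\n")
    (source / "notes.txt").write_bytes(b"quarterly notes\n")
    shutil.copytree(source, backup)
    (backup / "ledger.csv").write_bytes(b"id,amount\n1,1O0\n")  # corrupted copy
    (backup / "notes.txt").unlink()                              # never backed up
    return source, backup, restore


def run_demo() -> dict:
    """Build the fixture, run the restore test and return the evidence record."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup, restore = build_fixture(Path(tmp))
        return restore_test(source, backup, restore)


if __name__ == "__main__":
    # In production, append this record to the client's evidence ledger.
    print(json.dumps(run_demo(), indent=2))
```

The record deliberately carries per-file results as well as the overall pass/fail: a restore that "worked" but returned one corrupted ledger is exactly the case the insurer's question is trying to surface, and a failed test recorded with a date is still better evidence of a working process than no test at all.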
Incident response planning
Insurers want to see that clients have a documented incident response plan that has been reviewed in the last 12 months. The plan doesn't need to be complicated. But it needs to exist, it needs to name specific roles and responsibilities, and it needs to have a review date. From what I've seen, what tends to get flagged in renewal questionnaires more than any other single item is the incident response plan, either because it doesn't exist or because the last review date is several years old.
The evidence problem
Here's the thing about all of these controls: most of your clients probably have most of them in place. The problem is not the controls. The problem is the evidence. An insurer asking for MFA coverage across all accounts needs to see a report, not a conversation. An insurer asking about backup testing needs to see a test record with a date, not a general assurance that it gets done.
What I've seen work well is treating the insurance questionnaire as a standing audit rather than an annual event. If you're producing a monthly security summary for your clients that covers MFA status, EDR coverage, backup test results and any incidents detected and resolved, then when the questionnaire arrives you already have 12 months of evidence to draw from. The threat detection and response monitoring your SOC runs produces that evidence as a byproduct of normal operations. The question is whether it's being packaged in a way that's retrievable when the client needs it.
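As an added example of the standing-audit idea (not enhanced.io code or reporting), the script below reads an evidence ledger and answers the question the questionnaire will ask for each control: is there a current, passing artefact? The ledger entries, control names and freshness windows are constructed assumptions chosen to match the descriptions above (incident response plan reviewed and backups tested within 12 months, MFA and EDR coverage reported monthly, admin access reviewed quarterly); a particular insurer's windows come from its own questionnaire. Note how a failed backup test that follows an earlier pass, and a plan whose review date is several years old, both surface as gaps.

```python
"""Check an evidence ledger against per-control freshness windows and list
what can and cannot be evidenced on a given day.

Added illustrative example, not enhanced.io code. WINDOWS and LEDGER are
constructed assumptions; real windows come from the insurer's questionnaire
and real entries from the monthly reporting run.
"""
from __future__ import annotations

from datetime import date

# Assumed windows (days) within which a passing artefact must exist.
WINDOWS = {
    "mfa_coverage_report": 31,
    "edr_coverage_report": 31,
    "backup_recovery_test": 365,
    "ir_plan_review": 365,
    "admin_access_review": 92,
}

# Constructed ledger: one dated artefact per entry.
LEDGER = [
    {"control": "mfa_coverage_report", "date": "2025-02-03",
     "artefact": "mfa-2025-02.pdf", "result": "pass"},
    {"control": "edr_coverage_report", "date": "2025-02-03",
     "artefact": "edr-2025-02.pdf", "result": "pass"},
    {"control": "backup_recovery_test", "date": "2024-09-14",
     "artefact": "restore-test-2024-09.json", "result": "pass"},
    {"control": "backup_recovery_test", "date": "2025-01-20",
     "artefact": "restore-test-2025-01.json", "result": "fail"},
    {"control": "ir_plan_review", "date": "2022-11-01",
     "artefact": "ir-plan-v2.docx", "result": "pass"},
]


def evidence_status(ledger: list[dict], windows: dict[str, int], today: date) -> dict:
    """For each control, take the most recent artefact of any result.
    A failing latest artefact means the control is evidenced as *not* working,
    which is a different finding from stale or missing evidence."""
    status = {}
    for control, days in windows.items():
        entries = [e for e in ledger if e["control"] == control]
        if not entries:
            status[control] = {"state": "missing", "latest": None, "age_days": None}
            continue
        latest = max(entries, key=lambda e: e["date"])   # ISO dates sort lexically
        age = (today - date.fromisoformat(latest["date"])).days
        if latest["result"] != "pass":
            state = "failed"
        elif age <= days:
            state = "current"
        else:
            state = "stale"
        status[control] = {"state": state, "latest": latest["artefact"], "age_days": age}
    return status


def questionnaire_gaps(status: dict) -> list[str]:
    """Controls that cannot be evidenced as working today."""
    return sorted(c for c, s in status.items() if s["state"] != "current")


def status_on(iso_today: str) -> dict:
    """Convenience wrapper: evaluate the constructed ledger for a given day."""
    return evidence_status(LEDGER, WINDOWS, date.fromisoformat(iso_today))


if __name__ == "__main__":
    st = status_on("2025-02-10")
    for control, s in st.items():
        print(f"{control:24} {s['state']:8} {s['latest'] or '-'}")
    print("Cannot evidence today:", questionnaire_gaps(st))
```

Run monthly, the same check turns the renewal into a retrieval exercise: anything reported as stale or missing has been visible, and fixable, for months before the questionnaire arrives.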
Compromised credentials are worth mentioning in this context because they are one of the most common claim triggers, and also one of the areas where continuous monitoring produces the most useful evidence. An insurer reviewing a claim wants to see that credential monitoring was active, that alerts were generated and acted on, and that there's a record of how incidents were handled. That's exactly the kind of evidence that a well-run monitoring service produces naturally.
Where the MSP conversation goes next
The commercial opportunity here is worth naming directly. Cyber insurance renewals happen every year. The questionnaire arrives, the client panics a bit, they look for help, and whoever helps them becomes more embedded in the relationship. The MSP who is already producing structured monthly security reporting is the one who turns that annual panic into a smooth process. The MSP who is not producing that reporting gets a call asking for things they don't have.
What I've seen work is positioning the monitoring and reporting service explicitly as insurance-readiness infrastructure, not just as security. Selling these services without getting technical is much easier when the framing is practical and client-side: we keep your insurance evidence ready throughout the year so you're never scrambling at renewal. That's a message that lands well with business owners who don't particularly want to think about security but do want their insurance to pay out when they need it.
Does that make sense as a commercial framing? Because from what I've seen, it's one of the most effective ways to have the security conversation with clients who aren't naturally security-engaged.
FAQ
How to pass a cyber insurance questionnaire
The most reliable approach is to treat the questionnaire as a continuous process rather than an annual exercise. That means maintaining documented evidence of MFA enforcement, EDR coverage, backup testing, incident response plan reviews and any security incidents and their resolution throughout the year. When the questionnaire arrives, you're retrieving evidence that already exists rather than producing it under time pressure. An MSP who produces structured monthly security reporting for your business makes this process significantly more manageable.
What security evidence do cyber insurers ask for?
How can an MSP help clients meet cyber insurance requirements?
What happens if a client can't evidence their controls at renewal?
How often should clients review their incident response plan?
Are cyber insurance requirements the same as compliance requirements?
About Author
Hannah Lloyd
Hannah Lloyd is CRO and co-founder of enhanced.io. She leads global new business generation and works directly with MSP partners to build and sell security practices.