Cyber Insurance Readiness: What Small Businesses Need to Know Before Their Next Renewal
- Shay

A business owner reached out to me a few months ago. Her cyber insurance renewal was coming up and her broker had just forwarded the questionnaire. She called it three times longer than last year's.
She wasn't wrong.
She ran a small professional services firm out of the DMV area. No IT staff on payroll. Microsoft 365 for email, a NAS her team had been using for shared file storage for years. She'd never had a problem. She'd been renewing the same policy, answering the same short list of questions, and moving on. This year was different.
"I don't even know what half of these are asking," she told me.
That conversation is why I wrote this. Because she's not the only one. I work with small businesses across Maryland, Northern Virginia, Pennsylvania, Delaware, West Virginia, and throughout the country, and I'm seeing the same situation play out over and over. Business owners who have cyber insurance, think they're covered, and have no idea that the ground shifted under them.
What Cyber Insurance Carriers Are Actually Asking For Now
A few years ago, getting cyber insurance was pretty painless. You answered maybe a dozen questions, confirmed you had antivirus and backups, paid your premium, and called it done. Those days are gone.
Carriers got hit hard by ransomware claims. They responded by completely rebuilding how they evaluate risk. The questionnaires that used to take fifteen minutes now run sixty to a hundred and fifty questions. And the standard shifted from "do you have these controls?" to "can you show us they're working?"
Self-attestation isn't enough anymore. Carriers want screenshots. Policy exports. Sign-in logs showing who accessed what and when. Proof that backups ran and that someone actually tested a restore. If you can't produce that documentation at renewal, you're looking at higher premiums, sublimits on what the policy will actually pay out, or a denial.
For a small business in Columbia, MD or a law firm in Northern Virginia running without dedicated IT staff, that's a hard spot to be in.
There's a Framework Behind the Questionnaire
The questions on your renewal application don't come from nowhere. Most of them trace back to a recognized security framework called CIS Controls Implementation Group 1, or CIS IG1 for short.
CIS stands for the Center for Internet Security. IG1 is their baseline standard: 56 safeguards that any organization, regardless of size or budget, should have in place. Carriers have been quietly mapping their underwriting criteria to this framework. You don't need to know the name to feel the impact. But knowing it helps you prepare.
The Controls That Show Up on Every Renewal Application
Here's where it gets practical. These are the specific areas that appear on renewal questionnaires consistently, explained in plain language so you know what you're actually being asked.
Asset Inventory
You need to know what's on your network. Every laptop, every desktop, every server, every NAS, every device that touches company data. Not a rough mental list. A documented one.
Carriers ask this because you can't protect what you don't know exists. And they ask the follow-on questions too: are those devices patched, are they protected, are they monitored? If you can't answer the first question, none of the follow-on questions go well either.
Identity Controls: The Number One Source of Claim Denials
This is the area I spend the most time on with clients, and it's the one that causes the most problems at renewal. "Identity controls" is the term carriers use for how you manage who has access to what and whether you can prove it.
For a small business, that breaks down into a few specific things.
Individual accounts, not shared logins.
If multiple people are logging into your file server or NAS with the same username and password, you have no way to tell who did what. If a file gets deleted, modified, or exfiltrated, you can't show the carrier who had access. Carriers want individual accounts tied to individual people. It doesn't require enterprise software. It requires making sure everyone has their own credentials.
MFA enforced on everything that matters.
Multi-factor authentication on email, cloud platforms, remote access, admin accounts. Not "available." Enforced. Carriers want screenshots proving it's actually required, not just turned on and optional. According to data from Coalition's 2024 Cyber Threat Index, 82% of claims involved organizations without MFA properly in place. That number is why it shows up on every single application.
Disabled accounts for people who've left.
A former employee's account still active with sign-in enabled is a real exposure. It can be targeted, and if it gets compromised, nobody's watching it because nobody's logging in to notice. Carriers ask whether you have a process for disabling accounts when someone leaves. Most small businesses don't have a formal one.
Least privilege access.
Your front desk doesn't need access to payroll. Your field tech doesn't need admin rights on the server. Limiting access by role is something underwriters look at. If everyone in your organization has access to everything, that's a flag.
None of this is complicated. It's about paying attention to who has accounts, what those accounts can reach, and whether that still makes sense today.
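The four checks above can be run as a script over an account export before the questionnaire arrives. This is an added example in Python, not the author's tooling; the account records are constructed, and the field names (enabled, last_signin, mfa_registered, roles, employed) are assumptions standing in for whatever the admin console of Entra ID, Google Workspace, a NAS or Active Directory actually exports.

```python
"""Identity-control checks over an account export.

Added example, not the author's tooling. Input is a constructed account
export in the shape most admin consoles (Entra ID, Google Workspace, a
NAS user list, Active Directory) can produce: one record per account.
"""
from datetime import date, timedelta

AS_OF = date(2025, 10, 22)  # constructed "today" so results are reproducible

# Constructed sample export. "employed" would come from HR or the offboarding list.
ACCOUNTS = [
    {"user": "alice@example.com", "enabled": True, "last_signin": "2025-10-20",
     "mfa_registered": True, "roles": ["User"], "employed": True},
    {"user": "bob@example.com", "enabled": True, "last_signin": "2025-03-02",
     "mfa_registered": False, "roles": ["User"], "employed": False},   # left in March
    {"user": "frontdesk@example.com", "enabled": True, "last_signin": "2025-10-21",
     "mfa_registered": False, "roles": ["User"], "employed": True},    # shared login
    {"user": "carol@example.com", "enabled": True, "last_signin": "2025-10-21",
     "mfa_registered": True, "roles": ["Global Administrator", "User"], "employed": True},
    {"user": "dave@example.com", "enabled": True, "last_signin": "2025-10-19",
     "mfa_registered": True, "roles": ["Global Administrator", "User"], "employed": True},
]

# Assumed: local parts that name a desk or a device rather than a person.
GENERIC_NAMES = {"frontdesk", "reception", "scanner", "office", "shared", "admin"}
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins"}
STALE_AFTER = timedelta(days=90)


def check_accounts(accounts, today=AS_OF):
    """Return (user, finding) pairs for the four identity controls in the text."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        local_part = user.split("@")[0].lower()
        last = date.fromisoformat(acct["last_signin"])
        enabled = acct["enabled"]
        # Disabled accounts for people who've left.
        if enabled and not acct["employed"]:
            findings.append((user, "enabled account for departed user"))
        # An enabled account nobody uses is a target nobody is watching.
        if enabled and today - last > STALE_AFTER:
            findings.append((user, "no sign-in in 90+ days"))
        # Individual accounts, not shared logins.
        if local_part in GENERIC_NAMES:
            findings.append((user, "generic account name, likely a shared login"))
        # MFA enforced on everything that matters.
        if enabled and not acct["mfa_registered"]:
            findings.append((user, "MFA not registered"))
        # Least privilege: a privileged role without MFA is the worst case.
        if set(acct["roles"]) & PRIVILEGED_ROLES and not acct["mfa_registered"]:
            findings.append((user, "privileged role without MFA"))
    return findings


def privileged_users(accounts):
    """Enabled accounts holding a privileged role, for the least-privilege review."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and set(a["roles"]) & PRIVILEGED_ROLES)


if __name__ == "__main__":
    for user, what in check_accounts(ACCOUNTS):
        print(f"{user:28} {what}")
    print("privileged:", ", ".join(privileged_users(ACCOUNTS)))
```

The output is the list you want in hand before renewal: the departed user still enabled, the shared front-desk login, the accounts with no MFA, and the short list of who holds admin roles so you can ask whether each one still needs it.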
Vulnerability Management
Are your systems patched? Are you running anything end-of-life?
EOL software is increasingly written into policies as a flat exclusion. Windows 10 reached end of support on October 14, 2025. If you have machines still running it and you file a claim, some carriers won't pay. Not because they're being difficult. Because unpatched systems are how most attackers get in, and the policy was priced assuming you'd keep things current.
I see this with small businesses in the construction and trades industries across Maryland and Pennsylvania especially. Older machines, older operating systems, running just fine until they're not.
Audit Log Management
This one surprises people more than almost any other.
Carriers want to know if you're keeping logs. Who logged into what, when, from where. Not just on your cloud platforms. On your file server. Your NAS. Your network gear. Individual logins, not shared credentials. Logs kept long enough to be useful, typically ninety days at minimum.
Most small businesses have nothing here. The NAS has been running for five years and logging was never configured. The file server keeps no access history. If something happens and the carrier asks to see access records from the week before the incident, the answer is "we don't have that." That answer matters both for the claim and for the next renewal.
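Two things an underwriter can verify from a log export are how far back it goes and whether the accounts in it behave like individuals. The following is an added Python example, not from the original post: the log lines are constructed in a generic key=value style (a real NAS or file-server export will differ in layout), and it reports the retention span against the ninety-day figure above plus any account seen logging in from several hosts within minutes, which is what a shared credential looks like in a log.

```python
"""Retention and shared-credential checks over file-server login logs.

Added example, not from the original post. The log lines are constructed
in a generic key=value syslog style; a real NAS or server export will
differ in layout but carries the same fields (time, user, source, result).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
2025-07-25T08:02:11Z user=alice src=10.0.0.21 action=login result=ok
2025-07-25T08:05:40Z user=scans src=10.0.0.15 action=login result=ok
2025-07-25T08:06:02Z user=scans src=10.0.0.33 action=login result=ok
2025-07-25T08:06:30Z user=scans src=10.0.0.47 action=login result=ok
2025-08-30T17:10:05Z user=bob src=10.0.0.22 action=login result=fail
2025-10-21T09:00:00Z user=alice src=10.0.0.21 action=login result=ok
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$")


def parse_events(lines):
    """Turn matching lines into dicts; lines in another shape are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "action": m["action"], "result": m["result"]})
    return events


def retention_days(events):
    """Span between the oldest and newest event: what you can actually show."""
    if not events:
        return 0
    stamps = [e["ts"] for e in events]
    return (max(stamps) - min(stamps)).days


def shared_credential_suspects(events, window=timedelta(minutes=10), min_sources=3):
    """Users with successful logins from >= min_sources hosts inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "ok":
            by_user[e["user"]].append(e)
    suspects = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            sources = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(sources) >= min_sources:
                suspects.add(user)
                break
    return sorted(suspects)


def assess(lines, required_days=90):
    events = parse_events(lines)
    days = retention_days(events)
    return {"events": len(events),
            "retention_days": days,
            "meets_retention": days >= required_days,
            "shared_credential_suspects": shared_credential_suspects(events)}


if __name__ == "__main__":
    print(assess(LOG_LINES))
```

On the constructed lines the export spans 88 days, so it falls just short of the ninety-day bar, and the "scans" account logging in from three workstations inside a minute is exactly the kind of credential a carrier will ask you to split into individual accounts.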
Email Protections
SPF, DKIM, and DMARC records on your domain. Anti-phishing protection. Spam filtering. External email warning banners.
Business email compromise is one of the most common cyber insurance claims filed right now. Attackers use domains without proper authentication records to spoof your address and trick your clients or vendors into sending money to the wrong place. Carriers ask about email authentication specifically because of it. If your domain records haven't been reviewed since you set up your email years ago, there's a good chance something's misconfigured.
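Reviewing those records is a matter of reading three TXT lookups. This added Python example (not the author's tooling) evaluates SPF, DKIM and DMARC records against the failure modes that matter for business email compromise: no record, an SPF that authorizes everyone, a DMARC policy of none that only reports and never blocks. The DNS answers are constructed for a hypothetical domain and passed in through a lookup function, so in practice you would swap in a real resolver query.

```python
"""SPF, DKIM and DMARC record checks for a sending domain.

Added example, not from the original post. The TXT answers are
constructed for a hypothetical domain; in practice they come from a DNS
query, so the resolver is a pluggable function.
"""

# Constructed DNS TXT answers, keyed by the name that would be queried.
DNS_TXT = {
    "example.com": [
        "v=spf1 include:spf.protection.outlook.com ~all",
        "some-site-verification=constructed-token",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY"],
}


def lookup_txt(name):
    """Stand-in for a resolver: TXT strings for a name, empty list if none."""
    return DNS_TXT.get(name, [])


def _tags(record):
    """Parse 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def evaluate_spf(txts):
    findings = []
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record; mail claiming this domain never fails SPF"]
    if len(spf) > 1:
        findings.append("multiple SPF records; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders are not constrained")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("'+all' authorizes every host to send as this domain")
    elif all_terms[-1] == "?all":
        findings.append("'?all' is neutral; spoofed mail neither passes nor fails")
    # RFC 7208 allows at most 10 DNS-lookup terms; past that SPF evaluates to permerror.
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0]
                  in ("include", "a", "mx", "ptr", "exists", "redirect"))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings


def evaluate_dmarc(txts):
    rec = [t for t in txts if t.upper().startswith("V=DMARC1")]
    if not rec:
        return ["no DMARC record; receivers have no policy for spoofed mail"]
    tags = _tags(rec[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unrecognized or missing policy: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua address; you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings


def evaluate_dkim(txts):
    rec = [t for t in txts if t.upper().startswith("V=DKIM1")]
    if not rec:
        return ["no DKIM key at this selector"]
    if not _tags(rec[0]).get("p"):
        return ["DKIM record has an empty public key (revoked selector)"]
    return []


def evaluate_domain(domain, selectors, resolve=lookup_txt):
    """Findings per mechanism; an empty list means that check passed."""
    return {
        "spf": evaluate_spf(resolve(domain)),
        "dmarc": evaluate_dmarc(resolve(f"_dmarc.{domain}")),
        "dkim": {s: evaluate_dkim(resolve(f"{s}._domainkey.{domain}")) for s in selectors},
    }


if __name__ == "__main__":
    print(evaluate_domain("example.com", ["selector1"]))
```

The constructed domain is the common half-finished case: SPF and DKIM are fine, but DMARC sits at p=none, so a spoofed invoice still lands in a client's inbox. The fix is to move the policy to quarantine and then reject once the aggregate reports show your legitimate senders are covered.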
Malware Defenses
Not just "do you have antivirus." Carriers want to know if it's next-generation endpoint protection, actively managed, and running on every device. A free antivirus installed during setup and never touched again doesn't answer the question they're actually asking. EDR, endpoint detection and response, is the standard underwriters look for now.
Data Recovery
The backup question. And it's more specific than most people expect.
Carriers want immutable or offsite backup copies. They want tested restores, not just scheduled backup jobs. They're starting to ask for the date of your last successful restore test. A backup that runs every night but has never been verified could be completely useless. "We have backups" is not the same answer as "we tested a restore on this date and here's what we confirmed."
Security Awareness Training
Annual training. Phishing simulations. Documented completion records.
A lot of small businesses do this once during onboarding and never follow up, or skip it entirely because things are busy. Carriers ask for training records at renewal. Dates, who completed it, what was covered. Not a verbal confirmation.
The Platform Gap Most Small Businesses Don't Know About
Here's what I see consistently when I audit environments for small businesses across the DMV, Virginia, Delaware, and beyond: the platform your business runs on shipped with default settings. Defaults get you operational. They don't protect you.
Microsoft 365
M365 is the most common platform I work in. It's also the most commonly misconfigured one, because there's a lot of surface area and most businesses only touched email and Teams when they first set it up.
What I find in almost every tenant I audit: Conditional Access policies sitting in report-only mode, meaning they're watching but not actually enforcing anything. Old employee accounts with sign-in still active. MFA required by policy but a handful of users who never finished setup and slipped through. Enterprise applications in Entra ID with permissions nobody can explain. Intune enrolled on devices but no compliance policies pushed out.
Defender for Office 365 included in the license and never configured.
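The report-only finding is easy to miss in the portal and easy to prove from an export. This is an added Python example, not the author's audit script: it reads a JSON export shaped like the Microsoft Graph conditionalAccessPolicy objects (the state, conditions.users, conditions.applications and grantControls.builtInControls fields exist in that API; the three policies and the placeholder IDs are constructed) and reports which policies only watch, which are off, and whether any enforced policy actually requires MFA for all users on all apps.

```python
"""Flag Conditional Access policies that watch but don't enforce.

Added example, not the author's audit script. The export is constructed
to resemble Microsoft Graph conditionalAccessPolicy objects; the field
names are the API's, the policies and IDs are made up.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph's value for report-only

CA_EXPORT = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["BREAK-GLASS-ID-PLACEHOLDER"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins", "state": "disabled",
     "conditions": {"users": {"includeRoles": ["ADMIN-ROLE-ID-PLACEHOLDER"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]})


def load_policies(export_json):
    return json.loads(export_json)["value"]


def requires_mfa_for_all(policy):
    """True if the policy scopes all users and all apps and grants only with MFA."""
    users = policy["conditions"].get("users", {})
    apps = policy["conditions"].get("applications", {})
    controls = policy.get("grantControls") or {}
    return ("All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", [])
            and "mfa" in controls.get("builtInControls", []))


def audit_conditional_access(policies):
    """Summarize what actually enforces; only state == 'enabled' counts."""
    enforced = [p for p in policies if p["state"] == "enabled"]
    return {
        "report_only": [p["displayName"] for p in policies if p["state"] == REPORT_ONLY],
        "disabled": [p["displayName"] for p in policies if p["state"] == "disabled"],
        "enforced": [p["displayName"] for p in enforced],
        "mfa_enforced_for_all_users": any(requires_mfa_for_all(p) for p in enforced),
        # Policies that would cover everyone with MFA if they were switched on.
        "mfa_for_all_not_enforced": [p["displayName"] for p in policies
                                     if p["state"] != "enabled" and requires_mfa_for_all(p)],
    }


if __name__ == "__main__":
    print(json.dumps(audit_conditional_access(load_policies(CA_EXPORT)), indent=2))
```

On the constructed tenant the only enforced policy blocks legacy authentication; the MFA policy that would satisfy the "MFA enforced on everything" question exists but is still in report-only mode, which is the screenshot a carrier will not accept.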
And the one that still surprises people every time: Microsoft 365 is not a backup.
It's a collaboration platform. Microsoft's retention handles accidental deletion inside a window. It doesn't protect you from ransomware tearing through SharePoint and OneDrive. It doesn't cover data corrupted by a bad sync. It doesn't give you point-in-time recovery. If files get encrypted or wiped in an attack, built-in retention may not get them back. Third-party backup for M365 data isn't optional. Every client I work with has this conversation with me.
Google Workspace
Google Workspace has a simpler admin console than M365, but the same categories of problems show up. Default sharing settings in Drive that let anyone with a link access files. Guest accounts from old vendors nobody cleaned up. MFA switched on at the org level but never verified at the user level. Email authentication records configured when the domain was set up and untouched since.
Same backup gap. Google doesn't back up your data the way most people assume. Drive, Gmail, shared drives: if files get deleted, corrupted, or encrypted in a ransomware event, Google's native tools have real limits on what they can recover and how far back they can go. Most Google Workspace clients I talk to haven't thought about this at all.
File Servers and NAS Devices
This is the piece that gets left out of most cyber insurance conversations, and it's the one that catches small businesses most off guard when they read the questionnaire carefully.
Plenty of businesses are still running a local file server or NAS. Law offices. Construction companies. Medical practices. Accounting firms. Small manufacturers. The files have been there for years, everyone knows how to get to them, it works. The problem is that most of those setups were built to work, not built to be defensible under a carrier audit.
Shared logins are the first thing I look at. Multiple people using the same NAS credentials means no record of who accessed what or when. Carriers ask whether access is tied to individual accounts. Shared credentials are a no.
Logging is the second thing. Whether the NAS is configured to record who logged in and what they touched. Whether those logs are actually stored somewhere and for how long. If your NAS has never had logging configured, you're answering no to a specific underwriting question, and you probably didn't know it was being asked.
Network placement is the third thing. A NAS sitting on the same flat network as every workstation has no protection if ransomware starts on one laptop. Everything on that segment is reachable. Carriers ask about network segmentation because it directly affects how bad an incident gets and how fast you can recover.
Active Directory
If your business is running an on-premises Active Directory environment, that's a whole separate layer carriers are looking at. And it's one a lot of small businesses forget to mention because it's been running quietly in the background for years.
Active Directory is the system that manages user accounts, computer accounts, and permissions across your network. It's the foundation of identity for businesses that have a Windows Server on-site. If it's not maintained, it becomes one of the most dangerous things on your network.
Here's what I find most often. Domain admin accounts being used for everyday tasks instead of a separate standard account. Service accounts with passwords that haven't been changed in years, sometimes never. Stale user objects for employees who left six months ago, still sitting in the directory with no expiration. Password policies so old they predate modern security standards. No audit logging on the domain controller, so there's no record of who authenticated, what they accessed, or when.
Ransomware groups specifically target Active Directory. If an attacker can escalate to domain admin, they own every machine on your network. It's not a side door. It's the front door.
Carriers are asking about privileged access management, password policy enforcement, and account hygiene. If your AD environment is a mess, those questions don't go well. And if you're running an on-prem server in Maryland, Pennsylvania, Virginia, or anywhere else, this is part of what needs to be documented before your renewal.
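The service-account and password-age findings in this section come straight out of a directory export, once you decode the timestamp. This is an added Python example, not the author's tooling: the pwdLastSet conversion (100-nanosecond intervals since 1601, as Windows stores it) and the userAccountControl flag values are standard, while the four user records are constructed. It flags passwords older than a year, the never-expires bit, accounts whose password was never set, and service accounts sitting in Domain Admins.

```python
"""Password-hygiene checks over an Active Directory user export.

Added example, not the author's tooling. Records are constructed in the
shape a directory export gives (sAMAccountName, pwdLastSet as a Windows
FILETIME, userAccountControl bits, group memberships); the conversion
and flag values are standard, the accounts are made up.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x0200        # userAccountControl: ordinary user object
DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: password never expires
AS_OF = datetime(2025, 10, 22, tzinfo=timezone.utc)  # constructed "now"


def filetime_to_datetime(ft):
    """pwdLastSet is 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed export. pwdLastSet == 0 means the password was never set or a
# change is pending at next logon.
USERS = [
    {"sam": "svc_backup", "pwdLastSet": _ft(2019, 4, 3),
     "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, "memberOf": ["Domain Admins"]},
    {"sam": "svc_scan", "pwdLastSet": 0,
     "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, "memberOf": []},
    {"sam": "jsmith", "pwdLastSet": _ft(2025, 9, 1),
     "uac": NORMAL_ACCOUNT, "memberOf": ["Domain Users"]},
    {"sam": "jsmith-adm", "pwdLastSet": _ft(2025, 8, 15),
     "uac": NORMAL_ACCOUNT, "memberOf": ["Domain Admins"]},
]


def check_password_hygiene(users, now=AS_OF, max_age_days=365):
    """Return (account, finding) pairs for the AD issues described in the text."""
    findings = []
    for u in users:
        sam = u["sam"]
        if u["pwdLastSet"] == 0:
            findings.append((sam, "password never set / change pending"))
        else:
            age = (now - filetime_to_datetime(u["pwdLastSet"])).days
            if age > max_age_days:
                findings.append((sam, f"password last set {age} days ago"))
        if u["uac"] & DONT_EXPIRE_PASSWD:
            findings.append((sam, "password set to never expire"))
        # Assumed naming convention: service accounts are prefixed svc_.
        if sam.startswith("svc_") and "Domain Admins" in u["memberOf"]:
            findings.append((sam, "service account holds Domain Admins"))
    return findings


def domain_admins(users):
    """The list to compare against who actually needs domain-wide control."""
    return sorted(u["sam"] for u in users if "Domain Admins" in u["memberOf"])


if __name__ == "__main__":
    for sam, what in check_password_hygiene(USERS):
        print(f"{sam:14} {what}")
    print("Domain Admins:", ", ".join(domain_admins(USERS)))
```

The jsmith / jsmith-adm pair is the pattern you want to see: a standard account for daily work and a separate privileged one. The two service accounts are the pattern that draws questions, a backup account with a six-year-old non-expiring password holding Domain Admins.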
Cyber Insurance Readiness for Small Businesses: What the Assessment Actually Covers
I offer a flat-rate Cyber Insurance Readiness Assessment at $1,750.
This is a CIS IG1-aligned review of your entire security posture. Not just the Microsoft or Google side. Everything: your cloud platform, your on-prem file server or NAS, your endpoints, your backup configuration, your email authentication, your access controls, your training documentation, your incident response readiness. Whether you're in the DMV, working remotely from Pennsylvania, running a practice in Northern Virginia, or managing a team spread across multiple states, the assessment covers what carriers are actually looking at.
The deliverable is a complete evidence package. Findings documented against the controls your carrier is most likely to ask about. A walkthrough of your renewal questionnaire so you know how to answer each question accurately, with documentation behind it.
For businesses on a managed agreement with SNL-Tech, annual renewal reviews run $750/year. For businesses not on a managed plan, that review is $1,000/year. Renewal cycles come around whether you're ready or not.
Tenant Audits for Microsoft 365 and Google Workspace
If you want to start with the platform before the full assessment, I offer a flat-rate Tenant Audit for Microsoft 365 and Google Workspace at $995 each.
I go through your entire admin environment, document what's configured and what isn't, flag the gaps against the CIS IG1 controls that map to your renewal questionnaire, and deliver a written findings report with a prioritized remediation list. You know exactly where you stand and what order to fix things in.
If you move forward with hardening after the audit, the $995 credits toward that work. You're not paying twice.
The report is also documentation. Screenshots, policy exports, evidence of what's in place. That's the package your carrier or broker is looking for, and most small businesses can't produce it because nobody ever pulled it together.
Services I Provide for Cyber Insurance Readiness
Working with small businesses across Maryland, Virginia, Pennsylvania, Delaware, West Virginia, and nationally, here's what I bring to this specific problem:
Cyber Insurance Readiness Assessments aligned to CIS IG1 controls
Microsoft 365 Tenant Audits and security hardening
Google Workspace Tenant Audits and security hardening
File server, NAS, and Active Directory access control review and logging configuration
MFA enforcement and identity controls implementation
Email authentication setup and verification (SPF, DKIM, DMARC)
Third-party backup configuration for M365 and Google Workspace data
Security awareness training programs with documented completion records
Incident response plan development
Frequently Asked Questions About Cyber Insurance Readiness
What is a cyber insurance readiness assessment?
A cyber insurance readiness assessment reviews your entire security environment against the controls that carriers most commonly ask about at renewal. It documents what's in place, identifies gaps, and produces an evidence package you can hand directly to your broker or underwriter. For small businesses in Maryland, Virginia, Pennsylvania, Delaware, West Virginia, and across the country, it's the clearest way to walk into a renewal knowing exactly where you stand.
What is CIS IG1 and why does it matter for cyber insurance?
CIS IG1 stands for CIS Controls Implementation Group 1, published by the Center for Internet Security. It's a set of 56 foundational security safeguards designed for small and mid-sized businesses without dedicated security staff. Carriers have been aligning their renewal questionnaires to this framework. You don't need to know the name to be affected by it, but aligning your environment to these controls is the most direct way to prepare for what underwriters are actually evaluating.
Does Microsoft 365 back up my data?
No. Microsoft 365 is a collaboration and productivity platform, not a backup solution. Microsoft's built-in retention handles accidental deletion inside a defined window, but it doesn't protect against ransomware encrypting your SharePoint and OneDrive data, files corrupted by a bad sync, or intentional deletion. Businesses running M365 need a separate third-party backup solution for their cloud data. This is one of the most common gaps I find in small business environments across the DMV, Northern Virginia, and beyond.
Does Google Workspace back up my data?
Not in the way most people assume. Google Workspace doesn't provide true backup for Drive, Gmail, or shared drives. If files are deleted, corrupted, or encrypted in a ransomware event, Google's native recovery tools have real limits on what they can restore and how far back they go. Third-party backup is just as necessary for Google Workspace clients as it is for Microsoft 365 clients.
What do cyber insurance carriers consider a claim denial risk?
The gaps that most commonly result in denied claims or non-renewal are: no MFA on email and cloud platforms, shared login credentials with no individual account accountability, no tested backup restore process, end-of-life operating systems still in use, no documented incident response plan, and no security awareness training records. These aren't obscure technical requirements. They're basic controls that carriers expect any business to have in place.
I have a file server or NAS. Does that affect my cyber insurance?
Yes, and it's the piece most small businesses don't expect. Carriers ask about individual user accounts, audit logging, and network segmentation for on-premises storage, not just cloud platforms. If your NAS is running shared credentials, has no logging configured, or sits on a flat network with every workstation, those are specific gaps that show up in underwriting. I work with small businesses across Maryland, Pennsylvania, Delaware, and Virginia who are surprised to learn their file server configuration affects their insurance posture.
Does Active Directory affect my cyber insurance renewal?
Yes, significantly. If your business runs an on-premises Windows Server with Active Directory, carriers are looking at how well it's maintained. Privileged account management, password policy enforcement, stale user accounts, audit logging on the domain controller: these all map directly to the identity controls section of renewal questionnaires. Active Directory is one of the primary targets in ransomware attacks because compromising it gives an attacker access to everything on your network. If yours hasn't been reviewed in a while, that's a gap worth addressing before your renewal, not after.
How much does a cyber insurance readiness assessment cost?
SNL-Tech Services offers a flat-rate Cyber Insurance Readiness Assessment at $1,750. This covers your full environment including cloud platforms, on-prem storage, endpoints, backup, email security, access controls, and training documentation. Microsoft 365 and Google Workspace Tenant Audits are available separately at $995 each, with the audit fee crediting toward hardening work if you move forward. Annual renewal review services are available for both managed and non-managed clients.
Do small businesses outside Maryland need this kind of assessment?
Cyber insurance requirements are consistent nationwide. Whether you're running a small business in Northern Virginia, a law firm in Delaware, a medical practice in Pennsylvania, a construction company in West Virginia, or a professional services firm anywhere in the country, the same carrier questionnaires apply and the same CIS IG1 controls are what underwriters are evaluating. SNL-Tech Services works with businesses locally across the DMV region and remotely with clients throughout the United States.
How often should I review my cyber insurance readiness posture?
At minimum, before every renewal. Carrier requirements change, your environment changes, and a posture that passed last year's questionnaire may not pass this year's. Annual reviews are the standard I recommend. For businesses on a managed agreement with SNL-Tech Services, I track this as part of the ongoing engagement so renewal doesn't sneak up on you.
What's the difference between a tenant audit and a cyber insurance readiness assessment?
A tenant audit focuses specifically on your Microsoft 365 or Google Workspace admin environment, documenting configuration gaps and hardening recommendations. A cyber insurance readiness assessment covers your entire security posture: cloud platforms, on-prem storage, endpoints, backup, training, incident response, and network. The tenant audit is a good starting point if you know your platform is the primary concern. The full assessment is the right choice if you want to walk into your renewal with a complete evidence package.
Walk Into Your Next Renewal Prepared
The business owner I mentioned at the start went through both the tenant audit and the full readiness assessment. We documented her M365 environment, reviewed the NAS configuration, closed the gaps we found, and had the evidence package ready before her renewal date. Her broker told her it was the most prepared he'd seen a client her size come in.
She didn't get better terms because she asked nicely. She got them because she could show the carrier exactly what was running in her environment.
That's what the questionnaire is really testing. Not whether your policy says the right things. Whether your environment backs it up.
If your renewal is coming up, or if you've never had someone look at your environment through this lens, I'd be glad to help. I'm based in Columbia, MD and work with small businesses across Maryland, Northern Virginia, Pennsylvania, Delaware, West Virginia, the DMV area, and with clients throughout the United States.
Contact me today to schedule a cyber insurance readiness review for your small business.