5 Questions Every Insurance Agent Should Ask About Their Client’s Cybersecurity
You’re not a cybersecurity professional. Nobody expects you to be. But as a cyber insurance agent, you’re the last checkpoint between a client and a policy that may or may not cover them when things go wrong.
The application asks technical questions. Clients answer optimistically. The policy binds. Then a breach happens, the carrier investigates, and suddenly those optimistic answers become material misrepresentations that void coverage.
You can’t audit your client’s security. But you can ask five questions that reveal whether they’re genuinely insurable or just hoping for the best.
1. “Who manages your cybersecurity, and what’s their background?”
This question reveals more than any technical assessment could. The answer tells you whether security is someone’s dedicated responsibility or an afterthought handled by whoever set up the WiFi.
Green flags: A managed security provider, a dedicated IT team with security expertise, or a virtual Chief Security Officer (vCSO) arrangement.
Red flags: “Our office manager handles IT.” “My nephew set everything up.” “We have a guy who comes in when something breaks.” “Our EHR/accounting software vendor handles security.”
A business with no qualified person responsible for security is a business where application answers are guesses. Everything else flows from this. If there’s no competent security oversight, MFA probably isn’t deployed correctly, backups probably aren’t tested, and the incident response plan probably doesn’t exist.
This isn’t about gatekeeping. It’s about helping the client understand that security needs professional attention, just like their insurance does.
2. “When was the last time someone tested whether your security actually works?”
There’s a critical difference between having security tools installed and having security tools that work. Firewalls get misconfigured. Antivirus gets disabled. Backups fail silently. MFA gets bypassed by exceptions that become permanent.
A client who has never had an independent security assessment—a vulnerability assessment or penetration test—is attesting to a security posture nobody has verified.
What you want to hear: “We had a pen test six months ago” or “Our managed security provider runs quarterly vulnerability scans.”
What you don’t want to hear: “Our IT person says everything looks good” or a long pause.
If the client can’t point to a specific, recent, independent evaluation of their security, the application answers are assumptions. And carriers deny claims when those assumptions turn out to be wrong.
3. “If ransomware locked every computer in your office right now, what would you do?”
This question tests two things: whether an incident response plan exists, and whether the client can actually recover their data.
What a prepared client says: “We’d call our security provider. Our backups are air-gapped and tested monthly. We practiced a tabletop exercise last quarter. We could be operational within 24–48 hours.”
What an unprepared client says: “We’d probably call our IT guy.” Then silence.
Incident response planning and backup recovery are among the most heavily weighted factors in cyber insurance underwriting. They’re also among the most commonly misrepresented on applications. A client who answers “yes” to backup and recovery questions but has never tested a restore may discover that their backups don’t work at the worst possible moment, or that the backups themselves were encrypted along with everything else because they were never kept offline or immutable.
This question also naturally opens the conversation about whether the client needs help. “It sounds like having a documented plan and tested backups would put you in a much stronger position for coverage. I can connect you with a firm that helps businesses get there.”
4. “How many of your employees have received cybersecurity training in the last 12 months?”
Most successful breaches start with a person: a clicked phishing link, a reused password, a response to a social engineering call. Employee training is one of the most cost-effective security measures a business can implement, and carriers know it.
What you want to hear: “All of them. We use a training platform with monthly phishing simulations.”
What’s more common: “We sent around an email about password security last year.”
For clients in regulated industries like accounting or dental/healthcare, employee training isn’t just an insurance factor. It’s a regulatory requirement under the FTC Safeguards Rule and HIPAA. A client with no training program has both an insurance problem and a compliance problem.
5. “Have you ever had a security incident, even a small one, that you didn’t report?”
This is the uncomfortable question, and it’s the most important one. Unreported incidents are the landmines of cyber insurance. If a client has experienced a breach, a near-miss, or a known compromise and didn’t disclose it on the application, the carrier has grounds to deny a later claim or rescind the policy for material misrepresentation.
Why clients don’t disclose:
– They didn’t recognize it as an incident (a business email compromise (BEC) they fell for, a brief ransomware infection they “fixed” by wiping a machine)
– They’re embarrassed
– They’re afraid it will affect premiums
– They handled it internally and moved on
Why non-disclosure is dangerous: Carriers conduct thorough forensic investigations during claims. They find evidence of prior incidents in logs, mail flow, and system artifacts. If those incidents weren’t disclosed, the claim gets denied and the policy is potentially voided.
Help the client understand: disclosing a prior incident might affect premiums, but concealing one voids coverage. One costs money. The other costs everything.
Using These Questions
These aren’t gotcha questions. They’re diagnostic tools that help you serve your clients better.
When the answers reveal gaps, you have an opportunity to connect the client with professional security support before binding. A few weeks of remediation can be the difference between a client who’s genuinely covered and one who’s carrying a policy that won’t pay when they need it.
We work with insurance agents to assess, remediate, and manage their clients’ cybersecurity. When your clients are genuinely secure, your applications are accurate, your claims are clean, and your agency thrives.
Want to build a stronger pipeline? Contact us at info@capital-cyber.com or call (571) 410-3066.