The five control families every application covers
- Multi-factor authentication — on email, on remote access, and (the one that catches people) on administrator accounts. “Mostly deployed” is not “yes.”
- Endpoint detection and response — carriers now name EDR/MDR specifically; plain antivirus stopped satisfying this question years ago.
- Backups — offline or immutable copies, separation from production credentials, and whether restores are actually tested. Some applications ask for your tested recovery time.
- Security awareness training — phishing simulations and documented completion, not a policy PDF nobody read.
- Incident response — a written plan, and increasingly whether it’s been exercised.
Around those five, expect questions on patching cadence, email authentication (SPF/DKIM/ DMARC), remote-access architecture, end-of-life software, prior incidents, and vendor risk.
Why accuracy matters more than the answers
An application is a representation the policy is issued on. When a claim arrives, the carrier’s first move is comparing what you said against what your environment shows — and courts have allowed carriers to rescind or deny where the application claimed controls (most famously MFA) that weren’t actually in place. A checked box you can’t evidence is worse than an honest “no”: the “no” prices the premium; the false “yes” prices the claim.
The renewal treadmill
Requirements tighten most years. Controls that earned standard pricing at your last renewal may be minimum eligibility at the next one. The businesses that find renewals easy are the ones whose evidence is collected continuously instead of reconstructed every spring.
How to prepare
- Pull your current application and read every attestation as a claim you’d defend.
- For each “yes,” locate the evidence — a screenshot, a report, a config export.
- Fix the gaps before renewal, or answer honestly and let the premium reflect reality.
- Keep the evidence file current so next year is paperwork, not archaeology.
How Z1 helps
This is literally our lead offer: the free cyber insurance gap analysis reviews your application line by line against your actual configuration and gives you a plain-English gap list. For clients, every control we run maps back to the application, with quarterly evidence — so the answer to every question is “yes, and here’s the proof.”