The Proposal Form That's Building a Landmine Under Your Business

Tuesday 7 April 2026

Hello, I’m Graham Falkner. And I want to talk to you about a document you probably filled in without nearly enough care, handed to your broker, and have not looked at since.

Your cyber insurance proposal form.

I have sat in on enough post-incident conversations to know how this tends to play out. The MD says the broker filled it in. The broker says they just tidied up what IT sent over. The IT person says they thought everyone knew they were making an educated guess. Nobody lied, exactly. And yet here we are, six months after a ransomware attack, with a forensic team going through the network and a coverage dispute that could take months to resolve.

The proposal form is not a formality. It is exhibit A if you ever make a claim. Understanding what it is actually asking, and answering it with precision, is one of the most important things you can do to protect your business before a breach happens.

Important note. This article is for information and educational purposes only. It does not constitute regulated insurance advice. For advice on your specific policy or coverage position, speak with a qualified, FCA-authorised insurance broker.

Why the Form Matters More Than You Think

After a breach, the insurer or their appointed investigators will use your proposal form in two specific ways.

First, they will compare your answers against the technical reality of your network at the time of the attack. If you said you had MFA on all remote access, they will look at your VPN logs, your Active Directory configuration, and your cloud platform audit trails to verify that. Every user. Every system. Every access point.

Second, they will apply what they find to the legal tests established by the Insurance Act 2015 and the FCA’s ICOBS 8.1 guidance. Was there a misrepresentation? If so, was it innocent, negligent, or deliberate? Was a policy condition breached in a way that is connected to the loss?

The answers to those questions determine how much, if anything, you get paid.

The Questions That Kill the Most Claims

Based on the pattern I see most often in cyber claim disputes, there are five question categories that account for the vast majority of problems.

1. Multi-factor Authentication

This is the single biggest source of claim denial in the UK market. Coalition’s 2024 data found that 82% of denied claims involved organisations without MFA fully implemented.

The typical question looks something like: “Do you have multi-factor authentication enabled for all remote access, email, and privileged accounts?”

Most businesses with Microsoft 365 and a VPN will tick yes, because they have turned on MFA for the main services and they are bored of the form. What the question actually means is: every user, every account, every access path, every service, without exception.

The problems I see repeatedly:

Partial enforcement. MFA is on for most users, but a couple of directors got a permanent exemption because they found it inconvenient. Or a legacy application could not support it and the exception was never documented.

Legacy systems under the radar. The main VPN has MFA. But there is also a remote desktop service that was set up two years ago for a specific application, running without MFA, that nobody thought to include.

Unregistered users. MFA was deployed, but six months later the logs show that 30% of user accounts never completed enrolment. The intent was there. The reality was not.

If any of these describes your situation, you have a gap between what you said and what the forensic team will find.
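As an added example, not code from the original article, here is a small Python check that takes the kind of enrolment export a forensic team would ask for and sorts every account and access path into the three failure modes above: documented exemptions, access paths with no enforcement at all, and users who never completed enrolment. The CSV layout, column names and sample rows are constructed assumptions for illustration; a real export from your identity provider will need its columns mapped onto these.

```python
"""Check an MFA proposal-form answer against an enrolment export.

Added example, not code from the original article. The CSV layout is an
assumed, constructed format: one row per (account, access path) with columns
for whether a policy enforces MFA, whether the user has completed enrolment,
and any recorded exemption. Map your real identity-provider export onto it.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export for illustration; not real accounts or data.
SAMPLE_EXPORT = """\
account,access_path,mfa_enforced,mfa_enrolled,exemption_reason
alice@example.co.uk,m365,yes,yes,
bob@example.co.uk,m365,yes,no,
carol@example.co.uk,m365,no,no,director convenience exemption
dave@example.co.uk,vpn,yes,yes,
erin@example.co.uk,vpn,yes,no,
svc-legacy@example.co.uk,rds-legacy,no,no,
admin-alice@example.co.uk,admin-portal,yes,yes,
"""


def load_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def fully_covered(row):
    """True only when MFA is enforced, enrolled and not exempted: the form's
    'every user, every access path, without exception' reading."""
    return (row["mfa_enforced"].strip().lower() == "yes"
            and row["mfa_enrolled"].strip().lower() == "yes"
            and not row["exemption_reason"].strip())


def classify(rows):
    """Bucket each uncovered row into the failure modes the article describes:
    a documented exemption, an access path with no enforcement (the legacy
    system under the radar), or a user who never completed enrolment."""
    findings = {"exempt": [], "unenforced": [], "not_enrolled": []}
    for row in rows:
        if fully_covered(row):
            continue
        key = f"{row['account']} via {row['access_path']}"
        if row["exemption_reason"].strip():
            findings["exempt"].append(key)
        elif row["mfa_enforced"].strip().lower() != "yes":
            findings["unenforced"].append(key)
        else:
            findings["not_enrolled"].append(key)
    return findings


def paths_without_full_mfa(rows):
    """Access paths where at least one account is not fully covered."""
    by_path = defaultdict(list)
    for row in rows:
        by_path[row["access_path"]].append(fully_covered(row))
    return sorted(path for path, oks in by_path.items() if not all(oks))


def coverage(rows):
    """Fraction of (account, path) pairs that satisfy the form's reading."""
    return sum(fully_covered(r) for r in rows) / len(rows) if rows else 0.0


def can_answer_yes(rows):
    """The form question is all-or-nothing; anything short of 100% is a gap."""
    return coverage(rows) == 1.0


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print(f"coverage: {coverage(rows):.0%}  can answer yes: {can_answer_yes(rows)}")
    for bucket, items in classify(rows).items():
        for item in items:
            print(f"  {bucket:13} {item}")
    print("paths with gaps:", ", ".join(paths_without_full_mfa(rows)))
```

The point of the per-path view is that a tidy percentage hides the legacy remote desktop service: on the sample data the admin portal is clean, but three of the four access paths have at least one uncovered account, so the honest answer to the form question is no, with the specific exceptions listed as evidence.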

2. Backups

The typical question is: “Do you maintain regular, tested backups of critical data, including at least one copy that is isolated from your main network?”

The critical word is “tested.” Many businesses have a backup running. Far fewer have a documented record of testing a restore. That distinction matters enormously in a ransomware claim, because the insurer’s implicit logic is: if your backups work and are isolated, you do not need to pay a ransom, so the claim is smaller; if your backups were encrypted along with everything else, the claim is much larger. Proof that you had working, isolated backups makes the overall claim position more defensible.

What I see most often: backups that run to a network share rather than to a logically isolated or cloud-immutable destination, and restore tests that happened once two years ago and have not been repeated since.

3. Patching

The typical question: “Are critical security patches applied within 14 days of release?”

This is where aspirational answers cause the most damage. A lot of businesses apply patches when they can, not when they should. That might mean three or four weeks for servers because the warehouse does not want downtime. It might mean months for certain legacy applications because patching requires a full system test.

If the ransomware that hit you exploited a vulnerability for which a patch had been available for six weeks, and your proposal form says you patch within 14 days, you have a problem.

4. Incident Response Plans

The typical question: “Do you have a documented and tested incident response plan?”

The uncomfortable truth is that most SMBs do not. They might have an informal understanding of who calls who. They rarely have a written document that names specific people, defines their roles, includes emergency contact numbers, and sets out the first actions to take.

If you answered yes to this question without having an actual document, that is a misrepresentation. One you can fix right now, before a breach makes it expensive.

5. Data Classification and Access Controls

This category covers questions about whether sensitive data is encrypted, whether access to customer records is controlled and logged, and whether you know what data you hold and where it lives.

Most SMBs do not have a formal data map. They have a rough idea. The proposal form is not the place for rough ideas.

The Optimism Problem

There is a structural incentive problem in the way these forms get filled in, and I want to be direct about it.

Your broker wants to get you a quote. A lower premium is easier to sell. Answers that suggest a stronger security posture produce better quotes. So there is a subtle pressure, not always conscious, to present the most favourable interpretation of each question.

Your IT provider or managed service company does not want to make you look bad, or to have a difficult conversation about gaps they should have fixed. So their input to the form tends to describe the intended state rather than the verified state.

You, the business owner, do not want to pay a higher premium. So you accept the optimistic version.

Nobody in that chain is deliberately lying. But the result, when a forensic team compares proposal with reality, looks a lot like negligent misrepresentation. And negligent misrepresentation gives the insurer tools to reduce your payout.

What to Do If Your Form and Reality Have Drifted Apart

This is the part that most articles do not cover: what to do when you read your proposal form, check it against your actual IT environment, and realise there are gaps.

Step one: do not panic, and do not try to quietly fix things and hope nobody notices. If a breach happens between now and your next renewal, the forensic team will be looking at the state of your network at the time of the attack, not how it looked after you rushed to implement MFA the week before.

Step two: contact your broker. Tell them you have reviewed the form and found that your current position does not match some of the answers provided. Ask what the process is for making a material disclosure or correcting an inaccuracy before renewal.

Step three: fix what you can now. Even if you cannot correct the historical record, improving your controls today reduces your risk of a breach in the first place. And a genuine, documented improvement effort demonstrates good faith.

Step four: at renewal, answer the new form with extreme care. Go through it with your IT provider, line by line, and insist on answers you can verify. “We have MFA on email, VPN, and all admin accounts, and here is the documentation to prove it” is infinitely better than “yes, we have MFA.”

The Evidence You Should Be Keeping

If you do everything right, you need to be able to prove it. That means maintaining a running file of evidence:

  • Screenshots or exports of MFA policy configurations, showing enforcement settings and which accounts are enrolled
  • Backup logs showing completion, destination (isolated/offsite/immutable), and the date of your last restore test
  • Patch management reports showing which updates were applied and when
  • Your incident response document, with a version date
  • Any contracts with managed service providers that define what security controls they are responsible for

That folder of evidence is not bureaucracy. It is what stands between you and an insurer saying “you told us you had these controls, but we can’t find any evidence they existed.”
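As an added example that is not part of the original article, the following Python script reconciles the patching, backup and incident response questions from the sections above against the kind of records that evidence file should hold, and returns a yes or no per question that is derived from the records rather than from intent. The record layouts, the sample dates and the labels used for isolated backup destinations are constructed assumptions; the 14-day patch window is the figure quoted in the form question above, while the 12-month thresholds for restore tests and plan reviews are assumed rather than taken from any policy wording.

```python
"""Reconcile proposal-form answers against an evidence file.

Added example, not code from the original article. The record layouts below
(patch report, backup log summary, plan version date) are made up for
illustration. The 14-day patch window is the article's quoted form question;
the 12-month thresholds and the destination labels are assumptions.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14            # from the typical form question quoted above
MAX_RESTORE_TEST_AGE_DAYS = 365   # assumed threshold, not from the article
MAX_IR_PLAN_AGE_DAYS = 365        # assumed threshold, not from the article
ISOLATED_DESTINATIONS = {"immutable-cloud", "offline", "offsite-isolated"}  # assumed labels

AS_OF = date(2026, 3, 1)  # constructed "today" so the run is reproducible

# Constructed evidence records; not real data.
PATCH_REPORT = [
    {"update": "PATCH-A", "released": date(2026, 1, 5), "applied": date(2026, 1, 12)},
    {"update": "PATCH-B", "released": date(2026, 1, 20), "applied": date(2026, 2, 17)},
    {"update": "PATCH-C", "released": date(2026, 2, 3), "applied": None},  # still outstanding
]
BACKUP_LOG = {
    "last_successful_run": date(2026, 2, 28),
    "destination": "network-share",          # the weak setting the article warns about
    "last_restore_test": date(2025, 1, 15),  # the once-two-years-ago restore test
}
IR_PLAN_VERSION_DATE = date(2025, 11, 10)


def patch_lags(report, as_of):
    """Days from release to application; an outstanding patch keeps counting up to as_of."""
    lags = []
    for row in report:
        end = row["applied"] or as_of
        lags.append((row["update"], (end - row["released"]).days))
    return lags


def patches_exceeding_window(report, as_of, window=PATCH_WINDOW_DAYS):
    """Updates that would contradict a 'patched within N days' answer."""
    return [update for update, lag in patch_lags(report, as_of) if lag > window]


def restore_test_age_days(log, as_of):
    """How stale the last documented restore test is."""
    return (as_of - log["last_restore_test"]).days


def reconcile(report, log, plan_date, as_of):
    """One evidenced yes/no per form question."""
    return {
        "patched_within_14_days": not patches_exceeding_window(report, as_of),
        "backup_copy_isolated": log["destination"] in ISOLATED_DESTINATIONS,
        "restore_tested_recently": restore_test_age_days(log, as_of) <= MAX_RESTORE_TEST_AGE_DAYS,
        "ir_plan_current": (as_of - plan_date).days <= MAX_IR_PLAN_AGE_DAYS,
    }


def answers_needing_correction(results):
    """Questions where a 'yes' on the form is not supported by the evidence."""
    return sorted(question for question, ok in results.items() if not ok)


if __name__ == "__main__":
    results = reconcile(PATCH_REPORT, BACKUP_LOG, IR_PLAN_VERSION_DATE, AS_OF)
    for question, ok in results.items():
        print(f"{question:26} {'evidenced' if ok else 'do not answer yes'}")
    for update, lag in patch_lags(PATCH_REPORT, AS_OF):
        print(f"  {update}: {lag} days from release")
    print("restore test age:", restore_test_age_days(BACKUP_LOG, AS_OF), "days")
```

Run against the constructed records, the only question that survives is the incident response plan; the patch report shows two updates past the 14-day window (one still outstanding), the backup destination is a plain network share, and the last restore test is over a year old. Those are exactly the three answers to raise with your broker before renewal rather than after a claim.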

How to Turn This Into a Competitive Advantage

Being able to demonstrate to a customer, a procurement team, or a partner organisation that your cyber insurance reflects your actual security controls, not your aspirational ones, is a mark of genuine operational maturity.

Larger organisations are increasingly requiring evidence of cyber cover from suppliers, along with confirmation that the policy is in good standing. Being one of the few SMBs that can say “yes, we have cover, we meet our policy conditions, and here is the documentation” is a differentiator most of your competitors cannot match.

How to Sell This to Your Board

Financial exposure. If your insurer denies a claim because of a misrepresentation on the proposal form, you are paying every penny of recovery from operating cash. For most SMBs, that is a terminal event. The cost of conducting a proper proposal form review is negligible by comparison.

Legal risk. A deliberate misrepresentation on a proposal form can, in extreme cases, expose individuals, not just the company, to legal consequences. That is a board-level risk that deserves board-level attention.

Renewal risk. If a breach exposes a gap between your proposal form answers and your actual security posture, your insurer may refuse to renew. Or they will renew at a premium that reflects the actual risk, which may be significantly higher than what you have been paying.

What This Means for Your Business

Go and find your proposal form. The most recent one. Read every security-related question out loud. For each one, ask honestly: can you prove this is true today, across your entire business?

If the answer is yes, document the evidence.

If the answer is sort of, you have work to do before your next renewal.

If the answer is no, call your broker today.

This is one of those rare tasks that takes two hours and could save your business.


Listen to the full discussion on The Small Business Cyber Security Guy Podcast, Episode 15.

Sources

  • ABI: Nearly £200 million paid in cyber claims to help UK businesses recover
  • Coalition: 2024 Cyber Claims Report
  • legislation.gov.uk: Insurance Act 2015
  • FCA: FCA Handbook ICOBS 8.1 - Claims Handling
  • Marsh McLennan: UK Cyber Insurance Claims Trends Report 2024
  • NCSC: NCSC Small Business Guide: Backing Up Your Data
  • DSIT: Cyber Security Breaches Survey 2025
