Risk Management

The Cyber Insurance Question Every CFO Should Ask Their MSSP Before the Next Renewal

Cybool Security Team

Risk & Insurance

April 8, 2026
7 min read

Cyber insurance has become the most expensive line item in many mid-market security budgets. In 2025, average premiums rose between 25% and 40% in LATAM and Europe, deductibles doubled in some segments, and coverage exclusions multiplied. For 2026 renewals, the underwriting questionnaires have grown longer and more technical — and underwriters now ask for evidence, not attestations.

For CFOs, this changes the relationship with the MSSP. The MSSP is no longer just a security vendor. It is now the company’s primary source of underwriting evidence — and the gap between what the MSSP can actually produce and what the underwriter requires is where premium surprises and coverage rejections happen.

Here are the seven questions every CFO should ask their MSSP in the 60–90 days before the next renewal. Each one has a correct answer; if the MSSP cannot produce it, that is information the CFO needs.

1. "Can you produce a control-evidence packet aligned to our policy’s underwriting questionnaire?"

The correct answer is yes, with examples from prior renewals. Underwriters increasingly require evidence packets that include:

  • Configuration screenshots from the EDR / SIEM / identity platform
  • Sample alert tickets and SLA-met evidence
  • Quarterly penetration test or vulnerability scan reports
  • Documented incident-response playbook with named roles
  • MFA enforcement reports across privileged accounts

A modern MSSP should have a template evidence packet ready to populate for renewal. If your MSSP responds with "we can probably pull most of that," budget an extra 30 days for the renewal and expect underwriting questions.

2. "What percentage of our privileged accounts have phishing-resistant MFA today?"

Underwriters in 2026 distinguish between SMS / app-based MFA and phishing-resistant MFA (FIDO2 hardware keys, Windows Hello for Business, certificate-based authentication). A growing number of carriers now offer materially lower premiums for organizations that can demonstrate phishing-resistant MFA on 100% of administrators and privileged accounts.

The correct answer from the MSSP is a specific percentage and a roadmap to 100%. "We have MFA enabled" is the answer that costs you the premium discount.

3. "What is our mean time to detect and mean time to respond, and how do we measure it?"

Underwriters now ask for these metrics directly. The correct answer includes a number, the source of the measurement, and the trailing-12-month trend.

A common reasonable answer: "Median detection time across confirmed incidents in the last 12 months was 8 minutes; median response time to containment was 22 minutes; both measured from SIEM event ingestion to ticket-resolved state, validated by post-incident review."

If your MSSP cannot give you specific numbers, the underwriter will assume the worst.
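As an added illustration of how those numbers are produced (example code, not from the post or from Cybool): the function below computes median detection and response times from incident-ticket records, using the measurement points the post names, and reports tickets it had to reject so the figure handed to the underwriter is defensible. The incident records, the field names and the `AS_OF` date are constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample incidents (not from the post). The three timestamps are the
# measurement points the post names: SIEM ingestion, analyst confirmation
# (detection) and the ticket reaching its contained/resolved state (response).
INCIDENTS = [
    {"id": "INC-001", "true_positive": True, "ingested": "2025-05-10T08:00:00",
     "confirmed": "2025-05-10T08:12:00", "contained": "2025-05-10T08:40:00"},
    {"id": "INC-002", "true_positive": True, "ingested": "2025-08-21T14:30:00",
     "confirmed": "2025-08-21T14:36:00", "contained": "2025-08-21T14:52:00"},
    {"id": "INC-003", "true_positive": True, "ingested": "2025-11-03T02:15:00",
     "confirmed": "2025-11-03T02:23:00", "contained": "2025-11-03T02:39:00"},
    {"id": "INC-004", "true_positive": True, "ingested": "2026-01-14T11:00:00",
     "confirmed": "2026-01-14T11:07:00", "contained": "2026-01-14T11:18:00"},
    {"id": "INC-005", "true_positive": True, "ingested": "2025-02-01T09:00:00",  # outside window
     "confirmed": "2025-02-01T09:30:00", "contained": "2025-02-01T12:00:00"},
    {"id": "INC-006", "true_positive": False, "ingested": "2025-12-05T16:00:00",  # false positive
     "confirmed": "2025-12-05T16:02:00", "contained": "2025-12-05T16:05:00"},
    {"id": "INC-007", "true_positive": True, "ingested": "2025-10-10T10:00:00",  # bad ticket data
     "confirmed": "2025-10-10T10:05:00", "contained": "2025-10-10T09:58:00"},
]
AS_OF = datetime(2026, 3, 31)  # constructed "as of" date for the trailing-12-month window


def detection_response_metrics(incidents, as_of, window_days=365):
    """Median MTTD and MTTR in minutes over confirmed incidents in the trailing window."""
    window_start = as_of - timedelta(days=window_days)
    detect, respond, rejected = [], [], []
    for inc in incidents:
        if not inc["true_positive"]:          # false positives never count
            continue
        t_in, t_conf, t_cont = (datetime.fromisoformat(inc[k]) for k in ("ingested", "confirmed", "contained"))
        if not (window_start <= t_in <= as_of):
            continue
        if not (t_in <= t_conf <= t_cont):     # non-monotonic timestamps: report, do not silently include
            rejected.append(inc["id"])
            continue
        detect.append((t_conf - t_in).total_seconds() / 60)
        respond.append((t_cont - t_in).total_seconds() / 60)
    return {"incidents": len(detect),
            "mttd_median_min": median(detect) if detect else None,
            "mttr_median_min": median(respond) if respond else None,
            "rejected": rejected}
```

The rejected list is the part worth keeping in the evidence packet: it shows the metric excludes tickets with unusable timestamps rather than quietly absorbing them.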

4. "Can you demonstrate immutable backups across our critical systems, and when was the last successful restore test?"

Ransomware-related underwriting almost always asks about backup immutability and restore testing. The correct answer is a specific backup architecture (typically air-gapped or immutable cloud backups) and a recent restore test date — within the last 6 months for the most defensible posture.

Most rejected ransomware claims trace back to either non-existent backups or backups the policyholder could not restore. Underwriters know this and ask accordingly.

5. "What is our supply-chain security posture, and how do you assess our top vendors?"

Supply-chain attacks drove a significant portion of 2025 cyber losses. Underwriters now want to see that the policyholder has a vendor risk-management process and applies it to high-risk vendors. The correct answer references a vendor inventory, a risk-tiering methodology, and concrete due-diligence activities for the top tier.

For LATAM and European companies, NIS2-driven supply-chain controls now overlap directly with underwriting expectations. If you have closed the NIS2 gap, you have substantially closed the underwriting gap too.

6. "What is our incident-response retainer status, and what is the SLA?"

Insurers increasingly prefer policyholders with a pre-engaged DFIR retainer that activates inside 1 hour of a confirmed incident. Some carriers offer materially better terms if the retainer is with a carrier-approved firm; others accept any reputable provider as long as the SLA is documented.

The correct answer is a named provider, a contracted activation SLA (sub-1-hour is the modern standard), and evidence that the retainer covers the geographies and entities on the policy.

7. "If we have an incident, who notifies whom, in what order, and within what timelines?"

Coverage is often voided by late notification. Most policies require notification to the carrier within 24–72 hours of the policyholder becoming aware of a covered event. NIS2 in Europe and LFPDPPP / LGPD in LATAM may require regulator notification within the same window.

The MSSP should be able to walk the CFO through the notification chain: how an event is confirmed, who at the customer is informed, how the carrier hotline is contacted, how the regulator notification is prepared, and how legal counsel coordinates. Practiced clarity here is one of the biggest predictors of how a claim is paid.

What to Do With the Answers

After this conversation, the CFO will typically find one of three patterns:

Pattern A — The MSSP has clean answers across all seven questions. Renewal becomes a low-friction exercise. The CFO should ask the broker whether the evidence packet qualifies for any premium-discount programs the carrier offers.

Pattern B — The MSSP has clean answers on four to five, gaps on the rest. The CFO has a 60–90 day project. Close the gaps before renewal; document the remediation in the underwriting packet. Carriers reward visible improvement.

Pattern C — The MSSP cannot answer most of the seven. This is the difficult conversation. The CFO has two options: either upgrade the MSSP relationship to a tier that produces the evidence, or accept that the renewal will price punitively. Both are valid choices; pretending the choice does not exist is what causes the renewal surprise.

The CFOs that handle 2026 renewals best are not the ones with the largest security budgets. They are the ones who have the MSSP conversation in February for an April renewal, not in March for an April renewal.


Cybool produces underwriting evidence packets for customers ahead of every renewal cycle, aligned to the major carriers’ 2026 questionnaires. Contact our team to walk through your next renewal, or request a free pre-renewal readiness review.

Tags: Cyber Insurance, CFO, MSSP, Risk Management, Renewal
