Your cyber insurance renewal used to be a questionnaire. Check the boxes, attach an IR plan PDF, submit, renew. Maybe the broker followed up on one or two items. That was it.
That’s not how it works anymore. In 2026, carriers treat renewals more like audits. They want documentation — screenshots of your backup configuration, MFA enrollment reports, vulnerability scan results, and increasingly, evidence that you’ve actually tested your incident response plan. Not that you have one. That you’ve run it.
Roughly 41% of first-time SMB applicants get denied cyber coverage. The reasons vary, but a common thread is the gap between “we have an IR plan” and “we’ve tested our IR plan.” Carriers learned from the ransomware wave — organizations with untested plans file larger, slower, more expensive claims. That’s a risk they’re no longer willing to underwrite blind.
What carriers actually ask for now
Underwriting questionnaires have expanded significantly. What used to be a dozen questions about firewalls and backups is now 50+ questions covering endpoint detection, MFA coverage, backup immutability, vendor risk management, and incident response readiness.
The IR-specific questions that keep showing up:
- “When was your incident response plan last tested?” — “Never” or “more than 12 months ago” is a red flag. Some carriers won’t proceed past this question without a satisfactory answer.
- “Provide your most recent tabletop exercise report.” — Not all carriers ask for the actual document, but the trend is toward evidence over attestation. If you say you tested the plan, they want to see the report.
- “What scenarios did you test?” — Carriers want to know you practiced responding to the incident types that drive claims — ransomware, BEC, data exfiltration. A generic “we discussed a breach” doesn’t demonstrate much.
- “What gaps did the exercise identify and how were they addressed?” — This is the sophistication signal. An exercise that found problems you then fixed demonstrates a mature security program. An exercise with zero findings suggests it wasn’t rigorous.
Some carriers now request this evidence before quoting, not just at renewal. If you’re applying for coverage for the first time, the exercise report can be the difference between getting a quote and getting declined.
Here’s what happens without it: your broker calls, says the underwriter has follow-up questions about your IR readiness. You scramble to schedule a tabletop two weeks before the renewal deadline. Twelve people join a conference call, someone reads a scenario off a slide, everyone nods, and you produce a one-page summary that says “the exercise went well.” The underwriter reads it and sees exactly what it is — a compliance artifact produced under pressure, not evidence of a tested program. You get the renewal, but with a higher premium and a sublimit on ransomware coverage. Or you don’t get it at all.
Why carriers care about exercises
This shift didn’t happen in a vacuum. Between 2020 and 2023, ransomware claims exploded. Carriers paid out billions. When they analyzed the claims data, a pattern emerged: organizations with documented, tested IR plans filed claims that resolved faster and cost less. Organizations with paper plans — the kind nobody had practiced — filed claims that dragged on for months with escalating costs.
From an underwriter’s perspective, the logic is straightforward. A team that has practiced ransomware response — containment, negotiation, restoration, notification — will execute faster when it’s real. Faster containment means less data encrypted, fewer systems affected, shorter downtime. Shorter downtime means a smaller claim.
The difference between “we have a plan” and “we tested the plan” is material to how carriers model risk. A tested plan tells the underwriter that when the 2 AM call comes, your team has at least some muscle memory for what happens next. An untested plan tells them you’ve got a PDF.
What scenarios insurers want to see
Carriers care about the scenarios that drive claims. If your exercise tested a scenario that has nothing to do with how breaches actually unfold in your industry, it doesn’t tell the underwriter much.
Ransomware with double extortion. The most expensive claim type. Your exercise should cover detection, containment, the ransom decision, restoration from backups, and regulatory notification. If your team has never walked through “do we pay?” in a practice setting, that decision will be made under maximum pressure with minimum preparation.
Business email compromise. The highest-frequency claim type. An executive’s email is compromised, a wire transfer is redirected, and the CFO approved it because the request looked legitimate. Your exercise should test whether your team can detect the compromise, halt the transaction, and preserve evidence for law enforcement.
Third-party and supply chain compromise. A growing claim category. Your SaaS vendor is breached and your customer data is exposed. The exercise tests whether your team knows which vendors have access to what data, who to contact, and how your contract allocates breach notification responsibility.
Data exfiltration with regulatory notification. This tests the full notification chain — state breach notification laws, HIPAA if healthcare data is involved, PCI DSS if card data is involved, GDPR if EU residents’ data is involved. Carriers want to see that your team understands the regulatory obligations a breach triggers.
The scenarios should reflect your actual risk profile. A healthcare org should test an EHR ransomware scenario. A financial services firm should test BEC. A SaaS company should test a supply chain compromise. Generic scenarios are better than nothing, but tailored scenarios demonstrate the kind of risk awareness carriers reward.
What your exercise report should include
Carriers don’t prescribe a format. What they want is evidence — proof that the exercise happened, that it was substantive, and that you did something with the findings.
| Element | What the underwriter sees |
|---|---|
| Exercise date and duration | Proof that testing happened within the past 12 months |
| Participant names and roles | Cross-functional involvement — not just IT |
| Scenario description | Relevance to actual claim drivers (ransomware, BEC, etc.) |
| Decision log | Evidence the team practiced real decision-making, not just attendance |
| Findings and gaps identified | Honesty about weaknesses (this is a strength signal, not a weakness) |
| Remediation actions and status | Proof that gaps were addressed — the closed loop |
| Scores or competency assessment | Demonstrates measurable improvement over time |
That last row is the differentiator. Most exercise reports are narrative — “the team did well, here are some areas for improvement.” A scored assessment with competency breakdowns gives your carrier a quantitative signal of your readiness. If you can show improvement across exercises — your containment scores going up, your notification timelines getting faster — that tells a story about a maturing program that no narrative summary can match.
The 90-day renewal playbook
The most common advice is “start preparing 90-120 days before renewal.” That’s good advice. Here’s what to do with that time:
90 days out: run the exercise. Pick a scenario that matches your industry risk profile. Include IT security, legal, finance, communications, and executive leadership. Document everything.
60 days out: complete remediation. Fix the critical gaps the exercise surfaced. Update the escalation contacts. Test the backup restoration. Clarify the communication chain. Document the fixes.
30 days out: compile the evidence package. Exercise report, remediation evidence, updated IR plan, and any other documentation your broker or carrier has requested. Hand it to your broker before the underwriter asks.
Why 90 days instead of the week before renewal? Because an exercise that found problems you then fixed is dramatically stronger evidence than no exercise at all. Carriers expect gaps — no program is perfect. What they don’t expect is organizations that found gaps and ignored them. The 90-day runway gives you time to close the loop.
The bottom line
A documented tabletop exercise doesn’t just check a box for your carrier. It changes the conversation. You go from “yes, we have a plan” to “here’s the report from our last exercise, here are the gaps we found, and here’s the evidence we fixed them.” That’s not a better answer to the same question — it’s a different conversation entirely. One where the underwriter sees a security program that’s actually running, not a binder that’s collecting dust.
If you’re also maintaining SOC 2 or HIPAA compliance, the exercise can serve double duty. One well-documented exercise, with the right artifacts, produces evidence that satisfies your auditor, your carrier, and your board.
We built Breachdeck to produce exactly this kind of evidence. Every exercise generates a scored debrief with timestamped decisions, competency breakdowns, and a one-click PDF — the artifact your underwriter is asking for and your auditor will accept. Run the demo — five minutes, and you’ll see the report.