Cyber insurance evidence: what MSPs should collect before renewal
Build a client-ready cyber insurance evidence pack across MFA, backups, endpoint protection, patching, access, logging, and security awareness training.
DefendWise
TL;DR
Cyber insurance evidence is not a folder of screenshots built the night before renewal. It is the proof that a client’s controls are active, in scope, tested where needed, and tied to a named owner.
For MSPs, the safest pattern is evidence first, answer second. Build a client evidence pack around MFA, backups, endpoint coverage, patching, incident response, access control, email security, logging, vendor access, and security awareness training. Then help the client decide what can be answered as confirmed, what needs an exception, and what should be remediated before the broker or carrier asks.
Security awareness is one slice of the pack. It matters because insurers and public guidance keep pointing businesses toward training, reporting, MFA, backups, and response planning. But training proof only helps when it shows scope, completion, dates, overdue users, and exceptions, not a vague “annual training done.”
What is cyber insurance evidence?
Cyber insurance evidence is the proof behind a client’s insurance answers.
A questionnaire may ask, “Do you require MFA?” The useful evidence is not a yes from memory. It is the conditional access policy, MFA enrollment report, admin-account status, exception list, and scope note that shows which systems and users are covered.
A questionnaire may ask about backups. The evidence is not “we have backups.” It is the job status, retention policy, restore-test record, offline or immutable backup note, and recovery owner.
A questionnaire may ask whether employees receive security awareness training. The evidence is the training assignment list, completion report, topics covered, date range, overdue users, exception notes, and reporting path for suspicious messages.
That is the difference between an answer and evidence.
For an MSP, the evidence pack has 3 jobs:
- Help the client answer accurately.
- Show gaps early enough to fix or disclose them.
- Create a repeatable service workflow instead of a renewal-week scramble.
It should not turn the MSP into the client’s insurer, broker, lawyer, or risk owner. The MSP can verify technical facts and produce records. The client still owns the final application and the business statements inside it.
Why cyber insurance evidence matters for MSP clients
Cyber insurance conversations have moved from broad claims to proof.
CISA’s small-business guidance tells owners to track practical security goals such as MFA adoption, fully patched systems, and backed-up systems, and to make cybersecurity an everyday business activity rather than an occasional project: CISA cyber guidance for small businesses. The FTC’s small-business cybersecurity hub points businesses toward the NIST Cybersecurity Framework, email authentication, remote access security, vendors, cyber insurance, and incident response: FTC cybersecurity for small business. NIST’s CSF 2.0 small-business quick-start guide gives smaller organizations a way to begin cyber risk management without pretending they have an enterprise security team: NIST SP 1300.
Insurance-specific guidance from security vendors and carriers says the same thing in different words: underwriters want controls they can understand and records they can check. Huntress describes the current direction as “attestations are good; verification is better,” with common evidence areas including MFA, endpoint detection, tested backups, security awareness training, monitoring, email security, patching, privileged access, logging, incident response, and vendor risk: Huntress cyber insurance requirements. Travelers lists MFA, system updates, endpoint detection and response, an incident response plan, and backups as cyber readiness practices for businesses: Travelers cyber readiness practices.
None of those sources means every client needs the same controls in the same form. They do mean MSPs should stop treating evidence as a final admin task.
The risk is not just a messy renewal. It is an unsupported answer.
If a client says MFA is in place, but privileged accounts or remote access are excluded, the answer needs context. If a client says backups are tested, but the last restore test is unknown, the answer needs a gap note. If a client says all staff are trained, but the report excludes contractors, executives, or new starters, the answer is weaker than it looks. For a deeper prep workflow, see our guide to preparing clients for cyber insurance questionnaires.
The MSP’s value is in making that visible before it becomes urgent.
What MSPs should collect in a cyber insurance evidence pack
The exact carrier form will vary. Use the client’s questionnaire when available. If it is not available yet, start with this evidence map.
This is the whole renewal evidence pack, not just the training proof folder.
| Evidence area | What the insurer or broker is usually trying to understand | Useful MSP evidence |
|---|---|---|
| MFA | Whether sign-ins are protected beyond passwords | MFA policy export, enrollment report, admin-account coverage, remote-access coverage, exception list |
| Backups | Whether the client can recover from data loss or ransomware | Backup status, retention setting, restore-test record, offline or immutable backup note, recovery owner |
| Endpoint protection | Whether managed devices are protected and monitored | EDR/AV coverage report, unmanaged-device list, alert review evidence, exception notes |
| Patching | Whether known vulnerabilities are being reduced | Patch compliance report, unsupported software list, remediation tickets, approved deferrals |
| Email security | Whether malicious email and spoofing risk are managed | Mail security settings, SPF/DKIM/DMARC status, quarantine policy, phishing-reporting path |
| Security awareness | Whether users are trained and know how to report suspicious activity | Assignment report, completion report, topics, dates, overdue users, exceptions, reporting workflow |
| Incident response | Whether the client knows what happens during an incident | Incident response plan, contact list, tabletop notes, escalation path, broker/carrier contact process |
| Access control | Whether users and admins have appropriate access | Admin-user list, access review, leaver process, privileged-account exceptions |
| Logging and monitoring | Whether events can be detected and reviewed | Log source list, monitoring summary, alert response records, retention notes |
| Vendor and MSP access | Whether third-party access is known and controlled | Vendor inventory, MSP access model, third-party account review, responsibility matrix |
| Governance | Whether ownership and decisions are clear | Client sign-off record, policy owner, risk owner, exception approval, renewal decision log |
This table is not legal advice. It is a working map for service delivery.
The evidence pack should be client-specific. Do not blend tenant reports. Do not use a generic security statement when the form asks for a control status. Do not let a good answer for one system imply coverage for every system.
Step-by-step: how to build cyber insurance evidence before renewal
1. Get the date, form, owner, and broker context
Start with the practical basics.
Ask the client:
- When is renewal or application submission due?
- Who owns the insurance relationship?
- Which broker and carrier are involved?
- Is this a new policy, renewal, claim follow-up, or control-improvement request?
- Who can approve final answers?
- Who can approve remediation work?
If the form is available, get it early. If only last year’s form is available, use it as a starting point. If neither is available, build the pack from the evidence map above and update it when the broker sends the actual questions.
Do not let the MSP become the unspoken business sign-off. The client should approve final answers.
2. Create one evidence pack per client
Evidence scattered across tickets, email, screenshots, and vendor portals is hard to defend and hard to reuse.
Create one controlled pack for the client. Keep it simple:
- current questionnaire or prior-year form;
- evidence checklist;
- control reports;
- screenshots only where exports are not available;
- exception log;
- remediation notes;
- final answer review notes;
- client sign-off.
Use a date in every record. A screenshot without a date, tenant, or scope note becomes weak proof later.
For MSPs managing many clients, the evidence pack should be a repeatable folder structure or service object, not a one-off project. The shape should be boring enough that any technician can find the latest MFA report, backup test, training completion report, and exception note without asking the original account manager.
3. Label each control as confirmed, partial, planned, or unknown
A cyber insurance questionnaire often turns messy reality into yes/no boxes. Your internal prep should not.
Use 4 labels before the final answer is chosen:
- Confirmed: evidence exists and matches the scope of the question.
- Partial: the control exists, but not everywhere the question appears to cover.
- Planned: the client has approved work, but it is not active yet.
- Unknown: the MSP cannot verify the answer from current evidence.
This prevents sloppy “yes” answers. It also gives the MSP cleaner inputs for measuring security awareness effectiveness and turning client reports into evidence, not noise.
Example: “MFA is enabled for Microsoft 365 users, but 2 break-glass accounts and 3 legacy service accounts are excluded. Admin access is covered. VPN access is covered. Client owner accepted the break-glass exception on 2026-06-18.”
That is more useful than “MFA: yes.”
4. Make scope visible
Scope is where evidence breaks.
For every control, state:
- client name;
- tenant or environment;
- date range;
- user/device/system count;
- source system;
- exclusions;
- owner;
- next review date.
This matters for security awareness evidence in particular. A 96% completion report is not good or bad until the denominator is clear. Is it 96% of active users? Assigned users? Licensed users? Full-time employees only? Did it include executives, contractors, finance, HR, and privileged users?
The same scope problem appears in endpoint protection and patching. A clean report for managed laptops is not evidence for unmanaged BYOD devices. A backup report for servers is not evidence for SaaS data unless the SaaS data is included.
Scope turns a record into useful proof.
5. Pair every answer with the evidence source
Build a simple crosswalk.
| Questionnaire answer | Evidence source | Owner | Status |
|---|---|---|---|
| MFA required for Microsoft 365 | Conditional access export, MFA enrollment report | MSP technical lead | Confirmed |
| Backups tested quarterly | Backup console export, restore-test note | MSP backup owner | Partial: one app needs test |
| Employees receive security awareness training | Defendwise tenant report, completion export, overdue list | MSP service manager | Confirmed with 4 overdue users |
| Incident response plan exists | Client IR plan PDF, last review date | Client operations owner | Planned review next month |
This does 2 things. It makes the answer review faster, and it stops the MSP from repeating work next year.
6. Separate insurance evidence from marketing claims
The client may ask, “Will this reduce our premium?” Do not promise that.
Evidence can help a client answer accurately, reduce friction, and avoid guessing. It may also help brokers and carriers understand the client’s security posture. But pricing, exclusions, approvals, and claim decisions belong to the insurance process.
Say this plainly:
“We can help prove what is in place and flag what is not. Your broker and carrier decide how that affects terms.”
That line protects the client and the MSP.
7. Keep the pack alive after renewal
The best cyber insurance evidence pack is maintained all year.
Use existing service rhythms:
- Monthly: update overdue training, backup failures, patch gaps, endpoint exceptions, and access changes.
- Quarterly: review client-facing evidence in the QBR.
- 90 days before renewal: request the current questionnaire and run the full pack review.
- 30 days before renewal: resolve or document remaining exceptions.
- After submission: lock the evidence version used for answers.
CISA’s ransomware guide recommends offline encrypted backups, tested recovery, and an incident response plan that is maintained and exercised: CISA StopRansomware guide. Those are not tasks to invent when a renewal email arrives. They are operating habits.
What good cyber insurance evidence looks like
Good evidence is boring, specific, and easy to explain.
It has these traits.
It is current. The record has a date, source, and owner.
It is scoped. It says which users, systems, tenants, devices, or groups are included.
It has exceptions. It does not hide the break-glass account, unsupported server, failed backup, untrained executive, or unmanaged device.
It is reproducible. Someone else at the MSP can pull the same report later.
It is client-readable. The client can understand what is confirmed, what is partial, and what decision is needed.
It separates controls. Security awareness evidence is not backup evidence. MFA evidence is not incident response evidence. One strong area does not cover another weak area.
It has a clean approval trail. The client signs off on final answers, accepted risk, and remediation choices.
That is what makes the evidence pack useful beyond insurance. The same pack can support QBRs, security roadmap work, audit prep, board reporting, and incident readiness.
Mistakes MSPs should avoid
Treating the questionnaire as the source of truth
The questionnaire is a prompt. The evidence is the source of truth.
If the client answers the form first and gathers proof later, the MSP is working backwards. Start with the evidence, then draft the answer.
Saying “yes” when the answer is partial
Partial controls are common. The problem is not partial status. The problem is hiding it.
A control can be active for Microsoft 365 and missing from a legacy VPN. Training can be complete for office staff and missing for new starters. Backups can be running but not recently tested. Write that down before the client chooses an answer.
Using screenshots without context
Screenshots are sometimes necessary, but they are weak when they lack dates, tenant names, scope, and source details.
Prefer exports, reports, or system-generated records. If a screenshot is the only option, add a short note explaining what it shows, when it was captured, and what it does not prove.
Confusing training delivery with human-risk evidence
A training module assigned once a year is not the full human-risk layer.
For insurance evidence, the useful record should show who was assigned, who completed, when it happened, what topics were covered, who is overdue, which groups are excluded, and how suspicious activity is reported. CISA’s small-business guidance pushes organizations to build a culture of security and track measurable security goals, including MFA, patching, and backups; training records should fit that same proof habit.
Letting client-owned tools create blind spots
Many MSP clients have tools outside the MSP stack. HR systems, accounting apps, line-of-business SaaS, warehouse devices, personal devices, and ad hoc vendor portals can all sit outside standard reports.
Do not imply coverage where the MSP cannot see. Mark it unknown, ask the client owner, or document the dependency.
Making insurance promises
Avoid premium promises, approval promises, and claim promises.
The safer promise is operational: “We will help you collect the evidence, identify gaps, and prepare accurate answers.”
How security awareness evidence fits
Security awareness training has a real place in cyber insurance evidence, but it should not be overclaimed.
CISA’s ransomware guidance includes user awareness and training as a prevention practice, with guidance on identifying and reporting suspicious activity. The FTC’s small-business guidance points to cybersecurity basics and practical actions, and NIST CSF 2.0 includes Protect categories that cover identity, awareness and training, data security, platform security, and infrastructure resilience. Travelers and Huntress both list training or user education alongside technical controls such as MFA, backups, endpoint protection, and incident response.
For an MSP, that means security awareness evidence should answer 6 questions:
- Who was in scope?
- What was assigned?
- Who completed it?
- Who is overdue or excluded?
- What reporting path was taught?
- Can the record be reproduced later?
The evidence should be tenant-specific. A fleet-wide average is useful for MSP operations, but it is not a clean client evidence record. The same rule applies to internal phishing campaigns: the result is only useful when the scope, date range, and follow-up are clear.
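The six questions above and the denominator problem from step 4 can be answered from one training export. The following is an added example, not Defendwise code or its report format: it takes a constructed export for one tenant (field names are assumptions), computes completion against each denominator the text lists, separates overdue, excluded, unassigned and leaver accounts, and fingerprints the export so the record can be reproduced later.

```python
"""Tenant-specific security awareness evidence record.

Added example, not Defendwise code. Computes completion under several
denominators, lists overdue / excluded / unassigned users, and hashes the
export rows used. Sample rows and field names below are constructed.
"""
import hashlib
import json
from datetime import date

TODAY = date(2026, 7, 10)  # constructed review date
FIELDS = ("user", "group", "kind", "status", "licensed", "assigned", "due", "completed", "excluded")
# Constructed export: "" means no value; "excluded" holds the documented exception reason.
EXPORT = [
    ("ann@example.test", "finance",   "employee",   "active",   True,  True,  "2026-06-30", "2026-06-12", ""),
    ("bob@example.test", "sales",     "employee",   "active",   True,  True,  "2026-06-30", "2026-06-20", ""),
    ("cara@example.test", "hr",       "employee",   "active",   True,  True,  "2026-06-30", "",           ""),
    ("dan@example.test", "exec",      "executive",  "active",   True,  False, "",           "",
     "executive waiver; awaiting client owner approval"),
    ("eve@example.test", "it",        "employee",   "active",   True,  True,  "2026-06-30", "2026-06-02", ""),
    ("fay@example.test", "warehouse", "contractor", "active",   False, False, "",           "",           ""),
    ("gil@example.test", "sales",     "employee",   "disabled", False, True,  "2026-06-30", "",           ""),
    ("hal@example.test", "finance",   "employee",   "active",   True,  True,  "2026-06-30", "2026-06-25", ""),
    ("ivy@example.test", "hr",        "contractor", "active",   True,  True,  "2026-06-30", "",           ""),
    ("jon@example.test", "it",        "employee",   "active",   True,  True,  "2026-06-30", "2026-05-30", ""),
]
USERS = [dict(zip(FIELDS, row)) for row in EXPORT]

# The same export gives a different completion rate for each denominator,
# so the record must state which one it reports.
DENOMINATORS = {
    "active users":   lambda u: u["status"] == "active",
    "assigned users": lambda u: u["assigned"],
    "licensed users": lambda u: u["licensed"],
    "employees only": lambda u: u["kind"] == "employee",
}


def completed(u: dict) -> bool:
    return bool(u["completed"])


def completion_rate(users: list, denominator: str) -> tuple:
    """(completed, denominator size, percent) for the named denominator."""
    pool = [u for u in users if DENOMINATORS[denominator](u)]
    done = sum(1 for u in pool if completed(u))
    return done, len(pool), (round(100 * done / len(pool), 1) if pool else 0.0)


def overdue(users: list, today: date) -> list:
    return sorted(u["user"] for u in users
                  if u["status"] == "active" and u["assigned"] and not completed(u)
                  and u["due"] and date.fromisoformat(u["due"]) < today)


def excluded(users: list) -> dict:
    return {u["user"]: u["excluded"] for u in users if u["excluded"]}


def unassigned_active(users: list) -> list:
    # Active users with neither an assignment nor a documented exclusion:
    # a scope gap to raise, not to leave implied by the headline percentage.
    return sorted(u["user"] for u in users
                  if u["status"] == "active" and not u["assigned"] and not u["excluded"])


def leavers_with_open_assignment(users: list) -> list:
    return sorted(u["user"] for u in users
                  if u["status"] != "active" and u["assigned"] and not completed(u))


def export_fingerprint(users: list) -> str:
    # Hash of the exact rows used, so a later reviewer can confirm the same export.
    return hashlib.sha256(json.dumps(users, sort_keys=True).encode()).hexdigest()


def evidence_record(users: list, today: date, client: str, tenant: str,
                    topics: list, reporting_path: str) -> dict:
    return {
        "client": client, "tenant": tenant, "as_of": today.isoformat(),
        "source": "SAT platform completion export",
        "topics": topics, "reporting_path": reporting_path,
        "completion": {d: completion_rate(users, d) for d in DENOMINATORS},
        "overdue": overdue(users, today),
        "excluded": excluded(users),
        "unassigned_active": unassigned_active(users),
        "leavers_with_open_assignment": leavers_with_open_assignment(users),
        "export_sha256": export_fingerprint(users),
    }


if __name__ == "__main__":
    rec = evidence_record(USERS, TODAY, "Example Co", "sat-tenant-42",
                          ["phishing", "MFA prompts", "reporting suspicious email"],
                          "Report button in mail client routes to MSP helpdesk queue")
    print(json.dumps(rec, indent=2))
```

With these ten constructed rows the same export reads 55.6% of active users, 62.5% of assigned or licensed users, and 71.4% of employees only, which is exactly why a completion figure without its denominator is not yet evidence. The record also surfaces the contractor who was never assigned, the executive whose waiver is still unapproved, and the leaver still carrying an open assignment, so the client can decide each one before the answer is chosen.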
This is where multi-tenant, white-label SAT matters. MSPs need to deliver training under their own service model and show client-ready records without turning every client into a separate admin project. Defendwise is built for that operating model: flat fee, unlimited users and client organizations, white-label delivery, multi-tenant management, automated onboarding, Microsoft 365 sync, Zapier integration, and branded monthly compliance reports.
Use that as the awareness layer. Keep the wider cyber insurance pack honest by pairing it with technical evidence from the rest of the client environment.
If the broker or insurer asks specifically for training proof, use the dedicated security awareness training evidence checklist for completion records, phishing simulation evidence, exceptions, and remediation notes.
A simple MSP workflow for the next 30 days
If the client has a renewal coming up, start with this.
Week 1: collect the known records. Pull MFA, backup, endpoint, patching, training, incident response, access, and email-security evidence. Get the questionnaire or prior-year form.
Week 2: label gaps. Mark each control confirmed, partial, planned, or unknown. Do not polish the answer yet. Find the truth first.
Week 3: review with the client. Show what can be answered confidently, what needs remediation, and what needs client risk acceptance.
Week 4: prepare the answer pack. Attach evidence references to every answer, lock the version used, and record client sign-off.
Then keep the pack alive monthly. A renewal should become a review of current evidence, not a scavenger hunt.
How a flat-rate MSP SAT platform helps
Defendwise does not replace a cyber insurance program, a broker, or the technical controls a client needs.
It helps MSPs make the security awareness evidence layer repeatable. With flat-fee pricing, unlimited users, unlimited client organizations, white-label delivery, multi-tenant management, automated onboarding, and reporting, MSPs can cover more users without turning every added seat into a billing argument or admin chore.
If security awareness evidence is the part of your insurance pack that keeps turning into exports, screenshots, and reminder chases, start there. If you are comparing platforms, use the same evidence standard in your SAT vendor selection process. Build the awareness layer once, then make it clean enough to use in QBRs, audit prep, and cyber insurance renewal reviews.
Start a free 7-day trial and see how Defendwise helps MSPs run white-label awareness training with client-ready reporting.
Frequently asked questions
What is cyber insurance evidence?
Cyber insurance evidence is the proof behind a client’s insurance answers. It can include MFA reports, backup records, endpoint coverage, patching status, security awareness completion reports, incident response plans, access reviews, and documented exceptions.
What evidence do cyber insurers usually ask for?
It varies by carrier, policy, client size, industry, and risk profile. Common areas include MFA, backups, endpoint protection, patching, email security, incident response, logging, access control, vendor access, and employee security awareness training.
Should an MSP answer cyber insurance questions for a client?
An MSP can help collect technical evidence and explain control status. The client should approve final answers because the application or renewal can affect coverage, exclusions, and claims.
How often should cyber insurance evidence be updated?
Update evidence during normal service delivery, then run a focused review 60 to 90 days before renewal. Monthly reporting and quarterly business reviews are useful checkpoints.
Does security awareness training count as cyber insurance evidence?
Yes, when the record shows scope, assignments, completion, dates, overdue users, exceptions, and the reporting path for suspicious activity. It supports the human-risk layer. It does not replace MFA, backups, endpoint protection, incident response, or access control.
Can cyber insurance evidence reduce premiums?
Evidence can help the client answer accurately and reduce renewal friction, but MSPs should not promise premium reductions, approval, coverage terms, or claim outcomes. The broker and carrier decide those.
How can Defendwise help with cyber insurance evidence?
Defendwise helps MSPs deliver white-label, multi-tenant security awareness training with automated onboarding and reporting. That makes the awareness evidence layer easier to repeat across clients while the MSP manages the wider technical evidence pack.
Header image brief for Picasso
- Source TL;DR: Cyber insurance evidence should be collected all year, not assembled in a panic at renewal. MSPs need a client-specific evidence pack that ties answers to proof across MFA, backups, endpoint, patching, incident response, access, email security, and awareness training. The awareness layer helps when it shows scope, completion, dates, exceptions, and reporting paths.
- Primary pillar: compliance and client-facing proof
- Infographic thesis: Show the MSP turning scattered control records into one client-ready cyber insurance evidence pack before renewal.
- Suggested layout: 3-part map
- Short on-image text candidates: Evidence first; Confirmed; Partial; Exception; Client sign-off
- Key objects: insurance questionnaire, evidence folder, MFA key, backup drive, training report, client sign-off checklist
- Avoid: fake premium numbers, insurer logos, vendor logos, compliance badges, padlocks, hoodies, matrix/cyber theatre, unreadable UI labels
- Crop needs: 1200x628 blog/OG, plus social-safe 1200x627
Source notes
External sources used:
- CISA, Cyber Guidance for Small Businesses
- CISA, #StopRansomware Guide
- CISA, Cybersecurity Performance Goals 2.0
- CISA, Multifactor Authentication
- FTC, Cybersecurity for Small Business
- NIST, SP 1300: NIST Cybersecurity Framework 2.0 Small Business Quick-Start Guide
- NIST, Small Business Quick-Start Guides
- Travelers, 5 Cyber Readiness Practices to Boost Your Cybersecurity
- Travelers, How Multifactor Authentication Can Help Protect Against Cyber Threats
- Huntress, Cybersecurity Insurance Requirements
Internal Defendwise links used:
- Preparing clients for cyber insurance questionnaires
- Measure security awareness effectiveness
- Internal phishing campaign
- How to choose the right vendor
- Start Free 7-Day Trial
Publication notes
- Product claims are limited to the current Defendwise source-of-truth register.
- No claims are made that awareness training guarantees insurance approval, lower premiums, fewer exclusions, or claim payment.
- The article should not be treated as legal, broker, or coverage advice.