A small carpet-cleaning business in Halifax wires $47,000 to what looks like the correct vendor. Two days later the owner realises the wire went to an account that is not the vendor's. The owner calls their broker. The broker files the claim under the cyber crime coverage the owner has been paying premium on for eighteen months.

The carrier requests the underwriting application. Question 14 on the application reads: "Does your organisation enforce multi-factor authentication on all email accounts, including administrator accounts?" The application returned Yes.

The carrier's forensic contractor requests tenant configuration data. Multi-factor authentication was enabled on the mailboxes. It was configured with SMS as a fallback for administrator accounts. Under the policy's rescission clause, this constitutes material misrepresentation of a control the underwriter relied on to price the risk. The claim is denied. The owner then sues the broker.

Eighteen months later, after the E&O claim, after the discovery process, after two settlement conferences and one mediation, the broker has spent a six-figure sum defending the placement, and the owner has recovered a fraction of the original loss. The wire fraud that started the whole thing was for less than a fifth of the eventual cost of the fight over whether it was covered.

This is not a hypothetical. The claim path above is now common enough that at least three major cyber carriers have published position statements on application-driven rescissions in the last twenty-four months.

The underwriting evolution

The cyber-insurance line went from soft-market growth to hard-market discipline between roughly 2020 and 2024. Loss ratios on early cyber portfolios ran above 100 percent for several carriers. Ransomware payment volume peaked, then partially receded. Business email compromise loss frequency stayed high. Carriers responded by tightening what they underwrite to and what they underwrite for.

The application form is where that tightening lands. Applications from 2019 asked five to seven questions about the applicant's security posture. Applications from 2025 ask thirty to sixty. The questions are more specific. They ask about controls the small-business owner cannot reasonably confirm without either an internal audit or an external assessment. The applications are typically completed at the point-of-sale by the broker sitting next to the owner, working through a checklist that neither of them has the tenant configuration data to answer with defensible accuracy.

The gap between "we checked yes" and "the carrier verified" is where claim denials now live.

The questions clients cannot actually answer

Below are questions drawn from the current-generation application forms of three carriers writing cyber coverage in the North American mid-market. The wording differs. The intent does not.

Multi-factor authentication scope and type

The application does not ask "do you have multi-factor authentication." It asks whether the client enforces phishing-resistant multi-factor authentication on all administrator accounts, on remote access, and on cloud email. It asks specifically about SMS-based factors, because SMS is not considered phishing-resistant. The distinction between "we have MFA" and "we have phishing-resistant MFA on all admin accounts, no SMS anywhere in the flow" is technical. Most small-business owners cannot describe the difference. Most brokers do not verify before the application returns.

Backup air-gap and restoration testing

The application asks whether backups are immutable, offline, and tested. Immutable means the backup cannot be modified or deleted by an attacker holding the primary system credentials. Offline means the backup is not reachable from the primary network. Tested means the restoration procedure has been executed against a real recovery objective within the last twelve months. Almost no small-business backup setup meets all three conditions out of the box. Almost every application returns Yes.

Documented incident response plan

The application asks whether the applicant has a written, current, and reviewed incident response plan. This is a document, not a control. Its existence is the specific artefact carriers request during claim-adjustment. A well-intentioned Yes answer that turns out to reference a two-page document last edited in 2019 is not, in the carrier's view, an incident response plan. The application answer stands.

Email authentication posture

The application asks about DMARC, SPF, and DKIM configuration on the applicant's sending domain. This is a technical control specific enough that the small-business owner has almost never heard of it. When the broker answers "yes" on their behalf, based on the assumption that a modern email provider must handle this, the carrier can verify the actual DNS configuration in seconds and record whether the posture matches the application.

Third-party risk management

The application asks whether the applicant maintains a documented vendor risk-management programme. Small businesses do not. The Yes answer, driven by the assumption that "we know our vendors" is equivalent to a programme, is a specific carrier-verifiable misrepresentation.

The broker E&O exposure

The historical case law on application-driven rescissions in the general insurance context runs against the insured. Where an application contains a material misrepresentation, the carrier's rescission right is broadly upheld. What has changed in the cyber line is that the underwriting questions are now specific enough that the misrepresentation is easily provable after the fact.

The broker's role in the application process creates a downstream duty of reasonable care. When a client sues after a denial, the sequence of interest is: what did the broker say the questions meant, what did the broker verify before returning the answers, what documentation did the broker retain of the client's stated posture at the point of sale, and what did the broker recommend the client do to reach the posture the application described.

Two of the meaningful cases in this line ran in the US commercial insurance market. Cottage Health System v. Columbia Casualty saw the carrier rescind a $4.125 million data-breach settlement recovery, citing application misrepresentation on encryption controls. Merck v. ACE American Insurance produced the war-exclusion argument that reshaped how cyber policies are worded, and in doing so exposed the way courts read policy language against carriers that draft ambiguously. The current-generation applications are drafted with those cases in mind. They are tighter. They ask what they mean to ask. The Yes answers stand as declared.

Brokers who write cyber coverage in the mid-market are increasingly caught between two obligations. The duty to help the client obtain coverage. The duty of reasonable care in the placement. When the application answers are demonstrably untrue at the point of a claim, the second duty gets tested first.

What brokers can do about it

The gap between the application and the audit is closable. The steps below are the ones brokers who take the E&O exposure seriously are moving toward.

Pre-application posture verification

Before the application returns, the client's external attack surface, cloud email configuration, backup posture, and documented plans are verified against the specific questions the application will ask. What the broker cannot see internally, an external assessment can. What the client answers is the actual state of the posture at submission, not the state the client assumed.

Documented remediation before submission

Where a client's actual posture is behind what the application requires, the remediation is completed before the application returns. This is not a cost-avoidance exercise for the client. It is coverage protection. The carrier's audit will find what was there at the time of underwriting, not what was there at the time of the claim.

Ongoing monitoring during the policy term

The application is a point-in-time declaration. Cyber posture drifts. A client that met the application's standard at issue can fail the standard at renewal or at a mid-term claim. Continuous monitoring keeps the answer true and gives the broker a documented record of the client's posture throughout the policy term. That record is the broker's affirmative defence when the carrier questions the placement.

Discovery-of-loss playbook

When a client reports a loss, the broker's first calls are as important as the claim submission itself. Preserving logs, capturing configuration state, and documenting the incident timeline before it degrades gives the adjuster the material to defend coverage rather than the material to deny it.

Why this matters now

Cyber coverage remains one of the fastest-growing lines in the professional-services insurance mid-market. It is also the line where the gap between what the application declares and what the carrier verifies is widest, and where the E&O exposure to the placing broker is most acute. Brokers who close the gap for their clients before the application goes in, and monitor for it during the policy term, keep both the client coverage collectible and their own book insurable.

The alternative is discovering the misrepresentation on the second day of the wire-fraud investigation, in front of a client who has already paid eighteen months of premium expecting to be covered.