How to Prepare a Cyber Insurance Submission in 2026: The Complete Broker's Guide
A step-by-step guide for insurance brokers preparing cyber submissions in 2026. Covers NIS2, DORA requirements, what underwriters actually check, common submission mistakes, and how the Instant Broker Scorecard cuts prep time from 3 hours to 3 seconds.
You have a submission meeting in 30 minutes. The carrier wants: domain exposure scan, prior claims history, financial statements, security questionnaire, and a completed application form. The broker who walks in with all five gets the best terms. The broker who walks in with just the application gets a referral to the declinations desk.
Cyber insurance submissions in 2026 are more demanding than ever. NIS2 enforcement is real. DORA is reshaping how financial entities assess risk. And carriers are using real-time attack surface data — not just questionnaires — to make binding decisions.
Here’s exactly what you need to prepare.
What Changed in 2026
Three shifts have made cyber submissions fundamentally harder this year:
- Attack surface data is now primary evidence — Underwriters run their own scans. If your submission claims strong security but their scan finds exposed RDP, expired certificates, and open Elasticsearch instances, your credibility is gone. They already know — your submission just tells them whether you’re honest about it.
- NIS2 compliance is a pricing factor — The June 2026 NIS2 audit deadline means carriers now treat NIS2 compliance as a proxy for security maturity. Non-compliance can add 30-50% to premiums or trigger outright declinations. Check your client’s NIS2 status with our free NIS2 Compliance Checker.
- Financial exposure quantification is expected — “High risk” doesn’t mean anything to a CFO. Carriers want estimated annualized loss expectancy in EUR. The Instant Broker Scorecard (IBS) converts technical findings into financial exposure ranges that underwriters can price against. See how it works.
The 7-Part Cyber Submission Checklist
1. Attack Surface Assessment (Your First Gate)
Before anything else, know what the carrier will find. Every major underwriter — Beazley, Allianz, CFC, Zurich — now uses external scanning as part of their quoting process.
Run a domain exposure scan on every entity in the submission:
- Subdomains exposed to the internet
- Open ports and services (RDP, SSH, databases)
- SSL/TLS certificate validity and configuration
- HTTP security headers (HSTS, CSP, X-Frame-Options)
- Email security (SPF, DKIM, DMARC records)
- Known breach history on associated domains
- Technology stack fingerprinting
Our Domain Exposure Checker runs all of these checks in under 30 seconds — the same checks underwriters run. If you find issues, you can remediate before the formal submission.
2. Completed Application Form (Still Required)
Yes, carriers still need the signed application. But in 2026, focus on these sections:
- Revenue breakdown — by geography and business line. EU revenue? You need NIS2/DORA compliance proof.
- IT environment description — cloud providers, SaaS tools, number of employees with access. Gaps here flag shadow IT risk.
- Third-party dependencies — carriers now ask about 4th parties. Your CRM vendor’s breach becomes your claim.
- Incident history — full disclosure. Carriers compare against CTI feeds. Omissions = voided policies.
3. Security Questionnaire (Make It Consistent With Scan Data)
This is where most submissions fail. The questionnaire says “MFA enabled on all external-facing systems” but your domain scan shows exposed RDP without MFA.
Rule #1: Never write anything in the questionnaire that contradicts your attack surface data. Carriers cross-reference.
Rule #2: Don’t overclaim. “MFA partially deployed with a 90-day rollout plan” is better than “MFA everywhere” when the scan shows otherwise.
Rule #3: Use the scan findings to inform your answers. If you found exposed services, note them and show a remediation plan. Proactive disclosure builds trust.
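The scan checks listed in part 1 and the consistency rules in part 3 can be turned into a repeatable pre-submission check. The Python below is an added example for this guide, not code from the page, the Domain Exposure Checker or the Instant Broker Scorecard. It evaluates a constructed scan result (open ports, certificate expiry, HTTP headers, SPF and DMARC records) into severity-rated findings, assigns an A-F letter with an assumed weighting (not the Scorecard's own formula), and then lists which questionnaire claims the scan data contradicts. The domain, port lists, severity weights, claim wording and sample records are all assumptions made for the example.

```python
"""Evaluate external scan findings and cross-check questionnaire claims.
Added example: all inputs, weights and thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import date

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed red-flag ports when reachable from the internet (not the tool's list).
RDP_PORTS = {3389}
DATABASE_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}
REQUIRED_HEADERS = {"strict-transport-security": "hsts-missing",
                    "content-security-policy": "csp-missing",
                    "x-frame-options": "xfo-missing"}
# Questionnaire statements and the finding ids that contradict each one.
CONTRADICTS = {
    "No remote desktop exposed to the internet": {"rdp-exposed"},
    "No databases reachable from the internet": {"db-exposed"},
    "DMARC enforced at quarantine or reject": {"dmarc-missing", "dmarc-none"},
    "All certificates valid and monitored": {"cert-expired", "cert-expiring"},
}

@dataclass(frozen=True)
class Finding:
    id: str        # stable identifier used by the questionnaire cross-check
    severity: str  # one of SEVERITY's keys
    detail: str

def check_ports(open_ports):
    """Flag remote-desktop and database services reachable from the internet."""
    out = []
    for port, service in sorted(open_ports.items()):
        if port in RDP_PORTS:
            out.append(Finding("rdp-exposed", "critical", f"{service} on {port} is internet-reachable"))
        elif port in DATABASE_PORTS:
            out.append(Finding("db-exposed", "critical", f"{service} on {port} is internet-reachable"))
    return out

def check_cert(not_after, today):
    """Expired certificate is critical; under 30 days left is high."""
    days = (not_after - today).days
    if days < 0:
        return [Finding("cert-expired", "critical", f"certificate expired {-days} days ago")]
    if days < 30:
        return [Finding("cert-expiring", "high", f"certificate expires in {days} days")]
    return []

def check_headers(headers):
    present = {k.lower() for k in headers}
    return [Finding(fid, "low", f"{name} header not set")
            for name, fid in REQUIRED_HEADERS.items() if name not in present]

def check_spf(txt_records):
    """Judge the SPF record by its terminal 'all' mechanism."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf-missing", "high", "no SPF record published")]
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all", "?all"):
        return [Finding("spf-permissive", "high", f"SPF ends with '{last}': any sender passes")]
    if last == "~all":
        return [Finding("spf-softfail", "medium", "SPF uses ~all (softfail) rather than -all")]
    if not last.endswith("all"):
        return [Finding("spf-no-all", "medium", "SPF has no terminal all mechanism (defaults to neutral)")]
    return []

def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [Finding("dmarc-missing", "high", "no DMARC record published")]
    policy = parse_tags(dmarc[0]).get("p", "none").lower()
    if policy == "none":
        return [Finding("dmarc-none", "medium", "DMARC policy is p=none (monitor only)")]
    if policy == "quarantine":
        return [Finding("dmarc-quarantine", "low", "DMARC policy is p=quarantine, not p=reject")]
    return []

def assess(scan, today):
    """Run every check over one scan result; most severe findings first."""
    txt = scan["txt"]
    findings = (check_ports(scan["open_ports"]) + check_cert(scan["cert_not_after"], today)
                + check_headers(scan["headers"]) + check_spf(txt.get(scan["domain"], []))
                + check_dmarc(txt.get("_dmarc." + scan["domain"], [])))
    return sorted(findings, key=lambda f: -SEVERITY[f.severity])

def grade(findings):
    """Assumed A-F mapping from the weighted sum of severities."""
    score = sum(SEVERITY[f.severity] for f in findings)
    for letter, limit in (("A", 0), ("B", 2), ("C", 5), ("D", 9)):
        if score <= limit:
            return letter
    return "F"

def cross_check(claims, findings):
    """Return the questionnaire claims that the scan findings contradict."""
    found = {f.id for f in findings}
    return [c for c in claims if CONTRADICTS.get(c, set()) & found]

# Constructed sample scan for a fictional client domain (no real data).
SAMPLE_TODAY = date(2026, 2, 10)
SAMPLE_SCAN = {
    "domain": "client.example",
    "open_ports": {22: "ssh", 443: "https", 3389: "rdp", 9200: "elasticsearch"},
    "cert_not_after": date(2026, 3, 1),
    "headers": {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"},
    "txt": {"client.example": ["v=spf1 include:_spf.mail.example ~all"],
            "_dmarc.client.example": ["v=DMARC1; p=none; rua=mailto:dmarc@client.example"]},
}
SAMPLE_CLAIMS = ["No remote desktop exposed to the internet",
                 "DMARC enforced at quarantine or reject",
                 "All certificates valid and monitored"]

if __name__ == "__main__":
    found = assess(SAMPLE_SCAN, SAMPLE_TODAY)
    for f in found:
        print(f"[{f.severity:8}] {f.id}: {f.detail}")
    print("grade:", grade(found))
    print("claims contradicted by scan:", cross_check(SAMPLE_CLAIMS, found))
```

Run against the constructed scan, the exposed RDP and Elasticsearch ports, the certificate 19 days from expiry and the softfail SPF and p=none DMARC records produce a grade of F, and all three sample questionnaire claims are reported as contradicted. The point of the cross-check is the one the text makes: a claim that the scan already disproves should be rewritten as a gap with a remediation plan before the pack leaves your desk.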
4. Financial Exposure Estimate
Every submission should now include a financial exposure estimate. Not a security rating letter grade — a number in EUR.
Carriers need to know:
- Estimated annualized loss expectancy based on company size, industry, and attack surface findings
- Worst-case scenario exposure (e.g., ransomware + data exfiltration + business interruption)
- Current coverage adequacy — does the requested limit match the exposure?
The Instant Broker Scorecard generates this automatically from domain exposure data, so you don’t need to guess.
5. NIS2 and DORA Compliance Evidence
If your client is an EU-based essential or important entity (or serves one), include:
- NIS2 scope confirmation — entity classification and applicable articles
- Compliance roadmap — what’s implemented, what’s in progress, what’s planned
- Audit evidence — penetration test results, risk assessments, incident response plan
- DORA ICT risk management — for financial entities, include third-party risk assessment
Non-compliant entities face premiums 30-50% higher or outright declinations from major carriers. Our NIS2 Compliance Guide covers what brokers need to verify.
6. Incident Response Plan
Carriers now ask for this as a standard submission document. It should include:
- Response team roles and contact information
- Forensic provider retainer (is one in place?)
- Communication plan — internal, customer, regulator, media
- Backup and recovery procedures — tested within the last 6 months
- Ransomware decision framework — under what conditions would they pay?
7. Claims History Analysis
Include a summary of all cyber incidents in the last 5 years, even ones that didn’t result in a claim. Carriers use this to assess:
- Security maturity trajectory (getting better or worse?)
- Incident response capability (how fast was containment?)
- Root cause patterns (same vulnerability exploited twice?)
5 Submission Mistakes That Kill Coverage Terms
Mistake 1: Submitting Without Scoping First
What happens: The carrier runs their scan, finds issues you didn’t disclose, and either loads the premium 40% or declines outright.
Fix: Run your own scan first using our Domain Exposure Checker. You get the same data the carrier will see — before they see it.
Mistake 2: Overstating Security Controls
What happens: The questionnaire says “MFA everywhere” but the scan shows exposed RDP. The carrier questions every answer. The submission gets flagged for review.
Fix: Be honest about gaps and show remediation plans. Underwriters reward transparency.
Mistake 3: Ignoring NIS2/DORA Compliance
What happens: The client is an EU manufacturing company with 300 employees. They’re in NIS2 scope but haven’t started compliance. Most carriers will decline or price at 2x standard.
Fix: Check NIS2 scope early and include compliance evidence in the submission pack.
Mistake 4: Walking in with Just the Application
What happens: The underwriter asks for your attack surface assessment, breach history analysis, and financial exposure estimate. You have a signed form and a hope.
Fix: Build a complete submission pack using the checklist above. It takes 3 minutes with the right tools.
Mistake 5: No Benchmarking Data
What happens: The underwriter has no context for whether your client’s security posture is good, bad, or average for their industry.
Fix: Include industry benchmark data. Show where your client ranks compared to peers. The Broker Scorecard includes this automatically.
How the Instant Broker Scorecard Changes the Game
The Instant Broker Scorecard (IBS) was built specifically for this workflow. Type a domain → 3 seconds later you have:
- Domain exposure grade (A-F) — same data underwriters use
- Financial exposure estimate in EUR — based on findings, industry, company size
- Underwriter recommendation — Bind / Bind with Conditions / Refer / Decline
- Industry benchmark — how this company compares to peers
- Top 3 actionable findings — what to fix before submission
- Printable PDF — attach directly to the submission binder
It’s a Pro feature at €49/month — unlimited scans, scorecards, and PDF downloads. Compare that to the 3 hours of manual research per submission this replaces.
Sample Submission Timeline
| T-7 Days | T-3 Days | T-1 Day | Submission Day |
|---|---|---|---|
| Collect financials, claims history | Run Domain Exposure Checker | Generate Broker Scorecard | Walk in with complete pack |
| Check NIS2/DORA scope | Remediate critical findings | Prepare questionnaire aligned with scan data | ✓ |
| Identify third-party dependencies | Gather compliance evidence | Review incident response plan | ✓ |
Tools to Speed This Up
- Domain Exposure Checker — Free domain scan (limited). Pro for unlimited.
- Instant Broker Scorecard — Pro feature. Turns scan data into underwriter-ready assessment.
- NIS2 Compliance Checker — Free. Check if your client is in scope.
- Breach Cost Calculator — Free. Estimate financial impact scenarios.
- Pre-Submission Risk Checker — Free. Preview what underwriters will find.
The Bottom Line
The 2026 cyber submission game is won before you walk in the door. Carriers have real-time attack surface data. They will verify every claim. If your submission shows you’ve done the work — scan, quantify, remediate, document — you get better terms. If you show up with just an application, you’re negotiating from a deficit.
The tools exist. They cost €49/month. The alternative is three hours of manual research per submission — and still getting beaten by the broker who used automation.
Ready to build your next submission in 3 seconds? Try the Instant Broker Scorecard.