The renewal questionnaire is longer than it used to be. A few years ago, cyber insurance for a dealership was a one-page form and a handshake. Now it is a technical audit, and the dealership cyber insurance requirements on that form decide whether you get coverage, what you pay, and whether a future claim gets paid at all.
If you have ever stared at a renewal questionnaire wondering what half the acronyms mean, this is for you. We will walk through the controls underwriters actually check, in plain language, and explain what each one means for a small lot with one to three rooftops.
Why renewals are getting denied
Underwriting moved from "do you have security" to "prove it." Carriers paid out heavily on ransomware claims, so they tightened the rules. Many now run an external scan of your systems during underwriting, and brokers cite missing multi-factor authentication, missing endpoint protection, or weak backups as standalone reasons for refusal.
Stolen credentials remain the most common way attackers get in, according to the Verizon 2025 Data Breach Investigations Report, which is exactly why the questionnaire leads with the controls below. There is a money angle too, not just a yes-or-no one. Industry guidance suggests that strong, documented controls can move a premium meaningfully in either direction at renewal, so the questionnaire decides not only whether you are covered but also what you pay.
For a small lot, that is the difference between a planned line item and an unwelcome surprise. And because a large share of carriers now scan your systems from the outside before they quote, the answers you give are checked against what they can actually see. The questionnaire is not paperwork. It is a prevention-and-recovery test: can you keep attackers out, and can you recover fast if one gets in?
The controls underwriters check
Different carriers word it differently, but the same core controls show up on nearly every application. Here they are in plain English.
- Multi-factor authentication (MFA). A second step beyond the password, especially on email, remote access, and the DMS. Microsoft reports MFA blocks more than 99.2 percent of account-compromise attacks, which is why it is the first box underwriters look at.
- Endpoint detection and response (EDR or MDR). Modern protection on every computer that watches for suspicious behavior, not just known viruses, and can isolate a machine fast. Legacy antivirus alone is no longer accepted.
- Tested, immutable backups. Backups that cannot be altered by an attacker and that you have actually restored from. A backup you have never tested is a hope, not a plan.
- A written incident response plan. Who calls whom, in what order, when something breaks. Carriers increasingly want evidence of a recent tabletop, which is a practice run of the plan.
- Patch management. Keeping software and systems updated on a schedule, and removing software that is past end of life.
- Email security and anti-phishing. Filtering plus the email authentication settings (SPF, DKIM, DMARC) that stop spoofing, backed by staff awareness.
- Access control and least privilege. People get access to only what they need, and access is removed the day someone leaves.
- Security awareness training. Regular training so staff recognize the phishing emails that start most breaches.
- Asset inventory and documentation. A current list of your devices and systems, plus the screenshots, logs, and reports that prove the other controls are actually in place.
None of these nine are exotic, and none of them require a server room. They are the same controls a careful small business would want anyway. What trips dealerships up is not difficulty, it is ownership. At a busy lot, MFA never gets enforced on the DMS, the backup never gets tested, and the incident plan never gets written, because it is nobody's actual job. The questionnaire simply surfaces those gaps at the least convenient moment, right when you need coverage bound.
What "we have antivirus" misses
Plenty of owners answer the questionnaire with "we have antivirus and a firewall" and assume that covers it. It does not, for three reasons. Legacy antivirus only catches threats it already recognizes, while modern attacks change shape to slip past it. Antivirus does nothing about the human side, the stolen password or the phishing click that causes most breaches. And it produces no evidence, while underwriting is now evidence-based. Checking "yes" on a control you cannot back up with a screenshot or a report is how claims get denied later, after an incident, when the carrier asks you to prove the answer you gave.
How to get bindable in weeks
Here is the encouraging part: the fastest controls to put in place are also the highest-impact ones. MFA can usually be turned on in one to two weeks, and EDR in two to four. Applications that arrive with the controls already in place often clear underwriting in two to four weeks, while applications that need fixes can stretch to two or three months.
The move is to close the gaps before you submit, then submit with an evidence packet: MFA enforcement, EDR deployment, backup restore tests, training records, and a dated incident response plan. Strong controls do more than win approval; they pull premiums down at renewal. Underwriters reward proof, not promises, so a dealership that hands over a clean evidence packet often sees both faster approval and better terms than one that simply checks boxes.
Assumption, labeled plainly: exact timelines and premium effects vary by carrier, your current setup, and your broker. Treat the ranges above as typical, not as guarantees.
Where Flynaut fits
For most independent dealers, the realistic path is not staffing an IT security team to chase a renewal once a year. It is having one. Flynaut becomes your IT and security team: we put these controls in place, build the evidence packet your underwriter wants, and keep it current so next year's renewal is a formality instead of a fire drill.
We are not insurance brokers, and this is not insurance or legal advice. We build and run the security program behind your answers, and we recommend you confirm coverage details with your broker. If your renewal is coming up, do not wait for the questionnaire to tell you what is missing. Find out first, while there is still time to fix it.
Sources & notes
Verizon 2025 Data Breach Investigations Report (stolen credentials as top initial access vector); Microsoft (MFA blocks 99.2 percent+ of account-compromise attacks); carrier and broker cyber-insurance underwriting guidance, 2025 to 2026.