What underwriters are really asking when they ask about IR plans

Understand what cyber underwriters really need in IR plans. Learn why testing matters and what documentation to prepare for renewals.

Overview

When underwriters ask 'Do you have an incident response plan?', they are distinguishing between three levels of readiness: having a document (lowest), maintaining current documentation (middle), and actively testing the plan (highest). The cost of a data breach for companies without a tested IR plan is 55% higher than for those with one, which explains why underwriters prioritize proof of testing.

Underwriters ask specifically for:

  • a written incident response plan documenting roles, responsibilities, communication procedures, and escalation paths;
  • evidence that the plan has been tested through tabletop exercises or simulations within the past 12 months;
  • proof that the plan is current and reflects the actual organizational structure and contact information.

A document created two years ago without testing is insufficient. Underwriters rank incident response planning among the effective controls associated with lower breach probability, alongside EDR and logging/monitoring. The key distinction is that brokers must provide proof of recent testing, not just the existence of a plan document.

Key Facts

  • IR plan document alone is insufficient — testing required as proof of readiness.
    Source: BindLedger Research
  • Plan must be current: outdated plans (2+ years old without updates) are rejected.
    Source: BindLedger Research
  • Testing proof: tabletop exercise or simulation results within 12 months, showing who participated and findings.
    Source: BindLedger Research
  • Contact accuracy: IR plan must reflect current organizational structure and phone numbers.
    Source: BindLedger Research

How it Works Today

Current Manual Process

  • The cyber application asks 'Do you have an IR plan?'
  • The client answers 'yes'.
  • The broker receives a PDF from IT and forwards it to the underwriter.
  • The underwriter asks 'When was it last tested?'
  • If the plan is untested, a contingency is issued or the application is rejected.

Friction Points

  • Application language doesn't clarify that testing is required.
  • Brokers are often unaware of the testing requirement.
  • Clients may have plans but no test documentation.
  • There is no standardized format for test results.

Ideal Output

A structured IR plan attestation showing:

  • plan creation/update date;
  • roles and participants;
  • test date and type (tabletop/simulation);
  • test findings summary;
  • proof of plan distribution to the team.

Plus a template for an IR plan testing checklist.
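The attestation above can be checked mechanically against the criteria this page states (testing within 12 months, plan not 2+ years old without an update, current contacts, documented roles, participants and findings on record). The following is an added example, not BindLedger's code or the Evidence Room format: the record field names, the two thresholds and the sample records are this example's own constructed assumptions. It classifies a record into the three readiness levels from the Overview and lists the gaps an underwriter would come back with.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Thresholds derived from the page's stated criteria (assumed exact values):
# test evidence must be within the past 12 months; a plan 2+ years old
# without an update is treated as stale.
TEST_WINDOW_DAYS = 365
STALE_PLAN_DAYS = 730
ACCEPTED_TEST_TYPES = ("tabletop", "simulation")


@dataclass
class IRPlanAttestation:
    """Structured attestation record. Field names are this example's own."""
    plan_updated: date                          # last creation/update date
    roles: List[str] = field(default_factory=list)  # documented roles/responsibilities
    contacts_verified: bool = False             # contact list matches current org chart
    distributed_to_team: bool = False           # proof the plan was circulated
    test_date: Optional[date] = None            # most recent exercise, if any
    test_type: Optional[str] = None             # "tabletop" or "simulation"
    participants: List[str] = field(default_factory=list)
    findings_summary: str = ""


def underwriter_gaps(a: IRPlanAttestation, as_of: date) -> List[str]:
    """Return the items an underwriter would flag as missing or stale."""
    gaps: List[str] = []
    if not a.roles:
        gaps.append("no roles/responsibilities documented")
    if (as_of - a.plan_updated).days >= STALE_PLAN_DAYS:
        gaps.append("plan older than 2 years without update")
    if not a.contacts_verified:
        gaps.append("contact information not verified against current org structure")
    if not a.distributed_to_team:
        gaps.append("no proof of distribution to the team")
    if a.test_date is None:
        gaps.append("no tabletop exercise or simulation on record")
    else:
        if (as_of - a.test_date).days > TEST_WINDOW_DAYS:
            gaps.append("most recent test older than 12 months")
        if a.test_type not in ACCEPTED_TEST_TYPES:
            gaps.append("test type not specified as tabletop or simulation")
        if not a.participants:
            gaps.append("test record does not list participants")
        if not a.findings_summary.strip():
            gaps.append("test record has no findings summary")
    return gaps


def readiness_level(a: IRPlanAttestation, as_of: date) -> str:
    """Map a record onto the page's three levels: document < current < tested."""
    current = (
        (as_of - a.plan_updated).days < STALE_PLAN_DAYS
        and a.contacts_verified
        and bool(a.roles)
    )
    tested = (
        a.test_date is not None
        and (as_of - a.test_date).days <= TEST_WINDOW_DAYS
        and a.test_type in ACCEPTED_TEST_TYPES
        and bool(a.participants)
        and bool(a.findings_summary.strip())
    )
    if current and tested:
        return "tested"
    if current:
        return "current"
    return "document"


# Constructed sample records, evaluated as of a fixed renewal date.
AS_OF = date(2025, 6, 1)
SAMPLES = {
    # PDF from two-plus years ago, never exercised
    "stale": IRPlanAttestation(plan_updated=date(2023, 1, 15), roles=["IR lead"]),
    # maintained plan, but no exercise on record
    "current_untested": IRPlanAttestation(
        plan_updated=date(2025, 3, 1), roles=["IR lead", "Comms"],
        contacts_verified=True, distributed_to_team=True),
    # maintained plan with a tabletop inside the 12-month window
    "tested": IRPlanAttestation(
        plan_updated=date(2025, 3, 1), roles=["IR lead", "Comms", "Legal"],
        contacts_verified=True, distributed_to_team=True,
        test_date=date(2025, 1, 20), test_type="tabletop",
        participants=["CISO", "Legal", "IT ops"],
        findings_summary="Escalation path to legal took 40 minutes; updated."),
    # maintained plan whose last exercise is older than 12 months
    "old_test": IRPlanAttestation(
        plan_updated=date(2025, 3, 1), roles=["IR lead"],
        contacts_verified=True, distributed_to_team=True,
        test_date=date(2024, 4, 10), test_type="simulation",
        participants=["CISO"], findings_summary="Backups restored in 6h."),
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {readiness_level(record, AS_OF)}")
        for gap in underwriter_gaps(record, AS_OF):
            print(f"  - {gap}")
```

The gap list is the part worth handing to the client: a "current" result with a single "no tabletop exercise or simulation on record" entry tells them exactly what the contingency will ask for, before the underwriter does.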

BindLedger Tool Handoff

Ready to streamline this workflow?

Use Evidence Room
Sources

Underwriters want evidence of regular tabletop exercises and a clear, actionable plan for the first few hours of a breach.

The cost of a data breach for companies without a tested IR plan is 55% higher, explaining underwriter prioritization.

Incident response planning ranks among effective controls associated with lower breach-based claim probability.