If you are searching for the Coalition cyber application PDF, you probably do not need a vague blog post about cyber insurance.
You need to know what the document is actually asking, what evidence answers it cleanly, and where the dangerous guesses live.
That is what this guide is for.
Coalition's help center still points brokers to its new business application, renewal application, US client questionnaire, and ransomware supplemental. The new business Coalition Cyber Policy Application is short by insurance standards. That is exactly why it gets underestimated. A short cyber application is not a low-risk application. It is a compressed one.
Key takeaways
- Coalition's PDF is short, but each answer carries real underwriting and claims consequences.
- The application is really testing a handful of issues: loss history, known circumstances, device encryption, recoverability, MFA by access path, and fraud-prevention procedures.
- The safest way to answer the PDF is not checkbox first. It is evidence first, answer second.
- The teams that get in trouble usually do not lie outright. They over-compress messy technical reality into a clean "Yes."
The short answer is this:
Coalition's application is primarily underwriting operational truth. The PDF wants to know whether you have already had material incidents, whether you know about one that is coming, whether endpoints are encrypted, whether backups are genuinely recoverable, whether MFA is enforced on the specific access paths attackers use, and whether your finance workflow can stop a fraudulent funds transfer. The rest of the form supports fit, disclosure, or adjacent coverage questions.
Which Coalition document are you actually looking at?
Coalition's own application help page lists several separate artifacts:
- Coalition Cyber Policy - New business application
- Coalition Cyber Policy - Renewal application
- Coalition US Client Questionnaire
- Coalition Canada and UK questionnaires
- Ransomware Supplemental Questionnaire
That matters because people often use the wrong document name when they mean "the Coalition PDF."
This article focuses on the Coalition Cyber Policy Application currently linked by Coalition's help center and publicly distributed as form CYUSP-00NA-1022-01. If you are working a renewal, the renewal workflow may be prefilled or routed slightly differently, but the core underwriting logic is close enough that this guide still helps.
If you want the broader operational prep guide rather than the line-by-line PDF breakdown, pair this page with How to Answer the Coalition Cyber Insurance Application.
Read the PDF with the right mental model before you touch a checkbox
Before the individual questions, four lines on the Coalition application matter more than the rest.
First, the form says the liability insuring agreements are claims-made and reported.
Second, it says the limit available to pay judgments or settlements is reduced by defense and claims expenses, and that defense and claims expenses also apply against the retention.
Third, it says that if a policy is issued, the application attaches to and becomes part of the policy.
Fourth, the signature section says the application has been completed after reasonable inquiry, the statements are true and complete to the best of the signer's knowledge, and material misstatements or misrepresentations can support disclaimer of claims or rescission under applicable law.
That is the mental model.
This is not a casual intake form. It is a representation about what is true in the environment at underwriting.
A one-screen view of what Coalition is really asking
| Question area | What Coalition literally asks | What Coalition is really testing | Best evidence |
|---|---|---|---|
| Business fit and prior events | Industry, domains, claims/incidents, known circumstances | Whether the risk fits Coalition's appetite and whether there is undisclosed known loss | Prior applications, incident history, broker disclosure notes |
| Q3 Encryption | Are laptops, desktops, and portable media encrypted? | Whether lost or stolen devices are a major breach vector | Managed device encryption report |
| Q4 Data footprint | Do you handle PCI, PII, or PHI, and how much? | Exposure magnitude and data sensitivity | PCI/PII/PHI inventory and counts |
| Q5 Backups | Weekly backups of critical data and systems offline or on a separate network? | Recoverability after ransomware or destructive events | Backup job history, repository architecture, restore-test proof |
| Q6a-d MFA | Email, VPN, remote access, privileged accounts | Whether MFA is enforced on attacker-preferred access paths | IAM policy exports, VPN config, RDP / remote tool controls |
| Q7a-c Funds transfer validation | Secondary communication for transfers and banking-detail changes | Whether the business can stop BEC-driven financial fraud | Treasury/AP procedures, callback verification workflow |
| Q8-11 E&O and media | Concurrent E&O / PI, prior complaints, takedown procedures | Whether adjacent professional and media exposures exist | Current policies, legal / marketing procedures |
That table is the compressed version.
The rest of this guide expands each piece.
The top of page 1: Coalition is screening fit before it gets to controls
Before the numbered control questions, the application asks for:
- named insured,
- website and email domains,
- address,
- industry,
- employee count,
- revenue / gross profit,
- and whether the named insured is engaged in businesses such as adult content, cryptocurrency / blockchain, gambling, payment processing, or MSP / MSSP / remote network administration services.
This is not just identity collection. It is appetite screening.
Two practical implications follow:
Domain list accuracy matters
Coalition explicitly asks for all website addresses including web and email domains. Do not answer this lazily.
If the organization uses multiple email domains, marketing domains, or legacy domains that still receive mail or host client-facing content, include them. Domain inventory is one of the easiest places for "reasonable inquiry" to turn into "we forgot about that old domain."
The business model answer matters more than some teams expect
Payment processing, MSP services, and remote administration services are not trivial descriptors in cyber underwriting. They change exposure shape. If the insured does a meaningful amount of this work, do not bury it under a generic industry label.
Q1: Prior cyber incidents, claims, or losses
Coalition asks whether, in the past three years, the named insured experienced a cyber incident, claim, or loss that could have been covered under a similar policy. It then gives examples: data breaches or security failures, privacy or network-security claims, government action or subpoenas, and actual or attempted extortion demands. If the answer is yes, Coalition wants count, total loss amount, whether any single event exceeded $25,000, and what was done to remediate.
What Coalition literally wants
A truthful loss-history disclosure.
What Coalition is really testing
Whether there is an existing pattern of loss, whether the risk has matured since prior events, and whether the insured has a habit of under-describing incidents.
What answers it cleanly
- Prior claim summaries
- Internal incident log
- Broker notes from prior placement
- A short chronology of what happened and what changed afterward
Where teams get into trouble
They interpret "incident" too narrowly.
If there was a BEC event, an extortion attempt, a privacy complaint, or a material security event that did not become a formal insurance claim, do not assume it falls outside the question. The application itself is broad.
Q2: Knowledge of any fact or circumstance that could give rise to a claim
Coalition then asks whether the insured has knowledge of any fact, circumstance, situation, or event that could reasonably give rise to a claim or loss under the proposed insurance. If yes, any claim or loss arising from that known matter is excluded.
This is one of the most consequential questions on the form.
What Coalition literally wants
A disclosure of known-but-not-yet-claimed problems.
What Coalition is really testing
Whether the insured is trying to bind coverage while already aware of a likely incident or claim scenario.
What answers it cleanly
- Internal incident escalations
- Active legal or regulatory notices
- Open forensics or breach-investigation threads
- Written confirmation from leadership that no such known circumstances remain undisclosed
Where teams get into trouble
They answer this as if it only means "a filed claim."
That is not what the PDF says.
If the organization already knows of a serious compromise, unresolved suspicious activity, or an event reasonably likely to generate a claim, the clean answer may not be "No."
Q3: Encryption on laptops, desktops, and portable media
Coalition asks whether the named insured implements encryption on laptop computers, desktop computers, and other portable media devices.
That sounds simple. It is not.
What Coalition literally wants
A statement about endpoint encryption.
What Coalition is really testing
Whether a stolen or lost device can turn into a reportable breach and claims event.
What answers it cleanly
- BitLocker status report for Windows devices
- FileVault status report for macOS devices
- MDM or endpoint-management export showing managed encryption state
- Procedure for removable media if it is allowed at all
Where teams get into trouble
They answer from policy intent instead of current managed state.
"BitLocker is supposed to be on" is not evidence. "Encryption is enforced by policy" is not the same as "every relevant endpoint is currently encrypted."
A careful answer also checks desktops. Many teams read "portable devices" and mentally skip the desktop language. Coalition did not.
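The difference between policy intent and current managed state is easiest to see when you actually process an endpoint-management export. The following Python script is an added example, not Coalition's form or any MDM vendor's tool: it reads a constructed device report (the column names are assumptions; map them to whatever your MDM exports), buckets laptops and desktops separately, treats devices that have not checked in for 30 days as unknown rather than encrypted, and lists devices that have the encryption policy assigned but are not actually encrypted.

```python
"""Summarise managed endpoint encryption state for Q3 from an MDM export.

Added example (not Coalition's or any vendor's code). The CSV layout, field
names and staleness window are assumptions; adapt them to your MDM. The point
is to answer from the current state of every laptop AND desktop, not from
"BitLocker is supposed to be on".
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export modelled loosely on a generic MDM device report.
SAMPLE_EXPORT = """\
device_name,os,device_type,encryption_state,policy_assigned,last_checkin
LT-001,Windows,laptop,Encrypted,Yes,2026-03-01T09:12:00Z
LT-002,Windows,laptop,NotEncrypted,Yes,2026-03-01T10:40:00Z
DT-010,Windows,desktop,Encrypted,Yes,2026-02-28T17:05:00Z
DT-011,Windows,desktop,NotEncrypted,No,2026-02-27T08:00:00Z
MB-020,macOS,laptop,Encrypted,Yes,2026-03-01T11:00:00Z
MB-021,macOS,laptop,Encrypted,Yes,2025-12-15T11:00:00Z
"""

AS_OF = datetime(2026, 3, 2, tzinfo=timezone.utc)  # constructed reporting date
STALE_AFTER = timedelta(days=30)  # assumption: older check-ins are not evidence


def parse_export(text):
    """Parse the CSV export and convert check-in timestamps to aware datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["last_checkin"] = datetime.fromisoformat(r["last_checkin"].replace("Z", "+00:00"))
    return rows


def classify(row, as_of=AS_OF):
    """Return 'encrypted', 'not_encrypted' or 'stale' for one device.

    A device that has not reported recently is treated as unknown, because a
    months-old "Encrypted" flag says nothing about the device today.
    """
    if as_of - row["last_checkin"] > STALE_AFTER:
        return "stale"
    return "encrypted" if row["encryption_state"] == "Encrypted" else "not_encrypted"


def encryption_summary(text, as_of=AS_OF):
    """Bucket devices by type; collect devices where policy is assigned but state is not encrypted."""
    summary = {}
    for r in parse_export(text):
        bucket = summary.setdefault(
            r["device_type"], {"encrypted": 0, "not_encrypted": 0, "stale": 0, "policy_only": []}
        )
        state = classify(r, as_of)
        bucket[state] += 1
        # "Policy says encrypt" without a confirmed encrypted state is intent, not evidence.
        if state != "encrypted" and r["policy_assigned"] == "Yes":
            bucket["policy_only"].append(r["device_name"])
    return summary


def can_answer_yes(summary):
    """A clean Q3 'Yes' needs every laptop and desktop confirmed encrypted, none stale."""
    return all(b["not_encrypted"] == 0 and b["stale"] == 0 for b in summary.values())


if __name__ == "__main__":
    s = encryption_summary(SAMPLE_EXPORT)
    for device_type, bucket in s.items():
        print(device_type, bucket)
    print("Q3 supportable as Yes:", can_answer_yes(s))
```

In the constructed sample, both device types have gaps, and two devices (LT-002, MB-021) would have been counted as compliant by anyone reading the policy assignment column alone; that list is what belongs in the summary sheet as a documented exception or a remediation note.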
Q4: PCI, PII, PHI, and data volume
Coalition asks whether the insured collects, processes, stores, transmits, or has access to PCI, PII, or PHI other than employee data. If yes, it asks for annual transaction volume and counts of PII / PHI records.
What Coalition literally wants
A data-footprint statement.
What Coalition is really testing
How much sensitive data the insured touches and how severe a privacy or payment-card event could become.
What answers it cleanly
- PCI transaction counts from the payment processor
- Customer / member / patient record counts from systems of record
- A short narrative of where the data sits and who administers it
- Third-party hosting or processor context, if relevant
Where teams get into trouble
They underestimate "has access to."
If the business does not store the card data itself but can still access it operationally through a portal, vendor console, or support workflow, that may still matter. The safest answer comes from the actual data flow, not from a comforting simplification like "the vendor handles that."
Q5: Weekly backups of critical data and systems offline or on a separate network
This is one of the shortest questions and one of the most overloaded.
Coalition asks whether the insured maintains at least weekly backups of all sensitive or otherwise critical data and all critical business systems offline or on a separate network.
There are four tests inside that single checkbox:
- frequency,
- scope,
- system coverage, and
- isolation.
What Coalition literally wants
A yes / no statement about backup practice.
What Coalition is really testing
Whether the business could recover after ransomware or destructive system compromise.
What answers it cleanly
- Recent backup job history
- Backup scope inventory
- Architecture diagram or narrative showing isolation
- Restore test result, even if the form does not explicitly ask for it
Where teams get into trouble
They answer based on the presence of backup software.
That is not enough.
A strong verification process checks:
- whether jobs are actually succeeding,
- whether all critical systems are covered,
- whether backups are separated enough that the same compromise cannot wipe production and backup together,
- and whether the organization has proven recoverability, not just retention.
If you need the deeper backup version of this question, pair this page with How to Prove Backup Immutability for Cyber Insurance Renewals.
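The four tests packed into the Q5 checkbox (frequency, scope, system coverage, isolation), plus the restore-test proof a careful verifier adds, can be run as a script over the backup job history rather than from memory. The Python below is an added example, not Coalition's or any backup vendor's code; the critical-system inventory, repository list, job records, field names and the seven-day window are constructed assumptions standing in for your own backup console export.

```python
"""Check backup evidence against the tests inside Coalition's Q5.

Added example, not Coalition's form or any backup product's API. Inventory,
repositories, job history and restore-test records are constructed; the
field names are assumptions to map onto your own backup console export.
"""
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2026, 3, 2, tzinfo=timezone.utc)  # constructed reporting date
MAX_AGE = timedelta(days=7)  # "at least weekly"

# Constructed critical inventory: "data" answers the scope test, "system" the system-coverage test.
CRITICAL = {
    "fileserver-01": "data",
    "erp-db": "data",
    "dc-01": "system",
    "erp-app": "system",
    "hr-share": "data",
}

# Constructed repositories. "isolated" = offline, immutable, or on a network segment
# that production credentials cannot reach.
REPOSITORIES = {
    "nas-prod": {"isolated": False},
    "immutable-object": {"isolated": True},
}

# Constructed job history. Only successful runs count as evidence.
JOBS = [
    {"source": "fileserver-01", "repo": "immutable-object", "status": "Success", "finished": "2026-03-01T02:00:00Z"},
    {"source": "erp-db", "repo": "immutable-object", "status": "Success", "finished": "2026-03-01T03:00:00Z"},
    {"source": "dc-01", "repo": "nas-prod", "status": "Success", "finished": "2026-02-20T02:00:00Z"},
    {"source": "erp-app", "repo": "immutable-object", "status": "Failed", "finished": "2026-02-10T02:00:00Z"},
    # hr-share has no job at all: backup software is installed, but the share is not in scope.
]

# Constructed: last successful restore test per source.
RESTORE_TESTS = {"erp-db": "2026-01-20"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def latest_success(jobs):
    """Map each source to (timestamp, repo) of its most recent successful job."""
    latest = {}
    for j in jobs:
        if j["status"] != "Success":
            continue
        t = _ts(j["finished"])
        if j["source"] not in latest or t > latest[j["source"]][0]:
            latest[j["source"]] = (t, j["repo"])
    return latest


def evaluate_backups(critical=CRITICAL, jobs=JOBS, repos=REPOSITORIES,
                     restore_tests=RESTORE_TESTS, as_of=AS_OF):
    """Return, per test, the critical items that fail it."""
    findings = {"frequency": [], "data_scope": [], "system_coverage": [],
                "isolation": [], "restore_proof": []}
    latest = latest_success(jobs)
    for name, kind in critical.items():
        if name not in latest:
            # No successful backup at all: a scope or coverage gap, depending on kind.
            findings["data_scope" if kind == "data" else "system_coverage"].append(name)
            continue
        t, repo = latest[name]
        if as_of - t > MAX_AGE:
            findings["frequency"].append(name)
        if not repos[repo]["isolated"]:
            findings["isolation"].append(name)
        if name not in restore_tests:
            findings["restore_proof"].append(name)
    return findings


def supports_yes(findings):
    """Q5 literally asks about frequency, scope, coverage and isolation.
    Restore proof is the extra evidence that makes the 'Yes' defensible."""
    return not (findings["frequency"] or findings["data_scope"]
                or findings["system_coverage"] or findings["isolation"])


if __name__ == "__main__":
    f = evaluate_backups()
    for test, failures in f.items():
        print(f"{test:16s} {'PASS' if not failures else 'FAIL: ' + ', '.join(failures)}")
    print("Q5 supportable as Yes:", supports_yes(f))
```

In the constructed data every item looks "backed up" from the console's job list, yet the script finds a stale job, an unisolated repository, a system whose only job failed, and a share that was never in scope. Those four findings are exactly what an underwriter would want explained rather than compressed into a checkbox.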
Q6: MFA - the most important section of the PDF
Coalition does something more disciplined than many carriers here.
It does not ask "Do you have MFA?"
It splits MFA by access path:
- 6a Email
- 6b VPN
- 6c RDP, RDWeb, RD Gateway, or other remote access
- 6d Network / cloud administration or other privileged user accounts
This is the right question design.
Why Coalition splits MFA by access path
Because a global "Yes, we have MFA" tells an underwriter almost nothing.
An environment can have:
- MFA on Microsoft 365 email but not on the VPN,
- MFA on users but not on admin roles,
- MFA on the main IdP but not on a remote-support tool,
- MFA registration without true enforcement,
- or quiet exclusions that leave the highest-risk accounts weak.
Coalition's format forces the organization to think about those paths separately.
What answers each sub-question cleanly
6a Email
You need evidence that MFA is enforced for email access, not merely enrolled in an identity platform.
Useful evidence:
- Conditional Access or Security Defaults state
- user coverage export
- recent sign-in activity showing MFA use
- documented exceptions
6b VPN
You need evidence from the VPN or access platform itself, especially if VPN is not using the same identity stack as email.
Useful evidence:
- VPN appliance configuration
- SSO / MFA integration proof
- remote access policy
- exception list
6c RDP, RDWeb, RD Gateway, or other remote access
This is where dangerous blind spots live.
Useful evidence:
- whether RDP is disabled, gated, or MFA-protected
- remote management tool controls
- bastion or jump-host policy
- external exposure review
6d Network / cloud administration or other privileged user accounts
This is not optional admin hygiene. It is its own underwriting question.
Useful evidence:
- privileged-role inventory
- admin account list
- MFA requirement on privileged roles
- exception handling for break-glass or service-related access
Where teams get into trouble
They read one portal screen and answer all four sub-questions from memory.
Do not do that.
If you use Microsoft 365, Duo, Okta, a VPN appliance, a remote support tool, and separate cloud consoles, MFA truth is distributed. That is why the clean workflow is export first, answer second.
For the evidence side, use How to Export MFA Evidence from Entra ID, Duo, and Okta. For guidance on writing a carrier-aligned MFA policy to accompany the technical evidence, see How to Write an MFA Policy That Satisfies Cyber Insurance Underwriters.
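Because MFA truth is distributed across the IdP, the VPN appliance, remote-access tools and separate cloud consoles, the honest answer to Q6 comes from merging those exports and checking each access path on its own. The Python below is an added example, not Coalition's or any IdP/VPN vendor's code; every input is constructed, and the field names (`mfa_enforced`, `auth`, `exposed`) are assumptions standing in for whatever Entra ID, Okta, Duo, your VPN configuration and your remote-access inventory actually emit. It also computes the naive global "do you have MFA?" answer to show how much it hides.

```python
"""Compute MFA enforcement per access path (Coalition Q6a-d) from several sources.

Added example, not Coalition's form or any IdP/VPN vendor's API. All inputs
are constructed and the field names are assumptions; replace them with your
own Entra ID / Okta / Duo export, VPN config and remote-access inventory.
"""

# Constructed IdP user export. mfa_enforced = a Conditional Access / sign-on
# policy actually requires MFA for this user (registration alone is not enough).
IDP_USERS = [
    {"upn": "alice@example.com", "mfa_enforced": True, "roles": []},
    {"upn": "bob@example.com", "mfa_enforced": True, "roles": ["Global Administrator"]},
    {"upn": "carol@example.com", "mfa_enforced": False, "roles": []},  # excluded from policy
    {"upn": "breakglass@example.com", "mfa_enforced": False, "roles": ["Global Administrator"]},
    {"upn": "svc-backup@example.com", "mfa_enforced": False, "roles": ["Exchange Administrator"]},
]

# Constructed VPN appliance accounts. SSO accounts inherit the IdP decision; local ones do not.
VPN_ACCOUNTS = [
    {"user": "alice@example.com", "auth": "sso"},
    {"user": "carol@example.com", "auth": "sso"},
    {"user": "vpn-contractor", "auth": "local", "mfa": False},
]

# Constructed remote-access inventory: each path, whether it is reachable externally, and whether MFA gates it.
REMOTE_ACCESS = [
    {"path": "RD Gateway", "exposed": True, "mfa": True},
    {"path": "Vendor remote-support tool", "exposed": True, "mfa": False},
    {"path": "Direct RDP 3389", "exposed": False, "mfa": False},  # blocked at the edge
]

# Constructed admin accounts on cloud consoles that sit outside the main IdP.
CLOUD_ADMINS = [
    {"account": "root@aws-example", "mfa": True},
    {"account": "ops@cloud-example", "mfa": False},
]

PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}  # assumption


def email_path(users=IDP_USERS):
    """6a: every mailbox user must have MFA enforced, not merely registered."""
    return [u["upn"] for u in users if not u["mfa_enforced"]]


def vpn_path(accounts=VPN_ACCOUNTS, users=IDP_USERS):
    """6b: SSO users are only as strong as the IdP policy; local accounts need their own MFA."""
    idp = {u["upn"]: u["mfa_enforced"] for u in users}
    gaps = []
    for a in accounts:
        if a["auth"] == "sso":
            if not idp.get(a["user"], False):
                gaps.append(a["user"])
        elif not a.get("mfa", False):
            gaps.append(a["user"])
    return gaps


def remote_access_path(inventory=REMOTE_ACCESS):
    """6c: any externally reachable remote-access path without MFA is a gap."""
    return [r["path"] for r in inventory if r["exposed"] and not r["mfa"]]


def privileged_path(users=IDP_USERS, cloud=CLOUD_ADMINS, roles=PRIVILEGED_ROLES):
    """6d: privileged roles in the IdP plus admin accounts on separate consoles."""
    gaps = [u["upn"] for u in users if set(u["roles"]) & roles and not u["mfa_enforced"]]
    gaps += [c["account"] for c in cloud if not c["mfa"]]
    return gaps


def naive_global_answer(users=IDP_USERS):
    """What 'Do you have MFA?' answered from one portal screen looks like."""
    return any(u["mfa_enforced"] for u in users)


def mfa_by_access_path():
    """Per-path answer plus the documented exceptions that must accompany it."""
    gaps = {
        "6a email": email_path(),
        "6b vpn": vpn_path(),
        "6c remote access": remote_access_path(),
        "6d privileged": privileged_path(),
    }
    return {p: {"answer": "Yes" if not g else "No (exceptions)", "gaps": g} for p, g in gaps.items()}


if __name__ == "__main__":
    print("Global 'we have MFA':", naive_global_answer())
    for path, result in mfa_by_access_path().items():
        print(f"{path:18s} {result['answer']:16s} {result['gaps']}")
```

The constructed environment returns a global "Yes" and four per-path "No (exceptions)" answers: a policy exclusion, a local VPN account, an exposed support tool and two privileged accounts without MFA. The break-glass and service accounts are the kind of exception that belongs in the MFA packet in writing, not discovered by the carrier after a claim.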
Q7: Secondary communication to validate funds transfer requests and banking-detail changes
Coalition asks whether the named insured requires a secondary means of communication to validate:
- funds transfer requests above $5,000,
- funds transfer requests above $25,000,
- and any request to change banking details such as ACH, wire, or payroll distribution instructions.
This is Coalition's cleanest BEC / funds-transfer control question.
What Coalition literally wants
A procedural control around money movement.
What Coalition is really testing
Whether the business can stop social-engineering fraud after an email account, vendor thread, or mailbox workflow is compromised.
What answers it cleanly
- AP / treasury written procedure
- callback-verification workflow
- dual-approval process
- out-of-band confirmation steps
- evidence of training on the procedure
What does not answer it cleanly
"We usually call if it looks weird."
That is not a control. That is a habit.
Coalition's claims data makes the logic clear. Coalition's 2026 Cyber Claims Report says BEC and funds transfer fraud accounted for 58% of all claims in its dataset, 52% of FTF claims originated as BEC, and 71% of FTF claims were a direct result of social engineering. The underwriter is not being theoretical here. They are asking about a loss path that is already happening.
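The procedure Q7 asks about can be written down as a rule and checked against the request log, which is also how you prove it is a control rather than a habit. The Python below is an added example, not Coalition's form or any AP system's code. The $5,000 and $25,000 thresholds and the banking-detail-change trigger are the ones on the application; the request records, channel names and the rule that the confirmation must use contact details already on file are constructed assumptions.

```python
"""Apply a secondary-communication rule to funds-transfer and banking-detail
requests, the control behind Coalition's Q7a-c.

Added example, not Coalition's or any AP/treasury product's code. Thresholds
come from the application; request records, channel names and the
"contact details on file" rule are constructed assumptions.
"""
from decimal import Decimal

TIER_1 = Decimal("5000")   # 7a: transfers above $5,000
TIER_2 = Decimal("25000")  # 7b: transfers above $25,000


def validation_required(request):
    """Return the Q7 trigger that requires a secondary, out-of-band confirmation, or None."""
    if request.get("banking_detail_change"):
        return "7c banking-detail change"
    amount = Decimal(str(request.get("amount", "0")))
    if amount > TIER_2:
        return "7b transfer above $25,000"
    if amount > TIER_1:
        return "7a transfer above $5,000"
    return None


def validated_out_of_band(request):
    """A confirmation only counts if it used a different channel from the request
    AND contact details held on file, never a phone number supplied in the request."""
    v = request.get("validation")
    if not v:
        return False
    return v["channel"] != request["channel"] and v["contact_source"] == "on_file"


def review(request):
    """Decide release/hold for one request and say why."""
    reason = validation_required(request)
    if reason is None:
        return ("release", "below thresholds, no detail change")
    if validated_out_of_band(request):
        return ("release", reason + " validated out of band")
    return ("hold", reason + " not validated")


# Constructed request log
REQUESTS = [
    {"id": "R1", "amount": "4200", "channel": "email"},
    {"id": "R2", "amount": "12000", "channel": "email",
     "validation": {"channel": "phone", "contact_source": "on_file"}},
    {"id": "R3", "amount": "40000", "channel": "email",
     "validation": {"channel": "email", "contact_source": "on_file"}},  # replying to the same thread proves nothing
    {"id": "R4", "amount": "900", "channel": "vendor_portal", "banking_detail_change": True,
     "validation": {"channel": "phone", "contact_source": "in_request"}},  # number came from the request itself
]


def review_all(requests=REQUESTS):
    return {r["id"]: review(r) for r in requests}


if __name__ == "__main__":
    for rid, (decision, why) in review_all().items():
        print(f"{rid}: {decision:8s} {why}")
```

R3 and R4 are the cases this control exists for: a confirmation that goes back down the same compromised email thread, and a callback to a number the requester supplied. Both look like "we called to check" in a narrative; neither survives the rule, and the written procedure plus this kind of log is the evidence that answers Q7 cleanly.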
Q8 and Q9: Concurrent tech E&O or professional indemnity coverage
Coalition asks whether the insured will have an active technology errors and omissions policy or an active errors and omissions / professional indemnity policy concurrent with the cyber policy.
What Coalition literally wants
Disclosure about adjacent professional-liability coverage.
What Coalition is really testing
Whether there are overlapping or complementary exposures that sit outside pure cyber controls.
What answers it cleanly
- current or proposed E&O / PI policy information
- broker note on how the account is being structured
- confirmation if there is no such concurrent coverage
Why it matters
Do not route these to the IT team by default. This is usually broker / risk-transfer context, not a technical-control question.
Q10 and Q11: Content complaints and takedown procedures
The application asks whether, in the last three years, the named insured has been subject to complaints concerning website content, advertising materials, social media, or other publications, and whether it enforces procedures to remove content that may infringe intellectual property or privacy rights.
These questions are easy to dismiss because they sit outside the main security-control cluster.
Do not dismiss them.
What Coalition literally wants
Media-liability and content-governance disclosure.
What Coalition is really testing
Whether the insured has adjacent content / publication exposure and whether there is any basic takedown discipline.
What answers it cleanly
- legal or compliance incident history on content complaints
- documented web / marketing takedown procedure
- ownership for content escalation
Where teams get into trouble
They toss these to IT because the application is branded as "cyber." These are usually cross-functional questions. Marketing, legal, and operations may know more than IT.
The evidence packet that answers this PDF cleanly
If you want the shortest path to a defensible Coalition submission, package the file like this:
- One summary sheet: a one-page explanation of each non-obvious answer, including any exceptions.
- One device-encryption artifact: managed report showing endpoint encryption status.
- One backup packet: job history, scope summary, architecture note, and a recent restore test if available.
- One MFA packet: policy proof, coverage proof, recent activity proof, and documented exceptions.
- One finance-procedure artifact: funds-transfer verification procedure and approval thresholds.
- One disclosure memo for history / known circumstances, if applicable: use plain language, dates, impact, and remediation.
That package is much stronger than a pile of screenshots with no explanation.
The five Coalition mistakes that create the most trouble
Mistake 1: Treating a short PDF like a low-stakes PDF
The application is short because Coalition compresses the underwriting decision into a few high-signal questions.
Mistake 2: Answering from memory
The signature section is built around reasonable inquiry. Memory is not reasonable inquiry.
Mistake 3: Confusing policy intent with control state
"BitLocker should be on." "Security Defaults are enabled, I think." "Backups run nightly, probably."
None of those are good enough.
Mistake 4: Treating MFA as one control instead of four access paths
Coalition explicitly split the question. You should too.
Mistake 5: Assuming finance procedures are outside cyber underwriting
They are not. Coalition wrote the funds-transfer controls into the application for a reason.
The right way to think about the Coalition PDF
Do not think of this form as a checklist.
Think of it as a compression layer.
Every checkbox stands in for a larger operational claim:
- that devices are actually encrypted,
- that backups are actually recoverable,
- that MFA is actually enforced on the specific paths attackers use,
- that privileged accounts are actually stronger than ordinary ones,
- and that money movement is not authenticated by email alone.
If you read the PDF that way, the workflow becomes obvious:
verify first, answer second.
Verify before you sign
If you are preparing a Coalition submission right now, start with the fastest high-confidence evidence you can gather:
- run an external posture check for the domains Coalition asked you to list,
- verify MFA separately for email, VPN, remote access, and privileged accounts,
- review the backup architecture, not just the schedule,
- and document funds-transfer controls in writing before the PDF goes back.
FAQ
Where can I find the Coalition cyber application PDF?
Coalition's application help page lists the new business application, renewal application, and related questionnaires. For the US new business form, the publicly distributed PDF is the Coalition Cyber Policy Application with form number CYUSP-00NA-1022-01.
Is the Coalition application the same as the Coalition client questionnaire?
Not exactly. Coalition's help page lists them as separate documents. The client questionnaire may be used in parts of the workflow, but the application itself contains the contractual and signature language that matters for underwriting and binding.
What is the most important section of the Coalition application?
For most SMB and MSP-supported environments, the highest-consequence section is Q6 on MFA because Coalition breaks MFA out by access path: email, VPN, remote access, and privileged accounts.
Does Coalition ask about DMARC directly on the PDF?
Not on the current PDF covered here. But Coalition asks for the insured's web and email domains, and carriers can evaluate parts of email-security posture externally. Do not assume "not asked directly" means "not relevant."
What if we use Microsoft 365 Security Defaults - can we answer Yes to email MFA?
Maybe, but not automatically. The safe answer depends on whether MFA is actually enforced for the access path in question, whether there are exclusions, and whether other remote-access tools sit outside Microsoft 365.
Does a written AP policy really matter for Q7 funds-transfer controls?
Yes. Coalition is explicitly asking about a secondary communication method for validating transfer requests and banking-detail changes. If the control only lives in someone's head, it is weak evidence.