Chubb dominates the U.S. cyber insurance market. With $560.6 million in direct written premiums and a 7.92% market share as of 2024, Chubb maintains the #1 position globally with 16% market share — a position they've held despite industry premium declines[1]. The carrier invests over $1 billion annually in technology, and their underwriting standards reflect that sophistication.
For brokers and IT leadership preparing a Chubb cyber insurance application, precision matters. Chubb underwrites enterprise risk differently than standard carriers. They ask harder questions about patching cadences, infrastructure architecture, and incident response capabilities. Getting answers wrong delays quotes. Getting them right unlocks access to market-leading coverage at competitive rates.
This guide walks you through Chubb's application process, product lines, platforms, and the specific controls they scrutinize most.
Understanding Chubb's Cyber Product Portfolio
Chubb offers three distinct cyber insurance paths, each designed for different organizational profiles and risk architectures.
Cyber Enterprise Risk Management (Cyber ERM)
Cyber ERM is Chubb's flagship enterprise offering. It combines traditional cyber liability coverage with embedded loss mitigation services and managed incident response — creating a cohesive risk management framework rather than a standalone insurance policy[1].
Enterprise organizations using Cyber ERM gain access to Chubb's proprietary vulnerability management tools, continuous network monitoring, and the firm's five core cyber service focus areas: multi-factor authentication (MFA), firewall and VPN configuration, backup configuration, Microsoft 365 hardening, and Active Directory security[7].
The product is underwritten for organizations with sophisticated IT operations, typically $50M+ in revenue. Chubb uses a tiered approach: larger, mature organizations see broader underwriting appetite and better pricing.
DigiTech Enterprise Risk Management
DigiTech ERM is purpose-built for technology companies, SaaS providers, and digital-native organizations[2]. It combines technology errors & omissions, media liability, cyber liability, and regulatory defense on a single policy — eliminating coverage gaps where traditional cyber insurance ends and E&O begins.
For tech companies answering the Chubb application, DigiTech reframes underwriting questions around your software development lifecycle, product security testing, and third-party risk management. It's more aligned with how tech firms actually distribute and support their products.
Integrity+ by Chubb
Integrity+ consolidates multiple exposures — E&O, cyber, privacy, media liability, and intellectual property — on one master policy[3]. It's positioned for mid-market firms with diverse liability footprints but not yet enterprise scale. The multi-line structure creates administrative efficiency and can improve underwriting outcomes if your organization manages multiple concurrent exposures.
Small Business Cyber Coverage
Chubb offers scaled cyber products specifically for small businesses via chubbsmallbusiness.com[1]. Application requirements are lighter, but coverage is also narrower. The platform focuses on essential protections: ransomware, breach response, business interruption, and regulatory liability.
The small business short-form application focuses on key exposure and control questions:
Data & Exposure:
- Number of protected records that could be compromised
- Nature of operations, including high-sensitivity business types (financial institution, crypto exchange, data aggregator, surveillance, payment processing, etc.)
Loss History:
- Past 3 years of loss/incident history
- Awareness of any circumstances that could give rise to claims
Information Security:
- Third-party software (antivirus, encryption, firewalls)
- Incident response plan (documented)
- No end-of-life software in use
- Manufacturer security updates applied
Compliance & Industry-Specific Controls:
- PCI compliance (chip-enabled terminals, PCI self-attestation in past 12 months)
- HIPAA/HITECH compliance (if applicable)
- California medical confidentiality compliance (if applicable)
- Fair Credit Reporting Act (FCRA) compliance (if applicable)
Business Continuity:
- Backup and recovery procedures implemented, documented, and tested annually for all mission-critical systems
Cyber Crime Controls:
- Fund transfer authentication via predetermined phone number or customer identity code
- Dual approval requirement for wire transfers
- Vendor/supplier bank account verification by direct call to receiving bank before accounts payable setup
Chubb's Three Application Platforms
Chubb has decoupled its cyber application process from its traditional business insurance flow, creating three distinct pathways depending on your organization's size and complexity.
Cyber Central: End-to-End Quoting
Launched in June 2023, Cyber Central is Chubb's cyber-native quoting platform. It handles three distinct workflows[4]:
- End-to-End Quoting: Comprehensive application suitable for enterprise risks ($100M+ revenue, complex exposures). This is the full underwriting process, typically yielding a formal quote with binders and renewal options.
- Indicative Quoting: Fast-track appetite check. You provide high-level loss history, asset counts, and revenue; Chubb returns a premium range and underwriting appetite answer (yes, no, or conditional) in hours.
- Batch Quoting: For brokers managing 30+ customer submissions simultaneously. Chubb ingests a standardized spreadsheet containing account data and processes the cohort in parallel, yielding instant indications without detailed data entry. Batch Quoting also enables shareable applications, risk reports, eSignatures, and automatically surfaces qualified leads — transforming Cyber Central into a book-management surface for cyber-specialist brokers.
Cyber Central assumes enterprise-grade IT. If you're applying here, Chubb expects documented security controls, incident response plans, and clear patch management timelines.
Marketplace: Sub-$100M Revenue, Bindable Quotes
The Marketplace is Chubb's platform for mid-market risks under $100M in annual revenue[5]. It emphasizes speed and simplicity. Once your Marketplace application passes underwriting review and you've signed off, the quote becomes bindable immediately — no additional contingencies or conditions.
Marketplace focuses on multi-line quoting: cyber, E&O, management liability, and commercial crime on one platform. The underwriting standards are still rigorous, but the application itself is streamlined for faster turnaround.
Small Business Portal
Chubb's small business portal (chubbsmallbusiness.com) handles applications for organizations under ~$25M revenue seeking basic cyber coverage. Application requirements are minimal — often completed in under 15 minutes. However, coverage limits and service access are also more constrained than Cyber ERM or DigiTech.
Platform Positioning: Cyber Central vs Marketplace vs Cyber APIs
Chubb positions three distinct distribution surfaces for brokers:
- Cyber Central: Purpose-built for cyber-specialist brokers. Serves the cyber-specialist lane, focused on standalone cyber, Tech E&O, and Miscellaneous Professional Liability. Includes Batch Quoting for managing 30+ accounts.
- Marketplace: Multi-line platform. Cyber rides alongside E&O, management liability, and commercial crime for mid-market risks ($100M revenue and below).
- Cyber APIs: For brokers with meaningful cyber portfolios and select multi-carrier integrations. Enables custom integration with broker management systems.
If you're a cyber-specialist broker, Cyber Central is your native home. If you write multi-line coverage, Marketplace is the integrated surface.
The Core Chubb Cyber Application: What They Actually Ask
Regardless of platform, Chubb's cyber applications center on five control areas[7]. Know your answers before you submit.
Data Exposure: Protected Records Volume
Before diving into controls, Chubb establishes your data exposure profile. A key question appears early in the application:
How many records containing protected information (customer data, employee PII, health information, financial account data, payment card data, intellectual property, etc.) could be compromised in a breach?
This tells Chubb your exposure volume — not just your tools, but your actual risk surface. A SaaS company with 5 million customer records faces different exposure than a professional services firm with 500 employee records. Chubb uses this to calibrate coverage limits, pricing, and cyber crime/data breach sub-limits.
Have an honest count. If you've never calculated this, work with your data governance team to estimate records under your control or management. Include customer, employee, and vendor records.
1. Multi-Factor Authentication (MFA)
Chubb treats MFA as a foundational control, not a nice-to-have.
Expected answers:
- What percentage of users have MFA enabled on email/identity systems?
- Is MFA mandatory for remote access (VPN)?
- Are you using hardware tokens, SMS, authenticator apps, or passwordless methods?
- Is MFA enforced for privileged accounts?
If your organization hasn't hit 95%+ adoption on email and 100% on administrative access, Chubb will ask a follow-up: what's your timeline to mandate it? If you don't have one, expect underwriting friction.
For detailed guidance on MFA evidence collection and reporting, see The M365 MFA Reporting Gap.
2. Firewall and VPN Configuration
Chubb wants to know your perimeter.
Expected answers:
- What firewall vendor/model do you use?
- How often do you audit firewall rules?
- Do you have next-gen firewall (NGFW) capabilities like intrusion prevention or web filtering?
- Is your VPN segmented by role or network zone?
- Do you perform egress filtering?
Chubb favors mature firewall ecosystems (Palo Alto, Fortinet, Check Point, Cisco) and documented change management. If you're running commodity hardware firewalls or haven't documented your VPN access controls, you'll face detailed follow-ups.
See When Remote Access Becomes an Underwriting Question for deeper context on VPN underwriting expectations.
3. Backup Configuration and Immutability
Ransomware has been responsible for 72% of all cyber claim dollars over the past two years, up from a 63% average across 2020-2022[9]. Chubb knows this and prices backup controls accordingly.
Expected answers:
- What percentage of critical systems have daily backups?
- Are backups immutable (write-once-read-many, or WORM)?
- How many versions of each backup do you retain?
- Is backup restoration tested annually?
- Is backup infrastructure isolated from production networks?
"Backup" doesn't count if it's on a network-accessible server an attacker can delete. Chubb specifically asks about immutable storage: cloud vaults, tape archives with air-gapped retention, or storage with immutability rules enabled.
For specifics on what "immutable" means to underwriters, see How to Prove Backup Immutability.
4. Microsoft 365 Hardening
Nearly every enterprise organization runs Microsoft 365 (M365). Chubb treats M365 security posture as a leading indicator of your overall security discipline.
Expected answers:
- Do you enforce conditional access policies for cloud apps?
- Is legacy authentication disabled?
- Are shared calendars/mailboxes restricted to named users?
- Do you use Data Loss Prevention (DLP) policies?
- Is mail forwarding restricted to internal users only?
- Are external user B2B access controls documented?
Chubb often requests a Microsoft Secure Score report (available in the M365 admin portal) as evidence. A score below 50% typically triggers additional underwriting scrutiny.
5. Active Directory Security
Active Directory holds the keys to the kingdom for Windows environments. Chubb recognizes this.
Expected answers:
- Is AD running the current or N-1 version?
- Do you enforce Kerberos signing and sealing?
- Are privileged users in a dedicated admin tier (Tier 0)?
- Is AD replication encrypted?
- Do you monitor and audit domain admin group changes?
- Is LAPS (Local Administrator Password Solution) deployed?
If your organization hasn't segmented administrative accounts or hasn't implemented LAPS, Chubb will ask for a remediation timeline. AD compromise is a precursor to ransomware and data exfiltration — both of which drive the claims Chubb pays.
The 45-Day Patch Grace Period: The Neglected Software Exploit Endorsement
One of Chubb's most distinctive underwriting innovations is their "Neglected Software Exploit Endorsement" — a 45-day grace period on patching[6].
Here's how it works:
Days 0-45: If a vulnerability appears in the NIST National Vulnerability Database (NVD), you have 45 days to patch without any coverage impact. This period acknowledges that patches need testing and that zero-day exploits take time to weaponize.
Days 46-90: Once you exceed 45 days, "incremental risk sharing" begins. Coverage still applies, but with modified terms — typically a higher deductible or lower sub-limit for claims arising from that specific vulnerability.
Days 91-180: Risk sharing increases further.
Days 181-365: The policyholder bears increasingly more of the risk.
Days 365+: Continued reallocation toward the policyholder.
This structure incentivizes prompt patching without penalizing organizations for the realities of patch management (testing, change management, third-party vendor delays). Chubb expects you to have a documented patching schedule and to explain your average patch window.
In your application, you'll be asked: "What is your average time to patch critical and high-severity vulnerabilities?" Have a number. "90 days" is common for enterprise organizations. "30 days" signals security maturity.
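To put a number behind that answer, the following added example (not Chubb's tooling or code from this guide) places each finding in the endorsement's age bands and computes the average time to patch for critical and high findings. The inventory fields, the placeholder IDs and the choice to put day 365 in the 181-365 band are assumptions of the example.

```python
from datetime import date
from statistics import mean
from typing import Optional

# Age bands as listed in the endorsement description above. The page lists both
# "181-365" and "365+"; this example assumes day 365 falls in the earlier band.
BANDS = [
    (45, "0-45: no coverage impact"),
    (90, "46-90: incremental risk sharing begins"),
    (180, "91-180: risk sharing increases"),
    (365, "181-365: policyholder bears more of the risk"),
]
LAST_BAND = "365+: continued reallocation toward the policyholder"


def exposure_days(nvd_published: date, patched: Optional[date], as_of: date) -> int:
    """Days from NVD publication to the patch date, or to as_of if still open.

    A fix deployed before the NVD entry appeared counts as day 0, not negative.
    """
    end = patched if patched is not None else as_of
    return max((end - nvd_published).days, 0)


def band_for(days: int) -> str:
    """Return the endorsement band that a given age in days falls into."""
    for upper, label in BANDS:
        if days <= upper:
            return label
    return LAST_BAND


def patch_report(findings: list, as_of: date) -> dict:
    """Band every finding and summarise the figures the application asks for."""
    rows = []
    for f in findings:
        published = date.fromisoformat(f["nvd_published"])
        patched = date.fromisoformat(f["patched"]) if f["patched"] else None
        days = exposure_days(published, patched, as_of)
        rows.append({"id": f["id"], "severity": f["severity"], "days": days,
                     "band": band_for(days), "open": patched is None})
    # The application question covers critical and high severity only,
    # so closed medium/low findings are left out of the mean.
    closed = [r["days"] for r in rows
              if not r["open"] and r["severity"] in ("critical", "high")]
    return {
        "rows": rows,
        "avg_days_to_patch_crit_high": round(mean(closed), 1) if closed else None,
        "open_past_grace": [r["id"] for r in rows if r["open"] and r["days"] > 45],
    }


# Constructed sample inventory; the IDs are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "severity": "critical", "nvd_published": "2025-01-10", "patched": "2025-01-31"},
    {"id": "CVE-EXAMPLE-0002", "severity": "high", "nvd_published": "2025-02-01", "patched": "2025-04-02"},
    {"id": "CVE-EXAMPLE-0003", "severity": "high", "nvd_published": "2025-03-01", "patched": None},
    {"id": "CVE-EXAMPLE-0004", "severity": "medium", "nvd_published": "2025-06-20", "patched": "2025-06-15"},
    {"id": "CVE-EXAMPLE-0005", "severity": "critical", "nvd_published": "2025-06-01", "patched": None},
]

if __name__ == "__main__":
    report = patch_report(SAMPLE_FINDINGS, as_of=date(2025, 6, 30))
    for r in report["rows"]:
        print(f'{r["id"]}  {r["days"]:>3}d  {"open" if r["open"] else "closed":6}  {r["band"]}')
    print("Average days to patch (critical/high):", report["avg_days_to_patch_crit_high"])
    print("Open past the 45-day grace period:", report["open_past_grace"])
```

Open findings are measured to the report date, so rerunning the report later moves them into later bands until they are patched.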
Chubb's Vulnerability Outreach Program
Beyond the application itself, Chubb provides ongoing vulnerability intelligence to policyholders. Their Vulnerability Outreach Program continuously monitors actively exploited threats and sends email notifications with specific exposure details and remediation actions[10].
They also offer a Vulnerability Management service that scans for 6,000+ known hacker vulnerabilities, and External Vulnerability Monitoring — daily risk measurement of your internet-facing footprint with breaking alerts on newly discovered CVEs.
In your application, Chubb may ask: "Are you currently using external vulnerability scanning?" Having a yes (whether from Chubb, Rapid7, Qualys, or another vendor) strengthens your position.
Claims Data: What Chubb's Claims History Tells About Underwriting
Chubb publishes their proprietary claims data via the Chubb Cyber Index, a free public tool available at chubbcyberindex.com[8]. Updated twice monthly, the Index aggregates nearly two decades of claims data, segmented by industry and revenue size.
The 2024 Chubb Cyber Claims Landscape Report reveals[9]:
- Ransomware dominance: 72% of all cyber claim dollars (2023-2024), up from 63% average (2020-2022)
- Third-party litigation surge: Ransomware-related third-party litigation frequency increased approximately 75% in 2024 compared to 2020-2021 baseline
- Trending upward: Both claims frequency and severity have trended upward over the past three years
This data directly influences Chubb's application questions. They ask about ransomware-specific controls (backup immutability, segmentation, MFA) because these are the exposures that drive their claims costs.
When answering the application, emphasize any recent investments in anti-ransomware capabilities. Chubb rewards organizations that have demonstrably reduced their ransomware risk profile.
Incident Response and 24/7 Support
Chubb's cyber coverage includes 24/7 incident response support. The hotline is 800-817-2665[11]. Policyholders also get access to the Cyber Alert mobile app for instant breach reporting, pre-written data breach response plans (available both online and via app), and a dedicated IR team including forensics, legal counsel, notification services, and crisis communications.
Chubb also offers a Non-Panel Provider Program — if you have an existing IR vendor relationship or prefer a specific firm, you can add them to your incident response team rather than be locked into Chubb's panel.
During the application, you may be asked: "Do you have a current IR retainer or incident response plan?" Answering yes (with documentation) is favorable for underwriting. It signals you've thought about response procedures and won't be improvising during a live incident.
Email Security: DMARC, SPF, DKIM
While less prominent than MFA or AD security in the formal application, Chubb increasingly asks about email security posture, particularly DMARC, SPF, and DKIM implementation.
These controls prevent email spoofing and domain impersonation — both common attack vectors leading to social engineering and phishing. If your organization handles sensitive data via email or has high-value wire transfer activity, Chubb may ask: "Do you have DMARC enforcement in place?"
For guidance on email security controls in the context of cyber insurance, see DMARC, SPF, and DKIM for Cyber Insurance.
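Before answering the DMARC enforcement question, it helps to check what your published records actually say. The sketch below is an added example, not part of Chubb's application or tooling: it evaluates TXT record strings embedded inline (constructed, for reserved example domains) and does no DNS lookups. It assumes "enforcement" means a quarantine or reject policy applied to 100% of mail, and it leaves DKIM out because checking a DKIM key requires knowing the selector.

```python
SPF_ALL = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: list) -> dict:
    """Evaluate the TXT strings published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:
        # No record means no policy; several records also leave DMARC unapplied.
        return {"status": "missing" if not found else "multiple", "enforced": False}
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"status": "invalid-policy", "enforced": False}
    pct_raw = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    # Assumption of this example: an unparseable pct is not counted as enforced.
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    sub_policy = tags.get("sp", policy).lower()  # sp inherits p when absent
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"status": "ok", "policy": policy, "pct": pct, "enforced": enforced,
            "subdomains_enforced": enforced and sub_policy != "none"}


def assess_spf(txt_records: list) -> str:
    """Classify the domain's SPF record by the qualifier on its 'all' term."""
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        return "missing" if not found else "multiple"
    for term in found[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return SPF_ALL.get(term[0], "pass-all")  # bare "all" means "+all"
    return "no-all-term"


def email_auth_evidence(dmarc_txt: list, spf_txt: list) -> dict:
    """Answer the DMARC enforcement question and list gaps to explain."""
    dmarc, spf = assess_dmarc(dmarc_txt), assess_spf(spf_txt)
    gaps = []
    if dmarc["status"] != "ok":
        gaps.append("dmarc-" + dmarc["status"])
    elif not dmarc["enforced"]:
        gaps.append(f"dmarc-p={dmarc['policy']}-pct={dmarc['pct']}")
    elif not dmarc["subdomains_enforced"]:
        gaps.append("dmarc-sp=none")
    if spf not in ("hardfail", "softfail"):
        gaps.append("spf-" + spf)
    return {"dmarc_enforcement": "yes" if dmarc["enforced"] else "no", "gaps": gaps}


# Constructed TXT records for reserved example domains: (DMARC TXT, SPF TXT).
SAMPLE_DOMAINS = {
    "example.com": (["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
                    ["v=spf1 include:_spf.example.net -all"]),
    "example.org": (["v=DMARC1; p=none"], ["v=spf1 ip4:192.0.2.10 ~all"]),
    "example.net": (["v=DMARC1; p=quarantine; pct=25"], ["v=spf1 +all"]),
    "example.edu": ([], []),
}

if __name__ == "__main__":
    for domain, (dmarc_txt, spf_txt) in SAMPLE_DOMAINS.items():
        print(domain, email_auth_evidence(dmarc_txt, spf_txt))
```

A record with `p=none`, or a partial `pct`, is monitoring or rollout rather than enforcement, so the accurate answer in those cases is "no" with a timeline.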
Cyber Crime and Funds Transfer Controls
Cyber crime coverage — covering unauthorized wire transfers, business email compromise, social engineering, and account takeover — is often a high-value component of Chubb cyber policies. The underwriting here is detailed.
Chubb's application asks specifically about funds transfer procedures and authentication controls:
Transfer Authentication & Authorization:
- Are fund transfer instructions accepted over telephone, email, or text?
- Are instructions authenticated by calling a predetermined phone number or requiring a customer identity code?
- Is dual (more than one person) approval required for wire transfers?
Vendor Account Setup & Verification:
- Before setting up a new vendor or supplier in accounts payable, is the receiving bank account verified by direct call to the receiving institution?
- Is this procedure documented and enforced consistently?
Organizations with weak funds transfer controls — accepting wire instructions via email without callback verification or allowing single-person wire approval — will face underwriting friction or exclusions. Chubb prices cyber crime coverage based on your ability to prevent unauthorized transfers.
If your organization processes high-value wires or handles customer payment instructions, have clear evidence of callback verification and dual-approval procedures. This is one of the strongest fraud-prevention controls Chubb sees and a material underwriting factor.
Capital Markets and Chubb's Strategic Positioning
In 2025-2026, Chubb took a notable step to manage cyber tail risk: they pursued their first-ever annual aggregate cyber catastrophe bond[13]. The East Lane Re VII structure included a $150 million Class B tranche attached to $600 million with exhaustion at $750 million.
This move signals that Chubb sees cyber risk as potentially catastrophic at scale and is actively transferring extreme tail exposure to capital markets. For applicants, this is reassuring — it means Chubb has the balance sheet to pay claims and is taking a long-term view of cyber underwriting sustainability.
Material Change Notification Requirement
Chubb's application includes an important covenant: if there is any material change in the answers provided before policy inception, the applicant must notify Chubb in writing. Upon notification, Chubb may modify the quotation, adjust terms, or withdraw the quote entirely.
This means if your organization undergoes significant changes between application submission and policy binding — such as a major security incident, major operational change, personnel transition in IT leadership, loss of a key control, or change in business type — you must disclose it. Failure to disclose material changes can affect coverage validity at claim time.
Before binding, review your answers and confirm they remain accurate as of the binding date.
Tips for a Successful Chubb Application
1. Be Precise on Control Implementation
Chubb underwrites based on control evidence, not aspirations. If MFA is in rollout, say so and give a timeline. Don't claim 100% adoption if you're at 87%.
2. Prepare Audit Reports and Evidence
For Cyber ERM (enterprise) applications, have ready:
- Current SOC 2 Type II report (preferred)
- Latest vulnerability assessment results
- Patch management policy and sample implementation records
- Backup restoration test documentation
- MFA enrollment and enforcement reports (from your identity provider)
- Incident response plan (summary)
3. Know Your Crown Jewels
Chubb will ask: "What are your three most critical assets?" Know the answer. Articulate why they matter to your business and what controls protect them.
4. Understand Your Incident History
If you've had a breach, ransomware incident, or significant downtime in the past 5 years, disclose it. Chubb will find it anyway, and transparency strengthens your negotiating position. Explain what you learned and what you changed.
5. Have a Conversation with Your Broker
Don't submit a Chubb application cold. Work with your broker to pre-qualify your risk profile and get broker feedback on likely underwriting questions before the application goes in.
6. Use the Chubb Cyber Index
Run your organization through the Chubb Cyber Index. See how your industry and revenue peers are performing on claims frequency and severity. This context informs realistic expectations for coverage terms and pricing.
Tools to Strengthen Your Application
BindLedger's Carrier Decoder
If your organization has existing cyber insurance with another carrier, our Carrier Decoder tool (/tools/supplement-parser) extracts key underwriting evidence directly from your current policy supplement or application. You can port this evidence into your Chubb application, accelerating the underwriting process.
Free Readiness Check
Before you even call your broker, run a quick security readiness check at /scan. We assess your core controls against Chubb's five focus areas and highlight gaps. It's free and takes under 10 minutes.
Additional Resources
For deeper guidance on cyber insurance evidence and underwriting across all major carriers, see The Complete Guide to Cyber Insurance Evidence in 2026.
For context on how other carriers approach cyber underwriting and how Chubb compares, explore our carrier-specific guides (Travelers, Beazley, Munich Re, Zurich, Arch, and others).