CNA has become one of the most sophisticated underwriters in the cyber insurance market—and that sophistication starts with their application process. Unlike commoditized carriers that ask cookie-cutter questions, CNA's cyber applications are purposefully rigorous, designed to separate risks that can succeed with proactive security from those that will face denial or heavy restrictions.[1]
For brokers, navigating CNA's underwriting criteria isn't just about filling in boxes. It's about understanding why CNA asks what it asks, knowing which gaps can be remediated before submission, and positioning your clients in the best possible light for approval.
This guide covers everything you need to submit a clean CNA cyber application—from choosing between their flagship products to decoding the ransomware supplement and leveraging CyberPrep services to strengthen your renewals.
CNA's Cyber Insurance Products: Epack 3 vs. NetProtect
CNA offers two distinct cyber insurance products, and the choice between them shapes your entire application strategy.
Epack 3: The Mid-Market Workhorse
Epack 3 is CNA's primary cyber liability offering for small- to mid-market businesses. It's a first-of-its-kind modular policy designed to bundle cyber, media, technology, and professional liability coverage in a single, simplified form. The product combines:
- Cyber Liability Coverage: Data breach response, notification, credit monitoring, legal defense
- Technology & Professional Liability: Errors and omissions for technology services, privacy liability
- Media Liability: Defamation, intellectual property infringement, privacy violations
Important Availability Note: Epack 3 is currently available in 36 states on an admitted basis. Verify your client's location before pursuing an application.
Eligibility & Limits:
- Revenue ranges typically from $5M to $1B+, depending on industry and risk profile[2]
- Available limits generally from $250K to $5M
- Can write complex risks including healthcare providers, financial services, and professional service firms
Epack 3 applications are usually more straightforward than NetProtect, but don't mistake "straightforward" for "lenient." CNA's underwriting for Epack 3 is thorough, and your answers will determine not just approval, but pricing and terms.
Key Coverage Grants: Epack 3 includes market-leading coverage for:
- Network and data restoration (including bricking)
- Forensic accounting costs
- Broad treatment of privacy law and notification
- Business interruption and network failure (including contingent loss)
- Cybercrime coverage
- Reputational harm coverage
- No hammer clause language (meaning CNA won't exclude related claims post-incident)
NetProtect: The Enterprise-Grade Alternative
NetProtect is CNA's customizable cyber product for larger, more complex organizations. It's designed for:
- Sophisticated risk management programs
- Complex organizational structures or multiple subsidiaries
- Regulatory-heavy industries (financial services, healthcare, legal)
- Companies with annual revenue $500M+ (and in some cases, much larger)
NetProtect offers greater flexibility in coverage design, higher limits (up to $100M+), and integration with CNA's enterprise risk services. The application is correspondingly more detailed, often involving supplemental questionnaires specific to your client's industry and risk profile.[3]
For most brokers working with SMBs, Epack 3 is the target. NetProtect enters the picture when you're placing a Fortune 1000 company or a highly sophisticated mid-market risk.
What CNA Underwriting Really Tests
CNA's cyber underwriting philosophy isn't "do you have cyber insurance?" It's "do you have the fundamentals in place to detect, contain, and recover from a cyber incident?" They're pragmatists: they understand that perfect security doesn't exist, but they can price accordingly if you've built resilience into your architecture.
Why SMBs Matter: CNA's own public brochure cites research showing that 98% of cyber claims come from small and medium-sized businesses. This means CNA's underwriting rigor for Epack 3 is evidence-based—they're focusing on the segment where the real exposure lies. The simplified Epack 3 application is not a pass for SMBs; it's a reflection of CNA's commitment to this high-claims segment.
1. Multi-Factor Authentication (MFA)
This is the gatekeeper question. CNA wants MFA enforced for:
- Remote access (VPN, RDP, any off-network access)
- Email accounts (corporate email must have MFA, with limited exceptions)
- Privileged accounts (administrative credentials, domain admin, cloud admin roles)
- System access (servers, databases, critical applications)
What CNA is really asking: Can an attacker who compromises a single password gain unfettered access to your network?
Many of your clients will claim "we have MFA," but CNA digs deeper. They want to know:
- Is it hardware-based (FIDO2 keys), software-based (authenticator apps), or SMS-based (CNA's least favorite)?
- Are there carve-outs? (If you exempt service accounts or contractors, CNA will penalize pricing or ask for compensating controls.)
- What's your enforcement percentage? (CNA typically wants 95%+ enforcement; clients with 80% might face coverage restrictions.)
Red flags:
- SMS-only for critical systems
- MFA enforced only for specific user groups
- Exception processes that aren't tracked or reviewed
- No MFA for cloud environments (Microsoft 365, AWS, Salesforce, etc.)
If your client is weak on MFA, remediation is often quick—it's a software and process fix, not a hardware overhaul. CNA will sometimes approve pending remediation within 90 days if the client has a credible implementation plan.
2. Endpoint Detection and Response (EDR)
CNA's appetite for EDR requirements has grown significantly. For Epack 3:
- Mandatory for clients with $500M+ revenue
- Strongly expected for $100M-$500M revenue
- Preferred for $50M-$100M revenue
- Not always required below $50M, but increasingly expected
EDR means agent-based threat detection on all Windows and macOS systems. CNA accepts tools like CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, and others from reputable vendors. Older tools like traditional antivirus/anti-malware don't satisfy this requirement.
What CNA wants to know:
- What percentage of your endpoint population runs EDR? (Target: 90%+)
- Who monitors alerts? Do you have a security operations center (SOC), or is monitoring outsourced?
- What's your response time to EDR alerts?
- Are notebooks/mobile devices covered, or just desktops?
Where clients stumble:
- Buying EDR licenses but not deploying to all machines
- Having EDR installed but no process for alert response
- Using legacy antivirus and claiming it's equivalent to EDR
- Exempting contractor or vendor-managed systems from EDR requirements
Like MFA, EDR is a remediation opportunity. If a client doesn't have it, CNA will often approve pending implementation within 60-90 days, especially for smaller risks.
3. Backup & Recovery Architecture
This is the question that exposes operational readiness. CNA wants to know:
Backup frequency:
- At minimum, daily backups for critical systems
- Some environments require hourly or near-continuous replication
Backup location:
- Offline backups (air-gapped, not accessible from the production network) for at least some data
- Immutable backups (write-once, cannot be modified or deleted) for ransomware protection
- Geographic redundancy (backups in a different location/region from primary systems)
Backup testing:
- Documented, scheduled backup restoration tests
- At least annually; CNA prefers quarterly or more frequent
- Tests that include full data verification, not just spinning up systems
Common issues:
- Clients with backups that are "connected" to production (ransomware encrypts both backup and production simultaneously)
- No documented testing—clients can't prove backups actually work
- Backups stored on-site only (a fire or physical theft defeats the purpose)
- Backup systems running on the same infrastructure (if your production is compromised, your backups are too)
CNA's perspective: If you can restore from backup within 24 hours with high confidence, your ransomware risk is dramatically lower. They will price accordingly.
4. Privileged Access Management (PAM)
This is especially important for clients in regulated industries or those with sensitive customer data.
CNA wants to see:
- Limited privilege principle: Users run with standard (non-admin) credentials for daily work
- Just-in-time admin access: Temporary elevation of privileges for administrative tasks, with session recording and approval workflows
- Credential management: Shared passwords stored in a vault (not in spreadsheets or notepads)
- Session recording: Administrative sessions logged and stored for audit and incident investigation
Red flags:
- Employees with persistent admin rights
- Shared passwords managed outside a credential vault
- No session recording or audit logs for privileged actions
- Domain admin accounts used for email or daily work
- Service accounts with hardcoded passwords
Many SMBs don't implement formal PAM systems, but CNA is increasingly asking for it—especially for the $100M+ segment. If a client doesn't have formal PAM, evidence of compensating controls (segmentation, monitoring, access reviews) will help, but it's not a substitute.
5. Patch Management for Internet-Facing Systems
CNA specifically focuses on systems exposed to the internet:
- Web servers, portals, remote access systems: What's your patch cycle? (CNA expects patches within 30 days, critical patches within 72-168 hours depending on risk level)
- Operating systems: Windows/Linux patch cycles
- Third-party software: Plugins, frameworks, libraries running on internet-facing systems
What you'll be asked:
- Do you have a documented patch management process?
- How long does it typically take to patch critical vulnerabilities?
- Are you monitoring vulnerability feeds or relying on vendor notifications?
- What systems are currently unpatched (and why)?
How to answer if you're behind:
- Be honest about timelines
- Explain what's preventing faster patching (dependencies, testing requirements, compatibility issues)
- Describe your roadmap to improvement
- Highlight any compensating controls (WAF, network segmentation, monitoring)
CNA understands that some clients can't patch immediately—they have legacy systems or complex dependencies. They'll ask about your risk tolerance and whether you've implemented workarounds.
6. Email Security
Email is the primary vector for ransomware and credential theft, so CNA asks:
- Email filtering: Advanced email filtering (gateway-level or cloud-based) that blocks malicious attachments, phishing, and spam
- Authentication standards: DMARC, DKIM, SPF implemented for your domain(s)
- User awareness: Email security training for staff (phishing simulations, security awareness programs)
- External email marking: System-wide marking of external emails (so users visually recognize emails from outside your organization)
What you should know:
- Basic spam filters don't satisfy CNA—they want next-gen email security (Office 365 Advanced Threat Protection, Proofpoint, Mimecast, etc.)
- DMARC should be set to "reject" (not "none" or "quarantine")
- Email security training should be documented and annual at minimum
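The DMARC, DKIM and SPF bar described above can be verified from public DNS before submission. The following is an added illustration, not BindLedger's or CNA's code: it evaluates the three record types against that bar (DMARC at p=reject, SPF published without +all or more than 10 DNS-querying terms, a DKIM key published for at least one selector). The RECORDS dict holds constructed TXT records for the hypothetical domains weak.example and strong.example; replacing lookup() with a real DNS TXT query (for instance via dnspython) runs it against a client's domain.

```python
# Added example (not BindLedger or CNA code). All records below are constructed
# sample data for hypothetical domains; lookup() stands in for a DNS TXT query.
RECORDS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 include:spf.protection.outlook.com +all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; sp=reject; pct=100; "
                             "rua=mailto:dmarc@strong.example",
    "strong.example": "v=spf1 include:spf.protection.outlook.com -all",
    "selector1._domainkey.strong.example": "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER",
}

# DKIM selectors cannot be enumerated from DNS, so a readiness check probes a
# list of candidates and otherwise asks the client or mail vendor which are in use.
CANDIDATE_SELECTORS = ("selector1", "selector2", "google", "default")

def lookup(name):
    """Stand-in for a DNS TXT query: returns the record string or None."""
    return RECORDS.get(name.lower())

def parse_tags(record):
    """Parse 'k=v; k2=v2' into a dict with lowercased keys; tolerates stray spaces."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record):
    """Return findings; an empty list means the record meets the p=reject bar."""
    if record is None:
        return ["no DMARC record published"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'} (expected reject)")
    if tags.get("sp", policy).lower() != "reject":
        findings.append(f"subdomain policy sp={tags.get('sp', policy)} (expected reject)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} enforces the policy on only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address, so authentication failures are never reported")
    return findings

def assess_spf(record):
    """Return findings; +all and more than 10 DNS-querying terms are fatal."""
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record does not begin with v=spf1")
    if any(t.lower() in ("+all", "all") for t in terms):
        findings.append("+all lets any host send as this domain")
    # RFC 7208 caps DNS-querying terms at 10; exceeding it yields permerror at receivers.
    stripped = [t.lower().lstrip("+-~?") for t in terms]
    lookups = sum(1 for t in stripped if t in ("a", "mx", "ptr")
                  or t.startswith(("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceeds the limit of 10")
    return findings

def assess_dkim(domain):
    """Return findings; passes if any probed selector publishes a non-empty p= key."""
    for sel in CANDIDATE_SELECTORS:
        rec = lookup(f"{sel}._domainkey.{domain}")
        if rec and parse_tags(rec).get("p"):
            return []
    return ["no DKIM key found for probed selectors (confirm selectors with the client)"]

def assess_domain(domain):
    """Aggregate the three checks; 'ready' is True only when all are clean."""
    result = {
        "dmarc": assess_dmarc(lookup(f"_dmarc.{domain}")),
        "spf": assess_spf(lookup(domain)),
        "dkim": assess_dkim(domain),
    }
    result["ready"] = not any(result[k] for k in ("dmarc", "spf", "dkim"))
    return result
```

Calling assess_domain("weak.example") reports p=none, the +all mechanism and the missing DKIM key, while assess_domain("strong.example") comes back ready; the findings list maps directly onto the evidence a submission should carry.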
7. Network Segmentation
Segmentation limits lateral movement—if an attacker compromises one system, they can't immediately move through your entire network.
CNA is increasingly asking:
- Do you segment your network (separate VLANs, firewalls, or more sophisticated microsegmentation)?
- Are critical systems isolated from general user workstations?
- Do you isolate payment card data (PCI DSS requirements) from other systems?
This is often a lower-priority item than MFA or EDR, but for mid-market clients, CNA will expect at least basic segmentation: a firewall separating the internal network from the internet, and segregation of payment processing systems.
8. Vendor and MSP Accountability
One of CNA's most underestimated underwriting points is the concept of outsourced IT and cloud liability. Here's what many business owners get wrong: outsourcing IT does not equal outsourcing liability.
CNA explicitly warns that business owners remain liable for data stored in the cloud or managed by third parties. This means:
- Cloud contracts matter: If your client uses Microsoft 365, Salesforce, AWS, or other cloud services to store sensitive data, those contracts need careful review. Who's responsible if there's a breach? What data can the provider access?
- MSP relationships belong in your submission: If a managed service provider handles servers, backups, endpoints, or security tools, CNA will want to understand the relationship, what controls the MSP provides, and where the client still owns the risk
- Liability questions to prepare for: CNA will ask whether data is stored on-premise or in the cloud, who manages it, and whether the client has contractual indemnification from their vendors
This is a critical part of your pre-submission discovery. Many brokers miss it because they assume "we have an MSP" automatically means the client is protected. It doesn't. Your job is to clarify the handoff points and ensure the client has contractual backup if something goes wrong.
9. Incident Response Planning
CNA wants to know you have a plan before an incident occurs.
Minimum expectations:
- A documented incident response plan (not just a conversation)
- Defined roles and responsibilities (who's the incident commander? Who handles communications?)
- A list of contacts for critical external parties (law enforcement, forensics firm, notification counsel, insurance broker)
- A communication plan (how will you notify customers, regulators, media?)
CyberPrep advantage: CNA's CyberPrep service includes tabletop exercises and incident response planning. If your client is on CyberPrep, CNA will give credit for the structured planning—it's one of the reasons CyberPrep is such a valuable differentiator in renewals.
Ransomware Supplement Simplification Note: CNA created a shortened version of its ransomware supplement specifically for businesses with less than $100 million in annual revenue. This simplified supplement still tests ransomware readiness (backup architecture, recovery capability, privileged access controls), but with fewer questions. The goal is to maintain underwriting rigor while making the quote process more practical for SMBs—a clear signal that CNA takes ransomware risk seriously across all size segments, not just enterprise.
Epack 3 vs. NetProtect: The Application Questionnaire Difference
Epack 3 applications are typically 20-40 questions covering the core controls above. You might complete it in 1-2 hours with a cooperative client.
NetProtect applications are often 50+ questions, with industry-specific supplements and questionnaires that dig deeper into specific risk areas. A complex NetProtect application might take 4-8 hours across multiple conversations with the client's security team, IT leadership, and executive management.
Broker pro tip: For Epack 3, you can usually pre-fill much of the application based on basic discovery calls. For NetProtect, expect multiple rounds of underwriting requests and be prepared to explain or remediate gaps.
The Ransomware Supplement: Understanding CNA's Focused Questionnaire
In the last 5 years, as ransomware frequency exploded, CNA developed a focused supplemental questionnaire specifically targeting ransomware resilience. This supplement is sometimes included in the main application for certain risk profiles, and sometimes sent as a follow-up.
What the Ransomware Supplement Covers
Backup Architecture (Detailed)
- Frequency of backups
- Backup location and immutability
- Frequency of tested restoration (this is asked multiple times with different angles)
- Whether backups are accessible from compromised systems
- Whether backup credentials are stored separately from production credentials
Privilege Escalation Controls
- Documented privilege escalation procedures
- Who can request elevated access?
- How is elevated access approved and logged?
- Are service accounts used for human tasks?
Detection and Response Capability
- Do you have EDR or equivalent endpoint visibility?
- Do you have network monitoring/SIEM?
- What's your response procedure if ransomware is detected?
Offline Security Controls
- Are any systems completely air-gapped?
- Is there a recovery environment that doesn't depend on production systems?
Why CNA Created This Supplement
Ransomware attacks follow a predictable playbook: attacker gains initial access → moves through the network → reaches backups → encrypts production and backups simultaneously. By asking very specifically about backup architecture and privilege controls, CNA can assess whether a client can actually recover from ransomware or will be paying the ransom.
Translation for brokers: If your client can't answer the ransomware supplement with confidence, it's a signal they need remediation before submission. The good news is that most ransomware supplement issues are fixable with a 60-90 day remediation plan.
CyberPrep Services: CNA's Secret Weapon for Renewals
Here's what makes CNA different from most carriers: they bundle proactive security services with their policy through CyberPrep.
What's Included in CyberPrep
Pre-Breach Services:
- Risk assessments: Annual cybersecurity risk assessments to identify vulnerabilities
- Tabletop exercises: Facilitated incident response simulations (usually 2-3 hours, quarterly or semi-annual)
- Security awareness training: Phishing simulations, security awareness modules
- Vulnerability scanning: Periodic scanning of internet-facing systems
- Policy templates: Incident response, data breach response, and security policies
Post-Breach Services:
- Breach coaches: 24/7 access to incident response counsel
- Forensics support: CNA covers forensics firm fees up to policy limits
- Legal counsel: Access to breach response attorneys
- Credit monitoring: Provided to affected individuals
Why CyberPrep Changes the Conversation
On renewal, CNA will ask: "What CyberPrep services did you use this year?" If your client can report that they ran tabletop exercises, completed vulnerability scans, and updated their incident response plan with CNA support, that's a material improvement in their risk profile. CNA will often provide better terms or lower pricing because they know the client is operationally improving.
Broker strategy: When pitching CNA Epack 3, emphasize the CyberPrep value. Many brokers see it as "free training"—in reality, it's CNA investing in your client's security posture so they can justify better pricing at renewal.
Common Mistakes in CNA Cyber Applications (and How to Avoid Them)
Mistake #1: Overstating Security Controls
This is the most common error. A client claims "we have EDR" because they bought EDR licenses three years ago, but they haven't actually deployed it to most of their systems. CNA will discover this during underwriting review or, worse, during a claim investigation when they realize the client doesn't have endpoint visibility for forensics.
Fix: Before submitting, audit your client's actual installed software. Don't claim a control unless it's actively deployed and monitored.
Mistake #2: Confusing Compliance Requirements with Security Controls
A client says "we're PCI DSS compliant," which means they follow payment card standards. But CNA doesn't automatically consider PCI DSS compliance as proof of strong cybersecurity. Yes, PCI DSS requires MFA, encryption, and network segmentation, but CNA will want to know your client's specific configurations, not just "we meet PCI."
Fix: Translate compliance into security controls. "We're PCI DSS Level 1 compliant, which requires MFA for all access, encryption of data in transit and at rest, quarterly penetration testing, and weekly vulnerability scanning."
Mistake #3: Assuming Smaller Clients Get Easier Questions
This is backwards. Smaller clients often get simpler applications, but the underwriting standards don't change. A $10M revenue company that lacks EDR and has weak MFA will get the same scrutiny as a $100M company with the same profile. CNA will either ask for remediation or decline.
Fix: Don't assume your small-client base can bypass security fundamentals. Prep them the same way.
Mistake #4: Waiting Until Submission to Discover Gaps
A broker submits an application without verifying the client's controls first, and underwriting comes back requesting detailed evidence of MFA, backup testing, and EDR. Now the broker has to go back to the client, explain the gaps, and request documentation. This delays approval by 2-3 weeks.
Fix: Use a pre-submission questionnaire or readiness assessment tool (like BindLedger's Readiness Check) to identify gaps before submitting to CNA. Give your client time to remediate or gather evidence.
Pre-Submission Broker Checklist
Use this checklist 1-2 weeks before submitting to CNA:
Eligibility & Basic Info
- Confirm client has been in business for at least 2 years
- Verify revenue and ensure it aligns with Epack 3 or NetProtect eligibility
- Confirm industry type (some industries may have special underwriting or be declined)
- Ensure client is actively operating (not dormant or acquired)
Security Controls
- Document MFA: which systems have it? What % of users are enforced? Any exceptions?
- Document EDR: is it deployed? What % of endpoints? Who monitors it?
- Document backups: frequency, location, immutability, testing schedule
- Document PAM: do they have a credential vault? Session recording?
- Document patching: what's the cycle for internet-facing systems?
- Document email security: filtering vendor, DMARC/DKIM/SPF status
- Document segmentation: how is the network divided?
- Document incident response: do they have a written plan?
- Document vendor relationships: MSP/cloud provider names, scope of services, data handled, contractual liability terms
- Verify cloud contracts: Review agreements with SaaS providers for data security, liability, breach notification obligations
Documentation & Evidence
- Gather policy documents (security policies, data breach response plan, incident response plan)
- Gather evidence of control implementation (screenshots of MFA settings, EDR console status, backup logs)
- Gather evidence of testing (last backup restoration test, last tabletop exercise, last vulnerability scan)
- Prepare remediation plans for any gaps (timeline, responsible party, expected completion date)
CyberPrep Opportunity
- Ask about past CyberPrep participation
- Determine if CyberPrep tabletop or assessment is coming up
- Use CyberPrep services as a post-approval onboarding step
Where BindLedger Fits Into Your CNA Workflow
CNA's application is detailed, and correctly answering it requires both broker expertise and client transparency. That's where BindLedger can help.
The Readiness Check Tool
Before submitting to CNA, run your client through BindLedger's Readiness Check. It's a 15-minute questionnaire that assesses your client against the same criteria CNA uses: MFA, EDR, backups, patching, incident response, and more. You'll get a score and a clear list of gaps, which you can then remediate or address proactively in your CNA submission.
Benefit: Avoid the "submit and hope" approach. Know where your client stands before CNA reviews them.
The Carrier Decoder Tool
Once you have CNA's application in hand, use BindLedger's Carrier Decoder tool to parse the application and organize it by control area. The tool helps you:
- Identify which questions map to which security controls
- Flag questions that require documentation
- Generate a remediation roadmap
- Track which controls are strong and which need work
Benefit: Stop juggling PDFs and spreadsheets. Have a clear, organized view of what CNA is asking and what your client needs to deliver.
Cross-Carrier Context
If you're shopping multiple carriers, here's how CNA compares:
- CNA Epack 3 vs. Beazley: Both mid-market focused, but Beazley tends to be more flexible on backup architecture if you have EDR. See our Beazley guide for details.
- CNA Epack 3 vs. Chubb: Chubb is often easier to place on the controls side (more lenient on EDR timeline), but CNA offers better pricing if controls are strong. See our Chubb guide for comparison.
- CNA NetProtect vs. AIG CyberEdge: For enterprise deals, both are sophisticated, but CNA's CyberPrep services give them an edge in renewal pricing. See our AIG guide for NetProtect-sized deals.
Frequently Asked Questions
Q: Can a client be approved if they don't have EDR?
A: Yes, depending on size and other controls. For Epack 3 clients under $100M revenue, CNA prefers EDR but may approve if you have strong compensating controls: network monitoring, incident response planning, and robust MFA. For clients $100M+, EDR is increasingly required. If EDR is missing, propose a remediation timeline: "We'll implement Falcon endpoint within 60 days" is a credible commitment CNA will usually accept.
Q: What if the client's backup testing records are spotty?
A: Document what exists and commit to improving. "We've tested restoration quarterly for the past 18 months; here are 4 test results. Going forward, we'll document every test." CNA wants evidence of good practice and a path to better practice. If backups have never been tested, that's a serious issue—expect underwriting requests for evidence of testing before final approval.
Q: Does CNA care about industry-specific standards like HIPAA or PCI?
A: Yes. If your client is HIPAA-covered or PCI-DSS-compliant, provide a summary of how those standards inform their security posture. CNA will cross-reference their application answers against industry benchmarks. A HIPAA-covered entity should have better encryption, access controls, and audit logging than a non-regulated client of similar size.
Q: How long does CNA underwriting typically take?
A: For a clean Epack 3 submission with strong controls, 5-10 business days. For a submission with gaps or remediation conditions, 2-4 weeks. NetProtect submissions with supplements can take 4-6 weeks. Delays happen when CNA requests documentation and the client takes time to respond.
Bottom Line
CNA's cyber underwriting is rigorous, but it's rigorous for good reasons. They're pricing based on actual risk reduction, not wishful thinking. If your client can demonstrate strong fundamentals in MFA, EDR, backups, and incident response, CNA will approve and price competitively. If your client has gaps, CNA will either ask for remediation or decline.
Your job as a broker is to:
- Assess your client's actual security posture before submission
- Identify gaps early and work with them on remediation
- Present a clear, evidence-based application that tells CNA exactly what controls are in place
- Propose credible remediation timelines for any shortfalls
- Leverage CyberPrep to strengthen renewals and operational security
Do that, and CNA becomes a reliable, sophisticated partner in your cyber insurance placements. Cut corners, and you'll get endless underwriting requests—or a decline.