Does remote access to your network and email require Multi-Factor Authentication (MFA)? If an employee's login credentials are stolen, can the thief still get in? With MFA, stolen credentials alone aren't enough — a second step (phone code, app, token) is required.

Are your backups protected by MFA, kept offline, or stored in immutable (unchangeable) storage? If ransomware locks up your live systems, can the attacker also reach and destroy your backups? If yes, you have no real way to recover without paying.

Do you have endpoint protection (EDR or advanced anti-malware) on laptops, desktops and servers? Basic antivirus catches known viruses; EDR watches for suspicious behaviour and can stop an attack while it's happening — not after.

Do you have enterprise email security in place (sandbox, gateway or filtering)? Does something inspect links and attachments before they land in an inbox? Most breaches start with a single click on a phishing email.

Could a breach require you to notify more than 500,000 individuals? This is about how much customer or employee data you hold, not how secure you are. More records held means greater potential exposure if a breach occurs.

Does your business comply with relevant privacy laws (e.g. Malaysia's PDPA) in every jurisdiction you operate in? Non-compliance can mean regulatory fines stacked on top of breach costs — and insurers price that risk into your premium.

Do you conduct annual security awareness training with your staff?

Do you maintain a patch management strategy to ensure timely updates for all applications and operating systems?

Does the company have a cyber incident response process in the event of a cyber attack?

Does the company hold any of the following security certifications: ISO 27001, NIST, PCI DSS, SOC 2?

Do you perform security assessments on your key third-party suppliers?

What does the business to be insured actually do?