
The questionnaire arrived. Now what.

Cyber insurer questionnaires used to be a two-page form that nobody really read. They're not any more. The questions are specific, the insurer reads the answers, and an 'oversold' yes on MFA or patching is the kind of thing that surfaces after a claim is declined. For an Australian law firm, that is not the hill you want the PI policy to die on.

What this usually looks like

What an honest answer to the questionnaire actually looks like.

The questions that trip most firms up are not the obvious ones. MFA is usually present on email; it is often absent on the practice-management platform, the document store, the remote-access layer, and the payroll portal. Patching windows are informal. Backups exist but have never been restored. Staff offboarding takes weeks and leaves active licences. The incident-response plan is whatever the insurer's hotline says to do.

A firm that ticks all those boxes because 'close enough' and then has a conveyancing fraud or a ransomware incident hands the insurer an easy reason to decline. The right answer is not to overstate. It is to give a defensible answer and a plan for the gaps, which the insurer will usually respect and price accordingly.

The work underneath has two shapes. One, tighten the controls the questionnaire is asking about so the answers move from 'sort of' to 'yes, with evidence'. Two, write the incident-response plan your firm will actually follow, not the generic one that came with a vendor's PDF.

Where we'd start

What we'd do between now and the submission date.

  1. Step 01

    Walk through the questionnaire with you

    We sit with the partner or managing partner running the renewal and go through the questions one by one. Some are ours to answer (the technical controls), some are yours (incident-response decisions, data-handling policy). We do the session in an afternoon and leave you with a marked-up answer sheet plus a gap list.

  2. Step 02

    Close the gaps that are quick, flag the rest

    MFA coverage across every critical system, not just email. Phish-resistant MFA where the insurer asks for it. Patch cadence documented with evidence. Offboarding tightened. Backup tested, with a restore log. Most of this is done in weeks, not months, for a mid-sized firm. What cannot be done by the renewal date gets a dated plan the insurer will accept.

  3. Step 03

    Stand up the incident-response plan you will actually follow

    Written for the size of your firm, with your people's names in it, and rehearsed. If a conveyancing fraud hits at 4pm on a Friday, the first hour matters. The plan that helps is the one your practice manager already knows, not the one you signed off two years ago and filed.

CCP's security floor

Every CCP client is covered by the Client Security Baseline.

The CSBO is our contractual security floor. MFA on everything that matters. Application control. Vulnerability management. Backups restored, not just scheduled. Account offboarding the same day someone leaves. Password management staff will adopt. Annual awareness training.

If you won't do the basics, we'd rather decline than take responsibility for an incident you chose to ignore.

  • Multi-factor authentication

    Phish-resistant MFA on everything that matters.

  • Application control

    Allowlisted applications. Nothing else runs.

  • Vulnerability management

    Known vulnerabilities remediated inside thirty days.

  • Tested backups

    Backups that have actually been restored, not just scheduled.

  • Same-day offboarding

    Account access cut the day someone leaves the business.

  • Password management

    A password manager your staff will actually use.

  • Awareness training

    Annual cybersecurity training. No one opts out.

  • The full baseline

    Eleven controls in total. Seven shown here. See what's included in Managed IT Complete.

Track record

Twenty years in. A hundred-plus clients. The numbers are load-bearing.


4.8 average · 46 reviews on Google

“The new investors are making us offshore IT. It sucks. You guys were perfect. I don't want to change.”
Paraphrased. A client forced to leave after an acquisition.

Our clients measure their tenure with us in years, not renewals. When they do have to leave (almost always because they've been acquired), they're sad about it. That's the metric that matters.

“Night and day working with CCP. They came in from day one, spent the time to ensure everything was set up and secure properly, and now everything just works. Due to the success we've had with them, we further engaged them to manage our phone systems and website. If you work with CCP you will never have to worry about your IT systems again.”
Trent Martin Google review

“We have been using CCP since the early 2000s and have always had great service on our 20-plus PCs and server. We recently moved to a managed service and cannot rate the experience highly enough. Well done Lee and team.”
Kelvin Mansfield Flexi Google review

“We have been continually impressed with CCP over the several years we have used them. They are extremely efficient, excellent customer service and well priced. I would recommend Lee and his team.”
ProcessWorx HR consulting, Perth Google review

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
