Cyber Insurance Application Security Awareness Section: A Walkthrough

The security awareness section of a cyber insurance application is short - typically a single subsection with seven to twelve questions - but it does heavy lifting on the underwriting score. The questions look straightforward, but each one has an "obvious answer" that misses meaningful credit and a "complete answer" that captures it. This post walks through the section question by question, in the order it typically appears on major carrier applications, with guidance on what to write and what evidence to have ready when the underwriter asks for verification.

The questions below are paraphrased from common application forms across major U.S. carriers; specific wording differs by carrier and year. Your broker will have the live questionnaire - use this guide to think through your answers before you sit down to fill it in.

Question 1: Do you provide security awareness training to all personnel?

Obvious answer: "Yes."

Complete answer: "Yes - annual structured training plus continuous monthly phishing simulations. All personnel including executives, contractors with system access and finance staff are in scope."

What underwriters infer: A bare "yes" suggests minimum effort. An answer that names the cadence, names the channel mix and explicitly names executives in scope reads as a governed program rather than a checkbox. The single most common scoring negative on this question is excluding executives from simulations.

Question 2: How frequently is security awareness training conducted?

Obvious answer: "Annually."

Complete answer: "Annual structured training, supplemented by monthly phishing simulations and just-in-time remediation training assigned automatically when a user fails a simulation."

What underwriters infer: "Annually" with no supplement is functionally treated as no continuous program in 2026 underwriting. The threat landscape moves faster than an annual cadence can address, and carriers know it. A monthly or quarterly simulation cadence is what earns credit.

Question 3: Do you conduct simulated phishing exercises?

Obvious answer: "Yes."

Complete answer: "Yes - monthly campaigns covering five attack categories (credential harvest, malware delivery, BEC, link-based info theft and account spoof) at three difficulty levels (easy, regular, hard). The program also includes SMS phishing (smishing) and voice phishing (vishing) campaigns at least quarterly."

What underwriters infer: Multi-channel coverage is now an expected attribute of strong programs. Application forms increasingly ask about smishing and vishing by name - naming them proactively in the freeform answer signals program maturity. AI-generated phishing simulations are a related credit signal.

Question 4: What was your average phishing simulation click-through rate over the past 12 months?

Obvious answer: A single number.

Complete answer: A number plus a trend. "Average 11% over the trailing 12 months, trending down from 24% twelve months prior."

What underwriters infer: A flat low number can read as easy templates and selective reporting. A higher number trending sharply down reads as a working program. If your trend is flat or up, answer honestly and explain what changed (added harder templates, expanded scope, included new acquired employees).

Question 5: What percentage of users who fail simulations complete remediation training?

Obvious answer: "We assign remediation."

Complete answer: "94% of users who clicked completed remediation training within 7 days. Assignment is automated - when a user clicks a simulated phish, the platform assigns targeted remediation training immediately, with reminder emails until completion."

What underwriters infer: Manual remediation processes do not earn the same credit as automated ones. The number alone doesn't tell the story; the automated flow does.

Question 6: Are executives, IT staff and contractors included in your phishing program?

Obvious answer: "Yes."

Complete answer: "Yes. Executives receive higher-difficulty templates appropriate to their role (BEC and whaling-tier scenarios). IT staff receive technical lures (MFA-bypass, credential-harvest pages mimicking SSO). Contractors with system access are in scope on the same cadence as employees."

What underwriters infer: Carve-outs are scored negatively because executive and IT accounts are the highest-loss targets. Naming the differentiated treatment for high-risk roles signals the program is risk-tiered, not uniform.

Question 7: Do you have a written security awareness policy approved by management?

Obvious answer: "Yes."

Complete answer: "Yes. Policy version 4.2, approved by [executive title or risk committee] on [date]. Reviewed annually; last review [date]."

What underwriters infer: A specific version and date are verifiable; "yes" alone is not. Policies that have not been reviewed in three years draw follow-up questions.

Question 8: How are phishing program results reported to leadership?

Obvious answer: "Quarterly to the CISO."

Complete answer: "Monthly internal dashboards available to security leadership; quarterly written report to the executive risk committee covering campaigns run, click and report rates, training completion and material findings; annual board update with program metrics."

What underwriters infer: Programs that report only inside IT are scored lower. Reporting to a risk committee or board signals governance maturity and is one of the cheaper program upgrades that materially improves underwriting position.

Question 9: Have you experienced a phishing-related security incident in the past 24 months?

Obvious answer: Tempting to minimize. Don't.

Complete answer: Honest disclosure of any in-scope incident, with a description of remediation steps taken. "One BEC attempt in [month/year]; vendor wire instructions changed via spoofed email; finance team identified before funds released. Remediation included [list - e.g., dual-control wire authorization, vendor verification protocol, targeted training for finance team, increased simulation cadence for that group]."

What underwriters infer: Carriers don't expect zero incidents - they expect honest disclosure and evidence the organization learned from incidents. Misrepresentation is the single fastest way to put coverage at risk post-claim. A disclosed incident with strong remediation often scores better than a clean answer that conceals a known event.

Question 10: Are users provided with a means to report suspected phishing?

Obvious answer: "Yes."

Complete answer: "Yes - one-click reporting via Outlook add-in for Microsoft 365 users; mobile app for SMS-based reporting. Average time-from-receipt to user-report is approximately 4 minutes. Reported emails feed into the SOC triage workflow."

What underwriters infer: Fast reporting compresses incident detection time, which directly affects 24/72-hour notification windows under regulatory regimes like GDPR and NIS2. The faster the workforce reports, the smaller the potential loss.

Question 11: Do you measure user susceptibility over time?

Obvious answer: "We track click rates."

Complete answer: "Yes. Per-campaign click rate trended over rolling 12-month and 24-month periods. Repeat-offender tracking identifies users who fail multiple simulations within 90 days; those users receive intensified, role-specific training and additional follow-up. Susceptibility is reported by department to identify concentrated risk areas."

What underwriters infer: Programs that surface repeat-offender data are visibly more mature than programs that only report aggregate click rate. Naming the department-level breakdown signals the program is actually used to direct intervention.
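As an added illustration (not code from the original post or from Bait & Phish), the following Python computes the figures Questions 4, 5 and 11 ask for from a campaign log: the trailing-12-month click rate beside the prior 12 months, remediation completion within 7 days, repeat offenders with two or more clicks inside 90 days, and click rate by department. The log rows and their field layout are constructed assumptions; a real platform export needs its own parser.

```python
from collections import defaultdict
from datetime import date, timedelta
# Constructed sample log (not real data): (campaign date, user, department, clicked?, remediation completed date or None)
LOG = [
    (date(2024, 3, 10), "ann", "finance", True,  date(2024, 3, 12)),
    (date(2024, 3, 10), "bob", "eng",     True,  date(2024, 3, 25)),
    (date(2024, 3, 10), "cat", "eng",     False, None),
    (date(2025, 4, 10), "ann", "finance", True,  date(2025, 4, 13)),
    (date(2025, 4, 10), "bob", "eng",     True,  date(2025, 4, 11)),
    (date(2025, 4, 10), "cat", "eng",     False, None),
    (date(2025, 6, 10), "ann", "finance", False, None),
    (date(2025, 6, 10), "bob", "eng",     True,  None),
    (date(2025, 6, 10), "cat", "eng",     False, None),
]

def click_rate(rows, start, end):
    """Share of recipients who clicked in campaigns dated within [start, end)."""
    hits = [r for r in rows if start <= r[0] < end]
    return sum(r[3] for r in hits) / len(hits) if hits else 0.0

def trend(rows, as_of, window=timedelta(days=365)):
    """Question 4: trailing-window click rate beside the prior window's, in percent."""
    recent = click_rate(rows, as_of - window, as_of)
    prior = click_rate(rows, as_of - 2 * window, as_of - window)
    return round(100 * recent, 1), round(100 * prior, 1)

def remediation_completion(rows, days=7):
    """Question 5: percent of clickers who finished remediation within `days`."""
    clicked = [r for r in rows if r[3]]
    done = [r for r in clicked if r[4] and (r[4] - r[0]).days <= days]
    return round(100 * len(done) / len(clicked), 1) if clicked else 0.0

def repeat_offenders(rows, window_days=90, min_fails=2):
    """Question 11: users with >= min_fails clicks inside any window_days span."""
    fails = defaultdict(list)
    for d, user, _, clicked, _ in sorted(rows, key=lambda r: r[0]):
        if clicked:
            fails[user].append(d)
    return sorted(u for u, ds in fails.items()
                  if any((ds[i + min_fails - 1] - ds[i]).days <= window_days
                         for i in range(len(ds) - min_fails + 1)))

def rate_by_department(rows):
    """Question 11: click rate per department, to locate concentrated risk."""
    total, hit = defaultdict(int), defaultdict(int)
    for _, _, dept, clicked, _ in rows:
        total[dept] += 1
        hit[dept] += clicked
    return {d: round(100 * hit[d] / total[d], 1) for d in total}
```

Run against a real export, the same numbers should appear verbatim in the application and in the supporting package; the pre-submission checklist below depends on that match.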

Question 12: How is your program adapting to AI-generated phishing?

Obvious answer: "Our platform handles it."

Complete answer: "Yes. The simulation library includes AI-generated lures alongside traditional templates, so personnel see content of the same caliber attackers are now producing with large-language-model tooling. Multi-channel coverage extends to AI-generated SMS phishing and voice (vishing) scenarios reflecting current threat-actor tactics."

What underwriters infer: The 2026 application increasingly asks about AI threats explicitly. A program that has AI-generated content in its template library is meaningfully more credible than one that only references "traditional phishing." This question wasn't on 2023 forms; it is on most 2026 forms.

Pre-submission checklist

Before your broker submits, verify:

  • Each "yes" is supported by exportable evidence - campaign log, training records, policy, reporting samples.
  • Numbers in the application match numbers in the supporting export. Mismatched numbers are the fastest way to draw scrutiny.
  • Frequency claims in the application match the actual campaign log dates.
  • Policy version and date in the application match the policy document.
  • Any disclosed incident has matching internal documentation and remediation evidence.

The submission package

Beyond the application form itself, brokers submit a supporting package. The phishing-program portion should include the eight-artifact set covered in our companion guide on documenting phishing training for cyber insurance audits: 12-month campaign log, click-through rate trend, training completion data, remediation flow evidence, coverage statement, multi-channel sample, written policy and reporting sample.

Where Bait & Phish helps

Bait & Phish was designed around the questions cyber insurance applications actually ask. Five template intent categories crossed with three difficulty levels, automated remediation training assignment, multi-language delivery and SMS phishing and voice phishing campaigns alongside traditional email - and a single-PDF export that tracks the application's section structure. Customers regularly pull a fresh export 30 days before renewal and hand it to their broker as the supporting package.

If your renewal is approaching and you don't have an existing program, the free trial covers up to 25 users and produces a sample submission-ready report after a single campaign. Pricing for production deployments is on the pricing page; for a renewal-prep walk-through with your broker, start at contact. The companion guides on what cyber insurers ask about phishing training and how the phishing training discount works cover the underwriting math behind these questions.

This post is informational and does not constitute insurance advice. Application questions and scoring vary by carrier, year and risk profile; consult your broker for guidance on your specific application.