The composite question list seen across Lloyd's specialty cyber and Tech E&O submissions in 2025–2026, with what counts as a defensible answer to each.
The questions below appear in some form across the cyber and Tech E&O submissions we've reviewed with beta users in the last six months. Specialty brokers report similar question sets at Beazley, CFC, Hiscox, Tokio Marine Kiln, MS Amlin, and AXA XL. Phrasing varies; the substance is similar.
Submission asks: "Provide a list of AI / autonomous-agent systems in production, including business purpose and the data they process."
Defensible answer: a written inventory listing each system, its intended purpose under Article 13(2), the data classes it processes, the human-review threshold, the named owner, and whether it is in scope of the EU AI Act high-risk regime.
Not defensible: "we have several internal AI tools."
Submission asks: "How are AI / agent actions logged? Provide a sample log record."
Defensible answer: a written description of the capture mechanism (typically: an SDK at the agent runtime layer), the storage architecture, the retention period, and a sample receipt with sensitive data redacted.
Not defensible: "agent activity is logged via our standard application logging."
Submission asks: "How is the integrity of those logs assured?"
Defensible answer: hash-chained or Merkle-tree integrity, with independent verifiability described. Optional notarisation explained.
Not defensible: "logs are stored in our SIEM and protected by access controls."
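To make the logging and integrity answers concrete, the following is an added example, not code from any carrier, broker or product named on this page: a minimal hash-chained receipt log with an independent verifier. The field names, the genesis value, the agent and action names, and the externally held head hash are all assumptions for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first receipt

def digest(body):
    # Canonical JSON so an independent verifier hashes identical bytes.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_receipt(chain, agent, action, payload):
    """Append a receipt; the payload itself is not stored, only its SHA-256."""
    body = {
        "seq": len(chain),
        "agent": agent,
        "action": action,
        "payload_sha256": hashlib.sha256(payload.encode()).hexdigest(),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append(dict(body, hash=digest(body)))
    return chain[-1]

def verify_chain(chain, expected_head=None):
    """Recompute every link; return findings (an empty list means verified)."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i:
            findings.append(f"record {i}: sequence gap or reorder")
        if rec.get("prev_hash") != prev:
            findings.append(f"record {i}: link to previous record broken")
        if digest(body) != rec.get("hash"):
            findings.append(f"record {i}: content altered after write")
        prev = rec.get("hash")
    # Truncating the tail leaves a valid chain, so compare the head with a
    # copy held outside the log store (assumption: a notary or the auditor).
    if expected_head is not None and prev != expected_head:
        findings.append("head hash differs from externally held value")
    return findings

def build_sample():
    """Three constructed receipts; agent names and actions are made up."""
    chain = []
    append_receipt(chain, "claims-triage", "classify_document", "policy 123, J. Doe")
    append_receipt(chain, "claims-triage", "draft_reply", "Dear J. Doe ...")
    append_receipt(chain, "claims-triage", "send_email", "to: j.doe@example.com")
    return chain

if __name__ == "__main__":
    log = build_sample()
    print(json.dumps(log[0], indent=2))  # sample receipt, payload not stored
    print(verify_chain(log, expected_head=log[-1]["hash"]))
```

A chain with its last records removed still verifies on its own, which is why the verifier also accepts a head hash held outside the log store.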
Submission asks: "What is your retention period for AI log data?"
Defensible answer: per-data-class retention with stated legal basis for each. At minimum 6 months for AI Act-relevant logs; typically 7 years for FCA-regulated firms.
Submission asks: "Have you experienced any AI-related incident in the last 24 months? If yes, describe response and resolution."
Defensible answer: honest disclosure, with timeline, response actions taken, and current mitigation. Carriers expect that you have had incidents — what they're testing is whether you handled them maturely.
Submission asks: "What is your AI governance framework? Provide written policy, named owners, review cadence."
Defensible answer: a written AI policy approved at board level, named accountable officer (typically CISO or Head of Compliance), quarterly review cadence, last-reviewed date.
Submission asks: "Are you in scope of the EU AI Act? If yes, what is your readiness position for the August 2026 deadline?"
Defensible answer: explicit position on scope. If in scope, stated readiness milestones, current status against the Article 12 requirements, named workstream owner, target completion date.
From conversations with specialty cyber brokers, the qualitative shift between "loading at the top of the range" and "loading at the bottom" tracks closely with: