ACORD 855 (Cyber Supplement)

An extended ACORD supplemental form for detailed cyber risk assessment beyond the standard ACORD 163.

What It Is

The ACORD 855 is an extended cyber risk supplement that provides more granular detail than the ACORD 163. It delves deeper into the applicant's technology infrastructure, including network architecture diagrams, endpoint protection specifics, incident response testing frequency, and third-party security audit results.

This form is typically required by carriers for larger accounts, those with significant data exposure, or industries with heightened cyber risk such as healthcare, financial services, and technology companies.

The ACORD 855 also includes sections on business continuity planning, regulatory compliance posture (HIPAA, PCI-DSS, SOX), and cyber insurance claims history with detailed descriptions of any incidents.

Why It Matters for Brokers

As cyber insurance rates have increased and underwriting has tightened, carriers require more detailed risk information for medium and large accounts. The ACORD 855 enables brokers to present a comprehensive cyber risk profile that can differentiate their client from competitors in a tight market. Brokers who can effectively translate a client's cybersecurity posture into the ACORD 855 format help secure broader coverage and more competitive pricing.

Real-World Example

A mid-size financial services firm with $50M in revenue and 200 employees applies for a $5M cyber policy. The carrier requires the ACORD 855 in addition to the ACORD 163. The broker works with the client's CISO to document their zero-trust architecture, quarterly penetration testing, SOC 2 Type II certification, and a tabletop incident response exercise conducted within the last 12 months. The detailed supplement results in a 15% premium reduction compared to the initial indication.

Common Mistakes

  1. Submitting the ACORD 855 without input from the client's IT security team, resulting in inaccurate technical details.
  2. Confusing compliance certifications (SOC 2 vs. ISO 27001) or overstating their scope on the form.
  3. Failing to disclose prior incidents that did not result in a claim but are still reportable under the carrier's application questions.

How brokerageaudit.com Handles This

Submission Intake provides a guided workflow for the ACORD 855 that translates technical cybersecurity questions into plain language. The platform maintains a library of common IT security configurations to help brokers accurately describe their client's controls.
