Cyber Insurance Requirements: Security Testing & Penetration Testing
Cyber insurance is becoming a critical part of risk management. But most policies impose strict requirements, including regular penetration testing. Here's what insurers actually require and why.
Why Cyber Insurance Matters
A major breach is catastrophic. The average cost of a data breach is $4.4 million, a loss most companies can't absorb. Cyber insurance covers:
- Incident response and forensics
- Breach notification and credit monitoring
- Regulatory fines and penalties
- Business interruption losses
- Extortion/ransom negotiation (though paying ransom may violate federal law)
- Legal defense and settlements
Without cyber insurance, a breach can mean bankruptcy. With insurance, it's a managed risk.
The Problem: Cyber Insurance is Getting Expensive (And Hard to Get)
Premiums have skyrocketed. A policy that cost $5,000 in 2020 might cost $25,000+ in 2026. Insurers are increasingly denying claims or refusing to renew policies.
Why? Because breaches are happening more frequently and costing insurers more money. Insurers are getting selective about who they cover. If you want insurance—or if you want affordable insurance—you need to prove you're a low-risk client.
Penetration testing is one of the primary ways you prove that.
Common Cyber Insurance Requirements
Multi-Factor Authentication (MFA)
Nearly all insurers now require MFA on:
- All remote access (VPN, RDP, Citrix)
- Email accounts, especially administrative accounts
- Cloud services (Microsoft 365, AWS, Salesforce, etc.)
- Administrative and privileged accounts
Some insurers specify hardware tokens (FIDO2) for the highest level of assurance; others accept authenticator apps. Check your policy for specifics.
Patch Management
You must have a documented process for:
- Tracking all systems and software
- Identifying applicable security patches
- Testing patches before deployment
- Deploying critical patches within 30 days
- Documenting the process
Insurers will deny claims if a breach resulted from an unpatched vulnerability that had a patch available for 60+ days.
Penetration Testing
Many policies require penetration testing. Common requirements:
- Annual external penetration testing (some require more frequently)
- Internal testing every 2-3 years
- Web application testing if you have customer-facing apps
- Must be conducted by a qualified third party (not an internal team)
- Must be documented, with a remediation plan for the findings
Vulnerability Scanning
Regular automated vulnerability scanning:
- Monthly or quarterly scanning
- Documented tracking of results
- Remediation plans for identified vulnerabilities
- Some insurers require proof of remediation
Security Awareness Training
Documented employee security training:
- Annual security awareness training for all staff
- Additional training for high-risk roles
- Some insurers require documented testing (simulated phishing)
- Documentation of who completed training
Incident Response Plan
Written, documented, and tested plan for:
- Detecting security incidents
- Investigating and containing incidents
- Notifying affected parties and regulators
- Recovering systems
- Roles and responsibilities
- Communication procedures
Some insurers require that you conduct tabletop exercises (simulations) at least annually.
Data Management and Encryption
Specific requirements for protecting sensitive data:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of sensitive data at rest
- Access controls limiting who can access sensitive data
- Regular access reviews to ensure proper privileges
Firewall and Network Security
Network-level protections:
- Documented firewall policies
- Regular firewall rule reviews
- Network monitoring and logging
- Intrusion detection or prevention systems
Backup and Recovery
Critical for ransomware scenarios:
- Regular backups (daily minimum)
- Offline/air-gapped backups that attackers cannot access
- Tested recovery procedures (not just backup existence)
- Documentation of backup strategy
How Insurers Verify Compliance
Pre-Policy Application
Before issuing a policy, insurers will ask detailed questions about your security controls. They may require:
- Security questionnaire with detailed technical questions
- Evidence of MFA implementation
- Copies of security policies
- Recent penetration test reports (usually within 12 months)
- Evidence of incident response planning
Honest answers matter. If you later discover you misrepresented your security controls and have a breach, insurers may deny your claim.
Annual Renewal
When renewing your policy, insurers often require updated evidence:
- New penetration test or summary of findings and remediation
- Updated security questionnaire
- Documentation of compliance with previous year's requirements
Post-Breach Investigations
If you have a breach and make a claim:
- Insurers will conduct thorough investigations
- They'll review whether you met policy requirements
- If you failed to implement required controls and that enabled the breach, they may deny your claim or reduce coverage
The Penetration Testing Requirement in Detail
Penetration testing is a key requirement and a way to demonstrate security maturity. Insurers use pen tests to:
- Validate that external defenses work: Testing targets internet-facing systems and the first line of defense
- Assess realistic attack scenarios: Tests simulate how actual attackers operate
- Demonstrate management commitment: Running pen tests shows you take security seriously
- Identify gaps before claims: Finding vulnerabilities via testing is cheaper than paying a claim
What Insurers Look For in a Pen Test Report
- Reputable tester: Conducted by established security firm or qualified individual (OSCP, CEH, or similar certification)
- Clear methodology: Uses industry-standard methodologies (NIST, OWASP)
- Comprehensive scope: Tests external network, web applications, and ideally internal systems
- Detailed findings: Clear description of vulnerabilities, how they were exploited, and business impact
- Risk ratings: Appropriate severity ratings for findings
- Remediation plan: Organization's documented plan to address findings with timelines
- Follow-up: Evidence that critical findings were remediated
Cost Implications
Annual external penetration testing costs $3,000-$10,000+, depending on scope. But this is far cheaper than:
- Higher insurance premiums for companies without testing (often 30-50% more)
- Being denied coverage altogether
- A breach that costs millions to respond to
Penetration testing is essentially required if you want insurance at a reasonable price.
Insurance Requirements Vary By Policy
There's no single standard. Different insurers have different requirements:
Small Business Policies
Entry-level policies may have minimal requirements (basic MFA, password policy, employee training). They're cheaper but cover less.
Mid-Market Policies
Typically require:
- Annual external penetration testing
- MFA on all critical systems
- Incident response plan
- Regular patch management
Enterprise Policies
Most stringent requirements:
- Annual external + internal penetration testing
- Quarterly vulnerability scanning
- Security operations center (SOC) or 24/7 monitoring
- Formal security governance and board oversight
- Regular risk assessments
Industry-Specific Policies
Healthcare, financial services, and critical infrastructure face additional requirements driven by the regulations and frameworks they are subject to (HIPAA, PCI DSS, NIST, etc.).
Getting Insurance: A Roadmap
Step 1: Assess Your Current State
Before applying for insurance, honestly assess your security:
- Do you have MFA implemented?
- Are systems being patched regularly?
- Do you have vulnerability scanning in place?
- Have you had a penetration test in the last 12 months?
- Do you have an incident response plan?
Step 2: Conduct a Penetration Test
If you don't have a recent pen test, conduct one. This is often a requirement for initial coverage.
Step 3: Fix Critical Findings
Remediate findings, especially critical and high-risk items, before applying for insurance.
Step 4: Document Everything
Gather documentation of:
- Security policies and procedures
- Evidence of MFA, patch management, training
- Penetration test reports and remediation status
- Incident response plan
Step 5: Work With an Insurance Broker
An insurance broker familiar with cyber insurance can help you:
- Find insurers that match your risk profile
- Understand specific requirements
- Prepare accurate policy applications
- Negotiate better rates based on your security posture
Step 6: Apply and Maintain Compliance
Apply with honest, documented answers. Once covered, maintain compliance with policy requirements year-round.
The Business Case: Why Invest in Security Now
Investing in penetration testing and security improvements might seem expensive. But consider:
- Insurance cost difference: A company with annual pen testing might pay $15,000/year for insurance. Without it, the same company might pay $25,000+/year or be denied coverage entirely
- Breach prevention: Penetration testing finds and helps fix vulnerabilities before attackers discover them
- Competitive advantage: Strong security posture can be a selling point to customers and partners
- Risk reduction: If you do have a breach, meeting insurance requirements means your claim won't be denied
Penetration testing and related security investments are no longer optional for businesses that want insurance—they're a cost of doing business.
Get Insurance-Ready Security
Sheepdog Cyber Defense can help you prepare for cyber insurance with penetration testing and security assessments that meet insurer requirements.