Does Your Cyber Insurance Require a Penetration Test?
If you are filling out a cyber insurance application or renewal and it is asking about penetration testing, you are not alone, and you probably have one question: does my cyber insurance require a penetration test, or is this just another box? This one is for Arizona business owners and office managers staring at an insurance questionnaire trying to figure out what actually counts. Here is the straight answer, what carriers are really looking for, and what it costs to get one done right.
The short answer: it depends on your carrier, and it is trending toward yes
There is no single rule every insurer follows. What we see on most applications and renewal questionnaires is some version of the same question: do you perform penetration testing at least once a year, or after a major change to your systems?
For a smaller policy, that box might be optional. For higher coverage limits, and especially for solid ransomware coverage, a recent penetration test is often the difference between getting the terms you want and getting a smaller policy at a higher price. If you cannot produce a recent, dated report, that is usually a red flag to the underwriter (Insureon has a good plain-language overview of why).
So even when it is technically optional, having one in hand makes the whole renewal smoother.
Why carriers ask for it
Insurers are not asking to make your life hard. They are pricing risk. A penetration test shows them you are actively looking for the gaps an attacker would use and fixing them, instead of hoping for the best. The inability to show a recent test is one of the common reasons coverage gets reduced or denied.
It is worth remembering what actually causes most claims. The exciting zero-day stuff makes headlines, but most breaches still come down to ordinary things: a reused password, a click on the wrong email, a server that missed a patch. Verizon’s annual Data Breach Investigations Report consistently finds a human element in a large share of breaches. A test that a person actually runs, not just a tool, is how you catch those before someone else does.
A real test, not just a scan
Here is the part that trips people up. A lot of cheap “penetration tests” are really just an automated scan with a logo on the report. Insurers have caught on, and many now specifically ask for manual, human-led testing.
The difference matters:
| | Automated scan | Penetration test |
|---|---|---|
| What it is | A tool checks for known issues | A person tests the way an attacker would, by hand |
| What it catches | The obvious, published stuff | The chain of small problems that actually gets someone in |
| Satisfies most insurers | Often not on its own | Yes, this is what carriers ask for |
A scan is a useful input, not the finished product. And one more thing worth saying plainly: having a VPN or a remote-access portal reachable from the internet is not a finding by itself. Those are supposed to be reachable. A real test checks whether they are patched, configured correctly, and behind multi-factor authentication, which is exactly the kind of thing a scanner alone will not tell you.
Every engagement we run includes both the automated pass and real hands-on external testing, so the report holds up when your broker looks at it.
What carriers actually want to see in the report
When the underwriter or your broker asks for the report, a good one:
- Is recent and dated
- States clearly what was tested (the scope)
- Ranks each finding by how exploitable it actually is, not just severity in theory
- Includes a remediation plan you can hand to your IT person
- Ideally shows a retest confirming you fixed what was found
That last one matters more than people expect. Every test we do includes the retest, because you should not have to pay twice to prove the fix worked. If you are testing specifically for a policy, our cyber-insurance readiness engagement is built around exactly what carriers ask for.
The rest of the questionnaire
While we are here, the penetration test is rarely the only thing on the form. Most cyber insurance applications also ask about:
- Multi-factor authentication on email and remote access
- Endpoint protection (the software that watches the computers for signs of an attack)
- Backups that are tested, not just running
- Email filtering
- How quickly you patch
If some of those are not in place, the test will usually surface it and your broker will ask about it anyway. Better to get ahead of it than to find out during a claim.
What it costs
For most Arizona small and mid-sized businesses, an insurance-driven test is either our Small External or Medium Full engagement. Our pricing is public and starts at $4,000, so you do not have to sit through a sales call just to learn the number. What moves the price is mostly the size of your network and whether testing from inside the network is in scope. You can see the full pricing and what is included in each tier.
Frequently asked questions
Does a vulnerability scan count as a penetration test for insurance?
Usually not on its own. A scan is automated and finds known issues, while carriers increasingly ask for manual, human-led testing. A scan is a useful starting point, but most insurers want the real thing.
How often does cyber insurance want a penetration test?
Most applications ask whether you test at least once a year and after any major change to your systems. The exact requirement varies by carrier, so check your specific policy or ask your broker.
Will a penetration test lower my premium?
It can help you qualify for better terms and, just as importantly, avoid a denial or a reduced policy. It is not a guaranteed discount. The bigger value is usually getting the coverage you actually want.
What if the test finds problems right before my renewal?
That is normal and completely fine. You get a prioritized fix list, you close the serious items first, and the included retest confirms they are fixed. Finding them now is far better than having a claim denied later.
So, does your cyber insurance require a penetration test?
Increasingly, yes, especially for good ransomware coverage, and even when it is technically optional, having a recent report makes the renewal smoother and often cheaper. The key is getting a real test, the kind an insurer accepts, with a clear report and a retest to back it up.
Not sure which test your policy needs? Tell us a little about your business and what your insurer is asking for, and we will come back with a fair, fixed quote. Request a quote.