Posted by scarlett admin, on

It’s that time of year again. Your organization’s cyber insurance contract is coming up for renewal. Year over year, you notice that the premiums have been steadily increasing. Tired of dealing with these annual increases, your organization opts to shop around for a more competitive offering. The team submits inquiries to a wide range of new insurance agencies, all promising better rates than the last.

Shockingly, policy after policy declines even to quote your organization unless sweeping changes are made. With nowhere left to turn, you renew your current policy at an ever-increasing premium. What happened? Why was your organization turned away before it could even get a quote from these other agencies? Why does it seem like the list of questions and requirements just to maintain a policy is growing every year?

We are often asked to clarify the confusing world of cyber insurance for our clients. While our team at The Scarlett Group does not directly offer cyber insurance, many of our clients use these services to protect themselves in the event of an incident. What may come as a surprise to many are the rigid requirements, questionnaires, and testing that come hand-in-hand with applying for cyber insurance policies.

Cyber insurance is one of the newer realms of insurance, covering a wide range of potentially damaging scenarios surrounding an organization’s IT infrastructure. Our team has always emphasized the importance of assessing and auditing an organization’s IT and cybersecurity posture on a yearly basis. Insurance agencies have taken this concept and adapted it into a limited review of their own, running basic scans and questionnaires against policy holders (usually on an annual basis). These reviews can alter rates, limit coverage, or even deny a policy renewal.

This post covers the top 10 reasons that we see clients, prospects, and organizations get rejected from cyber insurance policy coverage.

Lackluster Disaster Recovery and Business Continuity Planning

- Insurance providers want a return on their investment. When reviewing a policy, agencies want to see that your organization has the administrative, technical, and physical capabilities to recover the network in a disaster.

- Disaster recovery is more than just backups. Work with experienced professionals to properly scope a business continuity plan. In addition to helping you qualify for a cyber policy, it will help ensure that your organization can survive an incident.

Inadequate Account Security Policies – Multi-Factor Authentication

- Missing multi-factor authentication is one of the single biggest reasons that organizations find themselves rejected from a cyber insurance policy.

- Account security is a core focus area for many providers due to the massive threat posed by a successful account compromise.

Lack of Cybersecurity Awareness

- Employee awareness training is a key factor in proper cybersecurity maintenance. Users are one of the most vulnerable aspects of an organization’s security.

- Cybersecurity awareness training is more than placeholder videos and articles. It usually involves detailed training sessions, quizzes, and even simulated phishing emails to train users on the signs of an attack.

Poor Cybersecurity Hygiene

- Insurer questionnaires are designed to determine overall cyber hygiene. Many organizations have one-off controls and security policies but fail to maintain a cohesive cyber plan.

- Managed cybersecurity means that you have a team dedicated to covering the organization’s security posture. Usually, you can tell whether your cybersecurity is “managed” by looking for team members in your organization with cybersecurity in their title.

Insufficient Endpoint Security

- Let’s face facts: most organizations have anti-virus software. Insurance agencies see these tools fail time and time again, and they have the data showing what really works.

- Endpoint Detection and Response (EDR) tools are the “new and improved” anti-virus, combining several aspects of different security tools to cover a wide range of prevention and detection techniques. These tools usually cover many of the requirements for a cyber policy.

High-Risk Industry

- Unfortunately, certain industries are at an increased risk of attack due to their data, risk profile, and cybersecurity trends.

- If your industry or domain is at an increased risk relative to others, expect the possibility of more stringent requirements.

Exposed Network Ports

- As part of a technical evaluation, agencies will often scan a network to determine whether there are exposed network ports that could pose a risk.

- Proper firewall configuration is key to passing these scans and protecting the environment.

Vulnerable Services

- Servers and the application services that reside on them are a key target for attackers.

- Again, firewall configuration and patching are the key elements to passing this stage of the evaluation. Ensure that your organization follows a managed patching regimen, outsourcing if necessary.
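The two sections above describe the insurer's external scan and the firewall policy it is checked against. The following is an added example (not from the original post or The Scarlett Group) of the kind of pre-renewal self-check a practitioner can run: it parses nmap grepable (-oG) output from a scan of your own perimeter and flags every open port that the firewall policy does not approve. The scan text, the hosts, and the ALLOWED_EXPOSURE policy are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output; RFC 5737 documentation addresses.
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 203.0.113.10 (www.example.test)\tPorts: 443/open/tcp//https//nginx/, 22/open/tcp//ssh//OpenSSH 8.9/, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.11 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix/, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///
"""

# Hypothetical firewall policy: the only ports each host is approved to expose.
ALLOWED_EXPOSURE = {"203.0.113.10": {443}, "203.0.113.11": {25}}

# Services that should not be internet-facing at all; any hit is rated high.
HIGH_RISK_PORTS = {23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp"}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str  # "high" or "medium"

HOST_RE = re.compile(r"^Host: (\S+) .*?\tPorts: (.*)$")

def parse_grepable(text):
    """Return {host: {port: service}} for ports nmap reported as open."""
    open_ports = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        host, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) < 5 or fields[1] != "open":
                continue  # filtered/closed ports are not exposures
            open_ports.setdefault(host, {})[int(fields[0])] = fields[4]
    return open_ports

def evaluate(open_ports, allowed):
    """Flag every open port that the firewall policy does not approve."""
    findings = []
    for host, ports in open_ports.items():
        for port, service in sorted(ports.items()):
            if port in allowed.get(host, set()):
                continue
            severity = "high" if port in HIGH_RISK_PORTS else "medium"
            findings.append(Finding(host, port, service, severity))
    return findings

if __name__ == "__main__":
    for f in evaluate(parse_grepable(SAMPLE_SCAN), ALLOWED_EXPOSURE):
        print(f"{f.severity.upper():6} {f.host}:{f.port} ({f.service})")
```

Run it against the -oG output of a scan of your own public address space; anything it prints is either an undocumented exception to the firewall policy or a gap the insurer's scan will find first.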

OWASP Top 10 Threats

- This is not usually a formal reason for being denied a policy, but many of the attacks on the OWASP Top 10 are the types of threats that agencies are on the lookout for within potential clients.

- Check out our post on the OWASP Top 10 for more info.

Inadequate Incident Response

- Everyone will have a cybersecurity incident; this is just an unfortunate fact. When a company follows proper procedures for preparing for an incident, future attacks and their ensuing impact are greatly reduced.

- Proper incident response is a discipline in itself. Ensure that your organization has credentialed experts on standby for an incident. Incident response policies should be well defined and current.


Hopefully, this list helps your organization prepare for the next insurance renewal season. The complexity surrounding cyber insurance is exponentially increasing as attackers grow bolder. In a nutshell, insurance providers want to see that you are actively assessing your organization’s security, following proper cyber hygiene within your organization, and managing your cybersecurity.

Getting a third-party assessment prior to insurance applications can help ease concerns for all parties involved. If your organization is considering applying for cyber insurance or has been denied coverage, The Scarlett Group can help. Our credentialed auditors go above and beyond the basic questions asked by insurance providers to ensure that your organization is fully prepared.
