How Cyber Insurance Underwriting Works Now
Before 2020, cyber insurance underwriting was largely based on questionnaires: yes/no attestations about whether you had antivirus, MFA, backups, and incident response plans. Insurers took your word for it. The result was a market full of policies underwritten on incorrect information and claims that far exceeded premiums.
The market correction has been significant. Cyber insurance premiums increased dramatically, coverage terms tightened, and - most importantly - underwriters started running their own external security assessments before quoting. Companies like BitSight, SecurityScorecard, and CyCognito emerged specifically to serve the cyber insurance market's need for independent assessment data.
Today, when you apply for or renew cyber insurance, your insurer is likely already looking at your external attack surface before they receive your questionnaire response. What they find influences whether you get coverage, at what premium, and with what exclusions.
What Insurer Scanners Look For
The external scanning services used by cyber underwriters look for a specific set of high-risk indicators:
Open RDP (port 3389): Exposed Remote Desktop Protocol is one of the most reliable predictors of ransomware incidents. Insurers use its presence as a significant risk factor. If your organization has any RDP exposed to the public internet, your insurer knows, and it's likely affecting your premium.
Unpatched or end-of-life services: External-facing services running outdated software - web servers, VPN appliances, email gateways - are identifiable by their version fingerprints. Known CVEs against those versions are public. Insurers flag them.
Weak or missing MFA on external services: Some scanning approaches can infer, from the authentication headers they observe, whether your email infrastructure shows evidence of MFA enforcement. Microsoft 365 tenants with legacy authentication protocols enabled are a known risk indicator.
Domain and email security configuration: SPF, DKIM, and DMARC - the standards that prevent email spoofing - are published in DNS, so anyone can test them. Missing or weak DMARC policies tell both attackers and insurers that your domain can likely be spoofed for phishing attacks against your clients and employees.
SSL/TLS configuration: Outdated TLS versions (TLS 1.0/1.1), weak cipher suites, and expired or misconfigured certificates are all visible externally and scored negatively by insurers.
The Questionnaire Still Matters - But Differently
The questionnaire hasn't disappeared - it's become a complement to the external scan. Specifically, the questionnaire now asks about the internal controls that the external scan can't see: MFA on internal systems, endpoint protection coverage, backup frequency and testing, privileged access management, security awareness training, and incident response planning.
The shift is that insurers now correlate your questionnaire responses with what their scanner found. If you attest to strong patch management but their scanner finds an unpatched VPN appliance on your external attack surface, that discrepancy creates problems - both at underwriting and potentially at claims time.
The 10-20% Reduction Playbook
The organizations we've helped achieve premium reductions followed a consistent pattern:
Step 1: Scan yourself before your insurer does. Lavawall®'s domain vulnerability scanner runs the same type of external assessment that insurance scanners use. Run it against your domain before your renewal date and see what your insurer will see. Fix what you find before you get scored.
Step 2: Document your CIS Controls implementation. CIS IG1 (the 18 essential safeguards) is the baseline that most cyber insurers use as their minimum acceptable controls threshold. If you can provide documented evidence of CIS IG1 compliance - not just attestation, but actual logs and configuration data - many insurers will credit this in underwriting. Lavawall® GRC generates this documentation continuously.
Step 3: Address the four highest-impact items. If you do nothing else, closing four gaps will have the most impact on your premium: (1) eliminate exposed RDP, (2) enforce MFA on all email and remote access, (3) disable legacy authentication protocols in M365, and (4) implement DMARC with a reject policy (p=reject). Lavawall® monitors all four continuously and alerts when configurations drift.
Step 4: Generate documentation for the questionnaire. When your questionnaire asks about MFA coverage, produce the actual Lavawall® MFA compliance report - showing the percentage of accounts with MFA enforced and exceptions. When it asks about patch management, produce the patch compliance report. When it asks about backups, produce the backup log with last verified restore date. Documentation of controls is more valuable than attestation of controls.
Step 5: Engage your broker with evidence. Brokers can advocate for better rates when you give them something to work with. A Lavawall® security posture report that shows your CIS compliance score, your patch compliance rate, and your incident detection capability gives your broker a substantive case to make to underwriters beyond "our client says they're secure."
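Step 1 (scan yourself first) and Step 3 item (4) (DMARC with a reject policy) both come down to the email security records described under "What Insurer Scanners Look For". The Python below is an added example, not Lavawall's code: it rates SPF and DMARC TXT records the way an external scanner does, assumes you fetch the records yourself (for instance with dig) and pass them in as strings, and the sample records in it are constructed.

```python
# Added example (not Lavawall's code): rate SPF and DMARC TXT records the way an
# external insurer scanner does. Fetch yours with `dig +short TXT example.com` and
# `dig +short TXT _dmarc.example.com`; the records used below are constructed.
import re

# rating and finding keyed by the qualifier on the SPF 'all' mechanism
SPF_ALL = {"-": ("strong", "-all: unlisted senders hard-fail"),
           "~": ("moderate", "~all: unlisted senders only soft-fail"),
           "?": ("weak", "?all: neutral result, SPF gives no protection"),
           "+": ("weak", "+all: every sender passes, SPF is useless")}

def assess_spf(record):
    """Return (rating, finding) for an SPF TXT record string (None when no record exists)."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing", "no v=spf1 record: any host may claim to send for this domain"
    quals = re.findall(r"(?<!\S)([-~?+]?)all(?!\S)", record, re.I)  # 'all' as a whole term
    if not quals:
        return "weak", "no 'all' mechanism: unlisted senders evaluate as neutral"
    return SPF_ALL[quals[-1] or "+"]  # a bare 'all' is implicitly '+all'

def assess_dmarc(record):
    """Return (rating, findings) for a _dmarc TXT record string (None when no record exists)."""
    if not record:
        return "missing", ["no _dmarc record: spoofed mail is delivered and never reported"]
    tags = {k.strip().lower(): v.strip()
            for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["record does not begin with v=DMARC1"]
    policy, findings = tags.get("p", "none"), []
    rating = {"reject": "strong", "quarantine": "moderate"}.get(policy, "weak")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    if int(tags.get("pct", "100")) < 100:  # a partial rollout is not enforcement
        rating = "weak"
        findings.append(f"pct={tags['pct']}: only part of the failing mail is policed")
    if policy == "reject" and tags.get("sp", "reject") != "reject":  # sp defaults to p
        rating = "moderate"
        findings.append(f"sp={tags['sp']}: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so drift goes unnoticed")
    return rating, findings

if __name__ == "__main__":  # constructed sample records for two hypothetical domains
    for spf, dmarc in [("v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none"),
                       ("v=spf1 mx -all", "v=DMARC1; p=reject; pct=50; rua=mailto:d@partial.example")]:
        print(assess_spf(spf), assess_dmarc(dmarc))
```

Run it against your own records before renewal: anything rated below "strong" is a finding an insurer's scanner will also produce.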
The Insurance Market Is Rewarding Better Controls
The cyber insurance market has been volatile, but the direction of travel is clear: organizations with documented, continuous security controls are achieving better rates than those who can only provide self-attestation. The premium differential between a well-documented security program and an undocumented one continues to grow as underwriters get better at distinguishing the two.
The investment in documented controls - through Lavawall® or any equivalent continuous monitoring platform - increasingly pays for itself through insurance savings alone, before considering the breach risk reduction.
Lavawall® generates the insurance documentation your broker needs - MFA compliance rates, patch status reports, security posture scores, and backup logs. Deploy in days, use the reports at your next renewal.
Get a Cyber Insurance Readiness Assessment