Key Takeaways
- Cyber insurance policies increasingly treat penetration tests and vulnerability scans as two completely different things — and which one you need depends on your coverage limit and industry.
- Most policies over $1 million now require annual penetration testing as a formal condition of coverage, not just a recommendation.
- Insurers are already passively scanning your business using security ratings platforms — before you even apply for a policy.
- Over 40% of cyber insurance claims result in no payout, and failing to meet security requirements before an incident is a leading reason why.
- There is a critical difference between finding vulnerabilities and proving they are patched — and insurers want documented proof of both.
If you have been shopping for cyber insurance lately, you may have noticed the application getting longer and more technical every year. Insurers are not just asking whether you have antivirus software anymore. They want to know exactly how your business is protected and they want proof. That’s the real question underneath all of it: does cyber insurance require a pen test, or is a basic vulnerability scan enough? Most small business owners assume the two are roughly the same thing. They are not and the difference could determine whether your claim gets paid.
Most Policies Now Require More Than a Basic Scan
The cyber insurance market has changed dramatically over the past few years. Carriers got burned by a wave of ransomware claims and responded by tightening what they require from policyholders. A simple vulnerability scan used to be enough to check a box on the application. For many businesses today, that is no longer the case.
Annual penetration testing is now an explicit condition of coverage or renewal for many policies — particularly those with higher coverage limits. This is not a suggestion buried in fine print. It is a hard requirement that, if unmet, can give your insurer grounds to deny a claim entirely. For the full list of controls a formal review typically checks, see the 7 critical areas a small business security audit examines.
The shift reflects a broader change in how insurers think about risk. They have moved from trusting businesses to self-report their security posture to actively verifying it. That means the bar for getting — and keeping — good coverage has risen. Understanding what insurers actually want, and why, is the first step toward making sure your policy holds up when you need it most. Resources like our breakdown of the five cyber insurance policy exclusions that deny claims help small business owners cut through the technical noise and understand exactly what these requirements mean in plain language.
Two Very Different Things Insurers See
A Vulnerability Scan Finds Problems — It Cannot Prove They Are Exploitable
A vulnerability scan is an automated tool that checks your systems against a database of known weaknesses. It looks for outdated software, missing security patches, and misconfigured settings across your internet-facing systems. Think of it like a smoke detector — it tells you something might be wrong, but it does not tell you how bad the fire actually is.
From an insurer’s perspective, a vulnerability scan is considered baseline hygiene. It is expected, not impressive. The scan produces a list of potential problems, but it cannot tell you whether any of those problems could actually be used by an attacker to break into your system or cause real damage. That limitation is exactly why insurers do not treat it as proof of strong security.
A Pen Test Shows Exactly How an Attacker Would Break In
A penetration test — or pen test — is a completely different exercise. A real human security expert actively tries to break into your systems, the same way a criminal hacker would. They do not just flag vulnerabilities on a list. They attempt to exploit them, chain multiple weaknesses together, and see how far into your network they can get.
A pen test can reveal things an automated scan simply cannot. For example, a scan might flag an outdated web server. A pen tester might use that outdated server to bypass your login system, access internal files, and demonstrate a full path to your most sensitive data. That is the kind of real-world evidence that carries weight with insurers.
Insurers also generally require the pen test to be conducted by an independent third-party firm — separate from your existing IT provider or managed service provider. The goal is an unbiased assessment, not a team reviewing its own work. The core requirement is objectivity, which is why most carriers specify an external, credentialed firm rather than an internal team.
Insurers Treat Them as Completely Different Levels of Proof
Underwriters use vulnerability scans as a minimum standard for basic policies. Penetration tests are required when the stakes are higher — larger coverage amounts, more sensitive industries, or businesses that have experienced prior incidents. They represent a verified, higher level of security maturity that insurers are willing to back with larger payouts.
| Criteria | Vulnerability Scan | Penetration Test |
|---|---|---|
| What it is | Automated tool checking systems against a database of known weaknesses | A human security expert actively attempting to break in, the way a real attacker would |
| What it proves | A list of things that might be wrong | Proof of what an attacker could actually exploit and how far they could get |
| Who performs it | Automated tooling; no independence requirement | An independent third-party firm, separate from your existing IT provider or MSP |
| How insurers view it | Baseline hygiene — expected, not impressive | Verified, higher-level proof of security maturity |
| When it’s required | Accepted as the minimum standard for coverage under $1M, alongside MFA and a security questionnaire | Formal condition at $1M+ coverage (or as low as $500K for healthcare, financial services, legal, SaaS/fintech); near-universal at $5M+ |
When a Pen Test Becomes Mandatory
Policies Over $1 Million Almost Always Require One
The clearest trigger for mandatory penetration testing is the size of the policy limit you are applying for. For coverage below $1 million, most carriers will accept a combination of vulnerability scans, multi-factor authentication (MFA), and a security questionnaire. Cross the $1 million threshold, and annual manual penetration testing becomes a formal requirement for most commercial insurers. For policies of $5 million or more, it is essentially universal across all major underwriters.
The logic is straightforward: the more money an insurer is on the hook for, the more proof they need that your security controls actually work under pressure — not just on paper.

You’ve just read the thresholds — $1 million as the general trigger, as low as $500,000 for healthcare, financial, legal, and SaaS firms. But policy language varies by carrier, and “close to the line” is exactly where businesses get caught off guard. Enter your coverage limit and industry below to see where you likely stand.
Do You Need a Penetration Test?
Answer two questions. We’ll tell you what most carriers require for your coverage level — based on current underwriting standards.
This isn’t a substitute for reading your actual policy — carriers vary, and the only requirement that matters is the one written into your contract. But if the checker above told you a pen test is required or likely required, that’s your cue to confirm it with your broker before renewal, not after a claim gets denied.
Healthcare, Financial Services, and Legal Firms Face a Lower Threshold
If your business operates in a high-risk sector, the threshold drops significantly. Organizations in healthcare, financial services, legal, SaaS, and fintech often face mandatory annual penetration testing requirements at lower policy limits than the standard $1 million mark — sometimes as low as $500,000, though this varies by carrier and policy structure.
The reason comes down to the type of data these businesses handle. Medical records, financial account details, and confidential legal files are among the most valuable — and most targeted — types of data in existence. Even a small breach in these industries can trigger regulatory penalties, lawsuits, and significant remediation costs. Insurers price that risk accordingly, and they require stronger proof of security to match.
Insurers Are Already Watching Your Business
Security Ratings Platforms Score Your Business Like a Credit Report
Here is something many small business owners do not realize: insurance carriers are not waiting for you to submit an application before they start evaluating your security. They are already scanning your business using third-party security ratings platforms.
Companies like Bitsight and SecurityScorecard continuously monitor millions of businesses by scanning their internet-facing systems. Bitsight uses a scoring range from 250 to 900 — similar to a credit score — while SecurityScorecard uses an A-through-F letter grade. Insurers pull these scores during the quoting process and monitor them throughout your policy term. A declining score mid-policy can affect your renewal terms, your premiums, or your ability to get coverage at all.
Exposed Ports, Leaked Passwords, or Weak Email Settings Can Affect Your Coverage
These platforms look for specific, concrete signals — not vague impressions of your security. Some of the issues that can directly affect your insurance standing include:
- Exposed administrative ports like RDP or SSH left open to the internet — a finding that can lead to adverse underwriting decisions, including denial of coverage, until the issue is resolved
- Leaked employee passwords circulating on dark web marketplaces — an issue that insurers flag and that typically requires remediation, such as a credential reset, before or as a condition of coverage
- Missing or broken email authentication settings such as SPF, DKIM, or DMARC records — deficiencies that can affect coverage for social engineering and payment fraud incidents
- Active malware signals from your network communicating with known malicious servers — a serious indicator that can trigger policy review or other adverse underwriting actions
None of these require you to have been hacked. They are passive, outside-in assessments that give insurers a real-time view of your risk — whether you know they are looking or not.
How Unmet Security Mandates Can Void Your Claim
Insurers Require Specific Protections to Be Active Before an Incident — Not After
There is a legal concept built into most cyber insurance policies called a condition precedent. In plain English, it means: certain security measures must already be in place before something goes wrong — not scrambled into action after a breach occurs. If the required protections were not active at the time of the incident, the insurer is not obligated to pay.
This catches a lot of businesses off guard. They purchase coverage, assume they are protected, and do not realize that coverage is only valid as long as they maintain the specific security controls they attested to in their application. Letting those controls lapse — even briefly — can create a gap that voids the entire claim.
Known Vulnerability Exclusions: Leaving a Patch Unapplied Can Mean No Payout
One of the most commonly triggered exclusions in cyber insurance policies is the known vulnerability exclusion. This clause states that if a breach occurs through a vulnerability that was already identified and known — but not patched — the insurer can deny the claim.
Once a penetration test or vulnerability scan is completed, that report becomes a legal record of what was known. If those vulnerabilities are not fixed and a hacker later exploits one of them, the insurer’s position is clear: the business knew about the problem and chose not to fix it. That is not what insurance is designed to cover.
Over 40% of Claims Result in No Payout — Unmet Security Requirements Are a Leading Reason Why
The numbers here are sobering. More than 40% of cyber insurance claims result in no payout, and failing to maintain required security controls is one of the primary reasons. Among denied claims specifically tied to security failures, the absence of properly implemented multi-factor authentication (MFA) alone accounts for 82% of those denials.

The takeaway is that a cyber insurance policy is not a guarantee of payment — it is a contract with conditions. Meeting those conditions before an incident happens is the only way to ensure the coverage you are paying for actually works.
What Insurers Expect After a Test
Critical Vulnerabilities Left Unpatched Can Trigger Coverage Exclusions
Completing a penetration test is only half the job. What happens next — and how fast — matters just as much to insurers. Modern underwriting standards now include Mean Time to Patch (MTTP) requirements, which measure how quickly a business fixes vulnerabilities after they have been identified.
For critical vulnerabilities — particularly those with high severity scores or those actively being exploited in the wild — insurers generally expect rapid remediation, often within days rather than weeks. Threat intelligence shows that roughly 28% of vulnerabilities are weaponized within 24 hours of being publicly disclosed, which is why remediation windows are getting shorter, not longer. Leaving a critical vulnerability open for an extended period after it has been identified in a test significantly increases the risk of triggering a coverage exclusion if a breach occurs during that window.
Documented Proof of Remediation — Updated Reports or Written Attestations — Is What Insurers Look For
When renewing a policy or filing a claim, insurers do not just take your word for it that vulnerabilities have been fixed. They want documented evidence: a formal re-test report showing that previously identified issues have been resolved, or a written attestation confirming that specific remediation steps were completed.
This documentation serves two purposes. First, it protects your claim by proving due diligence — that your business took the test results seriously and acted on them. Second, it satisfies the warranty of truth requirement embedded in most policies, which obligates you to accurately represent your security posture not just at sign-up, but throughout the entire policy term. This is exactly the kind of ongoing documentation an MSSP is built to maintain continuously, rather than scrambling to assemble it after an incident. If a forensic investigation after a breach reveals that known vulnerabilities were left open, or that a warranted control was disabled, the insurer can deny the claim on grounds of material misrepresentation — and in some cases, cancel the policy entirely.
Get the Test Done Right — or the Coverage Will Not Hold
Cyber insurance is no longer a simple safety net you purchase and forget about. It is a contract that demands ongoing action — verified security controls, timely patching, independent testing, and documented proof that your defenses are real and working. For small businesses, that might sound overwhelming, but the core requirements are straightforward once you know what they are.
The businesses that run into trouble are not usually the ones with the worst security. They are the ones who did not understand what their policy actually required — and found out the hard way when a claim was denied. Whether you are applying for coverage for the first time, renewing an existing policy, or trying to understand why your application was flagged, getting clarity on these requirements early is far less costly than discovering gaps after an incident.
Here is a practical summary of what most insurers expect you to have in place:
- Multi-factor authentication (MFA) on all remote access and admin accounts — this is the single most-checked control in underwriting
- Endpoint detection and response (EDR) software actively monitoring your devices
- Annual penetration testing by an independent third-party firm — required at $1M+ coverage, and often at lower limits in healthcare, legal, and financial services
- Documented remediation of vulnerabilities identified in tests, with re-test reports to back it up
- Offline or immutable backups that cannot be encrypted by ransomware
- Clean email authentication settings — SPF, DKIM, and DMARC — to protect against phishing and payment fraud
Getting these fundamentals right will not just help with your insurance — it will meaningfully reduce the actual risk of a breach. The goal is not to pass a checklist. It is to build a business that is genuinely harder to attack, and a policy that will actually pay out if the worst happens.
For businesses that need to go further — full SOC 2 attestation for enterprise deals — see the compliance automation tools small businesses are actually using in 2026.
For the full cost breakdown of what an audit — pen test included — typically runs for a small business, see how much a small business security audit costs in 2026.
Our free cybersecurity health check helps small business owners understand and put in place exactly these kinds of protections — in plain language, without the need for a technical background or an IT team.



