Cyber Insurance Guide

Your underwriter is already scanning your domain. This is what they find.

Cyber insurance underwriters do not rely solely on your application answers. Before issuing a quote, most major carriers run automated scans on your public-facing domain to measure your actual security posture. This happens passively, without notice, and the findings directly influence your premium, your coverage terms, and whether a policy is offered at all.

How underwriters measure risk before writing your policy

A cyber insurance application asks you to describe your security practices. Underwriters and their vendors treat that as self-reported information, which means they verify it independently. Most major carriers and their third-party risk vendors scan your public domain at renewal time with passive automated tools to grade your external posture before issuing a quote.

This scan runs against your externally reachable infrastructure the same way an attacker's reconnaissance would. It catalogs what services are running, what certificates are installed, what email authentication records are published, and whether known vulnerability signatures are detectable. The results feed directly into the underwriter's risk model.

You are not notified when this scan runs. It does not require your cooperation or knowledge. In many cases the results inform your quote before you have finished your application.

Why this matters: If your application says "we maintain strong email security controls" but the automated scan finds no DMARC policy published on your domain, your application answer and your external footprint tell the underwriter two different things. The scan result carries more weight than the application answer every time.

What a passive perimeter scan finds in minutes

The scanning tools used by underwriters and security researchers check the same categories, with the same methodology, against the same public data sources. The findings are not exotic. They are the standard configuration failures present on thousands of small business and public-sector domains.

  • Expired or self-signed TLS certificates on public login pages and customer portals
  • Remote desktop (RDP) or remote management interfaces visible on the public internet
  • Missing DMARC records, or DMARC records published with a policy of "none," which provides zero enforcement and zero protection against spoofing
  • SPF records with a "+all" qualifier, which explicitly permits any IP address on the internet to send mail as your domain
  • Open administrative panels for content management systems, routers, or network equipment
  • Services running outdated software versions with publicly documented vulnerabilities
  • Staff email addresses appearing in public breach datasets, often paired with reused passwords

Each of these findings requires one lookup, one database query, or one port connection to identify. They take minutes to catalog and hours to remediate. The cost differential between fixing them before underwriting and explaining them after a quote returns is significant.
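As an added illustration (not the guide's own tooling), the following script grades the two email-authentication findings from the list above, a DMARC policy of "none" and an SPF record ending in "+all", against constructed TXT record strings for hypothetical domains. It performs no DNS lookups; the record strings and domain names are sample values.

```python
# Added example, not the guide's code: constructed SPF/DMARC TXT strings for
# hypothetical domains, graded the way a passive underwriting scan would grade them.
SAMPLE_RECORDS = {
    "weak-example.test": ("v=spf1 include:_spf.example.net +all",
                          "v=DMARC1; p=none; rua=mailto:dmarc@weak-example.test"),
    "strong-example.test": ("v=spf1 include:_spf.example.net -all",
                            "v=DMARC1; p=reject; rua=mailto:dmarc@strong-example.test"),
    "missing-example.test": (None, None),  # None = no record published
}

def assess_spf(record):
    """Return findings for one SPF TXT record; an empty list means no weakness."""
    if record is None:
        return ["SPF: no record published; receivers cannot reject forged senders"]
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record does not begin with v=spf1 and will be ignored"]
    # The last 'all' mechanism decides the fate of senders that match nothing else.
    all_terms = [t for t in record.split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["SPF: no 'all' mechanism; unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF: '+all' authorizes every IP address on the internet to send as you"]
    if qualifier == "?":
        return ["SPF: '?all' is neutral and gives receivers nothing to enforce"]
    return []

def assess_dmarc(record):
    """Return findings for one DMARC TXT record; an empty list means it enforces."""
    if record is None:
        return ["DMARC: no record published; spoofed mail is neither reported nor blocked"]
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1 and will be ignored"]
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid; the record is unenforceable")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you receive no aggregate reports")
    return findings
```

Run `assess_spf` and `assess_dmarc` over each entry in `SAMPLE_RECORDS` to see which of the three hypothetical domains would come back clean.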

How findings translate into premium outcomes

Not all findings produce the same outcome. Underwriters weight risk findings by severity and by how directly they correlate with known loss patterns. An open RDP port is weighted heavily because it is the initial access vector in a substantial percentage of ransomware claims. A missing or unenforced DMARC record is weighted heavily because Business Email Compromise is the leading cause of cyber insurance losses by total dollar amount, according to FBI cybercrime reporting.

The possible outcomes when a passive scan finds these issues during underwriting:

  • Premium surcharge. The policy is offered with an increased rate to price in the additional identified risk. You pay more for the same coverage terms.
  • Remediation required before binding. The underwriter will not issue the policy until a specific finding is documented as resolved. The clock is running on your renewal date while you coordinate the fix.
  • Coverage exclusion. The policy is issued but excludes losses arising from the identified vulnerability. An open RDP port may produce a ransomware exclusion on an otherwise comprehensive policy.
  • Declination. The underwriter determines that the current risk posture falls outside their acceptable parameters and declines to write the policy. You restart your market search with fewer options and a documented adverse finding on file.

What a documented external review does for your application

An external visibility review completed before your renewal window serves a specific purpose in the insurance context: it replaces the underwriter's passive scan as the primary source of truth for your external security posture. You control when the review runs and what it finds before the underwriter does their own check.

When you provide a third-party perimeter review that documents what was found, what was remediated, and what your current configuration looks like, you shift the conversation from reactive to proactive. Underwriters for policies above certain coverage limits frequently request this documentation as a condition of quoting.

More practically: if our review identifies open issues and your IT team resolves them before the underwriter runs their scan, the underwriter's scan finds a clean perimeter. The policy is priced against what exists, not what existed before you looked.

The renewal window matters. If an underwriter runs their passive scan during your application period and finds an open RDP port, that finding is in their file regardless of when you fix it. The right time to run an external review is before the renewal application is submitted, not after the quote comes back with a ransomware exclusion attached to it.