Cyber Insurance Questionnaires Are a Trap if Your Vulnerability Program Is Weak

What underwriters ask, what you need documented, and how to avoid saying yes with no proof—tying security posture to insurability.

The questionnaire arrives. “Do you have a formal vulnerability management program?” You click yes. “Do you perform regular vulnerability scans?” Yes. “Do you remediate critical vulnerabilities within 30 days?” Yes.

Six months later, after an incident, the underwriter sends the claims investigation team. They want documentation supporting those yes answers. That is when a lot of companies realize the gap between what they do and what they can prove they do.

Cyber insurance underwriting has changed substantially since 2020. The questionnaire that used to be a two-page checkbox exercise is now a detailed technical assessment. Tier 1 carriers routinely ask for evidence of control effectiveness, not just assertions of control existence. And in claims situations, unsubstantiated questionnaire answers are treated as misrepresentation — which, depending on your policy language, can void coverage for the specific loss or in extreme cases the entire policy.

This guide covers what modern underwriters are actually evaluating, what “proof” looks like for a vulnerability management program, and how to build an evidence package before your next renewal.

How underwriting has changed

Before 2021, the cyber insurance market was relatively soft. Underwriters were competing for premium, questionnaires were not deeply scrutinized, and coverage was broadly available. Then ransomware losses spiked dramatically — combined ratios across the market exceeded 70% in 2021 — and carriers reacted.

The result was a hard market correction: premiums increased 50–130% in 2022 depending on sector, exclusions were added for specific attack vectors (some carriers excluded ransomware for a period), and technical requirements tightened. MFA became a binary requirement. Patch management controls became scrutinized. And the era of questionnaire answers without supporting evidence started ending.

The market has since stabilized, but the stricter underwriting posture has not relaxed. Today, established carriers assess vulnerability management across several specific dimensions:

  • Scanning coverage and frequency: Do you scan external-facing assets, and how often? Do internal assets get scanned? The expectation is quarterly at minimum, monthly for environments with high change rates.
  • Critical and high remediation cadence: What is your average time to remediate critical vulnerabilities? 30 days is the standard expectation. 60+ days for critical findings without documented exception reasons is a rating factor.
  • MFA coverage: Do you enforce MFA for remote access, email, and privileged accounts? This is now binary — either you do or you do not. Partial MFA deployment with exceptions is scrutinized.
  • EDR and endpoint visibility: Do you have endpoint detection and response tools deployed across managed machines? Coverage rate matters — 95%+ is expected by most carriers.
  • Backup and recovery: Do you maintain offline or immutable backups? How long would recovery take after a ransomware event? This gets at your aggregate loss exposure.

What underwriters mean by “proof”

When underwriters ask for supporting documentation during renewal or claims, they are not looking for policy documents. They want evidence of operational execution. Here is what that looks like for vulnerability management specifically:

Scan cadence proof

Scan reports from the past 12 months with timestamps and asset coverage documentation. Not the report that shows findings — the report that shows which systems were scanned, when. This demonstrates the cadence was executed, not just planned.

Remediation throughput evidence

Data showing that critical and high findings were actively remediated — not just discovered and aged in a queue. Ticket history or a metrics export showing average days-to-close for critical findings, and the trend over time, is what underwriters increasingly want. They are evaluating whether your program actually reduces risk or just measures it.

Exception documentation

For any critical finding that was not remediated within your stated SLA, the supporting record showing why, what compensating controls were applied, who approved the exception, and when it expires. An exception log that is current and maintained is evidence of a managed program. An absence of exceptions, combined with known constraints (legacy systems, vendor dependencies), is evidence that exceptions are not being tracked — which is a program quality concern, not a virtue.

Risk reporting to leadership

Evidence that vulnerability status reaches senior management. Board or executive meeting records that reference security posture, a recurring security report distribution, or dashboard screenshots with a leadership audience. Underwriters want to see that security is not siloed — that someone with authority over resources knows what the residual risk picture looks like.


The evidence package to assemble before your next renewal

Most organizations start thinking about this two weeks before renewal, which is not enough time to reconstruct 12 months of evidence. Build the package as ongoing operational output so it is available on demand.

  • Scan history report: 12 months of scan execution records showing cadence, scope, and coverage. Should confirm that all in-scope systems were scanned at least quarterly.
  • Remediation metrics: Average days-to-close for critical and high findings by quarter. Trend data showing whether the backlog grew or shrank. Open critical count at the time of renewal.
  • Exception log: Current list of all open exceptions — finding, reason, compensating control, approval, expiration. Should be actively maintained, not reconstructed from memory.
  • MFA coverage attestation: Documentation of MFA enforcement across remote access, email, and privileged accounts, with coverage percentage and any systems where MFA is not yet deployed and the remediation timeline.
  • Incident response test evidence: Tabletop exercise records, simulation results, or IR plan review dates from the past 12 months.
  • Leadership reporting examples: Two or three examples of security status reporting distributed to or reviewed by executive leadership.

If you can hand your broker this package at renewal with current data, you are negotiating from a position of demonstrated control effectiveness rather than asserted capabilities. That translates directly to pricing leverage and faster underwriter response.

The mistake most teams make answering questionnaires

They answer about tools and processes, not about outcomes. “We run Qualys” or “we have a patch management policy” — these are tool and policy assertions, not control effectiveness evidence. Modern underwriters know the difference.

The shift is from describing what you do to showing what the results are. “In the past 12 months, we identified 347 critical and high findings. 312 were remediated within our 30-day SLA. 28 received formal exceptions with compensating controls. 7 remain open with an average age of 11 days.” That kind of answer, backed by exportable data, is what separates programs that get favorable renewal terms from programs that get rated up or trigger additional questionnaire rounds.

Your vulnerability program should generate this data continuously rather than have it assembled by hand at renewal time. If producing these numbers requires hours of spreadsheet work, the program infrastructure needs attention — not just for insurance purposes, but because it means you do not have operational visibility into your actual remediation performance.
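As an added illustration (not code from the article), the following Python turns a findings export into the outcome figures the answer above is built from: SLA compliance, late closures, open findings with and without exceptions, expired exceptions, and mean open age. The Finding fields, the 30-day SLA constant and the sample rows are constructed assumptions, not any particular scanner's export format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
SLA_DAYS = 30  # the 30-day critical/high remediation SLA the article uses
@dataclass
class Finding:                                # one row of a constructed findings export
    fid: str
    severity: str                             # "critical", "high", "medium", ...
    detected: date
    closed: Optional[date] = None             # None while the finding is still open
    exception_expires: Optional[date] = None  # set only when a formal exception was approved

def renewal_metrics(findings, as_of):
    """Bucket critical/high findings the way an underwriter reads them."""
    in_scope = [f for f in findings if f.severity in ("critical", "high")]
    m = {"total": len(in_scope), "closed_in_sla": 0, "closed_late": 0, "open_excepted": 0,
         "expired_exceptions": 0, "open_unexcepted_breach": 0, "open_within_sla": 0}
    ages = []
    for f in in_scope:
        if f.closed is not None:              # closed: was the SLA met or missed?
            m["closed_in_sla" if (f.closed - f.detected).days <= SLA_DAYS else "closed_late"] += 1
            continue
        ages.append(age := (as_of - f.detected).days)
        if f.exception_expires is not None:
            m["open_excepted"] += 1
            m["expired_exceptions"] += int(f.exception_expires < as_of)  # stale exception: log not maintained
        elif age > SLA_DAYS:                  # past SLA with no exception: what a claims team will probe
            m["open_unexcepted_breach"] += 1
        else:
            m["open_within_sla"] += 1
    m["avg_open_age_days"] = round(sum(ages) / len(ages), 1) if ages else 0.0
    m["sla_compliance_pct"] = round(100 * m["closed_in_sla"] / m["total"], 1) if m["total"] else 0.0
    return m

def questionnaire_answer(m):                  # outcome-based answer in the form the article recommends
    return (f"In the past 12 months we identified {m['total']} critical and high findings. {m['closed_in_sla']} were "
            f"remediated within our {SLA_DAYS}-day SLA, {m['closed_late']} closed late, {m['open_excepted']} are open "
            f"under formal exceptions ({m['expired_exceptions']} expired) and {m['open_unexcepted_breach']} are open "
            f"past SLA with no exception; open findings average {m['avg_open_age_days']} days old.")
AS_OF = date(2025, 6, 30)
SAMPLE = [  # constructed sample export, not real data
    Finding("F-1", "critical", date(2025, 5, 1), closed=date(2025, 5, 20)),            # closed in 19 days
    Finding("F-2", "high", date(2025, 4, 1), closed=date(2025, 5, 15)),                # closed in 44 days (late)
    Finding("F-3", "critical", date(2025, 3, 1), exception_expires=date(2025, 9, 1)),  # open, valid exception
    Finding("F-4", "high", date(2025, 1, 10), exception_expires=date(2025, 4, 1)),     # open, exception expired
    Finding("F-5", "critical", date(2025, 4, 15)),                                     # open 76 days, no exception
    Finding("F-6", "high", date(2025, 6, 20)),                                         # open 10 days, within SLA
    Finding("F-7", "medium", date(2025, 2, 1)),                                        # excluded: not critical/high
]
print(questionnaire_answer(renewal_metrics(SAMPLE, AS_OF)))
```

Run against a real ticket export, the "open past SLA with no exception" and "expired" counts are the two figures a claims investigator will ask about first, so they are worth tracking week to week rather than discovering at renewal.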
