Essex Junction, VT802-335-2662dkoran@davidkoran.com
David Koran& Associates
Cyber Insurance Readiness

Independent Cyber Insurance Audit and Readiness Assessment

Cybersecurity has to be established in the operation, not assumed from an application.

A cyber insurance audit determines whether the cybersecurity controls represented in an insurance application are actually implemented, operating, and supported by evidence. As an independent cyber insurance consultant, I assess the company's operating environment, identify the controls affecting underwriting, guide remediation, and provide a documented report for the business and its broker to return to the carrier.

For larger, multisite, manufacturing, financial, energy, maritime, or operationally complex organizations, the assessment normally includes an onsite review. Smaller cloud-based organizations may sometimes be assessed remotely when the available evidence and operating environment support that approach.

The Underwriting Problem

When the insurance application cannot be supported.

Cyber insurance applications increasingly ask for specific information about cybersecurity controls: whether multifactor authentication is enforced, how backups are protected and tested, whether endpoints run modern detection tooling, and who responds when something goes wrong. Carriers and their underwriters review those answers, and many also review external scan findings, before deciding whether to write or renew the account.

The difficulty is rarely dishonesty or unwillingness. The difficulty is that the business cannot determine whether its answers are fully supported:

  • Management does not know whether MFA covers all required users and systems.
  • The MSP says a control is active but has not provided evidence.
  • EDR is installed on some endpoints but not all of them.
  • Backups exist but restoration has never been tested.
  • Remote access has not been fully inventoried.
  • Administrator accounts are shared.
  • The written policy does not match daily operations.
  • External scan findings conflict with the application answers.
  • Multiple locations have inconsistent controls.
  • Operational technology or legacy systems were excluded from the original answer.
  • The underwriter has requested additional evidence.
  • The business has received a conditional quote, restricted coverage, or a remediation requirement.

None of this is a failure of the broker, the carrier, the MSP, or the client. It is an evidence problem and an operating-environment problem. The application asks whether a control is in place. The honest answer often depends on facts that no one in the transaction has independently examined. A cyber insurance readiness assessment exists to establish those facts.

Cyber insurance underwriting requirements

Underwriting requirements are not uniform. What a carrier asks for depends on the carrier itself, the industry, the revenue and headcount of the business, the limits requested, the sensitivity of the information involved, prior incidents, and the risk profile of the technology environment. Some carriers publish the controls they expect; others communicate requirements through the application, a supplemental questionnaire, or a deficiency notice after review. The constant across carriers is the direction of travel: application answers are increasingly expected to be supportable, and an underwriter may ask for the evidence behind them. A fuller discussion is in Cyber Insurance Requirements: What a Business Must Be Able to Prove.

Who the Engagement Serves

Two audiences, one shared problem.

The engagement is retained by the business being assessed, and it usually begins with a referral from a commercial insurance broker whose client has reached an underwriting obstacle. Both parties get something specific out of the work.

For Businesses

When the application, the renewal, or the deficiency notice is on your desk.

The engagement is appropriate when a company:

  • Is applying for cyber insurance
  • Is approaching renewal
  • Has been declined
  • Has received a conditional or limited quotation
  • Has been asked for additional evidence
  • Cannot confidently support technical application answers
  • Needs to remediate identified controls
  • Has several locations, operational technology, legacy systems, or an outsourced IT provider
For Commercial Insurance Brokers

Somewhere credible to refer a client when underwriting has stalled.

The broker remains responsible for the insurance relationship. I handle the cybersecurity assessment, the remediation roadmap, and the technical evidence. The service is intended to help the broker preserve the client relationship without making the broker responsible for evaluating technical cybersecurity controls.

  • I work constructively with the broker
  • I contract directly with the business being assessed unless another arrangement is established
  • I do not sell insurance and do not compete with the broker
  • I do not receive a percentage of the premium
  • I remain independent from technology-product sales

The work gives the broker a supportable technical record to return to underwriting. It does not promise that the broker will retain every account.

The Broker Referral Process

How the broker referral process works.

The engagement follows the same discipline as every assessment this practice performs: define the objective, examine the actual environment, distinguish what is supported from what is assumed, and give management a remediation plan it can execute against a deadline.

01 Underwriting Review

Review the carrier application, supplemental questionnaires, deficiency notice, scan findings, requested controls, renewal date, and other available correspondence.

Output: Defined assessment objective and evidence request.

02 Discovery and Scope

Interview leadership, the broker where appropriate, internal IT personnel, the MSP, and other responsible parties. Define the locations, systems, users, vendors, and operational dependencies involved.

Output: Assessment scope and onsite work plan.

03 Technical and Onsite Assessment

Examine the actual environment, configurations, systems, records, physical conditions, vendor arrangements, and working practices. Determine whether each relevant application answer or underwriting requirement is supported.

Output: Supported current-state findings.

04 Remediation Roadmap

Identify deficiencies, distinguish material underwriting blockers from broader improvement opportunities, and assign practical remediation priorities.

Output: Prioritized remediation plan with ownership and sequencing.

05 Remediation Support

Work with management, internal IT, or the existing MSP to clarify requirements, review proposed corrective actions, and keep the project aligned with the underwriting deadline.

Output: Documented corrective-action record.

06 Post-Remediation Control Validation and Final Report

Verify the completed remediation and issue an updated evidence-based report.

Output: Cyber Insurance Readiness Assessment and Control Validation Report for the client and authorized broker to provide to the carrier.

Scope and fees depend on the company's size, locations, technology, operational complexity, underwriting requirements, and deadline. The first conversation establishes all of that before any commitment is made.
Scope of Review

What a cyber insurance audit examines.

Different carriers ask different questions, and no two applications weigh the same controls identically. Carriers may consider controls such as multifactor authentication, endpoint detection and response, backups, incident response, access management, security training, encryption, remote-access security, and vulnerability management, and requirements vary by carrier, policy, organization, industry, limits, and risk profile. The application asks for answers; the audit looks for the evidence behind them. The assessment covers the areas underwriting questions most often reach:

  • Governance and cybersecurity responsibility
  • Asset inventory
  • Identity and access management
  • Multifactor authentication
  • Privileged and administrative accounts
  • Email security
  • Endpoint protection and endpoint detection and response
  • Remote access
  • Firewalls and exposed services
  • Network segmentation
  • Vulnerability and patch management
  • Backups, isolation, and restoration testing
  • Incident-response planning
  • Security awareness and phishing training
  • Logging and monitoring
  • Data classification and sensitive records
  • Encryption
  • Vendor and managed service provider access
  • Cloud and software-as-a-service environments
  • Business email compromise and funds-transfer procedures
  • Operational technology where applicable
  • Physical access to systems and infrastructure
  • Prior incidents and unresolved corrective actions
  • Documentation supporting insurance-application answers
The exact assessment scope is driven by the carrier's questions, the organization's risk, and the operating environment rather than by a generic checklist. An area the underwriter has not asked about, and that does not affect the account, does not need to consume the engagement.
Onsite Cyber Insurance Assessment

For a larger company, the decisive evidence is often inside the building.

A remote interview establishes what people believe is happening. An onsite assessment is often necessary to determine what is actually happening. Remote document review and technical interviews carry part of every engagement, but for larger and operationally complex organizations they are not always sufficient.

An onsite assessment can identify:

  • Undocumented systems and unmanaged devices
  • Shared workstations and shared credentials
  • Physical access weaknesses
  • Legacy equipment and operational technology
  • Vendor connections and remote support arrangements
  • Incomplete network segmentation
  • Backup systems that are not isolated as described
  • Differences between diagrams and actual connections
  • Controls that exist in policy but not in practice
  • Differences between management, MSP, and employee descriptions of the same control

Small, cloud-based businesses may sometimes be assessed remotely when the environment and the available evidence support that approach. The engagement model is risk-based rather than a rule that every assessment must be onsite. This is the same onsite discipline that runs through the rest of the practice, applied to the specific question an underwriter is asking.

The Role of the MSP

The MSP is part of the evidence, not automatically the problem.

Most businesses that reach underwriting review rely on an internal IT department, a managed service provider, or both. I work with whoever already runs the environment. The purpose of the assessment is not to displace the provider or create unnecessary conflict. The work determines:

  • What services the provider is responsible for
  • What controls are actually deployed
  • Where coverage or responsibility ends
  • What evidence is available
  • Which corrections require provider action
  • Which risks remain management responsibilities

Verbal assurances are useful starting points, and in many engagements the provider's statements turn out to be accurate. The final report nonetheless distinguishes what was stated from what was independently supported, because that distinction is exactly what the underwriting process is asking about.

The Final Report

The report separates verified controls from assumptions.

The deliverable is a Cyber Insurance Readiness Assessment and Control Validation Report: a documented, evidence-based record of the state of the relevant controls as of a defined date, written so that management, the authorized broker, and the carrier's underwriting reviewers can each use it for their own purpose.

What the report contains

  • Executive summary
  • Assessment purpose and scope
  • Locations and systems reviewed
  • Underwriting materials considered
  • Personnel interviewed
  • Evidence examined
  • Control-by-control findings
  • Original deficiencies
  • Remediation completed
  • Remaining exceptions
  • Residual risks
  • Prioritized recommendations
  • Evidence index
  • Management representations
  • Point-in-time limitations
  • Authorized-use statement

How findings are classified

  • Verified
  • Observed
  • Management-attested
  • Partially implemented
  • Not implemented
  • Not applicable
  • Unable to validate

The classifications matter because they are honest. A report that marks every control as verified would not survive scrutiny, and it would not serve the business, the broker, or the carrier. The report is a record of evidence, not a guarantee and not a universal certification.

Scope of the Deliverable

What the report does and does not do.

The report does

  • Provide independent technical findings
  • Document evidence available as of a defined date
  • Support the business's underwriting submission
  • Give the broker and carrier a clearer record
  • Identify remaining exceptions honestly
  • Help management prioritize corrective work

The report does not

  • Guarantee policy issuance
  • Guarantee a premium reduction
  • Eliminate cyber risk
  • Predict whether an incident will occur
  • Replace the carrier's underwriting process
  • Provide legal advice
  • Provide insurance coverage advice
  • Function as a carrier certification
  • Authorize this practice to act as an insurance producer
The carrier retains sole authority to issue coverage, establish premiums, set limits, impose exclusions, or decline the account. The report gives the account a supportable technical record. The underwriting decision belongs to the insurer.
Renewal

Cyber insurance renewal assessments.

Renewal is one of the most common reasons this engagement is retained. A business that answered last year's questionnaire without difficulty can face a harder one this year, because carriers periodically revise their questions, their required controls, and the evidence they expect behind an answer.

A renewal assessment follows the same structure as a new placement engagement, with two practical differences. First, the prior application and the prior policy provide a baseline, so the work can concentrate on what has changed: new locations, new systems, staff turnover, a new MSP, acquisitions, or controls that have drifted since the last submission. Second, the renewal date fixes the schedule, so scoping begins with the deadline and works backward. Businesses that start the review well ahead of renewal leave room to remediate; businesses that start late may need to document the current state honestly and present a remediation plan alongside it.

The output is the same evidence-based report, documenting the state of the relevant controls as of a defined date for the business and its authorized broker to include in the renewal submission.

Why David Koran & Associates

Independent findings, developed in your environment.

I am the founder of David Koran & Associates Inc., an independent cybersecurity advisory practice. My background is more than 30 years in information technology with a cybersecurity specialization dating to 2002, including work in operational, industrial, manufacturing, and other regulated environments where cybersecurity has to coexist with production. I hold the CyberAB Registered Practitioner Advanced credential, I am a Certified ISO 27001 Auditor, and I hold the Cisco CCCA.

The structure of the practice matters as much as the credentials for this kind of engagement. I am not a reseller and I do not sell software. I do not hold or pursue managed service contracts. I do not sell insurance. There is no product agenda behind a finding, which is what allows the report to function as an independent record when it reaches the broker and the carrier.

  • Independent advisory model with no software resale and no managed service contract agenda
  • No insurance-product sales
  • National onsite engagements; I travel to client sites across the United States
  • Evidence-based findings developed in the client's environment
  • Able to communicate with executives, technical personnel, brokers, and outside providers in the terms each of them uses

More about the practice and its three connected practice areas is on the About section of the main site.

Engagement Fit

The engagement is built for accounts where cybersecurity has become an underwriting issue.

Typical situations include:

  • New cyber policy application
  • Upcoming renewal
  • Carrier deficiency notice
  • Coverage declined or restricted
  • Higher limits requested
  • Material change in the business
  • Acquisition or new location
  • Previous cyber incident
  • Multiple facilities
  • Manufacturing or operational technology
  • Unclear MSP responsibilities
  • Technical application answers that management cannot verify

Very small or uncomplicated businesses may begin with a limited remote underwriting-gap review. Larger or complex environments normally require a broader hybrid or onsite engagement. Where the business is also a defense contractor, an industrial operator, or a covered maritime entity, the CMMC, C2M2, and maritime cybersecurity practice areas may be relevant to the same environment, and the work can be coordinated so the organization is not assessed twice for overlapping questions.

Frequently Asked Questions

Common questions about the engagement.

What is a cyber insurance audit?

A cyber insurance audit, as the term is commonly used, is an independent examination of whether the cybersecurity controls represented in an insurance application are implemented, operating, and supported by evidence. In this practice, the formal engagement is called a Cyber Insurance Readiness Assessment and Control Validation Report. It is not a financial statement audit, an insurance regulatory examination, an attestation engagement, or a carrier certification.

What is a cyber insurance readiness assessment?

It is an independent cybersecurity assessment focused on the controls and evidence that matter to a cyber insurance application or renewal. The work determines whether the answers on the application are supported by the actual environment, identifies deficiencies, guides remediation, and produces an evidence-based report the business and its broker can provide to the carrier for consideration.

Is a cyber insurance audit the same as a cybersecurity risk assessment?

The two overlap but serve different purposes. A cybersecurity risk assessment evaluates threats, vulnerabilities, and business risk broadly, often against a framework the organization selects. A cyber insurance audit is narrower and more targeted. It examines the specific controls and evidence that matter to the carrier's questions and the underwriting problem at hand. Findings from one can inform the other, but they are not interchangeable.

When should a business hire a cyber insurance consultant?

The clearest triggers are a declined application, a conditional or restricted quotation, an underwriter deficiency notice, a renewal where the questionnaire has become harder to answer, and any situation where management cannot determine whether its technical answers are fully supported. Engaging before submission is preferable to engaging after a problem develops, but the work is useful at either point.

Does the assessment require an onsite visit?

Not always. Larger or operationally complex organizations, and organizations with multiple facilities, operational technology, or legacy systems, normally require onsite work because the decisive evidence is in the building. Small, cloud-based businesses can sometimes be assessed remotely when the environment and the available evidence support that approach. The model is risk-based.

Can you work directly with our insurance broker?

Yes. Many engagements begin with a broker referral, and the broker is normally included in scoping conversations and receives the final report when authorized by the client. The broker remains responsible for the insurance relationship. I do not sell insurance, do not compete with the broker, and do not receive a percentage of the premium.

Can you work with our existing MSP?

Yes. The engagement is designed to work with the people who already run the environment, whether that is an internal IT department, an MSP, or both. The assessment establishes what the provider is responsible for, what is actually deployed, and what evidence exists. Remediation is normally completed by internal IT or the existing MSP, and I validate the completed work.

What evidence should the business provide?

The most useful materials are the carrier application and any supplemental questionnaires, the deficiency notice or underwriting correspondence, any external scan findings the carrier shared, the renewal or placement deadline, and a basic description of locations, systems, and IT arrangements. Missing items can be developed during discovery.

What happens when deficiencies are found?

Deficiencies are documented and prioritized, with material underwriting blockers distinguished from broader improvement opportunities. The remediation roadmap assigns ownership and sequencing so the business, its internal IT staff, or its MSP can complete the corrective work within the underwriting timeline.

Can you validate remediation completed by our MSP?

Yes. Validation of completed remediation is a defined phase of the engagement. The final report distinguishes what was stated from what was independently supported, and records the evidence examined for each corrected control.

Does the assessment guarantee that coverage will be issued?

No. The carrier retains sole authority to issue coverage, set premiums and limits, impose exclusions, or decline the account. The assessment provides independent findings and evidence that the business and its broker can present to underwriting. It does not guarantee any underwriting outcome.

Can the report be used during renewal?

Yes. Renewal is one of the most common reasons the engagement is retained. The report documents the state of the controls as of a defined date, which the business and its authorized broker can provide to the carrier as part of the renewal submission. Whether and how the carrier weighs the report is the carrier's decision.

Do you sell insurance?

No. I do not sell insurance, act as an insurance producer, negotiate coverage, or receive insurance commissions. The engagement is an independent cybersecurity assessment. The insurance relationship remains between the business, its broker, and the carrier.

Do you provide legal or insurance coverage advice?

No. I do not advise on coverage terms, policy language, exclusions, or the legal implications of application representations. Coverage questions belong with the broker and carrier. Legal questions belong with counsel. The engagement provides independent cybersecurity findings and evidence.

How long does an assessment take?

Duration depends on the size of the organization, the number of locations, the complexity of the environment, the scope of the underwriting concerns, and the deadline. A limited remote review for a small business moves quickly. A multi-site engagement with onsite work and remediation validation takes longer. The schedule is set against the renewal or placement date during scoping.

Get In Touch

Discuss a Cyber Insurance Readiness Assessment

A first conversation should establish why the account has reached underwriting review, what the carrier has requested, the policy or renewal deadline, the size and structure of the business, and whether the environment requires onsite validation. The first conversation carries no commitment and no sales pitch.

Address
Essex Junction, VT
Travel
I travel to client sites nationally.

Discuss an Assessment

Whether the account is a new placement, a renewal, or a deficiency notice with a deadline attached, the starting point is the same: a conversation about what the carrier is asking and what the environment can support.

Discuss an Assessment →
Sources: FTC, Cybersecurity for Small Business: Cyber Insurance (developed with the National Association of Insurance Commissioners); NAIC, Cybersecurity insurance topic overview; NAIC Cybersecurity (H) Working Group, Cyber Insurance Report, which notes tightened underwriting, improved cyber hygiene expectations, and policy terms that may require insureds to maintain specific security controls; CISA, Cross-Sector Cybersecurity Performance Goals; Coalition, Essential Cyber Insurance Requirements, an example of controls a carrier publicly discusses, including MFA, backups, email security, and endpoint detection. Requirements vary by carrier, policy, organization, industry, limits, and risk profile, and the insurer retains the underwriting decision.