Cyber Insurance · March 2026 · 11 min read

Cyber Insurance and Your External Attack Surface: What Underwriters Are Actually Checking

Cyber insurance premiums have risen 50 to 300% over the past three years. Underwriters now actively scan your external attack surface before quoting. Here is what they look for and how external risk monitoring directly affects your coverage and premium.

Cyber insurance premiums have risen 50 to 300% over the past three years depending on sector and risk profile. Policies that were straightforward to obtain in 2020 are now subject to rigorous technical questionnaires, external scans, and in some cases active verification of your security controls. Here is what underwriters are looking for, and how external risk monitoring directly affects your coverage and premium.

If you applied for cyber insurance three years ago, you probably answered a questionnaire that asked whether you had MFA enabled, whether you had an incident response plan, and whether you backed up your data. You checked yes, yes, and yes, and you got a policy.

That process has changed significantly. The cyber insurance market has hardened substantially following a wave of costly ransomware claims, and underwriters have responded by becoming considerably more sophisticated about how they assess applicants' actual security posture. Increasingly, this means they do not just ask you about your security; they look for themselves.

How Modern Cyber Insurance Underwriting Works

Leading cyber insurance underwriters now combine self-reported questionnaires with external technical assessments: automated scans of your organisation's external attack surface, conducted by the underwriter or by a third-party security firm they retain. These scans look at the same things an external security platform would: your internet-facing infrastructure, your SSL/TLS configuration, your open ports, your unpatched software versions, and in some cases your dark web exposure.

The results of these external scans inform both the underwriter's coverage decision and the premium they quote. A company with a clean external attack surface, evidence of regular monitoring, and no critical unpatched vulnerabilities is a materially different risk than one with an exposed admin panel, outdated software, and employee credentials circulating on dark web markets. Underwriters price that difference.

Stat          Detail
50 to 300%    Premium increases in cyber insurance, 2021 to 2024, for high-risk profiles
62%           Share of insurers that now conduct external scans as part of underwriting (Coalition, 2024)
$4.88M        Average cost of a breach, the number underwriters are pricing against

What Underwriters Are Specifically Looking For

Based on publicly available underwriting guidelines and standard questionnaire requirements from major cyber insurers (Coalition, Beazley, Chubb, AXA XL, and others), here are the external risk factors that consistently affect coverage decisions:

Remote Access Exposure

Open RDP (Remote Desktop Protocol, port 3389) and exposed VPN endpoints are among the most scrutinised findings in cyber insurance underwriting. Ransomware groups consistently target exposed RDP as their primary initial access vector. Some insurers will not write a policy if your assessment reveals internet-facing RDP without MFA. If you have this exposure, it should be your first remediation priority before any insurance conversation.

Real-world scenario: The RDP Denial. A logistics company applied for cyber insurance renewal and received a technical pre-screening from the insurer. The scan identified three servers with RDP accessible from the internet. The insurer declined to renew the policy until the exposure was remediated and a follow-up scan confirmed closure. The company spent 90 days without coverage while remediating, during which they experienced a ransomware incident. The RDP servers were the entry point. External attack surface monitoring would have surfaced this exposure before the insurance renewal conversation.

End-of-Life and Unpatched Software

Software versions with known Critical CVEs, particularly on internet-facing systems, are high-priority findings for underwriters. End-of-life software (software that no longer receives security patches from its vendor) is particularly concerning because no fix is available. Common examples: outdated versions of WordPress, Drupal, or other CMS platforms; legacy web server software; outdated SSL/TLS library versions.

Email Security Configuration

Underwriters check whether your email domain has properly configured SPF, DKIM, and DMARC records. These DNS records help prevent email spoofing (attackers sending emails that appear to come from your domain). Missing or misconfigured email authentication records are a common finding and a reliable signal to underwriters about the general maturity of your security configuration. They are also easy to fix.
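As an added example (not Scrutex code, and not from the page), the Python below applies the SPF and DMARC checks an underwriter's scan would run to a domain's TXT records, so you can find weak settings such as `+all` or `p=none` before renewal. DNS lookups are replaced by a constructed table of made-up `.test` records so it runs offline; DKIM is omitted because its selector names are not discoverable from DNS alone.

```python
# Added example: check SPF and DMARC TXT records for weaknesses an
# underwriter's scan would flag. Not Scrutex code; DNS is replaced by a
# constructed lookup table (made-up .test domains) so it runs offline.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],          # no _dmarc.weak.test record at all
    "soft.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.soft.test": ["v=DMARC1; p=none"],
}

def lookup_txt(name, table=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the record strings for a name."""
    return table.get(name, [])

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain, table=SAMPLE_TXT):
    """Return the SPF/DMARC findings for a domain; an empty list means clean."""
    findings = []
    spf = [r for r in lookup_txt(domain, table) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    else:
        terms = spf[0].lower().split()
        # A bare 'all' defaults to '+all': every host may send as the domain.
        if "+all" in terms or "all" in terms:
            findings.append("SPF: '+all' lets any host send mail as this domain")
        elif "~all" in terms:
            findings.append("SPF: softfail '~all'; move to '-all' once senders are confirmed")
    dmarc = [r for r in lookup_txt("_dmarc." + domain, table) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record published")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= policy tag")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings
```

To run it against a real domain, replace `lookup_txt` with a resolver call (for example `dns.resolver.resolve(name, "TXT")` from dnspython) and join each record's strings before parsing.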

MFA Enforcement

Multi-factor authentication is now a near-universal requirement for cyber insurance rather than a nice-to-have. Underwriters typically require MFA for: email (Microsoft 365 / Google Workspace), VPN access, remote desktop, and any cloud-hosted administrative systems. Policies written without MFA enforcement are increasingly non-renewable; some insurers have added MFA requirements as mid-term policy conditions.

Dark Web Credential Exposure

A growing number of underwriters now check whether your domain's email addresses appear in dark web breach datasets as part of underwriting. Significant credential exposure, particularly for privileged accounts, is treated as an elevated risk factor. Some insurers reduce premiums for organisations that can demonstrate active dark web monitoring and credential hygiene programs.

Third-Party Risk Controls

Questions about how you assess and monitor your vendors' security have become standard in cyber insurance questionnaires, driven by the high volume of supply chain incidents. Underwriters want to see that you have a vendor risk management process, not necessarily a sophisticated one, but evidence that you know who has access to your systems and data and have done some level of security assessment.

The Certificate of External Monitoring

An emerging trend in cyber insurance is the use of continuous external monitoring reports as underwriting evidence. Some insurers are beginning to accept, and in some cases actively request, monthly external security reports as part of the renewal process. A company that can provide six months of external risk reports showing declining vulnerability counts, proactive credential monitoring, and systematic remediation is demonstrating due diligence in a way that self-reported questionnaires cannot.

Think of it like this: a car insurance company does not take your word for it that you are a safe driver; it checks your licence history. The cyber insurance market is moving toward a similar model, where external evidence of security posture matters as much as self-attestation.

What Happens When You Have a Claim

Cyber insurance coverage is not just about whether you get a policy; it is about whether that policy pays out when you need it. A significant area of dispute in cyber insurance claims is the policy's coverage exclusions and the underwriter's ability to argue that the insured organisation did not maintain adequate controls.

If a breach occurs and the investigation reveals that the entry point was a Critical vulnerability that had been present in your external attack surface for six months, and you had no monitoring or remediation programme in place, your insurer may argue that you failed to maintain the security standards represented during underwriting. Cyber insurance policies typically include security maintenance warranties: obligations to maintain the security controls you represented you had when the policy was written.

Continuous external monitoring does not just help you get better insurance; it helps you keep it, and it creates a documented evidence trail showing that your security programme was active at the time of any incident.

Practical tip for renewals: When your cyber insurance renewal is approaching, run a fresh external scan at least 60 days before the renewal date. This gives you time to identify and remediate any exposures that would flag in the underwriter's own scan, before they see them. Walking into a renewal conversation with a clean external risk report is a materially stronger position than waiting for the underwriter's scan to surface issues you did not know about.

The Questionnaire Questions You Should Know How to Answer

Modern cyber insurance questionnaires include questions that are easy to get wrong if you have not assessed your actual posture. Here are the ones that most commonly catch organisations out:

"Do you monitor for credential leaks or dark web exposure?"

Many organisations answer no because they have not thought about it. The question is increasingly standard, and a yes answer, backed by an actual monitoring programme, is a positive underwriting signal. A no answer combined with significant credential exposure (which the underwriter may find in their own scan) is a very bad combination.

"What is your mean time to patch Critical vulnerabilities?"

If you have no monitoring, you have no answer to this question. A company with continuous external monitoring can point to a documented record: Critical findings surfaced, assigned, and remediated within X days. Without monitoring, patching happens reactively, after incidents, or after someone manually checks, and there is no evidence trail.

"Do you conduct regular external vulnerability assessments?"

Annual penetration tests satisfy this in some policies, but increasingly underwriters want to see evidence of continuous external assessment, not annual point-in-time scans. The ability to say "we run continuous external monitoring and I can provide the last six months of reports" is a qualitatively different answer.

"How do you manage third-party vendor access to your systems?"

Having a documented vendor assessment process, even a simple one based on standard questionnaire templates, is significantly better than "we trust our vendors." The ability to show vendor risk management records, even at a basic level, demonstrates programme maturity.

The Bottom Line

Cyber insurance underwriting has become a de facto external security assessment. Underwriters are increasingly skilled at identifying organisations whose security questionnaire answers do not match their actual external posture, and they price, restrict, or decline coverage accordingly.

The organisations that navigate this market most successfully are not necessarily the ones with the most sophisticated security programmes. They are the ones who know their external attack surface, actively manage it, and can demonstrate that management with documented evidence. A monthly external risk report is both a security tool and an insurance asset.

Frequently Asked Questions

What do cyber insurance underwriters check?

Underwriters now conduct automated external scans of your internet-facing infrastructure as part of the quoting process. They specifically look for exposed RDP and VPN endpoints, unpatched software with known Critical CVEs, email authentication configuration (SPF, DKIM, DMARC), MFA enforcement across key systems, and dark web credential exposure for your domain. The results of these scans directly influence whether you receive coverage, what exclusions apply, and how much you pay.

How does external attack surface monitoring affect premiums?

Organisations that can demonstrate continuous external monitoring and a documented remediation history consistently receive more favourable premium quotes. Underwriters treat ongoing monitoring as evidence of security programme maturity, similar to how a clean driving record affects car insurance rates. Providing six months of monthly external risk reports showing declining vulnerability counts and proactive credential management gives underwriters measurable proof that your organisation actively manages its risk posture.

What security controls do insurers require?

The baseline controls now required by most cyber insurers include MFA on email, VPN, and remote access systems, a documented incident response plan, regular data backups with tested recovery procedures, endpoint protection on all corporate devices, and email authentication records (SPF, DKIM, DMARC) properly configured. Some insurers will decline to write or renew a policy if internet-facing RDP without MFA is detected during their technical assessment.

Does continuous monitoring reduce cyber insurance costs?

Yes, in measurable ways. Continuous monitoring reduces premiums by demonstrating ongoing risk management rather than point-in-time compliance. It also protects you during claims: if a breach occurs and your monitoring records show active vulnerability management and timely remediation, you are in a significantly stronger position than an organisation whose investigation reveals unpatched Critical vulnerabilities that sat exposed for months. Several insurers now explicitly request or accept monthly external risk reports as part of the renewal process.
