When the insurance company is about to write a claim on a house, they will do a drive-by and inspect the home to see the condition of the property before writing the policy to keep their cost competitive. Why are insurance companies not doing that before they write a policy on cyber security insurance? Insurance companies can keep the cyber security policy reasonable to their long-term customers if they scan and inspect their clients' networks before quoting them an overpriced policy. For the company, most will have a Multi-Factor Authentication (MFA) in place, and some businesses will have a reputable Endpoint Detection and Response (EDR) solution. Most companies will have this in place when they talk to an insurance company. Unfortunately, this gives a false since of goodness to the insurance company. For the policy writer, they might need to do some extra sniffing and hire a white hat hacker to scan the potential customer to see if someone left the back door open or if legacy software has openings the new security hardware is not protecting. Ransomware is getting more expensive and could take away millions in profit for the insurance company. For the customer, it’s important to know that the true cost of buying cyber insurance includes more than the monthly premium. They should be doing monthly tests on the policy holder networks to keep one step ahead of the cybercriminal. If the inevitable happens, the cyber insurance carriers might pay for the ransom but will not pay you back for the time you lost when the network was down and the potential clients you lost when the word gets out of the vulnerabilities you left open for hackers. Now, insurance companies that write policies for cyber defense require that businesses implement basic IT security and controls before they provide coverage. Besides having a great idea, you will need to be more security-minded adding these solutions alongside foundational practices such as network segmentation, a rigorous password policy, and regular employee cyber security training. If you are an insurance company that needs an extra pair of eyes on your clients or need a rating on what a hacker might find if they walk around the company's building or see if anyone clicks on a link to the company's email list, then give me a call and I will help you out. James Henderson 832-338-2926