Your Policy Probably Covers It. You Just Have to Know Where to Look.
Cyber insurance has evolved significantly over the past five years. Policies that once only covered incident response costs now include proactive security benefits designed to prevent breaches before they happen. Penetration testing is one of the most common preventive services included in modern cyber policies, but most policyholders never use it because they do not know it exists.
The challenge is that insurers rarely highlight these benefits during the sales process. Your broker focuses on coverage limits, deductibles and exclusions. The preventive services section, where penetration testing coverage typically lives, gets minimal attention. That means you could be paying for a benefit you are not using.
Where to Find Penetration Testing Coverage in Your Policy
Cyber insurance policies do not use consistent terminology across carriers. One insurer calls it "pre-breach services." Another calls it "loss prevention." A third buries it under "risk mitigation credits." To determine whether your policy covers penetration testing, search your policy documents for these four terms:
- Security assessment - This is the broadest term and often includes penetration testing, vulnerability scanning and security audits
- Risk mitigation - Some policies offer a risk mitigation budget that can be applied toward penetration testing and other security improvements
- Loss prevention - Carriers that frame pentests as loss prevention are recognizing that a $1,500 test can prevent a $500,000 claim
- Pre-breach services - This is the most explicit category and typically includes penetration testing, tabletop exercises and security awareness training
If any of these terms appear in your policy, read the fine print carefully. There will be a dollar limit, a list of qualifying activities and a process for requesting reimbursement. Most policies require pre-approval before the work begins.
How Much Coverage to Expect
Coverage amounts vary widely depending on the carrier, the policy tier and the size of the insured organization. Based on policies we see regularly through our work with insured clients, here is what to expect:
- Small business policies ($1M-$5M coverage) - Typically include $2,500 to $5,000 CAD annually for preventive security services
- Mid-market policies ($5M-$25M coverage) - Often include $5,000 to $10,000 CAD for risk mitigation activities
- Enterprise policies ($25M+ coverage) - May include $10,000 to $25,000 CAD or more, sometimes with dedicated penetration testing line items
A standard penetration test from Sherlock Forensics starts at $1,500 CAD, which means even the smallest policy allocation can cover a meaningful assessment. Organizations with larger budgets can apply the coverage toward more comprehensive testing that includes internal networks, web applications and cloud infrastructure.
Why Insurers Want You to Get Tested
This is not charity. Insurers offer penetration testing coverage because it directly reduces their exposure. A penetration test identifies vulnerabilities before attackers exploit them. That means fewer claims, lower payouts and better loss ratios for the carrier. It is a straightforward business calculation.
Consider the math from the insurer's perspective. A penetration test costs $1,500 to $10,000 CAD. A single ransomware claim costs $200,000 to $2,000,000 CAD. If testing prevents even one claim per hundred policyholders, the insurer comes out ahead. That is why they are willing to cover it.
This alignment of interests works in your favor. The insurer wants you to find and fix vulnerabilities. You want to find and fix vulnerabilities. The only barriers are awareness and process: knowing that the coverage exists and following the steps to use it.
Common Restrictions and Limitations
Before you schedule a test, understand the common restrictions:
- Pre-approval required - Most carriers require written pre-approval before the test begins. Submitting a claim after the fact often results in denial
- Qualified vendor requirement - Many policies require the testing vendor to hold specific certifications such as CISSP, OSCP or CREST. Sherlock Forensics meets these requirements
- Scope limitations - Some policies only cover external testing or limit coverage to specific asset types
- Annual limits - Coverage is typically capped at one test per policy year
- Reporting requirements - The insurer may require a specific report format or set of deliverables to qualify for reimbursement
Steps to Check Your Coverage Today
You can determine whether your policy covers penetration testing in about 30 minutes. Here is how:
- Pull your full policy document - Not the summary, not the certificate. The actual policy wording
- Search for the four key terms - Security assessment, risk mitigation, loss prevention and pre-breach services
- Read the preventive services section - If one exists, it will list eligible activities and dollar limits
- Call your broker - Ask specifically: "Does my policy include coverage for penetration testing or security assessments?" Get the answer in writing
- Contact us - We help insured clients navigate the pre-approval process every week. We know what carriers require and how to submit for reimbursement
Do Not Leave Money on the Table
You are already paying for your cyber insurance premium. If that premium includes penetration testing coverage, using it costs you nothing additional. And the benefits extend well beyond the test itself. A recent penetration test strengthens your security posture, reduces your premium at renewal, satisfies compliance requirements and provides evidence of due diligence if a breach ever occurs.
Most policyholders never check. Most policyholders are missing benefits they are already paying for. Do not be one of them. Check your policy, talk to your broker and schedule a test that your insurer will reimburse.