Your Premium Already Includes This. Use It.
You pay thousands of dollars a year for cyber insurance. Buried in most policies is a provision that covers preventive security services, including annual penetration testing. The insurance carrier wants you to use it because organizations that test their security regularly file fewer claims. Yet the vast majority of policyholders never take advantage of this benefit.
This is not a secret. It is just poorly communicated. Brokers rarely highlight preventive service benefits because they focus on coverage limits and exclusions during the sales process. The result is that organizations pay for a benefit they never use while their security posture remains untested.
Where to Find It in Your Policy
Open your cyber insurance policy document. You are looking for one of these sections:
- Preventive Services: Some policies explicitly list penetration testing as a covered preventive service with an annual dollar limit.
- Risk Management Benefits: Other policies provide a risk management fund that can be applied to security assessments, including penetration testing.
- Loss Prevention Services: A third common structure offers loss prevention credits or services that policyholders can access during the policy period.
- Proactive Security Endorsement: Some carriers offer this as an endorsement or rider that adds preventive testing coverage to the base policy.
If you cannot find it, call your insurance broker. Ask specifically: "Does my cyber policy include coverage for preventive security assessments or penetration testing?" If the broker does not know, ask them to check with the carrier directly. This is a straightforward question and the answer should take minutes, not days.
How Much Is Typically Covered
Coverage amounts vary by policy, but here are the ranges we commonly see:
- $5,000 - $10,000 CAD for small business policies. This typically covers a focused external penetration test or web application assessment.
- $10,000 - $25,000 CAD for mid-market policies. Enough for a comprehensive external and internal penetration test.
- $25,000 - $50,000 CAD for enterprise policies. Covers full-scope assessments including social engineering and wireless testing.
Even the lower end of coverage is enough to fund a meaningful penetration test. A focused web application test or external network assessment from Sherlock Forensics starts at $1,500 CAD. If your policy covers $5,000, you have more than enough for a thorough assessment of your most critical assets.
How to Submit the Request
Here is the step-by-step process that works with most carriers:
Step 1: Confirm coverage with your broker. Before anything else, confirm that your policy includes preventive security services and what the dollar limit is. Get this in writing, even if it is just an email confirmation.
Step 2: Get a quote from your penetration testing vendor. Contact Sherlock Forensics (or your preferred vendor) and request a formal quote. Make sure the quote describes the scope of testing in terms your insurer will understand: external network penetration test, web application security assessment, internal network assessment, and so on.
Step 3: Submit the pre-approval request. Most carriers require pre-approval before the engagement begins. Your broker submits the vendor quote along with a brief justification. The justification is simple: you want to test your security posture to reduce the risk of a claim. That is exactly what the insurer wants to hear.
Step 4: Wait for approval, then schedule. Approval typically takes 5-10 business days. Some carriers approve within 48 hours. Once approved, schedule the penetration test with your vendor. Make sure the engagement starts and completes within the policy period.
Step 5: Submit the invoice for reimbursement. After the penetration test is complete, submit the vendor invoice along with the final report (or executive summary) to your carrier for reimbursement. Some carriers pay the vendor directly. Others reimburse you.
What If Your Policy Does Not Cover It?
If your current policy does not include preventive services, ask your broker to add it at your next renewal. Many carriers offer preventive service endorsements for a modest premium increase. The math works in the carrier's favor because tested organizations are less likely to file claims, so most carriers are happy to add it.
Even without insurance coverage, a penetration test is one of the highest-value security investments you can make. Starting at $1,500 CAD for a focused assessment, it costs a fraction of what a breach costs. But if your insurance already covers it, there is no reason not to use the benefit.
Why Insurers Want You to Do This
This is not adversarial. Your insurer wants you to test your security for the same reason your health insurer wants you to get an annual physical. Prevention is cheaper than treatment. An organization that discovers and fixes a SQL injection vulnerability during a penetration test is an organization that does not file a $500,000 data breach claim six months later.
Carriers that offer preventive testing benefits have seen the data. Organizations that conduct regular penetration testing file fewer claims, have smaller losses when incidents do occur, and are easier to underwrite at renewal. It is a win for everyone involved.
Make the Call This Week
This is not complicated. Call your broker. Ask about preventive services. Get a quote from Sherlock Forensics. Submit the request. Get a professional penetration test at no out-of-pocket cost.
Your premium already includes this. Use it.