How to Submit a Penetration Test to Your Cyber Insurer for Reimbursement

To get your penetration test reimbursed by your cyber insurer, follow six steps: check your policy for coverage, get written pre-approval from the carrier, use a qualified vendor with recognized certifications, request an insurer-ready report, submit the complete documentation package and follow up within 30 days. Most carriers reimburse within 30-60 days of complete submission.

Six Steps from Policy Check to Reimbursement

Getting your cyber insurer to reimburse a penetration test is not complicated, but it does require following a specific process. Skip a step and you risk having the reimbursement denied. Follow all six steps and the process is straightforward. We help insured clients navigate this process regularly and our reports are formatted specifically for insurance submission.

Step 1: Check Your Policy for Coverage

Before anything else, confirm that your policy covers penetration testing. Search your policy documents for "security assessment," "risk mitigation," "loss prevention" and "pre-breach services." These terms indicate that your policy includes proactive security benefits that may cover penetration testing.

Look for the specific dollar limit assigned to preventive services. Most policies allocate between $2,500 and $15,000 CAD annually. Note any conditions such as vendor qualification requirements, scope limitations or annual testing limits.

If you cannot find clear language about penetration testing coverage, call your broker. Ask them directly: "Does my policy cover penetration testing under any of its preventive services or loss prevention provisions?" Your broker may not have mentioned this benefit, so you need to ask.

Step 2: Get Written Pre-Approval

This is the most critical step and the one most organizations skip. Before scheduling the penetration test, contact your carrier's risk management team or your broker and request pre-approval in writing. Provide the following:

  • The scope of the proposed penetration test (external, internal, web application, etc.)
  • The name and qualifications of the testing vendor
  • The estimated cost of the engagement
  • The proposed testing dates

Get the pre-approval in writing, whether that is an email confirmation, a letter from the carrier or a form that the carrier provides for this purpose. Verbal pre-approval is not sufficient. If the carrier later disputes the reimbursement, you need documentation that they approved the test before it was conducted.

Step 3: Use a Qualified Vendor

Most carriers require that the penetration testing vendor hold specific certifications. Common requirements include CISSP, OSCP, CREST or equivalent professional credentials. Some carriers maintain approved vendor lists and require you to choose from that list.

Sherlock Forensics meets the qualification requirements for all major Canadian cyber insurance carriers. Our principal examiner holds CISSP, ISSAP and ISSMP certifications and has 20+ years of experience in digital forensics and penetration testing. When you engage us, the vendor qualification requirement is satisfied automatically.

If your carrier requires an approved vendor, confirm that your chosen vendor is on the list before signing an engagement letter. If the carrier allows any qualified vendor, collect the vendor's certification documentation to include with your reimbursement submission.

Step 4: Get an Insurer-Ready Report

Not all penetration test reports are created equal. Insurers look for specific elements in a pentest report that many testing vendors do not include. An insurer-ready report should contain:

  • Executive summary - A non-technical overview suitable for carrier review that summarizes the scope, findings and risk level
  • Scope definition - Clear documentation of what was tested, what was excluded and why
  • Methodology - Description of the testing approach, tools and standards followed (OWASP, NIST, PTES)
  • CVSS ratings - Industry-standard severity ratings for every finding
  • Remediation steps - Actionable recommendations for each vulnerability
  • Tester credentials - Certification numbers and professional qualifications of the testing team

Our reports are formatted for insurance submission. Every report we deliver includes all six elements because we understand that the report is not just a technical document. It is a reimbursement document and a claims-file document.

Step 5: Submit the Complete Documentation Package

Once the test is complete and the report is delivered, compile your reimbursement submission. A complete package includes:

  1. The pre-approval confirmation from Step 2
  2. The penetration test report (executive summary is usually sufficient; full technical report on request)
  3. The vendor's invoice with a clear description of services rendered
  4. Proof of vendor qualifications (certification copies)
  5. The scope of work or engagement letter
  6. Any remediation documentation showing actions taken on findings

Submit this package to your carrier through the process specified in your pre-approval. Some carriers have online portals for preventive services submissions. Others accept email submissions to the risk management team. Your broker can facilitate the submission if needed.

Step 6: Follow Up Within 30 Days

If you have not received confirmation of reimbursement within 30 days of submission, follow up. Contact your carrier's risk management team or ask your broker to follow up on your behalf. Common reasons for delays include:

  • Missing documentation in the submission package
  • Questions about the scope of testing relative to the pre-approval
  • Processing backlogs at the carrier
  • Need for additional vendor qualification documentation

Most carriers process complete reimbursement submissions within 30-60 days. If your submission is denied, ask for the specific reason in writing and address it. Denials are almost always procedural, such as missing pre-approval or incomplete documentation, rather than substantive.

We Make This Easy

At Sherlock Forensics, we handle insured penetration testing engagements regularly. We know what carriers require, our reports are formatted for insurance submission and we can provide all supporting documentation your carrier needs for reimbursement. If your policy covers penetration testing, we make the process as simple as possible so you can focus on your business while we handle the testing and the paperwork.

FAQ

Pentest Reimbursement Questions

What documentation do I need to submit for pentest reimbursement?

You need the pre-approval confirmation from your carrier, the penetration test report with executive summary, the vendor's invoice, proof of vendor qualifications such as CISSP or OSCP certifications and any remediation documentation showing actions taken on findings. Some carriers also require a scope of work document and a letter of engagement.

How long does cyber insurance pentest reimbursement take?

Reimbursement timelines vary by carrier but typically range from 30 to 60 days after submission of complete documentation. If you have pre-approval and submit all required documents including the report, invoice and vendor credentials, the process is straightforward. Incomplete submissions or missing pre-approval can extend the timeline or result in denial.

What happens if I did not get pre-approval before the penetration test?

Without pre-approval, reimbursement is not guaranteed. Some carriers will still process the claim if the test meets all other requirements and was conducted by a qualified vendor. Others will deny the claim regardless of the test quality. The safest approach is to always get pre-approval in writing before scheduling the test.