Underwriters ask thirty questions on the renewal application. We have the answers — and the evidence pack to prove them. A fixed-scope, fixed-price audit against the ten controls insurers verify, cross-mapped to specific carrier questionnaires so your broker can take the result straight to renewal. Starting at $4,500.
The renewal questionnaire isn't a marketing form. It's the document a carrier will point to when they deny a claim. The questions have multiplied year over year, and the controls behind each question have hardened. The good news: the same audit satisfies most carriers, because the underlying controls converge.
Cyber liability premiums have stabilized, but applications have grown. Most renewal questionnaires now run 25–50 questions, with technical evidence required for nearly every one. A "yes" with no proof is worse than a "no" — it's a defensible denial waiting to happen.
Underwriters and claims adjusters increasingly require screenshots, configuration exports, policy excerpts, and audit logs to back each application response. "We have MFA" no longer suffices when the carrier needs to see the conditional access policy.
A commercial P&C broker writing cyber liability is rarely a security technologist. When the client can't answer the questionnaire, the broker is left to guess — or to send back blank fields, which the underwriter reads as risk.
The ten domains carriers consistently verify, cross-mapped to specific questionnaires from Chubb, Travelers, Coalition, At-Bay, and Cowbell, and aligned to CIS Controls IG1. Every finding ties back to a specific question on the application you're about to submit.
Email, VPN, RDP, cloud apps, and all administrative accounts. Conditional access verified, enforced, and evidenced.
EDR or MDR coverage across endpoints, alerting policies, response runbook, and proof of active monitoring.
Immutable backups, encryption verification, restore testing cadence, recovery time objectives documented.
Patch cadence, exception handling, end-of-life inventory, and compliance reporting against carrier expectations.
Anti-phishing posture, sender authentication (SPF/DKIM/DMARC), attachment sandboxing, user reporting workflow.
VPN configuration, RDP exposure analysis, jump server posture, third-party remote access controls.
Admin account inventory, separation of duties, just-in-time elevation, service account audit.
Training cadence, phishing simulation results, completion rates, and the evidence trail an underwriter will request.
Written IR plan, tabletop exercise cadence, breach notification workflow, retainer with IR counsel where applicable.
Third-party inventory, contractual cyber requirements, ongoing posture monitoring of critical vendors.
Every audit produces a single, underwriter-ready binder. Not a 60-page PDF nobody reads — a structured document an insurer or broker can open, scan, and use. The cover identifies the engagement. The contents map every finding to the specific questionnaire it answers. The evidence sits next to the finding it proves. The remediation roadmap is prioritized by impact, not by alphabet.
Predictable rhythm, scoped before kickoff. You know what we're doing, what we need from you, and what you'll hold at the close.
A 30-minute call. Renewal date, current carrier, recent claim history, the questionnaire that's coming, and a quick read of what's already in place.
We walk the ten control domains across identity, endpoints, network, backups, vendors, training, and documentation. Working sessions with your IT lead. Configuration exports, log samples, policy excerpts collected.
Findings packaged into the Evidence Pack: posture rating, control-by-control read, proof appendix, carrier crosswalk, and prioritized remediation roadmap.
Live review with your team and (if you'd like) your broker. We translate findings into questionnaire answers, discuss the remediation roadmap, and confirm the three remediation paths.
After remediation closes, we re-audit against the same standard and produce a delta report — what moved, what improved, what's still open. Optional add-on or bundled with Compliance Care.
The renewal letter raises specific questions. Below are the ones we hear most often. Email [email protected] if yours isn't here.
Fixed fee, scoped before kickoff. Starting at $4,500 for small environments (up to 25 endpoints, single location). Scales with endpoint count and locations. Custom multi-site environments are quoted after a discovery call. No hourly billing — productized work is fixed-price, full stop.
2–3 weeks for typical small and mid-size environments. We need a few hours of your IT lead's time across the engagement — most of the working sessions are 60-minute blocks with optional follow-up. Larger or multi-site environments run 3–5 weeks.
The Evidence Pack is cross-mapped to the major commercial cyber liability carriers: Chubb, Travelers, Coalition, At-Bay, and Cowbell. If your carrier isn't on that list, send us the application. The underlying ten control domains cover 90%+ of what every carrier asks; we add a carrier-specific crosswalk during synthesis.
That's the point. The remediation roadmap prioritizes by impact, and you have three paths: we do the remediation, we lead your IT team or MSP through it, or we coordinate an outside firm. We don't leave you holding a report and a problem.
Yes. The ten control domains overlap heavily with HIPAA Security Rule safeguards, CIS Controls IG1, and most enterprise vendor questionnaires. We can extend the audit to include HIPAA-specific items as an add-on, or run the HIPAA Security Rule Readiness Assessment as a separate engagement.
Often, yes. We coordinate the questionnaire response with your broker so the answers and the evidence line up. We never replace your broker relationship — we're the technical voice in the room. If you'd like, we can walk the broker through the Evidence Pack so they can present the strongest possible application.
You should not have to wire a five-figure fee to a firm on faith and hope the deliverable does its job. So we structure the engagement so the risk sits with us.
If your underwriter rejects the Evidence Pack as insufficient for the questions it maps to, we revise it free until it is accepted — or we refund the engagement fee in full.
Half to start, half only when the Evidence Pack is in your hands and you have reviewed it. You see the work before the second invoice.
The Evidence Pack is delivered within 15 business days of kickoff for a standard single-location environment. The date is in the proposal, not a hope.
Your team gives us about 90 minutes of access and one interview. We do the configuration exports, the log collection, and the documentation. The audit does not become your staff's second job.
A 30-minute conversation with a senior consultant. Bring the renewal date and (if you have one) the application. You'll leave with a clearer read on what the carrier will accept — and a fixed-fee proposal if it makes sense to engage.