Cyber insurance security evidence
underwriting and renewal proof from the live record

Open vulnerability backlog by severity, closure rate, mean time to remediate by tier, breach rate against the published SLA, and aged finding count. Underwriters and brokers read these numbers as the leading indicator of whether the patch SLA attested in the questionnaire is operating in practice. The evidence reconciles to the live findings record rather than to a screenshot from a single day.

Examples: Critical findings open older than 30 days, high findings closed within SLA last 90 days, repeat reopens by asset tier, exception count by expiry status.

Scheduled and ad-hoc scan execution history, scan coverage against the in-scope estate, authenticated scanning depth on the systems behind login, code scan coverage of the connected repositories, and continuous monitoring of internet-facing services. Insurers want to see that detection runs on a documented cadence, not just at audit week.

Examples: Last 12 months of scheduled scan runs by asset class, authenticated scan coverage of production systems, code scan coverage of repositories, continuous-monitoring sweep cadence.

Workspace MFA enforcement, RBAC scoping by role, named-owner accountability against assets and engagements, and credential storage posture for authenticated scanning. Carriers price MFA enforcement on privileged access as a hard control, and the questionnaire answer has to match the operating evidence on the workspace.

Examples: Workspace-wide MFA enforcement state, owner-and-admin MFA status, RBAC role assignments by user, encrypted credential storage usage for scan jobs.

Mapping of findings, controls, and remediation evidence to the frameworks the policy questionnaire references (SOC 2, ISO 27001, PCI DSS, NIST CSF, CIS Controls). The same control evidence answers the underwriter question and the audit lookback rather than being assembled separately for each.

Examples: Control coverage by framework, findings linked to controls, exception evidence by control, framework-aligned reporting views.

Timestamped state changes against findings, engagements, scans, comments, documents, invoices, and team membership. The CSV export is the artefact the underwriter, broker, claim assessor, or forensic investigator reads when an attestation has to be reconstructed against a date range rather than a single point in time.

Examples: Activity log CSV export covering 30, 90, or 365 day retention by plan, with user attribution, timestamp, and event type per row.

Incident response engagement records, ransomware-readiness evidence, exception register entries with the eight-field decision (linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, review cadence), and post-incident closure evidence. Claim assessors read the exception register as the residual-risk inventory the policy was priced against.

Examples: Open exceptions by severity and expiry, exception review cadence evidence, incident response engagement closures, post-incident verification scan evidence.

A questionnaire that claims a 30-day critical patch SLA against a backlog where critical findings are 200 days aged is the kind of inconsistency that downgrades coverage at renewal or denies a claim at incident time. The defensible posture is to answer the questionnaire from the live record so the answer matches the operating evidence rather than the policy intent.

Underwriters and broker pre-questionnaires often ask for scan frequency and scan coverage. A claim that internal scans run weekly without a scan history that shows weekly executions across the in-scope estate reads as an aspirational answer rather than as an operating control. Scan history on the workspace is the anchor for the cadence claim.

MFA enforcement is one of the hardest controls in cyber underwriting and one of the most frequently overstated. A questionnaire that claims MFA is enforced on all privileged accounts against a workspace where owner or admin users have not enrolled is a documented inconsistency at the moment of attestation. The MFA enforcement state and the team management roster are the evidence behind the claim.

Where a finding remains open beyond the policy SLA, the questionnaire often asks for the compensating control that justifies the residual risk. A narrative paragraph in a Word document is not the same evidence as an exception register entry with the eight-field decision and an expiry date. The exception register is the audit-readable record the broker and the claim assessor expect.

A renewal pack assembled from a single screenshot of the dashboard reads as a point-in-time snapshot rather than as evidence of operating effectiveness. Underwriters read the trend in the backlog, the closure rate, the breach pattern, and the exception register over the policy period, not just the state on the renewal date. The activity-log CSV across the policy period is the operating-effectiveness evidence the snapshot cannot supply.

Cyber claims often turn on whether the insured operated the controls the policy is priced against in the days and weeks before the incident. Assembling the scan history, the finding queue, the exception register, and the activity-log trail after the claim is filed produces evidence the assessor reads as reconstructed rather than as contemporaneous. The defensible posture is to hold the evidence on one record between events so the claim pack assembles from the same source the operators run on.

A library of the questions the carrier, the broker, and the renewal questionnaire ask, mapped to the queryable artefact on the workspace each question is answered from. The library is the contract between the questionnaire and the live evidence so the next questionnaire is answered from the record rather than reauthored.

Each question carries an evidence anchor: the engagement view, the dashboard query, the activity-log filter, the exception register filter, the scan history filter, or the framework view that produces the answer. Anchors keep the questionnaire reproducible across renewal cycles and across reviewers.

A reconciliation step before any questionnaire is signed: the answer on the form has to match the number on the live record. Where the two diverge, the reconciliation either updates the answer to match the operating evidence or opens a remediation engagement to close the gap before the questionnaire is filed.

A documented cadence for mid-term re-attestation against material control changes (a new compensating control, a major scan-coverage gap, a change in MFA enforcement, a regulatory data-class change). Carriers expect the insured to update the underwriter on material posture changes between renewals; the cadence captures the trigger, the change, and the evidence on the engagement record.

A pre-assembled list of the artefacts the claim assessor and the breach counsel will request: the activity log CSV across the policy period, the scan history, the open backlog snapshot at incident date, the exception register at incident date, and the closed engagement evidence for the incident response. The pack is held on one record so the claim pack assembles in hours rather than weeks.

Scoped access for the broker and (where the policy permits) the underwriter to read the questionnaire evidence on the workspace through the branded client portal on the tenant subdomain. The scoped access turns the questionnaire from a static PDF into a live view of the operating evidence the broker and underwriter can revisit through the policy period.

Cyber insurance evidence reads from vulnerability SLA management (the patch SLA answer), vulnerability acceptance and exception management (the compensating-control answer), asset criticality scoring (the risk-rank answer), and audit evidence retention and disposal (the retention-and-disposal answer).

Carrier evidence rolls up into security leadership reporting (the renewal cycle is a leadership cadence), compliance audits (the carrier evidence overlaps with the audit evidence), incident response (the claim evidence draws from the response engagement), and control mapping and crosswalks (the carrier control set crosswalks to SOC 2, ISO 27001, PCI DSS, NIST, and CIS).

Every answer on the carrier questionnaire matches the corresponding number on the live engagement record. The reconciliation step before signing is a few minutes rather than a multi-day evidence reconstruction.

The renewal evidence pack regenerates from the same record the operators run on. The trend in the backlog, the closure rate, and the breach pattern are the operating evidence the underwriter reads.

Material control changes between renewals trigger a mid-term re-attestation against a documented cadence. The broker and the underwriter receive the update on the cycle the policy expects.

The activity log, the scan history, the open backlog snapshot, the exception register, and the closed engagement evidence are pre-assembled on the workspace. The claim pack assembles in hours rather than weeks, and the response to a coverage challenge reads from the same source the security team operates on.