Pentesting and cyber insurance: what insurers require in Spain

Getting a cyber risk policy without having tested your security is getting harder: insurers have tightened requirements after years of high ransomware and CEO-fraud loss ratios, and now ask for concrete technical evidence before issuing a policy or offering better terms. A recent pentest isn't a paperwork formality for the insurer — it's the proof the underwriter uses to estimate how much risk they're actually taking on.

Why insurers ask for technical evidence before underwriting

The cyber insurance market has moved from loose self-assessment questionnaires to much stricter underwriting. The reason is purely actuarial: ransomware and credential-compromise claims have driven up the sector's loss ratio, and insurers need objective data — not client declarations — to price the risk. MFA on all remote access, isolated or immutable backups, network segmentation and evidence of recent security testing have become market-access conditions, not optional extras that improve pricing.

What pentesting evidence insurers typically require (and what doesn't count)

Insurers and their cyber-risk brokers typically ask for: (1) a recent pentest report (usually within the last 12 months) covering critical assets — web, perimeter network, Active Directory; (2) evidence that critical and high findings were actually remediated, not just the original report; (3) for higher-coverage policies, continuous vulnerability assessment, not a one-off. An automated vulnerability scan alone usually isn't enough for the higher coverage tiers: insurers distinguish between a scan (which detects the known) and manual pentesting (which demonstrates real exploitability), and weight the latter more heavily.

How pentesting lowers your premium

Beyond being a market-access requirement, a history of recurring pentests with remediated findings is one of the most direct levers to lower your premium: it reduces the perceived probability of a claim, translating into better terms or higher coverage limits at the same price. Some insurers explicitly offer discounts or expanded coverage in exchange for evidence of periodic security testing — annual or semi-annual — versus a single, old audit.

What happens if you claim without having tested your security

The risk isn't just pricing — it's effective coverage. If, during a claims process after an incident, the insurer determines you declared security measures that weren't actually in place — for example, MFA that didn't actually cover all access points, or controls a pentest would have revealed as absent — they can invoke the misrepresentation clause to reduce or deny the payout. A recent pentest and its documented remediation plan are, in practice, the evidence that protects you both at underwriting and at claim time.

FAQ

How recent does a pentest report need to be for an insurer?

It depends on the insurer and the policy size, but the usual requirement is a report from the last 12 months. For higher-coverage policies or regulated sectors, some require mandatory annual cadence as a renewal condition.

Can the same pentest be used for multiple insurers or brokers?

Yes — a technical pentest report following a recognized methodology (OWASP, PTES) with clear evidence is valid to present to different insurers or brokers while comparing policies. You don't need to repeat the audit for every quote.