By Ryan Windt | Head of Growth Marketing | Updated June 2026
Vulnerability management doesn’t generate headlines the way ransomware does. It’s not a flashy control. But ask any underwriter what they’re looking at when a claim comes in, and unpatched systems appear near the top of the list.
Carriers have paid out enough claims tracing back to known, patchable vulnerabilities that they’ve changed how they underwrite. Patch management is no longer a box you check on the application. It’s a program they want to see evidence of, and in some cases, a condition of coverage.
This post explains what underwriters are looking for, how they verify it, and what you need to document before your next renewal.
Why Vulnerability Management Matters to Underwriters
Cyber underwriters are working from claims data. When they see the same root cause appear across losses, they build it into their underwriting criteria. Unpatched systems have been the entry point in a significant share of ransomware attacks and data breaches over the past several years.
The mechanism is straightforward: a known vulnerability gets a CVE and a CVSS score. Proof-of-concept exploit code gets published. Within days or weeks, threat actors are actively scanning for unpatched instances. Organizations that haven’t applied the patch are exposed to a known, documented risk that could have been closed.
Underwriters see this dynamic in their claims data. When they pay a ransomware claim and the root cause traces back to an unpatched VPN appliance or Exchange server, they ask why the patch wasn’t applied. When that answer is “we didn’t have a formal patch management process,” that information informs future underwriting.
The result is that vulnerability management has moved from a general best practice into a specific underwriting criterion at many carriers, particularly for accounts above a certain revenue threshold or in sensitive industries.
What Underwriters Are Actually Asking
The questions on cyber insurance applications have become more specific over time. Where earlier applications might have asked a yes/no question about patch management, current applications from many carriers go further. Common questions include:
Patching timelines. Carriers want to know how quickly you apply patches to critical systems after they’re released. Common benchmarks: critical patches within 14 to 30 days, high-severity patches within 30 to 60 days. If you can’t articulate a timeframe, that’s a flag.
Coverage of internet-facing systems. Underwriters are particularly focused on externally accessible systems, including VPN appliances, remote desktop endpoints, mail servers, and web applications. These are the attack surfaces most actively scanned by threat actors. Your internal patch cadence matters less if your perimeter is six months behind.
Vulnerability scanning. Some applications now ask whether you run regular vulnerability scans and how frequently. The expectation is typically monthly scanning at minimum, with more frequent scanning for critical or internet-facing systems.
Treatment of end-of-life systems. Systems that no longer receive vendor security patches represent a different category of risk. If you’re running end-of-life operating systems or software, underwriters want to know whether compensating controls are in place and whether there’s a migration timeline.
Critical infrastructure patches. High-profile vulnerabilities that receive mass exploitation, such as those affecting widely deployed enterprise software, get specific attention. A carrier may ask directly whether your environment was affected and remediated.
How Carriers Verify Your Answers
This is where the underwriting process has evolved. Attestation on the application is still the starting point, but carriers have added verification mechanisms, particularly for larger accounts.
Active scanning at quote. Several cyber carriers, including Coalition and At-Bay, conduct external-facing scans of your infrastructure as part of the underwriting process. They’re checking for open ports, outdated software versions, and known vulnerabilities on your public IP footprint. If your VPN appliance is two versions behind a critical patch, they can see it before they issue a quote.
Risk scoring platforms. Underwriters use third-party security ratings tools that continuously monitor publicly observable security signals. These scores factor into pricing and can trigger re-underwriting at renewal if they’ve declined since the prior year.
Technical questionnaires for larger accounts. For accounts with higher limits or more complex risk profiles, carriers may require more detailed technical supplementals that go beyond the standard application. These can include questions about your vulnerability management tooling, scanning frequency, and how remediation is tracked.
Claims investigation. If a claim is filed, carriers investigate root cause. If the breach traces to an unpatched system, and your application represented that you maintain a timely patch program, that discrepancy can create a coverage dispute or grounds for rescission. Application accuracy matters.
What a Defensible Vulnerability Management Program Looks Like
You don’t need a sophisticated enterprise security operation to satisfy underwriting requirements. What you need is a documented, consistently executed program. The elements underwriters want to see:
An asset inventory. You can’t patch what you don’t know you have. Underwriters understand this. A basic, maintained inventory of your systems, including software versions and ownership, demonstrates intentional management of your environment. This is a foundational requirement.
Regular scanning. Run authenticated vulnerability scans against your environment on a defined schedule. Monthly is the common baseline. Tools range from enterprise platforms to accessible options that work for smaller organizations. The key is consistency and documentation of results.
A defined patching cadence with severity tiers. Critical and high-severity patches should have a defined remediation timeline. Document it. The specific timeframes matter less than the fact that you have defined thresholds and follow them. Fourteen days for critical patches is a common industry benchmark.
Prioritization of internet-facing systems. Your perimeter gets patched first. VPN appliances, firewalls, remote access tools, and publicly accessible applications should be on an accelerated patch cycle compared to internal systems.
A process for end-of-life systems. If you have systems that can’t be patched because the vendor no longer supports them, document why they exist, what compensating controls are in place, and whether there’s a migration or decommission plan. Underwriters understand that EOL systems exist in real environments. What they want to see is that you’re managing the risk deliberately.
Tracking and closure documentation. Vulnerability management isn’t just scanning. It’s remediating findings and tracking them to closure. A scan report showing 200 critical findings with no evidence of remediation is worse than no scan at all. The workflow from identification to closure needs to be documented.
Documentation That Supports Your Application and Renewal
Underwriters can’t audit your environment directly in most cases, so documentation is your evidence. The following materials, when available, strengthen your position:
A vulnerability management policy that defines your program scope, scanning frequency, patching timelines by severity, and ownership of the remediation process. This doesn’t need to be long, but it should exist as a formal document.
Scan reports, even summarized ones, that show a regular scanning cadence and demonstrate remediation activity over time. Carriers that request supporting documentation may ask for these on complex accounts.
Patch completion metrics. If you can show that 95% of critical patches are applied within your defined window, that’s a meaningful data point. It demonstrates not just intent but execution.
A list of any known exceptions, meaning systems that are behind on patches, with documented rationale and compensating controls. Undisclosed exceptions are a risk at claim time. Disclosed, managed exceptions are far less so.
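The severity-tiered cadence, perimeter prioritization, exception handling and completion metrics described above can be reduced to a small reporting routine. The following is an added example, not part of the original post: it buckets constructed sample findings by SLA status, reports documented exceptions separately rather than counting them as compliant, and assumes a 14/30-day window with internet-facing systems on a halved (accelerated) window.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation windows in days by severity (the 14/30-day benchmarks from the text).
SLA_DAYS = {"critical": 14, "high": 30}
PERIMETER_FACTOR = 0.5   # assumption: internet-facing systems get half the window
AS_OF = date(2026, 4, 20)  # constructed reporting date


@dataclass
class Finding:
    host: str
    severity: str              # "critical" or "high"
    internet_facing: bool
    opened: date               # date the patch became available / finding raised
    closed: Optional[date]     # None while still unremediated
    exception: Optional[str] = None  # documented rationale and compensating control


def window_days(f: Finding) -> int:
    base = SLA_DAYS[f.severity]
    return int(base * PERIMETER_FACTOR) if f.internet_facing else base


def patch_metrics(findings, as_of: date) -> dict:
    """Bucket findings as on_time / late / overdue / open and compute on-time %
    per severity. Documented exceptions are listed, not counted as compliant."""
    stats = {s: {"total": 0, "on_time": 0, "late": 0, "overdue": 0, "open": 0}
             for s in SLA_DAYS}
    exceptions = []
    for f in findings:
        if f.exception:
            exceptions.append((f.host, f.exception))
            continue
        s = stats[f.severity]
        s["total"] += 1
        age = ((f.closed or as_of) - f.opened).days
        if f.closed:
            s["on_time" if age <= window_days(f) else "late"] += 1
        else:
            s["overdue" if age > window_days(f) else "open"] += 1
    for s in stats.values():
        s["pct_on_time"] = round(100 * s["on_time"] / s["total"], 1) if s["total"] else None
    return {"by_severity": stats, "exceptions": exceptions}


# Constructed sample findings (hostnames and dates are made up).
SAMPLE = [
    Finding("vpn01", "critical", True, date(2026, 3, 1), date(2026, 3, 5)),
    Finding("mail01", "critical", True, date(2026, 3, 1), date(2026, 3, 12)),
    Finding("fileshare", "critical", False, date(2026, 3, 1), date(2026, 3, 10)),
    Finding("web01", "high", True, date(2026, 3, 10), date(2026, 3, 20)),
    Finding("hr-app", "high", False, date(2026, 3, 1), None),
    Finding("plc-legacy", "critical", False, date(2026, 2, 1), None,
            exception="EOL controller; isolated VLAN, replacement scheduled Q4"),
]

if __name__ == "__main__":
    print(patch_metrics(SAMPLE, AS_OF))
```

The `pct_on_time` figure per severity is the "95% within window" style metric underwriters ask for, and the `exceptions` list is the disclosed-exceptions register.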
Vulnerability Management and Specific Industries
Certain industries face additional expectations because of the sensitivity of their data or the regulatory frameworks they operate under.
Healthcare. Unpatched medical devices and legacy hospital systems have been a recurring factor in healthcare cyber incidents. The Change Healthcare breach and other high-profile events have sharpened underwriter focus on healthcare organizations’ patching practices, particularly for systems connected to clinical networks. HIPAA’s Security Rule requires a risk management process that encompasses vulnerability remediation.
Financial services. SEC cybersecurity disclosure rules and state-level regulations create pressure on financial institutions to demonstrate active vulnerability management. Underwriters for banks, RIAs, and broker-dealers often apply more rigorous underwriting standards.
Manufacturing. Operational technology environments present a particular challenge because many OT systems weren’t designed for regular patching and may have limited vendor support. Underwriters serving manufacturers are increasingly asking how IT and OT patching are managed separately and whether OT systems are segmented from corporate networks.
MSPs. Managed service providers introduce a different dimension: their vulnerability management posture affects not just their own environment but their clients’. Underwriters evaluating MSPs look at both the MSP’s internal patch program and the tooling and processes they use to manage patching for clients. An MSP with strong RMM-based patch automation and documentation is in a materially better position than one relying on manual processes.
Common Application Mistakes
Overstating your program. Representing that you apply critical patches within 14 days when your actual average is closer to 60 is a misrepresentation. If it’s discovered at claim time, it creates grounds for denial. Answer accurately and address the gap rather than obscure it.
Ignoring internet-facing systems. Organizations sometimes have reasonable patch programs for internal systems but fall behind on perimeter devices because they’re handled by a different team or vendor. Underwriters specifically probe this. Your VPN appliance patching cadence matters more than your printer fleet.
No documentation. You may have a well-run patch program but no paper trail to support it. This is a fixable problem before renewal. Implement basic tracking, even in a spreadsheet, and retain scan outputs.
Not disclosing EOL systems. Attempting to hide end-of-life systems from underwriters is a bad strategy. They may find them through external scanning. Disclose them, document the risk management approach, and include a remediation timeline.
How This Connects to Other Underwriting Requirements
Vulnerability management doesn’t stand alone. It connects to several other controls underwriters evaluate:
EDR and Cyber Insurance: What Underwriters Require, What They Actually Verify, and How to Document It — endpoint detection and response tools often surface vulnerabilities in addition to active threats, and underwriters look at EDR and patch management together.
MFA and Cyber Insurance: What to Deploy, How to Document It, and What Underwriters Require — multi-factor authentication protects access even when a vulnerability exists; these controls are evaluated in combination.
Privileged Access Management and Cyber Insurance: What Underwriters Are Starting to Ask — limiting privileged access reduces the blast radius when an unpatched vulnerability is exploited.
Email Security Controls and Cyber Insurance: What DMARC, DKIM, and SPF Mean for Your Coverage — phishing via email remains a primary initial access vector, often targeting unpatched mail infrastructure.
The full picture of what underwriters evaluate is covered in The Security Controls Underwriters Check Before They Quote You.
Frequently Asked Questions
Will poor patch management cause my cyber insurance application to be declined?
Not automatically, but it affects pricing and terms. Carriers with external scanning capabilities may identify unpatched internet-facing systems and either price accordingly, require remediation before binding, or apply sublimits to certain coverage areas. For accounts with significant known vulnerabilities, some carriers will decline. The more common outcome is a higher premium and conditional requirements.
What patching timeline do underwriters expect?
There’s no universal standard, but 14 to 30 days for critical patches and 30 to 60 days for high-severity patches is a common benchmark across carriers. The more important factor is that you have a documented policy with defined timeframes and evidence that you follow it.
Do underwriters scan my systems when I apply for coverage?
Some carriers do conduct external scans as part of underwriting, particularly at higher limit thresholds. Coalition and At-Bay are known for this approach. The scan is limited to what’s publicly observable from the internet. They’re looking at exposed services, software versions on public-facing systems, and known vulnerabilities.
What if I have end-of-life systems I can’t immediately replace?
Disclose them and document your compensating controls. Network segmentation, enhanced monitoring, and a documented migration plan all reduce underwriter concern. Attempting to hide EOL systems is riskier than disclosing them because carriers may discover them through scanning, and non-disclosure can affect claims.
How does vulnerability management affect my premium?
Organizations with documented, well-executed vulnerability management programs generally see better pricing than comparable accounts without them. The delta varies by carrier and account characteristics, but control quality is one of the factors that creates room to negotiate at renewal.
Is a third-party vulnerability scan required?
Not universally, but some carriers recommend or require it for accounts above certain revenue or limit thresholds. Running your own scans with documented results is acceptable for most accounts. The key is consistency and evidence of remediation.
Related Resources
- Cyber Insurance Requirements: What Underwriters Actually Check
- Cyber Insurance Underwriting: What Carriers Evaluate and How to Prepare Your Application
- The Security Controls Underwriters Check Before They Quote You
- EDR and Cyber Insurance: What Underwriters Require, What They Actually Verify, and How to Document It
- What Small Businesses Actually Need from Cyber Insurance and What Most Policies Miss
Vulnerability management is one of the controls where the gap between what organizations represent on applications and what they actually do shows up clearly at claim time. If your program is solid, document it. If it has gaps, address them before renewal. Either way, knowing what underwriters are looking for puts you in a better position to get coverage that holds when you need it.
Ready to discuss your cyber insurance program? Contact us or review your coverage options.