Why did carriers start demanding this?
Cyber insurers spent years paying ransomware claims that traced back to the same handful of causes: exposed remote access without MFA, unmanaged endpoints, connected backups, and no one testing any of it. The questionnaires are actuarial memory. Each control they now require maps to a loss pattern they're tired of funding.
The practical consequence for a Louisiana small business: the questionnaire is no longer paperwork. Answers determine premium, coverage limits, and — critically — whether a claim gets paid. A misstatement discovered during a claim investigation is grounds for denial, which makes honest answers with documented gaps strictly better than optimistic checkbox-ticking.
Scan, assessment, or penetration test — which do they want?
| Engagement | What it is | Typically satisfies |
|---|---|---|
| Vulnerability scan | Automated tooling lists potential weaknesses | Basic questionnaire lines; internal hygiene |
| Vulnerability assessment | Broader expert review, lighter than a full test | Mid-tier requirements; first-time baseline |
| Penetration test | Authorized experts validate and chain real exploits, with evidence | Explicit pentest requirements; enterprise vendor reviews |
Read your specific requirement carefully — 'periodic security testing' language sometimes accepts an assessment, while enterprise customer security reviews usually mean a genuine penetration test with a report they can read. Buying more than required wastes money; buying less voids the point.
How to prepare so the test is worth its price
- Fix the known-knowns first — MFA everywhere, dead accounts disabled, exposed remote access closed. Paying testers to rediscover what you already know wastes scope.
- Inventory what's actually yours: systems, applications, cloud tenants. You can only authorize testing of what you own.
- Define scope around what matters — the systems holding client data and money, not the marketing site alone.
- Plan remediation capacity before the report lands; findings with no one assigned to fix them age poorly.
- Keep the paperwork: scope, dates, methodology, findings, and remediation status are what the carrier or enterprise customer actually reads.
A first test on an unprepared environment produces a long report of basics. A first test on a prepared environment produces the interesting findings — the ones you genuinely couldn't see yourself. The second report is the one worth paying for.