Insights · April 5, 2026 · SecureClear Team

5 Things Carriers Check Before Quoting Cyber Insurance

Carriers Are Scanning Your Clients

If you think the application is the only thing carriers look at, you're wrong. Every major cyber carrier now runs its own external security assessment before quoting. Coalition, Corvus, At-Bay, and Resilience all scan the prospect's domain as part of their underwriting process.

If the scan reveals something the application didn't mention, the quote gets delayed or declined. Here are the five things they're checking.

1. Email Authentication (SPF, DMARC, DKIM)

This is the number one reason for declines on small accounts. If a company's domain doesn't have SPF and DMARC configured, carriers assume their employees are vulnerable to phishing. Phishing is the entry point for over 80% of cyber claims.

What to check: Does the domain have an SPF record? Is DMARC set to "quarantine" or "reject" (not "none")? These are free to implement and take 30 minutes to configure.
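
One way to run the two checks above against TXT records you have already looked up (SPF at the domain apex, DMARC at `_dmarc.<domain>`). This is an added example, not SecureClear's or any carrier's scanner; the function names and sample records are constructed, and it also flags duplicate records and an SPF record ending in `+all`, which goes slightly beyond the checklist.

```python
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a lowercased dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def check_spf(apex_txt):
    """Return (ok, reason) for the TXT records published at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split(None, 1)[:1] == ["v=spf1"]]
    if not spf:
        return False, "no SPF record"
    if len(spf) > 1:
        return False, "multiple SPF records (permerror under RFC 7208)"
    terms = spf[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:  # a bare 'all' defaults to '+all'
        return False, "SPF ends in +all, which authorizes every sender"
    return True, "SPF record present"

def check_dmarc(dmarc_txt):
    """Return (ok, reason) for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return False, "no DMARC record" if not recs else "multiple DMARC records"
    policy = parse_tags(recs[0]).get("p")
    if policy in ("quarantine", "reject"):
        return True, f"DMARC p={policy}"
    return False, f"DMARC p={policy or 'missing'} is not enforcing"

def assess(apex_txt, dmarc_txt):
    """Combine both checks into one pass/fail result with the reasons."""
    spf_ok, spf_reason = check_spf(apex_txt)
    dmarc_ok, dmarc_reason = check_dmarc(dmarc_txt)
    return {"pass": spf_ok and dmarc_ok, "findings": [spf_reason, dmarc_reason]}

# Constructed sample records (example.com / example.net are reserved domains).
SAMPLE_APEX = ["site-verification=abc123", "v=spf1 include:_spf.example.net -all"]
SAMPLE_DMARC_WEAK = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
SAMPLE_DMARC_GOOD = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print(assess(SAMPLE_APEX, SAMPLE_DMARC_WEAK))
    print(assess(SAMPLE_APEX, SAMPLE_DMARC_GOOD))
```
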

2. SSL/TLS Certificate and Configuration

An expired certificate or outdated TLS version (1.0 or 1.1) is a hard blocker for most carriers. It signals that nobody is maintaining the company's web infrastructure.

What to check: Is the certificate valid and not expiring within 30 days? Is the server using TLS 1.2 or higher?

3. Web Application Firewall

Carriers look for evidence that the company's web traffic is protected by a WAF or CDN like Cloudflare, Akamai, or AWS CloudFront. The presence of a WAF signals proactive security investment.

What to check: Look for Cloudflare, Akamai, or similar headers in the HTTP response. No WAF doesn't automatically mean a decline, but it's a factor.

4. Known Vulnerabilities and Breach History

Carriers check whether the company or its domain has appeared in known breach databases. A prior breach doesn't prevent coverage, but it significantly affects pricing — expect a 40-65% premium surcharge.

What to check: Search the CA Attorney General breach list and HIBP for the domain.

5. DNS Security (DNSSEC and CAA)

These are the "extra credit" checks. DNSSEC prevents DNS spoofing, and CAA records restrict which certificate authorities can issue certs for the domain. Not all carriers check these, but the data-driven carriers (Coalition, Corvus) do factor them into their scoring.

Pre-Scan Before You Submit

Run a free SecureClear scan on your client's domain before submitting to any carrier. If the scan reveals gaps, work with the client to fix them first. A clean scan means faster quotes, better terms, and fewer surprises.
