Security Posture Report FAQ
The following provides context and information related to the Security Posture Report provided with Beazley Cyber Insurance Policies.
Powered by Beazley Security, the Security Posture Report is a personalized cyber risk assessment that provides organizations with valuable insights into their external cyber security posture. The report highlights areas of potential risk, providing customized and actionable recommendations to strengthen their defenses, reducing the likelihood of an attack.
Why does Beazley Security provide this report?
As part of a new cyber insurance application, and on behalf of its Beazley insurance affiliates (“Beazley”), Beazley Security performs a network infrastructure scan of the client organization using a proprietary technology called Karma to identify potential vulnerabilities. The key results from Karma are described in the Security Posture Report (SPR), which enables organizations to learn more about the vulnerabilities, understand the extent a risk may pose to their cyber security posture, and offer corrective actions to reduce the risk of a cyberattack.
Who is this report for?
The Security Posture Report provides tangible benefits to multiple stakeholders in the insurance buying process. Specifically, the SPR provides insureds and prospective insureds with greater insight into their security vulnerabilities to help reduce the likelihood of cyberattacks. The SPR also allows brokers to better position themselves to advise clients on their cyber security posture during insurance coverage discussions.
How does Beazley Security find these issues?
Beazley Security has built a solution to automatically scan an organization’s publicly accessible network infrastructure and find vulnerabilities. Karma begins with an organization’s domain—such as example.com—and uses different sources to discover the organization’s related subdomains—such as forms.example.com or store.example.com. After identifying the subdomains, Karma identifies which IP addresses host content for each domain.
After identifying the IPs, Karma works to identify all the open ports and software hosted on each IP. Finding open ports is critical because it allows Beazley Security to understand an organization’s exposure and gather more details about its attack surface. Karma uses these open ports to gather key information about the services and software running on each port. This information is used to identify high-risk software and other vulnerabilities that affect an organization’s cyber security posture, and it points out the areas of weakness an organization should address to improve that posture.
What kind of vulnerabilities does the scan attempt to uncover?
Beazley Security looks for open ports, exposed services, software vulnerabilities, and other important risk factors associated with an organization. These risk factors fall into a few areas:
- Attack Surface: Hostnames, IP addresses, and known exploited vulnerabilities
- Email Security: DKIM keys, DMARC settings, and SPF settings
- Security Certificates: Expired certificates and assets without encryption
- High-Risk Software: Software that should not be directly exposed to the internet
These types of findings increase exposure to cyberattacks and are used to assess an organization’s cyber security posture.
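To make the Email Security checks concrete, the following added example (not Beazley Security’s Karma code) parses SPF and DMARC TXT records and sorts each into the report’s own status buckets (Action Recommended, Action Suggested, Needs Review, Looks Good). The records and domain names are constructed for the example and are looked up from an in-memory table rather than DNS, and the mapping of each weakness to a status bucket is this example’s own assumption, not Beazley’s scoring.

```python
import re

# Constructed sample TXT records for three hypothetical domains (no DNS lookups happen).
SAMPLE_TXT = {
    "good.example":        ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example":        ["v=spf1 a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=100"],
    "none.example":        [],
    "_dmarc.none.example": [],
}

SPF_ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208, section 4.6.4).
SPF_LOOKUP_RE = re.compile(r"^(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.IGNORECASE)


def classify_spf(txt):
    """Return (status, reason) for the SPF TXT records published at a domain."""
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return "Action Suggested", "no SPF record published"
    if len(spf) > 1:
        return "Action Recommended", "multiple SPF records; receivers treat this as a permanent error"
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms if SPF_LOOKUP_RE.match(t.lstrip("+-~?")))
    if lookups > 10:
        return "Action Recommended", f"{lookups} DNS lookups exceed the limit of 10; SPF evaluates to permerror"
    all_terms = [m for m in (SPF_ALL_RE.match(t) for t in terms) if m]
    if not all_terms:
        return "Needs Review", "no 'all' mechanism; unmatched senders get a neutral result"
    qualifier = all_terms[0].group(1) or "+"   # a bare 'all' means '+all'
    if qualifier == "+":
        return "Action Recommended", "'+all' lets any host send mail as this domain"
    if qualifier == "?":
        return "Needs Review", "'?all' gives unmatched senders a neutral result"
    return "Looks Good", f"'{qualifier}all' limits sending to the listed hosts"


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt):
    """Return (status, reason) for the DMARC TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "Action Suggested", "no DMARC record at _dmarc.<domain>"
    if len(dmarc) > 1:
        return "Action Recommended", "multiple DMARC records; receivers ignore them all"
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "Action Recommended", "missing or invalid 'p' tag; the record is unusable"
    if policy == "none":
        return "Action Suggested", "p=none only monitors; spoofed mail is still delivered"
    pct = tags.get("pct", "100")
    if pct != "100":
        return "Needs Review", f"policy applies to only {pct}% of failing mail"
    if "rua" not in tags:
        return "Needs Review", f"p={policy} enforced but no rua= address collects aggregate reports"
    return "Looks Good", f"p={policy} enforced on 100% of failing mail"


def assess_domain(domain, txt_lookup=SAMPLE_TXT):
    """Run both checks for a domain against the supplied TXT table."""
    return {
        "SPF": classify_spf(txt_lookup.get(domain, [])),
        "DMARC": classify_dmarc(txt_lookup.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        for check, (status, reason) in assess_domain(name).items():
            print(f"{name:14} {check:6} {status:19} {reason}")
```

To run this against live domains, replace the in-memory table with a TXT lookup from a DNS library; DKIM is left out because a DKIM key lives at `<selector>._domainkey.<domain>` and the selector cannot be discovered from the domain name alone, which is why an external scan can only report DKIM keys it has already observed in mail headers.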
What are Known Exploited Vulnerabilities (KEVs)?
Known Exploited Vulnerabilities (KEVs) are weaknesses in software, hardware, or applications that are being actively exploited by attackers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of KEVs to inform organizations of risks. KEVs are considered the most immediate threats and require prioritization to reduce cyber security threats. If Known Exploited Vulnerabilities are identified, the results will be listed in the Attack Surface section of the Security Posture Report.
What High Risk software requires action?
The table below shows the High Risk software that Beazley requires to be addressed to bind an insurance policy with Beazley. If the Karma scan identifies that any of this software is available on an organization’s internet perimeter, it will be displayed in the ‘High Risk Software’ section of the Security Posture Report alongside an “Action Required” flag. Organizations will be able to click a ‘Fix It’ button to begin the required remediation journey and seek additional support via chat or telephone if needed.
There may be other High Risk software that Beazley Security has identified but the items above are the only ones that Beazley currently requires to be addressed prior to binding.
What action should an organization take after reviewing the report results?
After reviewing the report results, identify which issues in the report to resolve:
- Action Required: These are critical security issues that Beazley requires you to address before purchasing or renewing your cyber insurance policy.
- Action Recommended: These are critical security issues that we strongly recommend you fix as soon as possible. Addressing these items is not required to move forward in the insurance process, but they still present considerable risk to your organization.
- Action Suggested: These are moderate-risk issues that we recommend you fix when possible. Addressing these items will improve your security posture and reduce risk to your organization.
- Needs Review: These are informational findings that you should investigate further to see whether they reflect your intended configuration.
- Looks Good: These areas show no issues to report. No action is necessary.
If the recipient of the report within the organization does not have the direct technical skill to fix the issues, Beazley Security recommends sharing the report with their IT provider for additional support. If technical questions arise about the report, an organization can submit a support request to the Attack Surface Management (ASM) helpdesk at [email protected] or leverage the chat feature directly available within related "Fix It" Guides. To ensure a timely response, please include the scan date, the organization the report was prepared for, and the organization’s domain when engaging support.
What are Fix It Guides?
Beazley Security’s Fix It Guides are designed to provide organizations with technical support and guidance on how to resolve commonly identified issues. These guides can be accessed directly from the Security Posture Report and include an interactive series of questions to ensure the content applies to the organization’s software or infrastructure.
Additionally, Beazley Security created Fix It Guides related to 4 primary Beazley underwriting controls. These controls represent essential security measures that should be implemented to improve an organization's resilience against cyber threats. Adopting these measures is a proactive step in mitigating risks.
- MFA on Web-Based Email
- MFA on Remote Access Solutions
- Backups of Critical Data
- Implement Antivirus/EDR Solutions
What if the report shows vulnerabilities from a third-party provider?
The Security Posture Report might show IPs, hostnames, or vulnerabilities associated with a third party, such as a managed service provider, software-as-a-service provider, or IT provider. Findings associated with a third party are still a part of an organization’s network infrastructure and contribute to its overall attack surface. Because these issues can serve as an attack vector into the organization’s own network, they’re still important to address.
In these cases, Beazley Security recommends organizations work with the third-party provider to resolve the issues identified in the SPR.
Are there potential network vulnerabilities that this report might not uncover?
Yes. The Security Posture Report provides valuable insights into an organization’s network security, but Karma works to passively identify issues and is not a “vulnerability scanning” solution. As such, Karma cannot uncover all potential vulnerabilities. Security threats are constantly evolving, so some risks may go undetected, and other risks may emerge after the date of the scan. Even if no vulnerabilities are identified in the report, or all listed issues are addressed, the risk landscape keeps changing, and it is important that an organization remains aware of its security posture beyond this report.
What level of support can Beazley Security provide to an organization?
Beazley Security supports organizations by answering general and technical questions about the Security Posture Report and Fix It Guides. However, Beazley Security does not make changes on the organization’s behalf to resolve the risks identified in the report. Instead, organizations should work directly with their IT provider to implement the necessary changes.
If additional support is needed, Beazley Security professional services can be engaged to discuss potential solutions. For more information about our Professional Services capabilities and how Beazley Security can help you reduce risk, please Contact Us or take a look at our capabilities brochure.
For questions about the technical content of the report or to discuss certain findings, please reach out to Attack Surface Management (ASM) Support via the following email address: [email protected]. To ensure a timely response, please include the scan date, the organization the report was prepared for, and the organization’s domain when engaging support.
For questions about your insurance policy or any other insurance-related matter, please contact your licensed insurance broker.
The Underwriting standards and controls noted in this communication are determined by Beazley, and determinations as to compliance with any such standard or control are made by Beazley.
Last Updated: April 2025