Qualys & Converge launch cyber cover tied to risk data

Qualys and Converge have launched a joint cyber insurance offering for organisations using verified security data. The arrangement links insurance premiums to evidence of cyber risk reduction.

The offering uses a new Qualys Converge Connect Insurance Report, or CCIR, generated through Qualys Enterprise TruRisk Management. Converge underwriters use the report to assess a company's security posture through standardised data, rather than relying mainly on manual questionnaires completed by applicants.

Cyber insurance underwriting has come under pressure as ransomware attacks, data breaches and supply chain incidents have increased. Insurers have long depended on self-reported information collected during renewals, a process that can be slow and produce incomplete or inaccurate answers.

Under the new arrangement, automated data from Qualys Enterprise TruRisk Management feeds into the insurance report. The report verifies areas including vulnerability management, patch management and endpoint detection controls, giving underwriters a current view of the security measures in place.

This approach is intended to reduce the administrative burden for customers and make underwriting more consistent. It should also lower the risk of inaccurate self-reporting and allow premiums to reflect an organisation's measured risk level rather than broader industry assumptions.

How it works

The CCIR will cover several products in the Qualys portfolio, including Enterprise TruRisk Management, Vulnerability Management, Detection and Response, TruRisk Eliminate, and Endpoint Detection and Response. The report is generated independently in real time and remains valid for 30 days.

Its metrics are expected to show measurable risk reduction, remediation speed, compliance rates and the breadth of asset coverage. That gives insurers a more direct way to compare applicants' security controls and gives customers a clearer route to demonstrating improvements in their cyber posture.

For companies buying cover, the model creates a financial incentive to maintain stronger security practices between renewals rather than preparing for an annual insurance application. For insurers, it offers a way to track live operational data instead of relying on a static snapshot.

Tom Kang, Chief Executive Officer of Converge, outlined the shift in underwriting the companies are seeking.

"Cyber risk has historically been priced on snapshots and self-reported answers, leaving real exposure invisible between renewals," Kang said.

"With verified data, we will be able to underwrite to a company's live security posture and provide policyholders who do the hard work of reducing risk to see the benefits," he said.

Insurance focus

The launch reflects a broader shift in the cyber insurance market towards using more technical telemetry in pricing and underwriting decisions. As claim costs have risen, insurers have sought more reliable ways to distinguish between organisations with strong controls and those with weaker defences.

Security vendors have also been trying to show that their tools can do more than support technical teams, extending into board-level risk management, compliance and insurance. By tying risk data to insurance pricing, Qualys is positioning its Enterprise TruRisk Management product closer to financial decision-making inside customer organisations.

Qualys has more than 10,000 subscription customers worldwide, including many large multinational businesses. The new insurance report is now available in Enterprise TruRisk Management for customers interested in the joint arrangement with Converge.

Sumedh Thakar, President and Chief Executive Officer of Qualys, said the product was designed to connect operational cyber risk with a business cost companies clearly understand.

"Cyber insurance is key to the overall risk management strategy, but there has to be an easier way to correlate the strength of an organization's cyber posture with what they should pay in insurance," Thakar said.

"That's why we created ETM to provide stakeholders with an accurate picture of their true risk, enabling better business outcomes like cyber insurance savings, and a greater incentive to reduce their cyber risk," he said.