Elephant
a briefing for regulated firms

Why hackers and insurers scan your website.

One reads your website to break in. The other reads it to price your policy. They are looking at the same thing — your public attack surface — so the weaknesses an attacker exploits are the exact findings an underwriter scans for. Shrink that surface and you lower your real risk and your premium at once.

Elephant · Cyber-insurer & hacker briefing · Legacy website → static migration

01 The underwriting shift.

The big change is simple: cyber underwriting moved from "trust the questionnaire" to "verify it ourselves." Roughly three out of four carriers now run external attack-surface scans during underwriting, and self-attestation is no longer the end of the conversation.

Your public-facing website and infrastructure are the cheapest, fastest signal a carrier has. They are what an attacker sees first, so they work as a proxy for your overall security maturity — an outside-in rating. Tools like SecurityScorecard, BitSight, and their peers show what an external attacker — or an underwriter using the same tools — can see about your public-facing infrastructure.

3 in 4 carriers now run their own external scan during underwriting. The questionnaire is a starting point, not the verdict.

Why this line of insurance leans on it so heavily: cyber is the only major commercial line where the exposure itself is technologically determined. Attack surface and defensive posture shift in months rather than decades, which breaks the assumptions behind standard ratemaking. Property underwriters look at your building; cyber underwriters can't, so they look at your data, your attack surface, and your ability to survive an incident.

How it reaches the premium.

Documented controls can swing premiums twenty to forty percent in either direction at renewal — and one unprotected entry point can void a claim. The baseline carriers check for is consistent: enforced MFA, EDR/MDR on every endpoint, immutable backups with tested restores, a written incident-response plan with a recent tabletop, and a documented patch-management program. Missing those doesn't just raise your rate — it can get you declined outright.

And there's a sting in the tail. Carriers are now denying claims when forensic review finds the controls a policyholder attested to weren't actually in place at the time of the incident. The scan does double duty: pricing the policy, and fraud-proofing the attestation behind it.

For financial firms specifically, industry is the second-biggest pricing factor. Financial services, healthcare, and technology pay significantly more — they hold high-value data and operate under stricter regulatory environments.

02 Why hackers bother.

Mostly money. The dominant playbook today is attackers logging into third-party services, dumping the data, and monetizing it through extortion — ransomware, data theft for resale, business email compromise, and wire fraud.

Beyond profit, some organizations steal trade secrets from competitors, and nation-state actors breach systems for political or military intelligence. But the center of gravity is financial.

The website is the literal front door — public, always-on, internet-facing — and one that's constantly being probed.

Web-application attacks account for 26% of breaches, the second-most prevalent attack pattern, and 17% of all cyberattacks target vulnerabilities in web applications. Much of that probing isn't even human: malicious bots represent over 60% of all bot traffic on the internet, scanning the web at scale for sites with known weaknesses.

60%+ of bot traffic is malicious — automated scanners hunting, around the clock, for sites with a known weakness to walk through.

03 How they get in.

The common entry routes, roughly in order of prevalence:

  • Phishing and stolen credentials.

    The top initial vector. Phishing is the most common data-breach attack vector at about 16% of breaches, and stolen or compromised credentials account for another 10%; intrusions built on stolen credentials can take up to 186 days to identify.

  • Weak and reused passwords.

    Because users reuse passwords across platforms, attackers replay credentials leaked in prior breaches to access accounts — which is exactly why unique passwords and two-factor authentication matter.

  • SQL injection and web-app / API flaws.

    SQL injection targets poorly secured websites and can compromise millions of records in a single breach; in severe cases attackers can manipulate or delete entire databases. Unsecured APIs leak data at scale.

  • Unpatched software and vulnerable plugins.

    The WordPress problem. Known CVEs in extensible components — plugins, themes, core — are an open door that requires no skill to walk through.

  • Cloud misconfigurations and supply-chain compromise.

    Attackers scan for misconfigured cloud storage to grab large volumes of data without advanced tools, and weak vendor security gives them an indirect way in.
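The SQL-injection route above comes down to one mistake: user input spliced into the text of a query, so the input can change the query's structure rather than just its data. The following is an added example, not code from the Elephant page or from any product it names; it runs an in-memory SQLite database with a constructed `accounts` table and shows the flawed lookup beside its parameterized replacement, using a constructed tautology probe to make the difference visible.

```python
"""SQL injection: the flaw beside its fix, on an in-memory SQLite database.

Added example, not code from the Elephant page. The `accounts` table, its
rows and the probe string are constructed sample data."""

from __future__ import annotations

import sqlite3

# Constructed probe: closes the string literal, then appends a tautology.
TAUTOLOGY_PROBE = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with three constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 1200), ("bob", 300), ("carol", 9800)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Deliberately flawed: the input becomes part of the SQL text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterized: the SQL text is fixed and the value travels separately,
    so the same probe is just a username nobody has."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple[int, int]:
    """Return (rows from the flawed lookup, rows from the safe lookup)."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("bob", TAUTOLOGY_PROBE):
        flawed, safe = compare(probe)
        print(f"{probe!r}: flawed lookup returned {flawed} row(s), safe lookup {safe}")
```

For the legitimate username both lookups return one row; for the probe the flawed lookup returns every account while the parameterized one returns nothing, which is exactly the property an underwriter's questionnaire is asking about when it asks whether web applications use parameterized queries.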

A detail that makes all of this worse: it's quiet. Breaches happen in silence, and administrators are notified much later — by which point the potential or actual losses to the business and its data can be large.

04 What it costs the firm.

The risk is a stacked set of consequences from a single incident:

  • Direct financial loss and ransom.

  • Business interruption while systems are down.

  • Exposure of customer PII or financial data.

  • Regulatory penalties.

    For a financial-services firm, that's squarely Reg S-P territory — breach-notification obligations and potential SEC scrutiny.

  • Reputational damage and erosion of client trust.

  • Legal liability.

  • Denial of the insurance claim.

    The cruel finale — if the audit later shows a control you attested to wasn't actually in place at the time of the incident.


The same externally-visible weaknesses an attacker exploits are the ones the underwriter scans for. Shrink that surface and you lower your real risk and your premium at once.

That is the entire argument for moving off WordPress and onto a hardened, static front end. There is no admin login to brute-force, no plugins to exploit, no database to exfiltrate, and nothing executing on a server. The cleanest report you can hand an underwriter is one with almost nothing on it.
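What an outside-in rating actually works from is the public response itself. The following is an added example, not Elephant's scanner and not any carrier's rating model: it scores two constructed HTTP responses (a legacy CMS front page and a static site behind a CDN) on the kind of passive findings an external scan reports, such as version banners, a CMS fingerprint, cookie flags and missing hardening headers. The finding weights and the 0..100 scale are assumptions made for the example.

```python
"""Outside-in posture check over raw HTTP response headers.

Added example, not Elephant's scanner or any carrier's rating model. Both
responses below are constructed samples, not captures from a real site,
and the finding weights are assumed for illustration."""

from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: what a typical legacy CMS front page might return.
LEGACY_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Link: <https://example.invalid/wp-json/>; rel="https://api.w.org/"
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: a static site behind a CDN with hardening headers set.
STATIC_RESPONSE = """HTTP/1.1 200 OK
Server: cloudfront
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=UTF-8
"""

# Headers whose absence an external scan flags (assumed minimum set).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
)


@dataclass
class Finding:
    code: str
    detail: str
    weight: int  # assumed severity weight: 1 (low) .. 3 (high)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Parse a raw response into (lower-cased name, value) pairs.
    A list rather than a dict, because Set-Cookie may legitimately repeat."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def assess(raw: str) -> list[Finding]:
    """Return the passive findings an outside-in scan would list."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings: list[Finding] = []
    for name, value in headers:
        # Version numbers in banners map directly onto known CVE lists.
        if name in ("server", "x-powered-by") and any(ch.isdigit() for ch in value):
            findings.append(Finding("version-disclosure", f"{name}: {value}", 2))
        # The advertised REST root fingerprints the CMS and its plugin surface.
        if name == "link" and "wp-json" in value:
            findings.append(Finding("cms-fingerprint", "WordPress REST endpoint advertised", 2))
        if name == "set-cookie":
            attrs = {part.strip().lower() for part in value.split(";")[1:]}
            if not {"secure", "httponly"} <= attrs:
                cookie = value.split(";")[0]
                findings.append(Finding("cookie-flags", f"{cookie} lacks Secure/HttpOnly", 2))
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(Finding("missing-header", required, 1))
    return findings


def score(raw: str) -> int:
    """0..100: start at 100 and subtract 5 per weight point (assumed scale)."""
    return max(0, 100 - 5 * sum(f.weight for f in assess(raw)))


if __name__ == "__main__":
    for label, raw in (("legacy CMS", LEGACY_RESPONSE), ("static site", STATIC_RESPONSE)):
        print(f"{label}: score {score(raw)}")
        for f in assess(raw):
            print(f"  [{f.code}] {f.detail}")
```

The static response has nothing to flag, which is the point of the section above: the cleanest report is the one where the public surface gives the scanner nothing to write down. Against a real site the same checks would run over a fetched response instead of the constructed strings.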

See what your underwriter sees.

Elephant runs the same kind of external scan a carrier runs, then rebuilds your site as pure static HTML and CSS — a managed migration in which you still get edits made, simply by asking.


© Elephant · 2026 · elephant.ca · figures are industry-reported and illustrative; your scan results will reflect your own infrastructure.