
A London consultancy attached a Vantyris report and re-scan to its cyber-insurance renewal pack and finalised the renewal with no follow-up evidence requests.

A management consultancy partnership · London, England · 11 staff including 4 partners

Vantyris · Case study

CS-005 · Published 2026-05-23


Score after remediation: 71 to 93
Findings closed: 3 of 3
Time to first fix: about 12 hours
Time to all fixes: about 48 hours

What made them run a scan

The cyber-insurance renewal questionnaire from the firm's insurer included a new line item this year: had the firm commissioned an external vulnerability scan against its public-facing assets in the past 12 months. The practice manager had eight working days to deliver evidence with the renewal pack.

What Vantyris found

  1. Missing security headers on the main marketing site (medium)

     Three of the four recommended headers were absent. The HSTS header was present and correctly configured.

  2. Client portal subdomain on a slightly outdated TLS configuration (medium)

     The portal returned a B grade on SSL Labs due to a deprecated cipher offered alongside modern ones. Not currently exploited.

  3. Session cookie not flagged as Secure on the marketing site (low)

     A partner had disabled the Secure flag during testing and the change had not been reverted. The cookie did not carry sensitive data but the flag should still be set.

  4. No exposed admin services; DMARC enforced at p=reject (healthy)

     The firm's email hygiene was strong, with DMARC, SPF, and DKIM all configured. No admin interfaces were reachable from the public internet.

What they fixed and how

The firm's external IT contractor closed all three findings within 48 hours. A re-scan documented the closure of every item. The PDF of the original scan plus the PDF of the re-scan were attached to the insurance renewal pack, alongside a one-page covering note. The insurer's underwriter accepted the evidence without follow-up questions, three business days before the deadline.

In the customer's words

We needed something we could attach. The insurer accepted it without follow-up questions. That is all we needed.

Practice manager, consultancy in London

What's next

The firm has set the scan to repeat quarterly, with one annual scan timed to land six weeks before the insurance renewal date. The pattern is now part of the firm's annual cyber-renewal calendar.

Vantyris · Shield Trust Holdings · Anonymised per customer release · Reviewed 2026-05-23

Anonymised by sector and region. Customer names, domains, and exact identifiers withheld unless explicitly released. We do not pay for participation.