The CISI puts a structured, evidence-based score on the one question boards and CFOs haven't been able to answer — until now. 34 questions. 10 domains. Two dimensions of denial risk. Free assessment. Immediate results.
34 questions · 10 domains · Claimant-side + insurer-side · Immediate results
Domain values reflect forensic significance — the frequency with which each domain appears as a driver of claim denial in post-breach investigations. Domains 1–9 measure claimant-side control failures. Domain 10 measures insurer-side policy exclusion risk independently.
Domain 10 evaluates three specific policy exclusion risks that exist independent of security posture. A Domain 10 flag fires regardless of total score and triggers an immediate Stage 2B recommendation.
Lloyd's-mandated state-backed attack exclusions have been required since March 2023. Healthcare, financial services, critical infrastructure, and defense contractors are primary nation-state targets. If your policy contains this exclusion and it has not been reviewed by qualified counsel, coverage for the most likely threat actor class in your sector may be void.
Standard policies frequently exclude downstream losses from third-party breaches. EHR clearinghouses, billing processors, cloud platforms, fintech APIs, and payment systems create coverage gaps that are unconfirmed until the claim is filed. The Change Healthcare incident produced $3.09B in losses — much of it from organizations that believed their policy covered supply chain events.
The July 2024 CrowdStrike incident generated $400M–$1.5B in insured losses and accelerated insurer exclusion of non-malicious correlated events. Cloud provider failures, software update failures, and widespread infrastructure outages may not be covered under your current policy.
The critical insight: A security team cannot fix a Domain 10 flag. No amount of MFA enforcement, backup isolation, or IR plan testing resolves a nation-state exclusion clause. These gaps are closed through policy review with insurance counsel — not through the security program. The CISI surfaces them so organizations can act before a breach occurs, not after a claim is denied.
34 questions across 10 domains. For each question, select the score that best reflects your current operating environment. Approximately 15 minutes.
Your CISI score updates in real time as you answer each question. Domain breakdown, claim probability projection, and Domain 10 flag status are visible throughout.
Enter your organization details to unlock the full report: executive summary, primary denial drivers, domain critique, financial exposure estimate, and priority recommendations.
Download your complete CISI Assessment Report — formatted for executive and board presentation. The optional analysis debrief with a Cybantage advisor is the recommended next step.
Domain 10 flags are evaluated independently. A score in any band with active D10 flags requires separate policy review regardless of the claimant-side score.
The organizations that survive breaches built their posture before the event — not in response to it. The CISI gives you the scored picture of where you actually stand, 15 minutes from now.