The CISI puts a structured, evidence-based score on the one question boards and CFOs haven't been able to answer — until now. 34 questions. 10 domains. Two dimensions of denial risk. Free assessment. Immediate results.
Domain point values reflect forensic significance — the frequency with which each domain appears as a driver of claim denial in post-breach investigations. Domains 1–9 measure claimant-side control failures. Domain 10 measures insurer-side policy exclusion risk independently.
Total: 34 questions · Domain 10 is evaluated independently of the total score
Domain 10 is unique in the CISI framework. These three flags are evaluated independently of your total score. A 210/215 score with a D10-NS flag is a high-risk situation that a strong Domains 1–9 posture cannot address. These risks are resolved only through policy review, legal counsel, endorsements, or supplemental coverage.
Lloyd's has required state-backed attack exclusions since March 2023. Healthcare, financial services, critical infrastructure, and defense contractors are primary nation-state targets. If your policy contains this exclusion and it has not been reviewed by qualified counsel, coverage for the most likely threat actor class in your sector may be void.
Standard policies frequently exclude downstream losses from third-party breaches. EHR clearinghouses, billing processors, cloud platforms, fintech APIs, and payment systems create coverage gaps that are unconfirmed until the claim is filed. The Change Healthcare incident produced $2.3B in losses — much of it from organizations that believed their policy covered supply chain events.
The July 2024 CrowdStrike incident generated $400M–$1.5B in insured losses and accelerated insurer exclusion of non-malicious correlated events. Cloud provider failures, software update failures, and widespread infrastructure outages may not be covered under your current policy. Business interruption coverage for events originating outside your organization requires explicit confirmation.
The critical insight: A security team cannot fix a Domain 10 flag. No amount of MFA enforcement, backup isolation, or IR plan testing resolves a nation-state exclusion clause. These gaps are closed through policy review with insurance counsel, endorsements, or supplemental coverage — not through the security program. The CISI surfaces them so organizations can act before a breach occurs, not after a claim is denied.
The assessment has 34 questions across 10 domains. For each question, select the score that best reflects your current operating environment and the evidence type supporting your answer. It takes approximately 15 minutes.
Your CISI score updates in real time as you answer each question. Domain breakdown, claim probability projection, and Domain 10 flag status are visible throughout the assessment.
Enter your organization details to unlock the full report: executive summary, primary denial drivers, domain critique, financial exposure estimate, and priority remediation recommendations.
Download your complete CISI Assessment Report — formatted for executive and board presentation. The paid analysis debrief with a Cybantage advisor is the recommended next step.
Note: Domain 10 flags are evaluated independently. A score in any band with active D10 flags requires separate policy review regardless of the claimant-side score.
The organizations that survive breaches built their posture before the event — not in response to it. The CISI gives you the scored picture of where you actually stand, 15 minutes from now.