Technology
May 11, 2026


A new partnership between Qualys and Converge wants to do for cyber insurance what fitness trackers did for health premiums: reward the people actually doing the work.
Cyber insurance has always had a trust problem.
When a company applies for coverage, the process looks something like this: a stack of questionnaires lands on someone's desk, a harried IT manager fills them in as accurately as time allows, and an underwriter somewhere tries to price a policy based on answers that are, at best, a reasonable approximation of reality and, at worst, a liability waiting to happen. Nobody is lying, exactly. But nobody is telling the whole truth either, because the whole truth is genuinely hard to capture in a form.
That mismatch has real consequences. Insurers are pricing policies based on guesswork dressed up as data. Companies are paying premiums that may not reflect how seriously they take security. And when claims roll in, everyone is surprised. The result is a cyber insurance market that has struggled for years to get its footing even as the threats it is supposed to cover keep getting more sophisticated and more costly.
A new joint offering from Qualys and Converge is trying to fix that, and the mechanism is simpler than you might expect: give the underwriters actual data.
The partnership, announced in May 2026, allows companies using Qualys' Enterprise TruRisk Management (ETM) platform to generate something called a Converge Connect Insurance Report, or CCIR. Think of it as a verified security transcript, one that pulls live, automated data from across an organization's security infrastructure and translates it into a standardized format that Converge underwriters can read quickly and trust.
The report covers the metrics that actually tell you something meaningful about an organization's risk profile: vulnerability management practices, patch management cadence, endpoint detection controls, remediation velocity, compliance rates, and the breadth of asset coverage. It is generated independently and remains valid for 30 days, which means it reflects a company's security posture as it exists right now, not as it existed during last year's renewal cycle.
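To make that metric list concrete, here is an added illustration, not Qualys, Converge or CCIR code, of how three of those figures (remediation velocity, SLA compliance and asset coverage) can be derived from raw findings rather than from a questionnaire answer. The record layout, the SLA thresholds and the sample findings are constructed for the example; what the CCIR actually computes is not published on this page.

```python
"""Derive posture metrics of the kind the article lists (remediation
velocity, SLA compliance, asset coverage) from raw vulnerability findings.

Added illustration, not Qualys or Converge code: the record layout, the SLA
targets and the sample data are assumptions chosen for the example."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed remediation SLA in days per severity (a hypothetical policy,
# not a Qualys or Converge threshold).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    detected: date
    remediated: Optional[date]  # None while the finding is still open


def days_to_fix(f: Finding, as_of: date) -> int:
    """Age of a finding: detection to remediation, or to `as_of` if still open."""
    end = f.remediated if f.remediated else as_of
    return (end - f.detected).days


def remediation_velocity(findings, as_of):
    """Median days from detection to remediation per severity, closed findings
    only. Severities with no closed finding are absent from the result."""
    by_sev = {}
    for f in findings:
        if f.remediated is not None:
            by_sev.setdefault(f.severity, []).append(days_to_fix(f, as_of))
    return {sev: median(ages) for sev, ages in by_sev.items()}


def sla_compliance(findings, as_of, sla=SLA_DAYS):
    """Fraction of findings (open or closed) within SLA as of `as_of`.
    An open finding older than its SLA is a breach; a closed one is compliant
    only if it was fixed inside the window."""
    total = ok = 0
    for f in findings:
        total += 1
        if days_to_fix(f, as_of) <= sla[f.severity]:
            ok += 1
    return ok / total if total else 1.0


def asset_coverage(inventory, last_seen, as_of, max_stale_days=7):
    """Share of inventory assets that reported to the platform within
    `max_stale_days` of `as_of`. Assets never seen, or seen too long ago, are
    blind spots: the other metrics say nothing reliable about them."""
    covered = 0
    for asset in inventory:
        seen = last_seen.get(asset)
        if seen is not None and (as_of - seen).days <= max_stale_days:
            covered += 1
    return covered / len(inventory) if inventory else 0.0


AS_OF = date(2026, 5, 11)

# Constructed sample findings for the illustration.
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2026, 4, 1), date(2026, 4, 5)),    # fixed in 4 days
    Finding("web-02", "critical", date(2026, 4, 10), date(2026, 4, 20)),  # 10 days, SLA breach
    Finding("db-01", "high", date(2026, 3, 1), date(2026, 3, 15)),        # 14 days
    Finding("db-01", "high", date(2026, 4, 20), None),                    # open 21 days, within SLA
    Finding("app-03", "medium", date(2026, 1, 1), None),                  # open 130 days, breach
    Finding("app-03", "low", date(2026, 4, 1), date(2026, 4, 30)),        # 29 days
]

# Constructed asset inventory and last check-in dates.
SAMPLE_INVENTORY = ["web-01", "web-02", "db-01", "app-03", "legacy-09"]
SAMPLE_LAST_SEEN = {
    "web-01": date(2026, 5, 11),
    "web-02": date(2026, 5, 10),
    "db-01": date(2026, 5, 9),
    "app-03": date(2026, 3, 30),  # stale: 42 days since last report
    # legacy-09 has never reported at all
}


def posture_summary(findings=SAMPLE_FINDINGS, inventory=SAMPLE_INVENTORY,
                    last_seen=SAMPLE_LAST_SEEN, as_of=AS_OF):
    """The three figures an underwriter would read together."""
    return {
        "remediation_velocity_days": remediation_velocity(findings, as_of),
        "sla_compliance": sla_compliance(findings, as_of),
        "asset_coverage": asset_coverage(inventory, last_seen, as_of),
    }


if __name__ == "__main__":
    print(posture_summary())
```

The point of reporting the third figure beside the first two is the caveat a reviewer should always raise: on the sample data the finding-level metrics look respectable, yet two of five inventoried hosts have not reported in the window, so nothing is known about their patch state. A posture report that omits coverage can look excellent on a fleet that is half invisible.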
For organizations that have invested in reducing their cyber risk, the payoff is tangible: the potential to qualify for meaningfully lower insurance premiums.
To understand why this matters, it helps to understand just how poorly traditional cyber insurance underwriting has worked.
The ransomware surge of the early 2020s exposed a fundamental structural problem: insurers were pricing policies based on industry averages and self-reported questionnaires, not verified security data. A company in a high-risk sector that had done everything right could end up paying the same rates as a peer that had done almost nothing, simply because there was no reliable way to tell the difference.
This is not a minor inconvenience. It is the kind of information asymmetry that can destabilize an entire market. And it has, repeatedly. Premiums spiked. Coverage narrowed. Some insurers pulled back from the cyber market entirely. Others added more and more questionnaires, which only compounded the self-reporting problem without actually solving it.
"Cyber risk has historically been priced on snapshots and self-reported answers, leaving real exposure invisible between renewals," said Tom Kang, CEO of Converge. "With verified data, we will be able to underwrite to a company's live security posture and [allow] policyholders who do the hard work of reducing risk to see the benefits."
That last phrase is worth sitting with: "policyholders who do the hard work." Because what the current system effectively does is penalize them by failing to distinguish them from organizations that have not done that work.
There is a concept in insurance called adverse selection, the tendency for people with higher risk to seek out more coverage, which in turn drives up premiums for everyone, which in turn drives out lower-risk customers, which makes the problem worse. Cyber insurance has been wrestling with a version of this for years.
The root cause is information. When an insurer cannot accurately assess the risk profile of the company in front of it, it defaults to averages. Averages are a reasonable response to uncertainty. But they are deeply unfair to organizations that have invested heavily in their security posture, and they remove one of the most powerful incentives for companies to improve: the financial one.
If doing the hard work of securing your systems costs money but does not save you money on insurance because your insurer has no way of knowing you did it, the business case for that investment gets harder to make. That is particularly true for mid-market companies and organizations without large, dedicated security budgets, where every dollar spent needs to justify itself.
The Qualys-Converge model attempts to restore that incentive by making the security work visible. Automated data from ETM flows into the CCIR without anyone filling out a form, which removes not just the administrative burden but the distortion that comes with self-reporting. The report does not ask what your patch management policy is. It shows what your patch management actually looks like. The limit, of course, is that it can only show what the platform can see, which is why the breadth of asset coverage is itself one of the reported metrics: a strong remediation record on the assets that are enrolled says nothing about the ones that are not.
For security practitioners, there is something genuinely valuable in this model beyond the premium savings: it creates a common language between the security function and the business.
One of the persistent frustrations of working in cybersecurity is the difficulty of quantifying what good looks like in terms that resonate with finance and the board. A reduced attack surface is real, but it is hard to put a dollar figure on. A faster mean time to remediation matters, but it does not show up on a balance sheet.
A lower insurance premium does. And if a verified security report can translate the quality of an organization's security hygiene directly into measurable cost savings, that becomes a powerful internal argument for continued investment in security infrastructure.
"Cyber insurance is key to the overall risk management strategy, but there has to be an easier way to correlate the strength of an organization's cyber posture with what they should pay in insurance," said Sumedh Thakar, president and CEO of Qualys. "That's why we created ETM to provide stakeholders with an accurate picture of their true risk, enabling better business outcomes like cyber insurance savings, and a greater incentive to reduce their cyber risk."
The CCIR draws on data from several Qualys products, including ETM, Vulnerability Management, Detection and Response (VMDR), TruRisk Eliminate, and Endpoint Detection and Response (EDR). The report is generated live and independently, and its 30-day validity window keeps the data tied to current conditions rather than to the last renewal cycle.
What Qualys and Converge are building is, in a sense, an infrastructure for trust. The cyber insurance market has long wanted to reward good security behavior. It has simply lacked the tools to verify it. Verified, automated, real-time data changes that equation.
If the model proves effective, it could push the broader market toward similar approaches, creating competitive pressure on other insurers to offer data-driven pricing and creating competitive pressure on companies to demonstrate the security posture that earns them better rates. That is a feedback loop that could genuinely improve security outcomes at scale, not just for individual organizations but across industries.
The Qualys CCIR is available now within the ETM platform. Organizations interested in the joint offering can access it at qualys.com/lp/converge.