Carriers want to know you have a plan. Most companies don’t — and can’t find one when it matters.
Recommended ModuleGovernance questions show up on every major carrier application. They’re asking whether your company has made deliberate decisions about security — written them down, assigned ownership, and reviewed them at least once a year. Not because carriers expect perfection. Because they’ve learned that companies with no written policies make expensive claims.
The three things they’re really asking: Do you have a written information security policy? Do you do a formal risk assessment at least annually? And does someone own it — not just “IT handles it,” but a named person with actual responsibility? If your answer to any of those is “sort of” or “we talked about it,” that’s what this domain is for.
Name your security owner in writing.
It doesn’t need to be a CISO. It can be your IT lead, your COO, or yourself. Write it down in an email, a Slack message, a shared doc — something with a date on it. Carriers want to see that someone is accountable. A named person with a documented date is better than nothing. Do it before your next renewal.
Create a one-page risk list.
Open a document. Write down the five things that, if they went wrong, would hurt your business most — a ransomware attack, a key vendor going down, an employee clicking a bad link. That’s a risk register. It doesn’t need to be formal. It needs to exist. Save it somewhere you can find it when your renewal form asks whether you conduct annual risk assessments.
Pull your existing policies together.
Most companies have informal rules that nobody wrote down. Ask yourself: what do we tell new employees about passwords? About who can access what? About what happens if a laptop gets lost? Write those answers in a document and call it your Acceptable Use Policy. A rough draft reviewed by one other person is more defensible than nothing.
If the quick wins above showed you the gap but not the path, the kit gives you everything you need to close it — without hiring a consultant or spending a week reading NIST frameworks.
Information Security Policy
Pre-structured for your company size and industry. Edit the highlighted fields, review with your attorney if needed, publish.
Acceptable Use Policy
Plain English rules for how employees use company systems, devices, and data. Pre-filled with the controls carriers ask about most.
Annual Risk Assessment Template
A structured process for identifying, rating, and documenting your top risks. Run it once a year, keep the output on file, show it when asked.
Risk Register
A living document to track identified risks, their likelihood, their impact, and what you’re doing about them. Pre-populated with the most common risks for companies your size.
Policy Acknowledgment Form
Proof that your team read and accepted your policies. Required by most carriers, often missed. Ready to use in 10 minutes.
30/60/90 Day Implementation Roadmap
Week-by-week plan to go from zero governance to documented, reviewed, and carrier-ready. Assign it to one person and follow the steps.
Bonus Template Library
Annual review checklist, policy exception request form, vendor security questionnaire starter, and risk acceptance sign-off template.
Some gaps are bigger than templates can fix.
If your Whitestance score flagged Governance as a critical gap — or if you’re in a regulated industry like healthcare, legal, or finance where the stakes are higher than a standard cyber insurance renewal — a kit gets you started but a full engagement gets you there. Whitestance’s fractional CISO engagements cover your entire IT and compliance environment, use the Whitestance framework as the delivery infrastructure, and produce documented evidence of progress your board, your auditors, and your carriers can see. Engagements start at $40,000 for smaller organizations and scale from there.
Talk to us about a full engagement →