Well, basic security terminology with respect to cyber insurance is covered in various exams, beginning with ITF+, even.
However, since your friend is not a cyber professional nor is in IT, the training he will need will probably be more insurance centric. Given that insurance requirements can vary based on location (state-to-state in the US, or country to country worldwide), he will want to explore those requirements more closely, rather than the technical suggestions he may get here in the CIN.
A cursory Google search found this:
https://insurancetrainingcenter.com/courses/cyber-insurance-101/
Cyber insurance is like any other insurance, mitigation and transference of risk, in this case, based on risk factors relating to information security. He probably won't need to understand, for example, that Nessus, Greenbone, or Qualys do vulnerability scanning, but he should at least know what vulnerability scanning is, in concept, for example. That would probably come from providers that are insurance tilted, and part of his ongoing CE to maintain insurance licensure.
General response, I know. I would be quite surprised if his insurance company doesn't do internal training for their agents on cyber.
Heck, one way he might help himself out is to get, say, five different cyber policies, read them all, and research what each point of coverage is and the implications of each.
Or as we have often said around here, "Google + Objectives = Study Guide". I see it similarly for this case.
/r
