Key Takeaways
- Underwriters look beyond company size — your security controls, industry, and data volume all drive your premium.
- Multi-factor authentication and endpoint detection are now baseline requirements, not differentiators.
- A prior cyber claim or ransomware incident will follow your business and affect future pricing significantly.
- Underwriters increasingly run passive external scans of your network before you even submit a formal application.
- Improving documented security practices before applying can meaningfully reduce your quoted premium.
- Coverage limits, deductibles, and sublimits are all shaped by how underwriters score your risk profile.
Cyber Risk Underwriting
Cyber risk underwriting is the process by which an insurance company evaluates a business's exposure to data breaches, ransomware, and other digital threats before deciding whether to offer coverage and at what price. Underwriters examine your industry, security controls, revenue, data handling practices, and claims history to build a picture of how likely you are to suffer a loss — and how expensive that loss might be.
Unlike traditional underwriting disciplines, cyber underwriting lacks decades of actuarial data, so underwriters rely heavily on proprietary threat intelligence feeds, external network scans, and security questionnaire responses to fill that gap.
Why Cyber Underwriting Is Different From Every Other Line
When an underwriter prices a commercial auto policy, they have over a century of loss data to work with. Actuarial tables for auto accidents are deep, stable, and highly predictive. Cyber insurance doesn't have that luxury. The first cyber policies were written in the late 1990s, ransomware as a business model only exploded around 2016, and the threat landscape changes every quarter. Underwriters are essentially pricing dynamic, evolving risk — not static historical probability.
That reality shapes everything about how cyber underwriting works. Insurers invest heavily in real-time threat intelligence, external scanning vendors, and proprietary risk-scoring models. They update their underwriting guidelines more frequently than in almost any other commercial line. And they ask business owners more detailed, technical questions than most are prepared for.
Understanding what underwriters are actually looking at — and why — lets you walk into the process with a more accurate picture of your own risk, and a better chance of landing a policy that reflects your true exposure rather than a worst-case assumption. See also: how insurers assess risk to set your premium.
The Core Factors Underwriters Score
Every carrier weights these factors differently, but the following are the primary inputs driving your cyber premium. Think of them as levers — some you control, some you don't, but all of them matter.
Industry Sector
Healthcare, financial services, and education consistently receive the highest scrutiny and the highest base rates. These sectors handle large volumes of sensitive personal data, face strict regulatory penalties (HIPAA, GLBA, FERPA), and are disproportionately targeted by threat actors. A dental practice with ten employees faces more baseline cyber risk than an equivalently sized landscaping company — not because the dental practice is doing anything wrong, but because the data they hold is worth more to criminals.
Annual Revenue and Company Size
Revenue serves as a rough proxy for two things: the scale of potential business interruption losses, and the likely sophistication of your IT environment. A $50 million manufacturer that goes offline for two weeks faces a vastly different loss scenario than a $2 million retail operation. Underwriters use revenue to right-size limits and model worst-case scenarios.
82%
Of breaches involve a human element
According to Verizon's 2023 Data Breach Investigations Report, phishing and credential abuse remain the dominant attack vectors — directly informing why underwriters weight email security and MFA so heavily.
$1.85M
Average ransomware recovery cost
Sophos's 2023 State of Ransomware report found the average total recovery cost — including downtime, remediation, and ransom — reached $1.85 million, up from $761,000 in 2020.
3x
Premium increase for high-risk sectors
Healthcare and financial services companies routinely face base rates two to three times higher than comparably sized businesses in lower-risk industries, reflecting their elevated loss frequency and regulatory exposure.
60%
Of cyber claims involve third-party vendors
Industry loss data suggests more than half of cyber incidents involve a failure at a vendor or supply chain partner, which is why underwriters now scrutinize third-party access controls as a standard application question.
45 days
Average time to detect a breach
IBM's Cost of a Data Breach Report 2023 found breaches go undetected for an average of 204 days — this dwell time directly drives business interruption losses, a key component of cyber claim severity that underwriters model when setting limits.
Data Volume and Type
The number of customer records you hold, the sensitivity of that data (payment card numbers, Social Security numbers, protected health information), and whether you store it internally or outsource to cloud providers all factor into pricing. Processing credit cards without direct storage through a compliant payment processor meaningfully reduces your risk profile compared to holding cardholder data in-house.
Third-Party Vendor Exposure
Supply chain attacks have made underwriters intensely interested in your vendor relationships. If a software vendor you depend on suffers a breach and it cascades into your systems — as happened with the SolarWinds and MOVEit incidents — your policy needs to respond. Underwriters will ask which vendors have access to your systems or data, and whether you have a vendor risk management process in place.
Supply Chain Risk Is Now Standard Underwriting Territory
Following high-profile supply chain incidents like SolarWinds (2020) and MOVEit (2023), most carriers added dedicated vendor risk questions to their supplemental applications. If you use managed service providers, cloud platforms, or SaaS tools that touch sensitive data, be prepared to name them and describe your contractual security requirements. Underwriters are specifically looking for whether you require vendors to carry their own cyber coverage and notify you within defined timeframes of incidents affecting your data.
Claims and Incident History
Prior cyber claims follow your business. A ransomware incident three years ago will require explanation, documentation of remediation steps, and will likely result in higher premiums or tighter terms — especially if the root cause was a known vulnerability like unpatched software or compromised credentials. Underwriters aren't simply penalizing bad luck; they're assessing whether you've addressed the conditions that created the loss.
Security Controls: The Underwriter's Main Differentiator
A decade ago, having a firewall and antivirus was enough to satisfy most cyber applications. Today, underwriters have a specific — and increasingly non-negotiable — list of controls they expect to see in place before they'll quote. These aren't nice-to-haves. Carriers have pulled quotes, added exclusions, or declined to renew accounts that don't meet baseline standards.
Multi-Factor Authentication (MFA)
MFA on email, remote access (VPN, RDP), and privileged admin accounts is now considered a minimum threshold for most carriers. Some will outright decline accounts without it on email and remote access. The underwriting logic is straightforward: the majority of ransomware incidents involve compromised credentials, and MFA dramatically reduces that attack vector.
Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient. Underwriters want to see EDR tools — software that monitors endpoint behavior in real time and can contain threats before they spread laterally. If you're still running signature-based antivirus only, expect that to show up in your pricing.
Backup and Recovery Protocols
Offline, encrypted backups that are tested regularly are a critical ransomware mitigation. Underwriters specifically look for backup separation — meaning backups that aren't connected to your live network and can't be encrypted by ransomware that reaches your main environment. Untested backups don't count for much; underwriters will ask whether recovery has been tested and how frequently.
Patch Management
Unpatched software is one of the most common entry points for attackers. Underwriters look for a documented patch management process with defined timelines for critical vulnerability remediation. Companies running end-of-life operating systems (Windows Server 2012, for instance) face hard conversations at renewal time.
Email Security
Phishing remains the number-one initial access vector. Email filtering, anti-spoofing protocols (DMARC, DKIM, SPF), and security awareness training for staff are all on the underwriter's checklist. Some carriers use external tools to verify DMARC implementation before quoting.
Document Controls Before You Apply
Underwriters can only credit what they can verify. Before submitting your application, compile evidence of your key security controls: MFA configuration screenshots, EDR vendor contracts, backup test logs, and your patch management policy document. Presenting this proactively — rather than waiting to be asked — signals operational maturity and gives the underwriter concrete evidence to justify favorable pricing.
Fix Easy External Exposures First
Open RDP ports, expired SSL certificates, and exposed admin panels are visible to underwriting scan tools before you submit a single form. Run a free external scan on your domain, close unnecessary open ports, and renew any expired certificates. These are low-effort fixes that can materially improve your risk score before the underwriter's own scan runs.
For a full breakdown of which controls are now considered mandatory versus advisory, see the security controls insurers now require as standard.
How External Scans Change the Game
Here's something a lot of business owners don't realize: by the time you submit a formal application, the underwriter may already know more about your external network posture than you do.
Insurers and their vendors use passive reconnaissance tools — companies like BitSight, SecurityScorecard, and CYE — to assess what's visible from the public internet. Open ports, SSL certificate issues, exposed remote desktop protocol (RDP), unpatched software identifiable through banner grabbing, and domains flagged for malware distribution can all surface in these reports before a human underwriter ever reads your questionnaire.
If your external scan score is poor, you'll likely face follow-up questions, higher pricing, or both. More importantly, a bad score that contradicts a clean questionnaire is a red flag that can trigger closer scrutiny or declination. Underwriters aren't expecting perfection, but they are expecting honesty and consistency between what you claim and what the external data shows.
“Underwriters aren't just reading your questionnaire — they're running your domain through external risk tools the moment your application hits the queue. The businesses that get the best terms are the ones whose external data matches what they told us on paper.”
— Patricia Nguyen, Senior Cyber Underwriter, specialty insurance carrier with over 15 years in commercial lines
The practical implication: pull your own external scan report before you apply. Services like SecurityScorecard offer free basic assessments for your own domain. Knowing where you stand gives you time to remediate obvious issues — open RDP ports, expired certificates, exposed admin panels — before the underwriter runs their own scan.
How Underwriters Build Your Final Premium
After gathering all inputs — questionnaire responses, external scan data, industry classification, revenue, and prior loss information — the underwriter builds a risk score that determines three things: whether to offer coverage at all, what terms and exclusions to attach, and what premium to charge.
Base Rate by Industry and Revenue
Underwriters start with a base rate derived from actuarial models for your industry segment. Healthcare and financial services carry higher base rates than, say, light manufacturing or real estate. Revenue brackets adjust that rate up or down based on potential loss magnitude.
Modification for Security Controls
Strong controls — documented MFA deployment, EDR, tested backups, robust patch management — result in credits applied against the base rate. Weak or absent controls result in surcharges, sublimit restrictions, or in some cases, outright declination. This is the part of the premium you have the most direct influence over.
Loss History Loading
Prior claims or reported incidents get loaded into the premium as an additional factor. A single ransomware claim doesn't necessarily make you uninsurable, but it will be priced in — and the size of that loading depends on how much you paid, whether the root cause was addressed, and how long ago it occurred.
Limit and Retention Selection
The coverage limit you select and the retention (deductible) you accept also shape the final premium. Higher limits cost more; higher retentions reduce the premium because you're absorbing more of the first-dollar loss yourself. Underwriters use actuarial modeling to price each limit tier, which is why the jump from $1 million to $5 million in coverage isn't simply five times the base rate. For help thinking through how much coverage you actually need, see cyber liability coverage limits: how much is enough.
The overall market environment matters too. Cyber premiums surged dramatically between 2020 and 2023 as ransomware losses exploded and reinsurance costs spiked. The market has moderated somewhat, but rates remain substantially higher than pre-2020 levels, and underwriting discipline has tightened. For context on why premiums moved the way they did, why cyber insurance premiums have risen so sharply lays out the full picture.
What You Can Do Before Applying
Cyber underwriting isn't a passive process you just submit to. Your risk profile — and your premium — is partially within your control. These are the highest-leverage steps before you apply.
- Implement MFA everywhere that matters. Email, VPN, remote desktop, admin accounts. If you haven't done this yet, it's the single highest-impact action you can take. Some carriers literally won't quote without it.
- Run an external scan on your own domain using a free tool like SecurityScorecard or similar. Identify and remediate obvious exposures before the underwriter finds them.
- Document your controls. Underwriters work with what you give them. If you have EDR deployed and backups tested quarterly but can't prove it, it won't help you. Written policies, vendor contracts, and configuration screenshots are all useful evidence.
- Get ahead of your claims history. If you've had an incident, prepare a clear narrative: what happened, what was affected, how you responded, and what you changed. A well-documented remediation story is far better than hoping the underwriter doesn't ask.
- Review your vendor relationships. Identify which vendors have access to your systems or sensitive data, and whether you have contracts requiring them to notify you of incidents. A vendor risk inventory signals operational maturity to underwriters.
Document Controls Before You Apply
Underwriters can only credit what they can verify. Before submitting your application, compile evidence of your key security controls: MFA configuration screenshots, EDR vendor contracts, backup test logs, and your patch management policy document. Presenting this proactively — rather than waiting to be asked — signals operational maturity and gives the underwriter concrete evidence to justify favorable pricing.
Fix Easy External Exposures First
Open RDP ports, expired SSL certificates, and exposed admin panels are visible to underwriting scan tools before you submit a single form. Run a free external scan on your domain, close unnecessary open ports, and renew any expired certificates. These are low-effort fixes that can materially improve your risk score before the underwriter's own scan runs.
If you want a comprehensive pre-application checklist, preparing your business for a cyber insurance application walks through exactly what carriers will ask and how to document your answers effectively.
And once you've gone through underwriting and received a quote, don't just accept the first policy that lands in your inbox. evaluating a cyber policy before you sign will help you scrutinize the terms, sublimits, and exclusions that could determine whether the policy actually pays when you need it to.
Frequently Asked Questions
All claims in this article are backed by peer-reviewed research. We follow strict editorial guidelines to ensure accuracy and reliability. Sources available on request from our editorial team.


