
Cyber is the hardest line to underwrite in property and casualty insurance. Loss frequency moves with attacker tradecraft, single events can cascade across portfolios, and the controls that matter on a policyholder's network change every quarter. The carriers and InsurTechs that compound here are the ones that treat cyber insurance as a software product to ship rather than a paper policy to issue.
The insurers that win the next decade in cyber will look more like security software companies with balance sheets attached. Their advantage will not be a sharper actuarial table. It will be the data they pull from policyholder environments, the speed at which their platform updates pricing and exclusions, and the engineering posture of their claims operations when a portfolio-wide event hits.
Why cyber insurance is fundamentally a software problem
Property, motor and life have decades of stable loss data. Cyber does not. The 2024 Change Healthcare ransomware event paralysed US claims and pharmacy payments for weeks, and the Snowflake-related credential exposures hit dozens of large enterprises in a single quarter. A single threat actor changing tactics can shift expected loss across an entire portfolio in days.
That tempo means three things for the people building a cyber line:
- Underwriting models go stale faster than any other line, so the platform that powers them has to ingest fresh signals continuously rather than at annual reviews.
- Wordings, exclusions and sub-limits need to be updateable across in-force books, which requires a policy administration layer engineered for change rather than fixed at bind.
- Aggregation risk is engineering risk. A single cloud provider, identity vendor or open-source library can sit underneath thousands of insureds, and the insurer's platform needs to model that exposure across its book.
None of those problems are solved by buying a policy template and laying actuarial tables on top of it. They are solved by treating the cyber line as a long-running software product, with telemetry, release cycles, regression testing and a roadmap.
Underwriting cyber: from questionnaires to telemetry
Traditional cyber underwriting leans on a static questionnaire and a security score from an outside-in scanner. Both are weak signals. Questionnaires are self-reported and dated by the time they are read. Outside-in scanners see what the public internet sees, which is a small fraction of the controls that determine ransomware loss.
The carriers and InsurTechs producing better loss ratios are moving toward continuous, consented telemetry. Policyholders share read-only signals from identity providers, endpoint protection, cloud configuration and email security. The insurer's platform turns those signals into a live picture of control posture and prices accordingly. Premiums adjust mid-term when posture degrades. Exclusions trigger automatically when a critical control disappears.
That model only works if the insurance platform is built to handle it. The data integration surface area is closer to a security operations platform than a traditional policy admin system. Connectors into Microsoft Entra, Okta, CrowdStrike, SentinelOne, Wiz, Mimecast, Proofpoint and the major cloud providers become first-class product features, not optional add-ons.
Reference threat intelligence then drives the pricing engine. Public sources such as CISA's cybersecurity advisories and sector-specific ISACs feed alongside private telemetry, so the platform reprices the book as known-exploited vulnerabilities and active campaigns shift.
Claims operations engineered for cyber events
Cyber claims do not look like motor or property claims. The first hours after a ransomware notification involve incident response retainers, forensic preservation, breach counsel, regulatory notification timelines, ransom decisions and business-interruption forensic accounting. Multiple specialists need to be coordinated inside the same SLA window, and the carrier's platform either supports that workflow or gets in the way.
Claims engineering for a cyber line typically needs:
- A panel management layer that routes incident response, breach counsel, ransom negotiators and forensic accountants to the right vendor based on event type, geography and policyholder size.
- Evidence handling that preserves chain of custody for forensic artefacts the same way a regulator or court would expect, not just unstructured email attachments on a claim file.
- Real-time aggregation views that flag when multiple claims share an indicator, vendor or tactic, so the insurer can spot a portfolio event before it shows up in the loss ratio.
- Regulatory clocks that count down notification deadlines per jurisdiction without anyone having to remember them by hand.
The carriers that compound through cyber events are not the ones with the largest panels. They are the ones whose platforms turn the panel into orchestrated software rather than a list of phone numbers.
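One way to make the evidence-handling requirement above concrete is a hash-chained custody record. This is an added example, not code from the article or from any vendor platform; the class, field names, claim id and sample artefact are all hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" for the first entry in a chain

def entry_hash(body: dict) -> str:
    # Canonical JSON so identical fields always produce the same digest.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

class CustodyLog:
    """Append-only custody record for one forensic artefact on a claim file."""

    def __init__(self, claim_id: str, artefact: bytes):
        self.claim_id = claim_id
        self.artefact_sha256 = hashlib.sha256(artefact).hexdigest()  # taken at intake
        self.entries = []

    def record(self, actor: str, action: str, timestamp: str) -> dict:
        # Each entry commits to the artefact digest and to the previous entry's hash.
        body = {"claim_id": self.claim_id, "artefact_sha256": self.artefact_sha256,
                "seq": len(self.entries), "actor": actor, "action": action,
                "timestamp": timestamp,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append(dict(body, hash=entry_hash(body)))
        return self.entries[-1]

    def verify(self, artefact: bytes) -> list:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        if hashlib.sha256(artefact).hexdigest() != self.artefact_sha256:
            problems.append("artefact bytes do not match the digest taken at intake")
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if entry_hash(body) != entry.get("hash"):
                problems.append(f"entry {i}: contents changed after recording")
            prev = entry.get("hash")
        return problems

if __name__ == "__main__":
    image = b"constructed sample: disk image bytes"  # stand-in for a real artefact
    log = CustodyLog("CLM-EXAMPLE-001", image)       # hypothetical claim id
    log.record("ir-vendor", "acquired", "2024-01-01T09:00:00Z")
    log.record("breach-counsel", "received copy", "2024-01-01T15:30:00Z")
    print(log.verify(image))                 # intact chain
    log.entries[0]["actor"] = "unknown"      # simulate an edit to the record
    print(log.verify(image))
```

A chain like this is tamper-evident only if the latest entry hash is also stored or signed somewhere the claims system cannot rewrite; anyone able to rewrite the whole log can otherwise recompute every hash.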
Regulatory expectations shaping cyber underwriting and pricing
Cyber insurance sits at the intersection of insurance regulation, data protection law and operational resilience regimes. The platform that supports the line has to absorb that complexity rather than push it onto underwriters and claims handlers.
Three regimes matter most for builders right now:
- Operational resilience for financial firms. The EU's Digital Operational Resilience Act (DORA) sets ICT risk, incident reporting and third-party risk obligations on financial entities, including insurers. Carriers writing cyber are both subject to DORA themselves and exposed to insureds with their own DORA programmes.
- AI use in underwriting and claims. The EU Artificial Intelligence Act classifies certain insurance pricing and claims models as high risk, with documentation, monitoring and human oversight obligations. Any AI used in a cyber pricing or claims pipeline needs to be ready to evidence those controls.
- Insurance-specific cybersecurity expectations. The NAIC's work on insurance data security and EIOPA's supervisory work on cyber underwriting set expectations for how insurers govern their own and their insureds' cyber risk.
A platform that treats these as configurable controls rather than ad-hoc tickets gives the carrier room to expand into new jurisdictions without rewriting the stack each time.
What separates the cyber carriers that compound from those that retrench
Across the carriers and InsurTechs writing cyber today, a short list of traits separates the ones that compound through hard markets from the ones that retrench when losses spike.
- Live data over static questionnaires. Compounding carriers price off continuous telemetry. Retrenching ones still re-rate annually off a PDF.
- Modular policy administration. Compounding carriers can change wordings, sub-limits and exclusions across an in-force book within days. Retrenching ones need an endorsement project to do the same job.
- Engineered claims orchestration. Compounding carriers run claims as a software-orchestrated workflow with panels, clocks and chain of custody. Retrenching ones run claims out of inboxes.
- Portfolio-level aggregation modelling. Compounding carriers know which cloud providers, identity vendors and software libraries sit underneath their book. Retrenching ones find out during an event.
- Discipline about AI in pricing and claims. Compounding carriers treat AI models as governed components with monitoring, documentation and human review. Retrenching ones bolt LLMs onto pricing without an audit trail and discover the regulator agrees with the policyholder.
Build, buy or partner for a cyber line
Most cyber carriers and InsurTechs do not build the entire stack themselves. The honest question is which parts to build, which to buy and which to partner on.
Off-the-shelf insurance platforms such as Guidewire, Duck Creek, Socotra and Insly cover policy administration, billing and core claims well. They are sensible defaults for a new cyber line that wants to focus its engineering capacity on the parts that differentiate.
The pieces that almost always need custom engineering for cyber are the telemetry ingestion layer, the live pricing engine, the aggregation view across the portfolio and the orchestration that sits behind claims. Those are the components that decide whether the line compounds or not, and they are the components most likely to fall outside any vendor's roadmap.
The right mix tends to be a configured core platform with a custom data and decisioning layer wrapped around it. A reference build sketched out in our analysis of what Lemonade actually proved about the insurance industry shows the same pattern from the personal-lines side.
How Scrums.com partners with insurers and InsurTechs on cyber
Scrums.com works with insurers and InsurTechs as a software development partner on the parts of a cyber line that vendors do not cover. That typically includes telemetry ingestion from policyholder environments, live pricing engines that respond to threat intelligence, aggregation modelling across the portfolio, and claims orchestration that turns a panel into a workflow.
Where a carrier already runs Guidewire, Duck Creek, Socotra or Insly, our teams build the data and decisioning layer that wraps around it. Where a carrier is greenfield, we help decide what to configure on a vendor platform and what to build, so engineering capacity goes into the parts of the stack that actually move the loss ratio.
Frequently asked questions about building a cyber insurance line
Why is cyber insurance harder to underwrite than other lines?
Cyber lacks the decades of stable loss data that motor, property and life rely on. Attacker tradecraft shifts faster than annual review cycles, and single events can cascade across many policyholders at once. That makes underwriting a continuous engineering problem rather than a once-a-year actuarial exercise.
What technology do modern cyber underwriters actually use?
The carriers producing better loss ratios are moving from static questionnaires to consented, continuous telemetry from identity, endpoint, cloud and email systems. They combine that with public threat intelligence such as CISA advisories and sector ISAC feeds, and reprice exposure as posture and active campaigns change.
How should a cyber carrier handle aggregation risk?
By modelling the shared dependencies underneath the book. The same cloud provider, identity vendor or open-source library can sit beneath thousands of insureds. A platform that maps those dependencies across the portfolio can flag concentration before an event rather than during one.
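The dependency mapping described in this answer can be sketched as a graph roll-up. This is an added example, not code from the article: the book, vendor graph and names are constructed, policy limit is used as the exposure measure as an assumption, and it goes one step beyond the text by following vendors' own upstream dependencies.

```python
from collections import defaultdict

# Constructed sample book: insured -> (policy limit in USD, direct dependencies).
BOOK = {
    "insured-a": (5_000_000, ["idp-x", "saas-payroll"]),
    "insured-b": (2_000_000, ["cloud-1"]),
    "insured-c": (10_000_000, ["saas-crm", "idp-y"]),
    "insured-d": (3_000_000, ["saas-payroll", "saas-crm"]),
}
# Constructed vendor graph: what each dependency itself runs on.
UPSTREAM = {
    "saas-payroll": ["cloud-1", "lib-logging"],
    "saas-crm": ["cloud-1", "idp-x"],
    "idp-x": ["cloud-2"],
    "idp-y": ["cloud-2"],
}

def reachable(direct, upstream):
    """Every dependency an insured relies on, directly or through a vendor."""
    seen, stack = set(), list(direct)
    while stack:
        dep = stack.pop()
        if dep not in seen:          # also guards against cycles in vendor data
            seen.add(dep)
            stack.extend(upstream.get(dep, []))
    return seen

def concentration(book, upstream, threshold=0.5):
    """Return {dependency: (exposed_limit, share, insureds)} at or above threshold."""
    total = sum(limit for limit, _ in book.values())
    exposed, who = defaultdict(int), defaultdict(list)
    for insured, (limit, direct) in sorted(book.items()):
        for dep in reachable(direct, upstream):   # a set, so each limit counts once
            exposed[dep] += limit
            who[dep].append(insured)
    return {dep: (amt, round(amt / total, 3), who[dep])
            for dep, amt in sorted(exposed.items(), key=lambda kv: -kv[1])
            if amt / total >= threshold}

if __name__ == "__main__":
    # Direct dependencies only: cloud-1 looks like a small exposure.
    print(concentration(BOOK, {}, threshold=0.0)["cloud-1"])
    # With the vendor graph followed, the shared platforms surface.
    for dep, row in concentration(BOOK, UPSTREAM).items():
        print(dep, row)
```

In the constructed data only one insured lists `cloud-1` directly, yet every insured reaches it through a vendor, which is the concentration a questionnaire of direct suppliers would miss.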
Where do regulations like DORA and the EU AI Act fit in?
DORA imposes ICT risk, incident reporting and third-party obligations on financial entities including insurers. The EU AI Act treats certain insurance pricing and claims models as high risk, with documentation, monitoring and oversight requirements. Both shape what a cyber underwriting and claims platform has to evidence.
Should a new cyber line build a platform from scratch?
Rarely. Configuring a core insurance platform such as Guidewire, Duck Creek, Socotra or Insly for policy administration, billing and core claims, then building a custom telemetry, pricing and aggregation layer around it, is usually the better economics for a focused cyber line.











