Underwriting Intelligence
for Cyber Risk

Risk Aperture operates as a standalone intelligence layer at three levels — portfolio management, individual policy underwriting, and ongoing monitoring — without requiring integration with core policy administration, claims, or actuarial platforms.

The Cyber Poverty Line® is the minimum viable security investment threshold for a specific organization's size, sector, complexity, and regulatory environment. It is not a generic industry benchmark — it is calculated from the insured's own assessment data using ten years of proprietary field intelligence.

For underwriters, it answers the question that questionnaire scores cannot: is this insured's security investment structurally sufficient, or are they operating below the threshold where claims become disproportionately frequent and severe?

Generic risk scores apply industry-wide benchmarks uniformly — they tell you how an insured compares to others but not whether their investment is structurally appropriate for their specific profile. A healthcare organization with 500 employees and significant PHI exposure has fundamentally different minimum viable investment requirements than a professional services firm of the same size.

The Cyber Poverty Line® is calculated from the insured's own Foundations assessment data — their revenue, sector, regulatory environment, third-party exposure, staffing capacity, and organizational risk dimensions — using ten years of proprietary field intelligence. The result is a threshold specific to that organization, not a percentile rank relative to peers.

Move from questionnaire-based assumptions to architecture-verified underwriting intelligence.

Pre-bind assessment

Run Foundations and PRISM on a prospective insured to establish ALE, recovery assumptions, Cyber Poverty Line® position, and P/D/R maturity before pricing. The combined output replaces a questionnaire submission with documented, evidence-backed posture data.

Renewal review

Compare current posture to prior year to identify material changes in organizational or technical risk that warrant premium adjustment, coverage modification, or exclusion addition. Continuous monitoring from PRISM surfaces drift before it becomes a claim.

Loss driver analysis

Use Foundations Big 6 organizational data to identify whether claims in a segment are driven by governance failure, staffing gaps, third-party concentration, or budget insufficiency — not just technical control failures. This is the root cause analysis that actuarial claims data reflects but cannot explain.

Mitigation requirements

Generate specific, prioritized remediation requirements from PRISM gap analysis rather than generic checklist mandates. Showstopper and High gaps become policy conditions with evidence requirements attached — conditions that insureds can actually operationalize.

Portfolio segmentation

Group insureds by Cyber Poverty Line® position, recovery window, sector, and P/D/R maturity to identify concentration risk, underwriting quality trends, and where the book is improving versus deteriorating.

Help clients understand what actually changes their risk — not just what the market is charging for it.

• Client risk translation: Use Foundations reports to show clients their ALE, revenue at risk, and Cyber Poverty Line® position in language their CFO and board will act on — before the coverage conversation starts
• Coverage justification: Connect specific coverage terms, retentions, and exclusions to documented risk posture rather than generic market conditions. Clients understand why their terms are what they are.
• Market positioning: Use Risk Aperture assessments to support favorable carrier submissions by demonstrating assessed, documented posture — not just questionnaire responses. Carriers reward evidence quality.
• Value-added remediation guidance: Provide clients with PRISM's prioritized gap analysis and Iris AI recommendations as a service that improves both client outcomes and renewal quality simultaneously
• Retention differentiation: Demonstrate to clients that their broker delivers measurable risk intelligence and actionable guidance — not just premium negotiation

Understand the organizational and technical composition of the books you are reinsuring — before setting treaty terms.

• Treaty-level exposure context: Use portfolio-level Risk Aperture data to understand the Cyber Poverty Line® distribution, average recovery windows, and sector concentration of the ceding carrier's book before pricing treaty terms
• Aggregate risk modeling: Identify common organizational risk patterns — governance deficiencies, third-party concentration, staffing gaps — that create correlated loss potential across the portfolio being reinsured
• Loss scenario validation: Stress-test treaty assumptions against Risk Aperture's ALE and revenue-at-risk modeling for representative insured segments, with recovery timeline data that actuarial tables typically don't capture
• Improving versus deteriorating books: Distinguish between carriers whose portfolio quality is improving (rising posture scores, remediation progress) versus those where drift is accumulating and renewal terms should reflect it
• Cession pricing support: Use documented posture data to support cedant conversations about appropriate attachment points, aggregate caps, and cession rates based on demonstrated book quality

Show that participation in the captive comes with measurable risk reduction — not just pooled premium and shared claims exposure.

• Member benchmarking: Compare member posture across Cyber Poverty Line® position, recovery window, P/D/R maturity, and Big 6 organizational dimensions so members understand their relative standing and what drives it
• Shared risk visibility: Use portfolio dashboards to give captive management and members a current view of aggregate exposure, concentration, and trend — replacing the annual snapshot with continuous intelligence
• Adverse selection management: Identify members whose posture is deteriorating or who are materially below minimum viable investment, triggering structured remediation requirements before renewal rather than after a claim
• Trust reinforcement: Demonstrate to members that participation comes with actionable intelligence, measurable remediation guidance, and documented risk reduction — not just audit checkboxes
• Governance documentation: Produce board-ready reporting that captive trustees and regulators can use to demonstrate defensible oversight of member risk, supporting fiduciary duty obligations

Foundations produces the financial risk outputs that connect directly to underwriting, pricing, and reserve language:

• Annual Loss Expectancy (ALE): Probabilistic loss modeling across 6 incident scenario types — ransomware, data breach, BEC/wire fraud, insider threat, DDoS, supply chain compromise
• Revenue at risk: What a disruption of X days costs this specific organization in its own financial terms — not industry averages
• Daily revenue impact: Acute financial exposure per day of operational disruption, useful for recovery timeline modeling
• Recovery timeline: How long before normal operations are restored — not just systems, but the business functions that depend on them
• Insurance gap analysis: Coverage percentage vs. maximum exposure in the insured's numbers, surfacing under-insurance before a claim
• Cyber Poverty Line®: Minimum viable investment threshold, calculated from the insured's own data using ten years of proprietary field intelligence
• Goldilocks Zone: The investment range where spend produces optimal risk reduction — identifying both under- and over-investment

The Big 6 framework identifies the organizational conditions that drive claim frequency and severity — the factors that actuarial models typically cannot see because they don't show up in control inventories or compliance scores:

• Cyber: Security program maturity, control coverage, and operational readiness
• Enterprise: Governance quality, board oversight, and strategic risk integration
• Data: Data classification, privacy practices, and information lifecycle management
• People: Staffing levels, training effectiveness, and insider risk exposure
• AI: AI governance maturity, model risk, and emerging technology exposure
• Third-Party: Supply chain concentration, vendor access, and dependency risk

Yes. Foundations provides Cyber Risk Signal, Big 6 analysis, full financial quantification (ALE, revenue at risk, recovery timeline, insurance gap analysis, Cyber Poverty Line®, Goldilocks Zone), board-ready reports, and Iris AI recommendations without requiring PRISM.

For carriers that need portfolio benchmarking, exposure modeling, and executive underwriting context as a starting point, Foundations is complete on its own. PRISM can be layered in when technical architecture validation, threat-informed control assessment, and compliance depth are required.

PRISM maps the insured's actual environment — not what the questionnaire says is there, but what is architecturally present, documented, and defensible against real threat techniques:

• DoD Tier 0–3 interactive architecture modeling with asset inventory, data flows, and countermeasure tracking — the insured's real environment, not an abstract control checklist
• MITRE ATT&CK and D3FEND integration: Shows which adversary techniques are covered vs. exposed given current controls. An EDR that appears present in a questionnaire may cover only Tier 1 assets while Tier 2 and 3 remain exposed.
• P/D/R maturity scoring: Protect, Detect, and Respond scored separately per zone and asset type. Most insureds have strong Protect scores and weak Detect and Respond — the gap that determines recovery cost.
• Gap prioritization: Showstopper → High → Medium → Low with evidence requirements and remediation effort for each gap — actionable mitigation requirements, not generic checklists
• Evidence-backed findings: Gaps are supported by architectural evidence, not questionnaire self-attestation — a materially different level of underwriting defensibility

Yes. PRISM classifies every tool in the insured's environment as Fully Redundant, Partially Redundant, Essential, or Sole Satisfier. The What-If simulator then shows the P/D/R maturity change, compliance coverage impact, staffing implications, and 5-year TCO savings from consolidation — before any change is made.

For insurers, this is valuable in both directions:

• Over-invested insureds: Tool consolidation frees budget for higher-impact controls without increasing exposure. The insured spends less and is better protected.
• Under-invested insureds: Apparent tool coverage may be providing limited real protection — multiple overlapping tools satisfying the same technique while core gaps remain unaddressed.

PRISM also models full TCO across licenses, maintenance, FTE allocation, staffing gaps, and 5-year cost projections — because staffing deficiencies are persistent claim drivers that tool inventories don't reveal.

Foundations quantifies the financial and organizational dimensions of risk. PRISM validates the technical reality. An insured's ALE and recovery assumptions are only as reliable as the architectural controls underlying them.

PRISM confirms whether the controls Foundations is modeling are actually present, correctly configured, architecturally sound, and performing against real threat techniques — or whether the financial model is resting on assumptions that a breach would quickly disprove.

Not directly, and that is not the intent. Risk Aperture augments actuarial models with current, forward-looking organizational and technical risk data. It exposes the hidden drivers of loss ratios — governance failure, staffing gaps, architectural weaknesses, investment insufficiency — that historical claims data reflects but cannot explain.

The output is a richer input into actuarial and portfolio decision processes, not a replacement for them. Actuaries get better data. Underwriters get more defensible pricing. Claims teams get earlier warning of deteriorating posture.

GRC tools record compliance activity. Risk scoring tools apply generic benchmarks. Neither produces the forward-looking, insured-specific intelligence that underwriting requires.

• GRC: Records whether controls were documented and tested — not whether they work against real adversary techniques or whether the organization can recover
• Standard risk scores: Rank an insured relative to peers — useful context, but a high peer-relative score does not mean the insured is above their Cyber Poverty Line®
• Risk Aperture: Quantifies insured-specific financial exposure, validates actual architecture against real threat intelligence, surfaces the organizational conditions driving loss, and produces evidence-backed remediation ranked by underwriting impact

Portfolio visibility and individual insured context are available as assessments are loaded and baselines are established — typically within the first 30 days. Initial decision support for underwriters is available earlier, once baseline views are in place.

The platform's continuous monitoring capability then delivers ongoing value between formal assessment cycles, which is exactly where questionnaire-based approaches go silent and where drift accumulates undetected before a claim occurs.

No. Risk Aperture operates as a standalone intelligence layer that underwriters, brokers, reinsurers, captives, and risk engineers can use alongside existing systems. It does not require integration with core policy administration, claims, or actuarial platforms to deliver value — though its outputs can inform all of them.

Each participant in the value chain accesses the intelligence they need for their specific workflow without disrupting adjacent systems or requiring implementation timelines measured in quarters.

Most underwriting data is collected at one point in time — the application or renewal — and then goes stale. The insured's posture changes continuously: new assets are added, configurations drift, staff changes, third-party relationships evolve.

PRISM's continuous monitoring and drift detection capability tracks posture changes between formal assessment cycles, giving carriers and captives a more current view than an annual questionnaire cycle provides. Practically, this means:

• Material degradation can trigger mid-policy review rather than being discovered at renewal or during a claim
• Insureds that improve their posture between renewals have documented evidence to support better terms
• Portfolio managers can flag concentration risks as they develop — not after a correlated loss event