Why Security Ratings Don't Work for Cyber Insurance Underwriting (And What Does)

BitSight, SecurityScorecard, and UpGuard give you an A-F score. But underwriters need financial exposure in EUR. Here's why passive security ratings fail underwriting decisions and what Resiliently's financial exposure approach does differently.

Security ratings platforms like BitSight, SecurityScorecard, and UpGuard have become the de facto standard for third-party risk assessment. They give organizations an A-F score based on passively collected external data — open ports, SSL configurations, malware detections, and DNS records.

But there’s a growing problem: these scores don’t work for cyber insurance underwriting.

Here’s why.

The 3 Fatal Flaws of Security Ratings for Underwriting

1. Passive Data = Stale Data

BitSight and SecurityScorecard collect data passively from external feeds, honeypots, and third-party scanning infrastructure. This means:

  • A rating reflects what was observed days or weeks ago, not what’s happening now
  • CDN outages and shared hosting IPs can trigger false alerts and score drops
  • Remediations that happened yesterday don’t appear in the score

“I cannot describe how hilariously inaccurate their ‘profile’ of my company is.” — Reddit user, r/cybersecurity (2026)

For an underwriter making a binding decision on a €500K policy, a stale, inaccurate score is worse than no score. It creates false confidence in one direction and false rejection in the other.

2. Abstract Scores Don’t Map to Financial Exposure

A “B” rating on SecurityScorecard tells an underwriter… what, exactly? That the company is “above average”? Below average for the industry?

Underwriters don’t need letter grades. They need financial exposure ranges.

  • What is the expected loss given a ransomware attack on this company?
  • What is the breach cost range based on their specific technology stack, industry, and finding severity?
  • How does this risk translate to premium pricing?

Passive ratings platforms offer none of this. They were designed for procurement teams evaluating vendors, not for insurers pricing risk.

3. No Validation Against Reality

SecurityScorecard and BitSight rely on external signals only. They cannot:

  • Validate whether a vendor’s security questionnaire responses match technical reality
  • Confirm that a patched vulnerability is actually patched
  • Account for compensating controls that mitigate a detected finding

FortifyData’s analysis puts it bluntly: “If you need to understand your vendors’ actual technical posture and not just observable signals from external data sources, you’re describing active assessment, not security ratings.”

The CISO Backlash

The criticism is no longer niche. On G2, SecurityScorecard reviews consistently cite:

  • “Scoring Issues” — scores fluctuate due to CDN outages, not actual security changes
  • “Limited Reporting” — data that’s useful for boards but not operations
  • “Lack of Clarity” — opaque methodology that makes remediation prioritization impossible

And regulators are catching up. DORA, NIS2, HIPAA, and SOC 2 don’t accept passive scores as evidence of third-party risk management. Regulators require documented assessment processes, questionnaire responses, and ongoing monitoring — none of which passive ratings provide.

What Underwriters Actually Need

After analyzing the workflows of cyber insurance underwriters across the London market and Lloyd’s, Resiliently identified four requirements that passive ratings don’t meet:

1. Financial Exposure in EUR (Not A-F Scores)

An underwriter needs to know: “If this company gets hit by ransomware, what’s the likely loss?” The answer must be in currency, not letters.

Resiliently’s Domain Exposure Checker + Broker Scorecard converts technical findings into industry-specific financial exposure ranges:

Industry      | Base Exposure Range | Per Critical Finding Add
--------------|---------------------|-------------------------
Technology    | €20K–€80K           | +€30K
Finance       | €50K–€200K          | +€50K
Healthcare    | €15K–€60K           | +€25K
Manufacturing | €10K–€50K           | +€20K
Energy        | €20K–€100K          | +€35K

2. Actionable Underwriter Recommendations

Not a “B+” rating. Not “medium risk.” Clear, binding guidance:

  • Bind — Accept without conditions
  • Bind with Conditions — Accept with specific requirements (e.g., “require MFA within 30 days”)
  • Refer for Assessment — Escalate for manual review
  • Decline — Do not bind

3. Validated, Real-Time Data

Passive ratings rely on whatever the scanner happens to catch. Resiliently uses real-time passive reconnaissance (Certificate Transparency logs, DNS records, HTTP header analysis, SSL/TLS inspection) that reflects the company’s actual current posture, not what was observed last week.

4. Industry Benchmarking

A finance company with score 75 may be below average for its industry (finance average: 82). A technology company with score 68 is above average (tech average: 74). Without industry context, scores are meaningless.

The Resiliently Difference

Feature                    | BitSight / SecurityScorecard | Resiliently.ai
---------------------------|------------------------------|--------------------------------------
Data Collection            | Passive, cached              | Real-time passive recon
Score Format               | A-F letter grade             | A-F + EUR financial exposure
Underwriter Guidance       | None                         | Bind / Conditions / Refer / Decline
Industry Benchmarks        | Generic                      | Per-industry averages with peer counts
Financial Quantification   | No                           | Yes — EUR exposure estimates
PDF for Carrier Submission | No                           | Yes — one-page formatted
Pricing                    | $25K+/yr enterprise          | Free tier + €49/mo Broker Pro

The Bottom Line

Security ratings were built for a different use case: vendor risk management at enterprise scale. They work well for procurement teams screening thousands of vendors.

But for cyber insurance underwriting — where decisions involve real financial exposure and regulatory compliance — passive A-F scores are insufficient.

Resiliently’s approach starts where security ratings stop: converting technical findings into financial exposure estimates that underwriters can actually use.

Try the Domain Exposure Checker: free, no credit card required, and you see your financial exposure in seconds.


Disclaimer: The financial exposure ranges provided are estimates for informational purposes only and do not constitute underwriting advice. Consult your carrier’s specific underwriting guidelines. Resiliently.ai is not a licensed insurance intermediary.
