Pricing Blind: When You Can't See the Risk You're Insuring

Cyber underwriters are pricing policies based on questionnaires and self-reported data while the real attack surface stays hidden. Here is what you are missing and how to fix it.


A cyber underwriter receives a submission. The broker’s cover note lists revenue, headcount, industry, and IT budget. The application form has 42 checkboxes. The prospective insured checked 38 of them.

This is the data point on which a €5M cyber policy gets priced.

The problem isn’t the checkboxes. The problem is what’s not on the form.

What You’re Not Seeing

Traditional underwriting relies on what the insured tells you. But threat actors don’t read your application — they scan the attack surface. The gap between what appears on a submission and what’s actually exposed is the underwriting visibility gap, and it’s wider than most pricing models account for.

Consider what a typical submission doesn’t include:

  • Shadow IT assets. The marketing team’s trial SaaS accounts, the developer’s forgotten cloud instance, the API key in a public repo. A 2025 survey by the Cloud Security Alliance found that the average enterprise has 10x more cloud assets than its IT team is aware of (Source: CSA 2025 Cloud Security Report).

  • Domain exposure. Subdomain takeover risks, expired TLS certificates, dangling DNS records, and email misconfigurations. These are externally observable — but only if you look. Most underwriters don’t.

  • Supply chain dependencies. You may underwrite company A, but company A uses vendors B, C, and D — and you have zero visibility into their security posture. Third-party breaches doubled as a share of all incidents in 2025 (Source: CrowdStrike 2025 Global Threat Report).

  • Historical incident data. Has this organization had a breach before? Most application forms don’t ask, and most applicants don’t volunteer that information.

The Pricing Consequence

When you can’t see the actual risk, you compensate with uncertainty — and uncertainty shows up as either over-pricing (losing competitive deals) or under-pricing (accumulating adverse selection).

The result is a market where:

  • Good risks are overcharged because underwriters lack the data to differentiate them from bad ones
  • Bad risks are underpriced because the application looks clean — the gaps are in what’s not disclosed
  • Adverse selection compounds — organizations that know they have issues are incentivized to conceal them, while organizations with strong security programs are penalized by broad risk buckets

This isn’t theoretical. A 2024 study by the Geneva Association found that cyber insurance loss ratios averaged 65% over the previous five years — with significant volatility driven by the very visibility gaps described here (Source: Geneva Association, Cyber Insurance: A Growing Market Challenge, 2024).

What External Data Actually Shows

An underwriter who supplements submissions with external telemetry sees a different picture:

| Data Point        | Application Form       | External Reality                                |
|-------------------|------------------------|-------------------------------------------------|
| Cloud assets      | 200 listed             | 1,800+ discovered                               |
| Exposed databases | 0 reported             | 3 internet-facing                               |
| Domain posture    | "Secured"              | 12 expired certificates, 2 subdomain takeovers  |
| Supply chain      | 15 vendors listed      | 47 SaaS integrations identified                 |
| Breach history    | "No prior incidents"   | 2 credential leaks in dark web feeds            |

This isn’t a hypothetical scenario. It’s the pattern that shows up consistently when submission data is cross-referenced with external attack surface intelligence.

The Fix Isn’t More Paperwork

The instinct is to add more questions to the application. A 200-question form doesn’t solve a visibility problem — it creates a completion problem. Brokers push back, applicants guess, and the data quality stays low.

The fix is external data enrichment:

  1. Domain and certificate scanning — automated checks that reveal real exposure without asking the insured
  2. Supply chain mapping — identifying third-party dependencies from public data
  3. Threat intelligence correlation — matching the insured’s sector and profile against active threat campaigns
  4. Historical incident databases — cross-referencing breach databases for prior events

These data points don’t replace the underwriter’s judgment. They inform it — the same way a motor underwriter uses a claims database rather than asking “have you had any accidents?”

The Risk Register as a Decision Tool

This is where a FAIR-quantified risk register changes the underwriting conversation. Instead of pricing in the dark, you model:

  • Loss Event Frequency based on observed threat data, not self-reported confidence levels
  • Loss Magnitude ranges tied to sector-specific breach costs, not arbitrary bands
  • Monte Carlo simulation that produces probability distributions rather than point estimates

The risk register doesn’t eliminate uncertainty. It makes it visible, measurable, and comparable across submissions.
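As an added example (not code from the article or from Resiliently.ai), the three register bullets above in Python: Loss Event Frequency and Loss Magnitude are each drawn from a min / most-likely / max range, a Poisson draw turns the annual frequency into a count of loss events, and a Monte Carlo loop over simulated policy years yields a loss distribution with percentiles instead of a single number. The two scenarios and every frequency and magnitude value are constructed placeholders, chosen to contrast a submission that is clean on the form with the same submission after external findings raise the frequency estimate.

```python
"""FAIR-style Monte Carlo for one cyber loss scenario (added example, not from the article)."""
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    lef: tuple  # Loss Event Frequency per year: (min, most likely, max)
    lm: tuple   # Loss Magnitude per event in EUR: (min, most likely, max)

def pert_sample(rng, lo, mode, hi, lamb=4.0):
    """Modified-PERT draw: a beta distribution scaled to [lo, hi] and peaked at mode."""
    if hi <= lo:
        return lo
    a = 1.0 + lamb * (mode - lo) / (hi - lo)
    b = 1.0 + lamb * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def poisson(rng, lam):
    """Number of loss events in one year at annual rate lam (Knuth's method)."""
    k, p = 0, rng.random()
    while p > math.exp(-lam):
        k, p = k + 1, p * rng.random()
    return k

def simulate(sc, years=10_000, seed=2025):
    """Simulate independent policy years; return the sorted annual loss totals."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = poisson(rng, pert_sample(rng, *sc.lef))   # how many incidents this year
        annual.append(sum(pert_sample(rng, *sc.lm) for _ in range(events)))
    return sorted(annual)

def summarize(annual):
    """A distribution rather than a point estimate: mean, tail percentiles, P(any loss)."""
    q = lambda p: annual[min(len(annual) - 1, int(p * len(annual)))]
    return {"mean": sum(annual) / len(annual), "p50": q(0.50), "p90": q(0.90),
            "p99": q(0.99), "p_any_loss": sum(1 for x in annual if x > 0) / len(annual)}

# Two submissions identical on the application form; only external telemetry separates
# them. All frequencies and magnitudes are constructed placeholders, not market data.
CLEAN = Scenario("form only, no findings", (0.05, 0.15, 0.4), (50_000, 250_000, 2_000_000))
EXPOSED = Scenario("3 exposed DBs, expired certs", (0.3, 0.8, 2.0), (50_000, 250_000, 2_000_000))

if __name__ == "__main__":
    for sc in (CLEAN, EXPOSED):
        print(sc.name, summarize(simulate(sc)))
```

The p90 and p99 values are what a limit or attachment point can be compared against; the gap between the two scenarios' tails is the information the questionnaire alone cannot surface.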

What Changes When You Can See

An underwriter who supplements the submission with external visibility data makes different decisions:

  • A submission that looks identical on paper to another can be priced differently based on actual attack surface exposure
  • Dynamic pricing models replace flat premiums with risk-adjusted rates
  • Renewal conversations shift from “your premium increased 15%” to “here are three specific exposures we identified”

The industry is already moving in this direction. AI risk loading is an early signal — insurers adding 10-15% surcharges because traditional pricing can’t capture AI-related exposures. That’s a Band-Aid on a visibility problem.

The better approach: see the risk, then price it.


Michael Guiao is the Founder of Resiliently.ai and the author of Resiliently. He holds CISM, CCSP, CISA, and DPO (TÜV) certifications and has 8+ years of experience across insurance, auditing, and consulting at firms including AXA, Xella Group, and PwC.
