Pre-binding cyber posture assessments for insurers, underwriters, and brokers. Passive, evidence-based, independent. Gives you a credible view of risk before you accept it — without requiring anything from the applicant.
Drawn from a combined GRC and passive OSINT engagement, anonymised. Everything below was observable from outside the organisation — the same view an underwriter, a regulator, or an attacker already has. No systems are ever accessed.
Two abbreviated extracts from real 2026 engagements, anonymised — a commercial lender and a mortgage broker. Each is a selection of findings, not the full report, drawn through a combined GRC and passive OSINT lens. These are the gaps that decide whether cover is offered, how it is priced, and whether a claim is paid. No systems are ever accessed.
Every one of these was answerable from outside the organisation, before a proposal form was ever filled in.
A lender writing in the billions — where a principal’s credentials sat publicly retrievable in an old build of the website, behind password-only access to the systems that move money.
A passive review of the organisation’s historical web footprint surfaced valid credentials belonging to a principal of the business, left behind in an archived build of the public website. They were publicly retrievable. No systems were accessed to find them.
Exposed credentials are the exposure underwriters now price hardest, because they are the one gap where no vulnerability, no patch and no exploit is required. Where MFA is not enforced behind them, most insurers will decline cover or apply a ransomware sub-limit.
In the Latitude Financial breach (2023), a stolen employee login was the entry point — roughly 14 million records taken, including 7.9 million driver licence numbers, and $76 million in pre-tax costs. The ASD found compromised credentials the leading initial-access vector in encryption incidents in 2024–25: 42%, up from 23%, with 9,587 credential-exposure notifications issued in a single year.
One to raise immediately with IT and whoever holds identity. The direction is to treat those credentials as compromised, and to stop relying on a password alone as the barrier to anything that moves money. Maps to Essential Eight (MFA) and APP 11.
Remote and administrative access to the lending platforms rested on username and password alone. Multi-factor authentication was available on some systems and enforced on none of the ones that mattered.
MFA on VPN and administrative accounts is now treated as a near-universal baseline underwriting requirement in the Australian cyber market. Most insurers decline cover, or apply ransomware sub-limits, where it is not enforced — and the distinction at claim time is between MFA deployed and MFA enforced.
In June 2026 the ASD’s ACSC warned Australian organisations of FortiBleed, an active campaign against Fortinet firewall and VPN devices. It exploits recycled credentials and weak passwords with no MFA. There is no patch, because it is not a vulnerability. A single credential campaign against one vendor’s install base can hit a correlated slice of an insurer’s entire book at once, with nothing to remediate at the perimeter.
Sits with IT and whoever holds identity. The direction is to enforce — not merely deploy — multi-factor authentication on remote and administrative access, and to be able to demonstrate it. Maps to Essential Eight (MFA).
The organisation’s public website ran on a WordPress installation months behind on core and plugin updates, with published CVEs against the versions in use. It was observable from the outside, without touching it.
Patching cadence is one of the first things a cyber proposal form asks about, and one of the easiest to verify from outside. An unpatched public system contradicts a declaration of good patching hygiene — and misrepresentation on a proposal form is a coverage problem before it is ever a security one.
The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to. In one Australian case, an unpatched Microsoft Exchange server took attackers four days to reach full encryption. Essential Eight at Maturity Level One is assessed to cut compromise risk by up to 85%.
Sits with IT, or whoever maintains the website. The direction is a patching rhythm someone owns, rather than updates applied when somebody remembers. Maps to Essential Eight (patch applications).
Sensitive borrower financial information was held on platforms hosted or controlled offshore. For at least one, the hosting jurisdiction could not be confirmed, and no cross-border accountability arrangement was evident.
Where data sits determines which laws apply, which regulators can act, and whether a policy’s territorial limits actually respond. An insured that cannot say where its data lives cannot demonstrate the cross-border accountability APP 8 requires — and cannot be confident its cover follows the data.
In the 2Apply / IRE determination (OAIC, 2026), a third-party platform’s handling of personal data drew a landmark ruling, remedied by a mandated independent review. In Latitude, the stolen data sat with service providers, not the lender itself — and the lender still wore it.
Sits with procurement and the privacy function. The direction is to map where the data actually lives, confirm accountability for each recipient, and revisit anything whose location cannot be established. Maps to APP 8 and APP 11.
Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.
Business-interruption cover turns on how quickly an insured can restore operations. An untested plan gives an underwriter nothing to price, and gives the insured no defensible answer at claim time about what recovery was actually possible.
After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery converts a contained incident into a prolonged business-interruption loss.
The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. Maps to Essential Eight (backups) and ASD resilience guidance.
The Lender risk profile
Credentials in public and password-only access sit where underwriters look first. Indicative only: each point is a plausible path to compromise, not a prediction.
A small firm that grew quickly, and outpaced the software it was built on — with the borrower application portal, and every identity document in it, reachable from the public internet.
The client application portal — the intake path for borrower identity documents, payslips, bank statements and credit information — was reachable directly from the public internet. It sat outside any firewall restriction and did not enforce multi-factor authentication.
This is the concentration of insurable loss in one place: verified identity documents and financial records behind a single login. Notification costs, identity-restoration costs and regulatory exposure all scale with the number of documents held. An underwriter pricing this portal is pricing every document inside it.
In Optus (2022), a public-facing endpoint that should never have been reachable exposed roughly 9.5 million customers. In Latitude (2023), the material taken was precisely this class of document — 7.9 million driver licence numbers, with the insured reimbursing replacement costs.
One to raise immediately with IT. The direction is to restrict who can reach the portal at all, and to require more than a password of anyone who does. Maps to Essential Eight (MFA) and APP 11.
The firm ran on platforms chosen when it was much smaller, kept in service as volumes grew. Several were past the point of active maintenance, and the security assumptions built into them no longer matched the value of what they now held.
Legacy and unsupported software is a standard exclusion trigger and a standard premium loading. Once a vendor stops issuing updates, an insurer is being asked to carry a risk the insured has no path to remediate.
The ASD’s ACSC repeatedly warns that legacy and unsupported systems provide a direct pathway for compromise: once updates stop, vulnerabilities quickly become public knowledge and heavily targeted.
Sits with IT, but the call is the partners’. The direction is to plan for replacing or retiring what has been outgrown — and, until then, to make sure someone owns it as a known risk. Maps to Essential Eight (patching).
Connections to aggregator platforms, lender panels and the CRM had been established as the business grew and then left alone. Access was broad, credentials were long-lived, and no one had revisited what each connection could reach.
Third-party and dependent-system exposure is where aggregation risk lives for an insurer. One compromised platform in a shared chain can produce claims across many insureds at once — the same correlated-loss problem that makes single-vendor concentration so difficult to price.
ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest attacks to detect — the access looks legitimate. In Latitude, the data was taken through service providers connected to the business, not the business itself.
A conversation for IT and whoever owns the aggregator and lender relationships. The direction is to know every connection, keep each to what it actually needs, and review them on a rhythm. Maps to Essential Eight (application hardening).
Security configuration had been assembled reactively — each control added when a specific need or incident prompted it, rather than designed as a whole. There was no documented baseline, so no way to tell what was deliberate and what was left over.
A proposal form asks an insured to declare its controls. A firm with no documented baseline is answering from memory. At claim time, the difference between what was declared and what can be evidenced is where cover is contested.
The OAIC assesses whether an organisation took reasonable steps to protect personal information, judged against its size, resources, and the sensitivity of what it holds. “We added things as we went” is not evidence of reasonable steps.
Sits with IT, with the partners setting the expectation. The direction is a documented baseline — a written statement of what good looks like here — so the firm can evidence what it does, not just declare it. Maps to APP 11.
Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.
Business-interruption cover turns on how quickly an insured can restore operations. An untested plan gives an underwriter nothing to price, and gives the insured no defensible answer at claim time about what recovery was actually possible.
After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery converts a contained incident into a prolonged business-interruption loss.
The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. Maps to Essential Eight (backups) and ASD resilience guidance.
The Broker risk profile
An exposed portal concentrates insurable loss in one place. Indicative only: each point is a plausible path to compromise, not a prediction.
A proposal form records what an organisation believes about itself. An external assessment records what can actually be seen. Where those two diverge, cover is priced on the first and contested on the second — and the gap between them is where claims are lost.
Every consequence cited above is drawn from public regulatory, court, or government records. The findings themselves are anonymised and illustrative of real 2026 engagements.
Underwriting practice described reflects observed market practice, not any single insurer’s stated position. Risk ratings are indicative assessments of plausible exposure, not predictions of a certain outcome. No client is named or identifiable.
The applicant's security questionnaire tells you what they think. A passive OSINT assessment tells you what's actually visible from the outside.
Independent pre-binding assessment of the applicant's external posture. Evidence-based, framework-mapped, produced without applicant cooperation — so the view is unfiltered.
Differentiate your brokerage by offering clients a GRC posture assessment alongside the renewal process. Demonstrate value beyond the quote.
Post-incident assessment of what was externally visible before the event. Establish whether the insured's posture matched their policy declarations.
Screen an entire portfolio of policyholders to identify the accounts carrying the highest external exposure before they become claims.
Independent view of cedent portfolio quality. Passive assessment across a sample of underlying risks to validate the book's actual posture.
Embed cyber posture assessment into your binding authority workflow. Evidence-based risk selection without slowing the process.
Stop relying on self-reported questionnaires. See the applicant's actual external posture — email security, credential exposure, infrastructure gaps, privacy compliance — before you commit capital.
Show existing clients what's changed since their last assessment. A year-on-year comparison of their external posture gives them a reason to stay and a reason to invest in remediation.
After a claim, assess what was externally visible before the incident. Establish whether the insured's posture matched their policy representations.
Screen your book to find the accounts with the highest external exposure. Address them proactively before they become loss events.
The following is drawn from a real passive OSINT assessment conducted in 2026. Company details have been anonymised.
A pre-binding assessment of an ASX-listed technology company operating in the regulated wagering space identified five sets of live API credentials sitting in public GitHub repositories. All five were confirmed active against their respective provider APIs on the day of assessment.
The applicant’s security questionnaire had reported no known credential exposure. DMARC was set to p=none — offering zero protection against email spoofing. Five historical origin server IPs were found bypassing the CDN. No WAF was in place.
None of this was visible from the application form. All of it was visible from public data in under 24 hours.
The difference between what an applicant reports and what an independent assessment reveals is the difference between pricing risk and inheriting it.