Partnerships — Insurers & Brokers

Know What You're Underwriting
Before You Price It.

Pre-binding cyber posture assessments for insurers, underwriters, and brokers. Passive, evidence-based, independent. Gives you a credible view of risk before you accept it — without requiring anything from the applicant.

Pre-Binding Assessment
Independent risk view
Passive OSINT assessment of the applicant's external posture before you price or bind. No applicant involvement required. Results within 7 days.
Portfolio Screening
Batch assessment
Screen multiple applicants or existing policyholders in a single engagement. Identify the highest-risk accounts before renewal season.
White-Label
Your brand, our methodology
We produce the assessment. You deliver it under your brokerage or underwriting brand. The client sees one provider.
See an assessment example ↓

What the Assessment Found

Drawn from a combined GRC and passive OSINT engagement, anonymised. Everything below was observable from outside the organisation — the same view an underwriter, a regulator, or an attacker already has. No systems are ever accessed.

Two abbreviated extracts from real 2026 engagements, anonymised — a commercial lender and a mortgage broker. Each is a selection of findings, not the full report, drawn through a combined GRC and passive OSINT lens. These are the gaps that decide whether cover is offered, how it is priced, and whether a claim is paid. No systems are ever accessed.

3 Critical 6 High 1 Medium
What underwriters check first
MFA enforced, not merely deployedA patching cadence someone ownsRecovery that has actually been tested

Every one of these was answerable from outside the organisation, before a proposal form was ever filled in.

Engagement A

Commercial Lender

A lender writing in the billions — where a principal’s credentials sat publicly retrievable in an old build of the website, behind password-only access to the systems that move money.

Critical F1 · Credential ExposureA principal’s credentials, left in an archived build of the website APP 11Essential Eight

What we found

A passive review of the organisation’s historical web footprint surfaced valid credentials belonging to a principal of the business, left behind in an archived build of the public website. They were publicly retrievable. No systems were accessed to find them.

What it means for cover

Exposed credentials are the exposure underwriters now price hardest, because they are the one gap where no vulnerability, no patch and no exploit is required. Where MFA is not enforced behind them, most insurers will decline cover or apply a ransomware sub-limit.

Left unaddressed

In the Latitude Financial breach (2023), a stolen employee login was the entry point — roughly 14 million records taken, including 7.9 million driver licence numbers, and $76 million in pre-tax costs. The ASD found compromised credentials the leading initial-access vector in encryption incidents in 2024–25: 42%, up from 23%, with 9,587 credential-exposure notifications issued in a single year.

Where this gets owned

One to raise immediately with IT and whoever holds identity. The direction is to treat those credentials as compromised, and to stop relying on a password alone as the barrier to anything that moves money. Maps to Essential Eight (MFA) and APP 11.

Critical F2 · Remote Access & MFAPassword-only access to systems that move money Essential EightAPP 11

What we found

Remote and administrative access to the lending platforms rested on username and password alone. Multi-factor authentication was available on some systems and enforced on none of the ones that mattered.

What it means for cover

MFA on VPN and administrative accounts is now treated as a near-universal baseline underwriting requirement in the Australian cyber market. Most insurers decline cover, or apply ransomware sub-limits, where it is not enforced — and the distinction at claim time is between MFA deployed and MFA enforced.

Left unaddressed

In June 2026 the ASD’s ACSC warned Australian organisations of FortiBleed, an active campaign against Fortinet firewall and VPN devices. It exploits recycled credentials and weak passwords with no MFA. There is no patch, because it is not a vulnerability. A single credential campaign against one vendor’s install base can hit a correlated slice of an insurer’s entire book at once, with nothing to remediate at the perimeter.

Where this gets owned

Sits with IT and whoever holds identity. The direction is to enforce — not merely deploy — multi-factor authentication on remote and administrative access, and to be able to demonstrate it. Maps to Essential Eight (MFA).

High F3 · Unpatched Public SystemsA public-facing WordPress site behind on updates Essential EightASD

What we found

The organisation’s public website ran on a WordPress installation months behind on core and plugin updates, with published CVEs against the versions in use. It was observable from the outside, without touching it.

What it means for cover

Patching cadence is one of the first things a cyber proposal form asks about, and one of the easiest to verify from outside. An unpatched public system contradicts a declaration of good patching hygiene — and misrepresentation on a proposal form is a coverage problem before it is ever a security one.

Left unaddressed

The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to. In one Australian case, an unpatched Microsoft Exchange server took attackers four days to reach full encryption. Essential Eight at Maturity Level One is assessed to cut compromise risk by up to 85%.

Where this gets owned

Sits with IT, or whoever maintains the website. The direction is a patching rhythm someone owns, rather than updates applied when somebody remembers. Maps to Essential Eight (patch applications).

High F4 · Data SovereigntyBorrower financial data held offshore, jurisdiction unclear APP 8APP 11

What we found

Sensitive borrower financial information was held on platforms hosted or controlled offshore. For at least one, the hosting jurisdiction could not be confirmed, and no cross-border accountability arrangement was evident.

What it means for cover

Where data sits determines which laws apply, which regulators can act, and whether a policy’s territorial limits actually respond. An insured that cannot say where its data lives cannot demonstrate the cross-border accountability APP 8 requires — and cannot be confident its cover follows the data.

Left unaddressed

In the 2Apply / IRE determination (OAIC, 2026), a third-party platform’s handling of personal data drew a landmark ruling, remedied by a mandated independent review. In Latitude, the stolen data sat with service providers, not the lender itself — and the lender still wore it.

Where this gets owned

Sits with procurement and the privacy function. The direction is to map where the data actually lives, confirm accountability for each recipient, and revisit anything whose location cannot be established. Maps to APP 8 and APP 11.

High F5 · Resilience — DR OwnershipNo one owned the recovery plan or the patchwork Essential EightASD

What we found

Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.

What it means for cover

Business-interruption cover turns on how quickly an insured can restore operations. An untested plan gives an underwriter nothing to price, and gives the insured no defensible answer at claim time about what recovery was actually possible.

Left unaddressed

After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery converts a contained incident into a prolonged business-interruption loss.

Where this gets owned

The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. Maps to Essential Eight (backups) and ASD resilience guidance.

The Lender risk profile

Credentials in public and password-only access sit where underwriters look first. Indicative only: each point is a plausible path to compromise, not a prediction.

High
impact
45
12
Medium
impact
3
Low
impact
Low
Medium
High
Plausibility of exposure →
F1 Principal’s credentials publicly retrievable
F2 Password-only remote access
F3 Unpatched public WordPress site
F4 Borrower data held offshore
F5 DR ownership — no owner
Engagement B

Mortgage Broker

A small firm that grew quickly, and outpaced the software it was built on — with the borrower application portal, and every identity document in it, reachable from the public internet.

Critical F6 · Exposed Application PortalThe borrower application portal, reachable from the public internet APP 11Essential Eight

What we found

The client application portal — the intake path for borrower identity documents, payslips, bank statements and credit information — was reachable directly from the public internet. It sat outside any firewall restriction and did not enforce multi-factor authentication.

What it means for cover

This is the concentration of insurable loss in one place: verified identity documents and financial records behind a single login. Notification costs, identity-restoration costs and regulatory exposure all scale with the number of documents held. An underwriter pricing this portal is pricing every document inside it.

Left unaddressed

In Optus (2022), a public-facing endpoint that should never have been reachable exposed roughly 9.5 million customers. In Latitude (2023), the material taken was precisely this class of document — 7.9 million driver licence numbers, with the insured reimbursing replacement costs.

Where this gets owned

One to raise immediately with IT. The direction is to restrict who can reach the portal at all, and to require more than a password of anyone who does. Maps to Essential Eight (MFA) and APP 11.

High F7 · Legacy PlatformsSystems carried along as the business scaled Essential Eight

What we found

The firm ran on platforms chosen when it was much smaller, kept in service as volumes grew. Several were past the point of active maintenance, and the security assumptions built into them no longer matched the value of what they now held.

What it means for cover

Legacy and unsupported software is a standard exclusion trigger and a standard premium loading. Once a vendor stops issuing updates, an insurer is being asked to carry a risk the insured has no path to remediate.

Left unaddressed

The ASD’s ACSC repeatedly warns that legacy and unsupported systems provide a direct pathway for compromise: once updates stop, vulnerabilities quickly become public knowledge and heavily targeted.

Where this gets owned

Sits with IT, but the call is the partners’. The direction is to plan for replacing or retiring what has been outgrown — and, until then, to make sure someone owns it as a known risk. Maps to Essential Eight (patching).

High F8 · Integration TrustAggregator, lender-panel and CRM connections, never reviewed Essential Eight

What we found

Connections to aggregator platforms, lender panels and the CRM had been established as the business grew and then left alone. Access was broad, credentials were long-lived, and no one had revisited what each connection could reach.

What it means for cover

Third-party and dependent-system exposure is where aggregation risk lives for an insurer. One compromised platform in a shared chain can produce claims across many insureds at once — the same correlated-loss problem that makes single-vendor concentration so difficult to price.

Left unaddressed

ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest attacks to detect — the access looks legitimate. In Latitude, the data was taken through service providers connected to the business, not the business itself.

Where this gets owned

A conversation for IT and whoever owns the aggregator and lender relationships. The direction is to know every connection, keep each to what it actually needs, and review them on a rhythm. Maps to Essential Eight (application hardening).

Medium F9 · Reactive ConfigurationSecurity settings added as needs arose, never designed APP 11Essential Eight

What we found

Security configuration had been assembled reactively — each control added when a specific need or incident prompted it, rather than designed as a whole. There was no documented baseline, so no way to tell what was deliberate and what was left over.

What it means for cover

A proposal form asks an insured to declare its controls. A firm with no documented baseline is answering from memory. At claim time, the difference between what was declared and what can be evidenced is where cover is contested.

Left unaddressed

The OAIC assesses whether an organisation took reasonable steps to protect personal information, judged against its size, resources, and the sensitivity of what it holds. “We added things as we went” is not evidence of reasonable steps.

Where this gets owned

Sits with IT, with the partners setting the expectation. The direction is a documented baseline — a written statement of what good looks like here — so the firm can evidence what it does, not just declare it. Maps to APP 11.

High F10 · Resilience — DR OwnershipNo one owned the recovery plan or the patchwork Essential EightASD

What we found

Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.

What it means for cover

Business-interruption cover turns on how quickly an insured can restore operations. An untested plan gives an underwriter nothing to price, and gives the insured no defensible answer at claim time about what recovery was actually possible.

Left unaddressed

After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery converts a contained incident into a prolonged business-interruption loss.

Where this gets owned

The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. Maps to Essential Eight (backups) and ASD resilience guidance.

The Broker risk profile

An exposed portal concentrates insurable loss in one place. Indicative only: each point is a plausible path to compromise, not a prediction.

High
impact
710
6
Medium
impact
8
Low
impact
9
Low
Medium
High
Plausibility of exposure →
F6 Application portal publicly reachable
F7 Legacy platforms outgrown
F8 Aggregator / CRM integration trust
F9 Security configured reactively
F10 DR ownership — no owner

A proposal form records what an organisation believes about itself. An external assessment records what can actually be seen. Where those two diverge, cover is priced on the first and contested on the second — and the gap between them is where claims are lost.

The precedents, on the record

Every consequence cited above is drawn from public regulatory, court, or government records. The findings themselves are anonymised and illustrative of real 2026 engagements.

Underwriting practice described reflects observed market practice, not any single insurer’s stated position. Risk ratings are indicative assessments of plausible exposure, not predictions of a certain outcome. No client is named or identifiable.

Insurers Who Want Evidence, Not Self-Assessments

The applicant's security questionnaire tells you what they think. A passive OSINT assessment tells you what's actually visible from the outside.

Cyber Underwriters

Independent pre-binding assessment of the applicant's external posture. Evidence-based, framework-mapped, produced without applicant cooperation — so the view is unfiltered.

Insurance Brokers

Differentiate your brokerage by offering clients a GRC posture assessment alongside the renewal process. Demonstrate value beyond the quote.

Claims Teams

Post-incident assessment of what was externally visible before the event. Establish whether the insured's posture matched their policy declarations.

Portfolio Risk Managers

Screen an entire portfolio of policyholders to identify the accounts carrying the highest external exposure before they become claims.

Reinsurers

Independent view of cedent portfolio quality. Passive assessment across a sample of underlying risks to validate the book's actual posture.

MGAs & Coverholders

Embed cyber posture assessment into your binding authority workflow. Evidence-based risk selection without slowing the process.

What Changes When You Can See the Risk

Before binding

Price with confidence

Stop relying on self-reported questionnaires. See the applicant's actual external posture — email security, credential exposure, infrastructure gaps, privacy compliance — before you commit capital.

At renewal

Retain and upsell

Show existing clients what's changed since their last assessment. A year-on-year comparison of their external posture gives them a reason to stay and a reason to invest in remediation.

Post-incident

Validate declarations

After a claim, assess what was externally visible before the incident. Establish whether the insured's posture matched their policy representations.

Portfolio-wide

Identify concentration risk

Screen your book to find the accounts with the highest external exposure. Address them proactively before they become loss events.

What a Pre-Binding Assessment Actually Reveals

The following is drawn from a real passive OSINT assessment conducted in 2026. Company details have been anonymised.

Assessment Extract — ASX-Listed Technology Company (Regulated Wagering)
Five verified active API credentials found in public code repositories.

A pre-binding assessment of an ASX-listed technology company operating in the regulated wagering space identified five sets of live API credentials sitting in public GitHub repositories. All five were confirmed active against their respective provider APIs on the day of assessment.

The applicant’s security questionnaire had reported no known credential exposure. DMARC was set to p=none — offering zero protection against email spoofing. Five historical origin server IPs were found bypassing the CDN. No WAF was in place.

None of this was visible from the application form. All of it was visible from public data in under 24 hours.

The difference between what an applicant reports and what an independent assessment reveals is the difference between pricing risk and inheriting it.

See what your applicants can't tell you.

Passive. Independent. Evidence-based. No applicant involvement required.

Discuss a Partnership →