AI & Insurtech

Security Ratings and Attack-Surface Scanning in Indian Cyber Underwriting: When the Insurer Scans You Before You Apply

Indian cyber insurers are replacing static questionnaires with continuous, AI-driven external attack-surface scans and security ratings run before they bind cover. This post explains to brokers how those scans work, how to read and contest a poor rating, where SME maturity gaps trigger declines, and how to prepare a client's external posture ahead of a cyber placement.

Sarvada Editorial TeamInsurance Intelligence
6 min read

Listen to this article

Audio version • 6 min read

cyber-insuranceattack-surfacesecurity-ratingsunderwritingsme-riskai-insurtechirdai

Last reviewed: June 2026

The scan happens before the conversation

A decade ago a cyber placement began with a proposal form: the client answered questions about firewalls, backups, multi-factor authentication and incident response, and the underwriter priced the risk on those self-reported answers. That model is fading. Roughly three out of four major cyber carriers now run an external attack-surface scan before they bind, using ratings services such as SecurityScorecard or BitSight to look at the applicant from the outside, the way an attacker would, before a human underwriter has read a single answer.

The scan does not need the client's permission or cooperation, because it only touches what is already public: exposed services on internet-facing IP addresses, software versions with known vulnerabilities, leaked or compromised credentials circulating on criminal forums, expired certificates and misconfigured DNS or email authentication records. From that, the rating engine produces a security rating, often expressed as a letter grade or a numeric score, that the underwriter sees alongside, or sometimes ahead of, the proposal form.

For the broker, the practical consequence is a reordering of the process. The client's external posture is being assessed before the submission lands, so a weak external footprint can shape terms, or trigger a decline, before the broker has had a chance to present the risk. The proposal form still matters, but it is no longer the first thing the insurer sees.

What the rating engine actually measures

A security rating is not a single judgement; it is a composite of signals that an outside-in scanner can collect without internal access. Understanding the categories helps a broker explain a poor score and direct remediation.

  • Exposed and vulnerable services: open ports running outdated software, remote-access services reachable from the public internet, and unpatched systems matched against known vulnerability catalogues.
  • Compromised credentials: employee email and password combinations found in breach dumps and credential-stuffing lists, which signal that accounts may already be exposed.
  • Email and DNS hygiene: missing or misconfigured SPF, DKIM and DMARC records, which make the organisation easier to impersonate in phishing, and stale DNS entries pointing to abandoned infrastructure.
  • Certificate and encryption posture: expired TLS certificates and weak cipher configurations on public services.

The shift this represents is from a point-in-time questionnaire to continuous risk assessment built on real-time telemetry, threat intelligence and security ratings. The underwriting value is straightforward: external signals are observed rather than self-reported, which improves pricing accuracy and reduces adverse selection, the problem of the weakest risks being the keenest to buy and the least candid on a form.

How to read and contest a poor rating

When a client receives a low rating, the broker's first task is to get the underlying findings rather than the headline grade. Ratings services and carriers will usually share the specific observations behind a score, and most findings fall into one of three groups.

Findings that are real and fixable

An exposed remote-desktop port, an unpatched public server or a missing DMARC record is a genuine exposure the client should close regardless of the placement. These are the easiest to act on and the fastest to improve a score, because the scanner re-checks and the rating moves once the issue is resolved.

Findings that are stale or misattributed

Ratings engines sometimes attribute IP ranges or domains to the wrong organisation, or flag infrastructure the client decommissioned months ago. A leaked-credential finding may relate to a personal account or a years-old breach already remediated by a password reset. These are the findings to contest, and a broker who documents the correction gives the underwriter a reason to look past the raw score.

Findings that need context

Some exposures are deliberate and managed, an intentionally open service behind compensating controls the scanner cannot see. Here the answer is explanation rather than remediation: the broker presents the control narrative the outside-in view misses.

Where SME maturity gaps turn into declines

The harder cases sit in the small and mid-sized segment, where the scan often confirms a real gap rather than a misattribution. SME cybersecurity maturity gaps are one of three structural constraints on faster Indian cyber-insurance growth, alongside premium affordability barriers and a shortage of specialised cyber underwriters.

For a smaller client the external scan frequently surfaces the predictable pattern: no email authentication, a self-managed server with an old operating system, employee credentials in breach dumps, and no evidence of multi-factor authentication on remote access. Each finding is genuine, and together they can push a rating below the threshold a carrier will bind at, producing a decline or a heavily conditioned quote before any negotiation.

This is where the broker's role shifts from placement to preparation. A client that walks into a scan-led market with an unmanaged external footprint will struggle, not because the cover is unavailable but because the insurer's first impression is formed by signals the client never knew were visible. The constructive response is to run the client through a basic external hygiene exercise before the submission, so the first scan the insurer sees is not the client's worst.

Preparing a client's external posture before placement

The practical broker playbook in a scan-led market is to assume the insurer will see the client from the outside and to make that view as clean as it honestly can be. A short, repeatable pre-placement routine covers most of the ground.

  1. Run an outside-in check first. Use a ratings or attack-surface tool to see what the carrier will see, so there are no surprises in the submission.
  2. Close the obvious exposures. Shut unnecessary public services, patch internet-facing systems, and remove abandoned DNS records and dead infrastructure that scanners still attribute to the client.
  3. Fix email authentication. Configure SPF, DKIM and DMARC, a low-cost change that improves both the rating and the client's real resistance to impersonation.
  4. Force credential resets where breaches show. Where leaked credentials appear, reset and enable multi-factor authentication, then document it for the underwriter.
  5. Prepare the context narrative. For any managed exposure the scan will flag, write the short explanation the underwriter needs so the finding does not read as negligence.

There is a regional dimension worth noting in client conversations. The Indian cyber-insurance market has been growing at roughly twenty to thirty percent a year, and South India, the Bengaluru, Hyderabad and Chennai corridor, commands about a third of it on the strength of its IT and digital-services concentration. Clients in that segment are both the most exposed and the most scrutinised, so the pre-placement hygiene work matters most there.

Doing this well depends on understanding how a given carrier's wording responds to the exposures a scan surfaces, which conditions and warranties attach to a conditioned quote, and how the rating feeds the terms. Sarvada gives commercial insurance brokers structured, searchable access to insurer policy wordings and the intelligence around them, so a cyber placement can be argued on the detail of cover and not just the headline grade. Request Access to bring that depth to your next cyber submission.

Frequently Asked Questions

How can an insurer scan my client before they even apply for cyber cover?
The scan only touches information that is already public, so it needs no permission or cooperation from the client. Attack-surface and security-ratings services such as SecurityScorecard or BitSight examine internet-facing systems the way an attacker would: open ports and exposed services, software versions with known vulnerabilities, leaked credentials circulating on criminal forums, expired certificates, and misconfigured DNS or email authentication. From these external signals the engine builds a rating that the underwriter sees alongside, or ahead of, the proposal form. Roughly three out of four major cyber carriers now do this before binding, which means the client's external posture is being judged before the broker has presented the risk.
What should I do if a client gets a poor security rating?
Get the underlying findings rather than the headline grade, then sort them into three groups. Real and fixable exposures, such as an open remote-access port or a missing DMARC record, should be closed because the scanner re-checks and the score moves once resolved. Stale or misattributed findings, like IP ranges wrongly assigned to the client or years-old leaked credentials already reset, should be contested with documentation. Managed exposures the scanner cannot interpret should be explained with a control narrative. A score that improves between the first scan and binding signals responsiveness to the underwriter, which itself helps the placement, so treat the report as both a remediation list and a negotiation document.
Why do small and mid-sized clients struggle most in a scan-led cyber market?
For smaller clients the external scan usually confirms a genuine gap rather than a misattribution, because SME cybersecurity maturity gaps are one of the three structural constraints on Indian cyber-insurance growth, alongside premium affordability and a shortage of specialised underwriters. A typical SME scan surfaces missing email authentication, a self-managed server on an outdated operating system, employee credentials in breach dumps, and no multi-factor authentication on remote access. Together these can push a rating below the threshold a carrier will bind at, producing a decline or a heavily conditioned quote. The fix is preparation: run the client through basic external hygiene before submission so the first scan the insurer sees is not the worst one.
How do I prepare a client's external posture before a cyber placement?
Assume the insurer will scan the client from outside and make that view as clean as you honestly can. Run your own outside-in check first so there are no surprises. Close obvious exposures by shutting unnecessary public services, patching internet-facing systems, and removing abandoned DNS records and dead infrastructure that scanners still attribute to the client. Configure SPF, DKIM and DMARC, a low-cost change that improves both the rating and real resistance to impersonation. Reset credentials where breaches show and enable multi-factor authentication, then document it. Finally, prepare a short context narrative for any managed exposure the scan will flag so it does not read as negligence to the underwriter.

Related Glossary Terms

Related Insurance Types

Related Industries

Related Articles

Sarvada

Ready to see Sarvada in action?

Explore the platform workflow or start a product conversation with our underwriting automation team.

Explore the platform