How Brokers Use Privaini to Win Placements

11 Jan 2022

Privacy is the new MFA.

That line came from the Legal Counsel and Head of Global Cyber Risk & Insurance at WTW -- not from a privacy technology vendor. It came from one of the largest insurance brokers in the world, watching the claims data accumulate in real time.

The observation is not a prediction. It is a description of what is already happening in the cyber insurance market. Privacy violations are now a top driver of cyber insurance claims. VPPA class actions are averaging $11.5M in settlements. Wiretapping class actions are accelerating across California, Pennsylvania, and Florida. Regulatory enforcement is producing material fines across the US and EU. And every one of those claims is a data point in the actuarial model underwriters use to price the policies brokers place.

Brokers who can assess and communicate client privacy risk are no longer simply demonstrating sophistication. They are providing a service the market is actively asking for.

What Underwriters Are Looking For That Questionnaires Cannot Provide

Cyber insurance underwriting has historically relied on two inputs: security ratings and questionnaires. Security ratings measure breach likelihood. Questionnaires capture self-reported program documentation.

Neither measures privacy liability exposure. A company can score well on SecurityScorecard while simultaneously carrying material VPPA exposure from video analytics integrations it has not adequately disclosed. A questionnaire answer about privacy program maturity reflects what the client's compliance team believes to be true internally -- not what is observable from the outside, which is where violations originate.

Underwriters know this. The reason four of the top 10 cyber insurers have embedded outside-in privacy risk intelligence into their underwriting workflows is that the existing signal stack was structurally blind to the fastest-growing claims vector.

The broker who arrives at the underwriting conversation with an outside-in privacy risk assessment has something the underwriter cannot get from the application questionnaire: evidence about what is actually observable about the client's privacy practices. That changes the conversation. It changes placement outcomes. And it changes the broker's competitive position in the account.

Three Ways Brokers Use Privaini

1. Application preparation and risk differentiation

The most common broker use case: assess the client's privacy posture before the application goes to market, identify gaps, advise remediation, and document the improvement.

This approach serves two purposes. First, it improves the actual risk profile being placed -- clients who remediate observable consent failures and policy-practice gaps before renewal represent materially better risk than they did at the prior renewal. Second, it gives the broker a documented before-and-after narrative: here is what we found, here is what the client fixed, here is the current outside-in assessment. That narrative is credible to underwriters in a way that a questionnaire answer about ongoing privacy program improvements is not.

The broker is not just submitting a risk. They are presenting a risk they have independently assessed and helped manage. That is a different category of service.

2. New business prospecting

Privaini's outside-in assessment works on any company from a domain name and website. No deployment. No cooperation from the assessed organization.

For brokers, this creates a prospecting capability that does not currently exist in the market. A broker can run a privacy risk assessment on a prospect's digital footprint before the first meeting -- and arrive with a concrete, evidence-backed picture of the prospect's privacy exposure that their current broker almost certainly has not provided.

"Here is what we found when we looked at your observable privacy posture from the outside. Here is how it compares to your industry peers. Here is the exposure your current broker has not surfaced." That is a first-meeting conversation that creates differentiation immediately.

3. Renewal season positioning

Privacy claims are a growing driver of cyber insurance pricing. Clients who cannot demonstrate their privacy posture to underwriters will face adverse pricing treatment as the market matures. Clients who can demonstrate improvement -- through independently verified, outside-in assessment -- have a credible basis for negotiating more favorable terms.

The broker who introduces outside-in privacy risk assessment to the renewal process is the broker who controls the renewal narrative. The renewal conversation shifts from "here is what our questionnaire says" to "here is what we independently verified about the client's observable privacy practices, and here is how it has improved since the last renewal."

That is a materially different value proposition. And it is available exclusively to brokers who have adopted outside-in privacy risk assessment.

The Competitive Dimension

The cyber insurance broker market is competitive. Clients who have multiple broker relationships -- or who are evaluating broker changes -- make those decisions based on perceived advisory value.

Privacy risk advisory is a differentiation vector that most brokers have not yet developed. The window for early-mover advantage is open and will not stay open indefinitely. The brokers who establish privacy risk advisory capability in 2026 will build client relationships that are difficult to displace when competitors catch up.

The adoption pattern is visible. WTW has publicly described privacy risk assessment as a competitive tool. The two largest brokers in the cyber market have embedded outside-in assessment into their service offerings. The independent broker who develops the same capability is not following a trend -- they are meeting a market standard that is being established by the category leaders.

What the Assessment Actually Shows

A Privaini assessment of a client's digital footprint produces findings that are directly relevant to the underwriting conversation:

Consent flow UX -- Are the client's consent mechanisms giving users a meaningful choice, or are dark patterns creating regulatory and litigation exposure? CPPA enforcement in California has focused specifically on consent UX.

Policy-practice gaps -- What data collection and sharing practices are observable but not adequately disclosed in the privacy policy? This is the source of VPPA, wrongful collection, and GDPR inadequate disclosure exposure.

Tracker and technology inventory -- What third-party tools are operating on the client's digital properties, and what are the data sharing implications of each?

Jurisdictional mapping -- Which privacy regulations apply to the client's actual user base, and where are the compliance gaps relative to each applicable framework?

AI governance signals -- What AI tools are deployed, and are the data collection implications of those tools adequately disclosed?

These findings are regulator-grade -- reproducible, timestamped, jurisdiction-specific. They are not questionnaire answers. They are evidence.

Cyber insurance underwriters are looking for brokers who can bring them better information about the risks they are pricing. Privacy risk is the fastest-growing dimension of cyber exposure. The broker who can assess it, communicate it, and demonstrate client improvement over time is the broker who earns the relationship.

Privacy is the new MFA. The brokers who treat it that way in 2026 will compete differently than the brokers who do not.