Security ratings have become foundational infrastructure in cyber insurance underwriting. BitSight, SecurityScorecard, and their competitors have built sophisticated outside-in assessment tools that measure attack surface exposure, patching velocity, SSL/TLS configuration, open ports, and a range of technical indicators that correlate with breach risk. These tools are genuinely useful for the problem they were designed to solve.
That problem is breach risk. And breach risk is no longer the whole picture.
Security ratings platforms build their scores by passively scanning internet-facing systems, collecting data from honeypots and threat intelligence feeds, and assessing the observable technical posture of an organization's digital infrastructure. The signals they collect are real and meaningful: how quickly does this company patch known vulnerabilities? Are its TLS certificates valid and properly configured? Does it have open ports that shouldn't be exposed? Are its email domains correctly configured (SPF, DKIM, DMARC) against spoofing?
These are legitimate indicators of the likelihood that an organization will suffer a breach event — an intrusion, a ransomware attack, a data exfiltration. For underwriters trying to assess the probability that a company will file a breach claim, security ratings provide genuinely useful signal.
What they do not measure: whether the company's website is transmitting video viewing history to Meta, the fact pattern behind Video Privacy Protection Act (VPPA) claims. Whether its mobile application is collecting location data inconsistent with its privacy policy. Whether its use of session replay tools creates liability under the California Invasion of Privacy Act (CIPA). Whether it has enrolled users in biometric data collection without the disclosures required by the Illinois Biometric Information Privacy Act (BIPA). Whether its privacy policy accurately describes its actual data practices in ways that matter to regulators.
Breach risk and privacy litigation risk have different drivers, different observable indicators, and different relationships to the security controls that underwriting has historically assessed.
Breach risk is primarily a function of security controls: how well-defended is the network perimeter, how quickly are vulnerabilities remediated, how robust is access management, how resilient are backup and recovery systems? A company with strong security controls has meaningfully lower breach risk. Security ratings are a reasonable proxy for this.
Privacy litigation risk is primarily a function of data practices: what data does the company collect, how does it share that data with third parties, does it have valid consent for the sharing that occurs, and does its observable behavior match its stated policies? None of these questions are answered by a security rating. A company can score 900 on BitSight and simultaneously be running Meta Pixel on pages where users watch videos — a configuration that creates seven-figure VPPA exposure regardless of how well-secured the network perimeter is.
"We had two accounts file BIPA claims in the same quarter. Both had security ratings above 750. Both had been through our standard questionnaire process. Neither the ratings nor the questionnaires flagged anything." — Cyber underwriter, specialty lines carrier
Privacy litigation risk has its own set of observable indicators — and like security ratings, they can be assessed from outside the company without any questionnaire or self-reporting. But they require different tools and different expertise.
The presence of Meta Pixel on pages with video content is directly observable by anyone who loads the page and inspects the scripts it includes and the requests it sends: the pixel loader is fetched from connect.facebook.net and its events are posted to facebook.com/tr. The presence of session replay tools (FullStory, LogRocket, Hotjar, and similar platforms) is detectable the same way, from outside the organization. One caveat for anyone building such a scan: tags injected through a tag manager appear only after the page is rendered, so a headless browser sees them and a plain fetch of the HTML does not. Whether a mobile application is collecting location data in ways inconsistent with its stated permissions can be determined through dynamic analysis. Whether an organization's privacy policy accurately describes its actual data collection practices is a comparison that can be made by anyone with access to the policy and the ability to observe the website's actual behavior.
These are precisely the observations that regulators and plaintiffs' counsel make before initiating enforcement actions or filing lawsuits. The FTC examined Facebook's actual data practices against its stated policies before bringing its enforcement actions. State attorneys general have identified privacy violations by scanning websites for third-party tracking deployments. Plaintiffs' firms have built dedicated scanning infrastructure to identify VPPA targets by looking for the coexistence of video content and tracking pixels.
The outside-in view of privacy risk is available. It just requires looking for different signals than security ratings are designed to capture.
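As an added example (not code from the original article or from any ratings vendor), the following Node.js script shows what an outside-in privacy scan looks like in practice: it takes a page's HTML, looks for the Meta Pixel loader and globals, the loader URLs and globals of three session replay vendors, and video players, then flags the VPPA-relevant coexistence of video and the pixel and the CIPA-relevant presence of session recording. A second function compares the vendors the scan observed against the vendors a privacy policy names, which is the policy-accuracy signal discussed later in the article. The sample pages are constructed for the example, the pixel ID in them is a placeholder, and the vendor signatures are a starting list drawn from those vendors' public loader URLs rather than an exhaustive one.

```javascript
// Static detection of privacy-litigation signals in a page's HTML/JS.
// Limitation: scripts injected at runtime (e.g. by a tag manager) only exist
// in the rendered DOM, so for real use pass in post-render HTML captured from
// a headless browser rather than the raw response body.

const SIGNATURES = {
  // Meta Pixel: loader script, init call, or the event endpoint.
  metaPixel: [
    /connect\.facebook\.net\/[a-z_]+\/fbevents\.js/i,
    /\bfbq\s*\(\s*['"]init['"]/i,
    /facebook\.com\/tr\/?\?/i,
  ],
  // Session replay vendors keyed by the name a policy would use.
  sessionReplay: {
    FullStory: [/fullstory\.com\/s\/fs\.js/i, /edge\.fullstory\.com/i, /_fs_org\b/i],
    LogRocket: [/cdn\.logrocket\.io/i, /cdn\.lr-ingest\.io/i, /LogRocket\.init\s*\(/i],
    Hotjar: [/static\.hotjar\.com\/c\/hotjar-/i, /_hjSettings\s*=/i],
  },
  // Video content: native player or the common embedded players.
  video: [/<video\b/i, /youtube(?:-nocookie)?\.com\/embed\//i, /player\.vimeo\.com\/video\//i],
};

const anyMatch = (patterns, text) => patterns.some((re) => re.test(text));

/** Returns the observable privacy signals for one page. */
function scanPage(html) {
  const metaPixel = anyMatch(SIGNATURES.metaPixel, html);
  const sessionReplay = Object.entries(SIGNATURES.sessionReplay)
    .filter(([, patterns]) => anyMatch(patterns, html))
    .map(([vendor]) => vendor);
  const video = anyMatch(SIGNATURES.video, html);
  return {
    metaPixel,
    sessionReplay,
    video,
    // VPPA fact pattern: video content on a page that also fires the pixel.
    vppaSignal: metaPixel && video,
    // CIPA claims turn on recording without consent; a scan can only say the
    // tool is present, not whether consent was obtained.
    cipaSignal: sessionReplay.length > 0,
  };
}

/** Vendors observed on the page that the privacy policy does not name. */
function undisclosedVendors(policyVendors, scan) {
  const observed = [...scan.sessionReplay, ...(scan.metaPixel ? ['Meta'] : [])];
  const declared = new Set(policyVendors.map((v) => v.toLowerCase()));
  return observed.filter((v) => !declared.has(v.toLowerCase()));
}

// Constructed sample pages (not captured from any real site).
const VIDEO_PAGE = `
<html><head>
<script>!function(f,b,e,v,n,t,s){/* pixel loader */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script>(function(h){h.hj=h.hj||function(){};h._hjSettings={hjid:0,hjsv:6};})(window);</script>
</head><body>
<h1>Episode 12</h1>
<video src="/media/ep12.mp4" controls></video>
</body></html>`;

const STATIC_PAGE = `<html><body><p>About us</p>
<script src="https://static.hotjar.com/c/hotjar-0.js?sv=6"></script></body></html>`;

// Example run: the video page shows the VPPA pattern, the static page does not.
const videoScan = scanPage(VIDEO_PAGE);
console.log(videoScan);
console.log('undisclosed:', undisclosedVendors(['Google Analytics'], videoScan));
console.log(scanPage(STATIC_PAGE));
```

The signatures deliberately match both the loader URL and the vendor's JavaScript global, because a site that self-hosts or proxies a loader still has to call the same global to use it. Treating any hit as a claim of liability would be wrong; the output is a set of observable signals for an underwriter to weigh, which is the same evidentiary standard a plaintiff's scan applies before a complaint is drafted.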
The practical implication for cyber insurance underwriting is that current intake processes — security ratings plus questionnaires — are systematically missing the privacy litigation risk component of the exposure being written. Companies with excellent security ratings and clean questionnaire responses are filing claims driven by BIPA, VPPA, CIPA, and other privacy theories. The correlation between security ratings and privacy litigation claims is weak because they are measuring different things.
Closing the gap requires supplementing security ratings with privacy risk intelligence that measures the observable indicators of privacy litigation exposure: third-party data sharing behavior, tracking technology deployment, consent mechanism quality, privacy policy accuracy, and regulatory compliance signals. This intelligence is available from outside the company, using the same outside-in methodology that security ratings pioneered for breach risk — applied to the different set of signals that drive privacy litigation.
The underwriters who move first on building this capability will have a meaningful selection advantage: the ability to distinguish between companies with genuinely low privacy litigation risk and companies whose clean security ratings obscure significant exposure that their competitors are writing without understanding.