Guidewire’s Cyence Cyber Risk Analytics For Cyber Insurance

Guidewire’s Cyence Cyber Risk Analytics Is Repricing Cyber Insurance. Compliance Is the Variable.

Cyber insurance used to be priced on gut feeling and questionnaires. Underwriters asked applicants to self-report whether they had multi-factor authentication, how often they patched systems, whether they’d had a breach in the last three years — and then largely took the answers at face value. The result was a market that mispriced risk systematically, got punished by a surge of ransomware and breach events in the early 2020s, and then overcorrected with premium hikes, coverage exclusions, and tightened underwriting standards that left many businesses scrambling.

Cyence, now part of Guidewire’s insurance platform, represents the other direction: underwriting built on exposure data rather than self-attestation, risk modeling that draws on real-world threat intelligence, and analytics that let insurers price and manage cyber risk with a level of precision the earlier market never had. For compliance professionals and the businesses they advise, understanding how Cyence works isn’t an academic exercise — it’s increasingly a direct input into how much your cyber insurance costs and whether coverage is available at all.

Cyence Cyber Risk Analytics: What Compliance Teams Need to Know About Data-Driven Underwriting

What Cyence Actually Does

Cyence is a cyber risk analytics platform that provides insurers with quantitative, data-driven models for underwriting, portfolio management, and risk transfer decisions. Guidewire acquired Cyence in 2017 and has since integrated it into its broader insurance cloud platform, giving carriers a purpose-built toolset for cyber specifically rather than an adaptation of property or casualty modeling frameworks that were never designed for digital risk.

The platform operates across two primary functions:

  • Risk assessment at the individual account level. Cyence aggregates external exposure data — internet-facing asset inventories, software and infrastructure signals, known vulnerability profiles, supply chain dependencies, and threat actor activity — to model the likelihood and potential severity of a cyber event for a specific organization. This feeds directly into underwriting decisions: whether to write the risk, at what premium, and with what coverage conditions.
  • Portfolio-level accumulation modeling. Insurers don’t just need to know whether a single company is risky — they need to know whether a systemic event (a widespread ransomware campaign, a critical infrastructure attack, a cloud provider outage) would trigger correlated losses across their entire book of business. Cyence models these accumulation scenarios, which is how insurers manage catastrophic exposure and make reinsurance decisions.

What distinguishes Cyence from earlier-generation cyber underwriting tools is the data sourcing. Rather than relying primarily on applicant-submitted information, the platform pulls from continuous external scanning of internet-facing infrastructure, threat intelligence feeds, and historical loss data calibrated against real breach events. The applicant’s self-reported security posture is one input — not the only one.

Why This Changes the Underwriting Conversation

The practical consequence for businesses seeking cyber coverage is significant: underwriters using Cyence or comparable platforms may know more about your external attack surface than your own IT team has documented. Open ports, unpatched systems visible from the internet, software with known CVEs running on customer-facing infrastructure, third-party vendors in your supply chain with weak security postures — these signals are collectible without any cooperation from the applicant.

This creates a new dynamic in the underwriting relationship. The days of completing an application questionnaire, checking the MFA box, and receiving a quote based largely on those representations are ending for commercial accounts. Carriers are increasingly pre-screening accounts against external data before the application process even begins, flagging technical risk indicators that an applicant may not have disclosed — or may not have known about.

For compliance teams, this means that the security posture documented in internal audits and policy frameworks must correspond to what is actually visible and detectable externally. A gap between the two — whether from delayed patching, shadow IT, misconfigured cloud infrastructure, or supply chain blind spots — is no longer just an internal risk management problem. It is a factor that can affect coverage availability, premium pricing, and policy conditions at renewal.

The Underwriting Criteria That Compliance Posture Actually Affects

Cyber insurers using data-driven risk models evaluate prospective accounts across several technical and governance dimensions. Compliance frameworks directly influence the signals these models detect and how underwriters interpret them.

External attack surface hygiene. The most directly observable factor. Cyence-style platforms scan internet-facing assets for exposed services, known vulnerabilities, and misconfigured systems. Organizations that have implemented rigorous asset inventory management, regular external vulnerability assessments, and disciplined patch cycles present materially different external profiles than those that haven’t. This is not theoretical — underwriters have declined to quote accounts or required remediation before binding coverage based on external scan results alone.

Authentication and access control signals. Multi-factor authentication adoption, particularly on remote access systems and email, has become a baseline coverage condition at many carriers. Compliance programs that have driven MFA implementation as part of broader access governance — often under SOC 2, ISO 27001, or industry-specific frameworks — produce the technical configurations that underwriting models look for.

Third-party and supply chain risk. Cyence’s accumulation modeling accounts for the fact that a compromise at a shared technology vendor — a managed service provider, a SaaS platform, a cloud provider — can trigger losses across hundreds of insured accounts simultaneously. Carriers are increasingly asking how businesses manage vendor security risk, whether third-party assessments are conducted, and what contractual protections exist. Organizations with mature vendor management programs present lower correlated risk profiles.

Incident response readiness. Loss severity — not just loss frequency — drives insurance economics. An organization that detects a breach quickly, contains it efficiently, and has pre-arranged forensic and legal response resources will have lower average loss costs than one that discovers an intrusion months after initial access. Underwriters are factoring incident response maturity into pricing, and documented IR programs with tested playbooks are a meaningful differentiator.

Historical loss experience. Prior breach events, ransomware payments, and claims history feed into individual account risk profiles. The calibration of Cyence’s models against real historical loss data means that past events carry forward into future underwriting assessments — and that post-incident remediation must be demonstrable, not just asserted.

What Compliance Teams Should Actually Fix

The shift toward data-driven cyber underwriting creates a concrete action agenda for compliance professionals whose organizations carry or are seeking cyber coverage.

  1. Commission an external attack surface assessment before renewal. Don’t wait for an underwriter’s external scan to surface problems. Conduct your own assessment — or engage a third party — to identify internet-facing vulnerabilities, exposed services, and misconfigured assets before the underwriting process begins. Remediate findings and document the remediation timeline. Showing a clean current state is more useful than explaining why a previously flagged issue exists.
  2. Align your security control documentation to what is actually deployed. Policy documents and control frameworks that describe intended security states rather than actual ones create disclosure risk and undermine credibility with underwriters. Conduct a gap analysis between documented controls and implemented controls. Close the gaps or document the compensating controls that address the same risk.
  3. Formalize your vendor risk management program. Build an inventory of third-party vendors with access to your systems or data, tier them by risk level, and establish a cadence for security assessments. Ensure vendor contracts include security requirements, breach notification obligations, and audit rights. This is increasingly a standard underwriting inquiry, and a documented program is a differentiating signal.
  4. Test your incident response plan. A written IR plan that has never been exercised is worth significantly less than one validated through tabletop exercises or simulations. Conduct at least annual tabletop exercises covering ransomware, data exfiltration, and third-party compromise scenarios. Document the outcomes and any improvements made. Underwriters ask about IR testing frequency — have a real answer.
  5. Prepare a security narrative for the underwriting submission. For commercial accounts, the application questionnaire is increasingly accompanied by a supplemental security summary that contextualizes control implementations, explains any prior incidents and subsequent remediation, and demonstrates governance maturity. Compliance teams should own this document. An underwriter who understands your security program makes better pricing decisions than one working only from checkbox responses.

Cyence, Guidewire, and Where the Market Is Heading

Cyence is not the only cyber risk analytics platform in the market — vendors including CyberCube, RMS Cyber, and others operate in the same space — but Guidewire’s distribution reach means Cyence’s models influence a substantial portion of commercial cyber underwriting. As Guidewire continues integrating Cyence deeper into its cloud platform, the data-driven underwriting approach it represents will become more standard, not less.

The broader trajectory is toward continuous underwriting rather than annual point-in-time assessments. Some carriers are already moving toward real-time monitoring arrangements where coverage conditions and pricing can be adjusted based on ongoing external signals — not just at renewal. For compliance professionals, this means that security posture management is not a pre-renewal sprint but a continuous operational discipline with direct insurance economics attached to it.

Organizations that treat compliance as a cost center disconnected from business outcomes are increasingly exposed to a concrete counterargument: your compliance posture is a variable in the model that prices your cyber insurance. Fixing it has a calculable return.

Captain Compliance Can Help

Captain Compliance works with businesses building the compliance and security governance programs that insurers — and platforms like Cyence — evaluate when underwriting cyber risk, and we offer complementary software tools that are a natural fit for integration into your cyber insurance practice or into risk reduction audits for data privacy policies. From attack surface documentation and vendor risk frameworks to incident response program development and underwriting submission support, our team provides the practitioner-grade compliance infrastructure that moves the needle on both coverage availability and premium outcomes.
