Adversarial Risk Group

What is continuous underwriting?

Continuous underwriting is an insurance model in which the carrier assesses the insured's risk posture throughout the policy term, not just at renewal.

Key takeaways

  • Continuous underwriting replaces annual snapshot underwriting with ongoing assessment of the insured's posture using external scanning, internal telemetry, and (increasingly) continuous testing evidence.
  • The model aligns insurer and policyholder incentives: improvements during the term produce demonstrable risk reduction, which the carrier can price into renewal or (with mature implementations) mid-term adjustment.
  • Specialty-cyber MGAs (Coalition, At-Bay, Resilience, Cowbell) have pioneered continuous-underwriting models in 2022-2026. The model is becoming standard in the cyber line.
  • For mid-market manufacturers, continuous underwriting rewards programs that operate, not just programs that pass an annual questionnaire. Continuous testing evidence becomes the underwriting input.
  • ARG's longer-horizon roadmap includes a cyber MGA aligned to continuous underwriting; this entry frames the operational model the future offering would use.

What does continuous underwriting actually change about a cyber policy?

Traditional underwriting is a snapshot. At renewal, the carrier reviews a questionnaire, scans the external attack surface, considers the loss history, and produces terms for the next year. The terms are set for the full policy term regardless of what happens during the term.

Continuous underwriting changes the model in three ways:

  1. Ongoing assessment. The carrier continuously monitors the insured's posture during the policy term: external attack surface scanning, threat intelligence on observed exposures, telemetry the insured shares, and (in mature models) continuous testing evidence.
  2. Real-time signals. Material posture changes (new exposed services, vulnerable software disclosure, breach indicators) produce signals to the carrier. The carrier may respond with warnings, advisory recommendations, or (in some models) coverage adjustments.
  3. Renewal informed by year-long data. Renewal terms reflect the full year's posture, not a single-point assessment. A program that improved produces better renewal terms; a program that drifted produces worse.

The change is structural, not just procedural. The relationship between insurer and insured shifts from transactional (annual policy purchase) to relational (continuous program with insurance built in). The carrier becomes a participant in the security program, not just a payment counterparty.

For the insured, the implication is that what happens during the policy term matters for pricing, not just what was true at the moment of renewal. The continuous engagement matters; the snapshot does not dominate.

How carriers use external scanning, telemetry, and attestation in continuous models

Continuous underwriting draws on three data sources.

External attack surface scanning. The carrier (or a third party) continuously scans the insured's public-facing infrastructure. Findings include exposed services, vulnerable software versions, expired certificates, exposed admin interfaces, suspicious DNS configurations, and similar external indicators. The scanning is invisible to the insured by design; it produces the carrier's view of the perimeter. See What is attack surface management (ASM)?.

Insured-provided telemetry. Some carriers integrate with the insured's systems (with consent) to draw telemetry directly: EDR deployment data, identity provider configurations, conditional access policy state, MFA coverage. The telemetry produces a richer picture than external scanning alone.

Third-party attestations and continuous testing evidence. Increasingly, carriers accept attestations from cybersecurity service providers, continuous penetration testing reports, and adversarial simulation outcomes as underwriting inputs. The evidence supplements scanning and telemetry; it produces a view of what controls actually do under contact, not just whether controls are present.

The three sources combine into a continuous posture score that informs underwriting decisions. The mature implementations weight the sources thoughtfully: scanning provides perimeter signal, telemetry provides internal signal, testing evidence provides operational signal.

For mid-market manufacturers, the implication is that continuous testing evidence increasingly affects insurance pricing directly. Programs that produce documented continuous testing find favor with continuous-underwriting carriers; programs without it are priced as if they have less evidence.

Why continuous underwriting aligns insurer and policyholder incentives

Traditional underwriting produces a specific misalignment. The carrier prices the policy at the start of the year. The insured's posture improvements during the year do not produce mid-term pricing benefit. The insured has reduced incentive to invest mid-term; the carrier has reduced visibility into actual posture.

Continuous underwriting realigns the incentives:

  • Insured invests in improvements continuously. Posture improvements during the year produce signals the carrier sees. The carrier rewards the signals at renewal (or, in some models, mid-term).
  • Carrier sees posture in real time. The carrier's risk model updates continuously; pricing adjustments at renewal reflect the actual year's data.
  • Both sides benefit from incident reduction. Lower claim frequency benefits both the insurer's loss ratio and the insured's renewal terms. The investment that produces lower incidents is rewarded.
  • The relationship becomes a partnership. Carriers in continuous-underwriting models often offer services (scanning, advisory, incident response readiness) alongside the policy. The bundle reflects the alignment.

The alignment is not philosophical; it is economic. An MGA earning profit-share on underwriting performance has direct economic incentive to help the insured reduce claim frequency. The continuous-underwriting model is one operational expression of that alignment.

For mid-market manufacturers, the implication is that the right insurance partner can be operationally useful, not just a financial backstop. Selecting an insurance partner becomes a security-program decision, not just a procurement decision.

Examples of continuous-underwriting actions during a policy term

What continuous underwriting looks like in operation:

  • Mid-term exposure alert. External scanning surfaces a newly exposed admin interface. Carrier sends an advisory to the insured (often through the broker) with the specific finding and recommended remediation. No coverage change; the alert is informational.
  • Posture deterioration warning. Multiple scanning findings accumulate over weeks; the carrier's posture score declines. The carrier warns the broker that renewal terms will reflect the deterioration unless remediation occurs. The insured has time to respond.
  • Threat intelligence-driven advisory. Carrier observes targeted threat activity in the insured's sector and pushes specific advisories to the insured: MFA tightening, specific patch priority, awareness messaging on a specific phishing pattern. Some MGAs deliver this at scale.
  • Improvement-driven renewal reduction. Year-over-year posture improvement (FIDO2 rollout, EDR coverage expansion, continuous testing program) produces renewal reduction beyond what an annual snapshot would justify. The carrier's continuous view of the improvement is what unlocks the pricing.
  • Mid-term coverage adjustment. Some carriers offer mid-term coverage increases or sublimit adjustments when the insured demonstrates material posture improvement. Less common; emerging.
  • Non-renewal trigger. Persistent posture deterioration without remediation produces non-renewal notification with sufficient lead time for the insured to seek alternative coverage. The continuous model produces the lead time; traditional snapshot underwriting often produces surprise.
  • Incident response acceleration. Continuous-underwriting carriers often have pre-positioned incident response resources. A confirmed incident produces faster response than a transactional carrier could deliver.

The pattern: continuous underwriting produces continuous touchpoints between carrier and insured. The touchpoints are operationally useful when the carrier's services are real; they are administrative friction when the services are marketing.

How to prepare a security program for continuous evaluation

For a mid-market manufacturer expecting to move to a continuous-underwriting model:

  1. Map current external attack surface. Run attack surface management before the carrier does. Findings the insured surfaces first can be remediated before the carrier sees them; findings the carrier surfaces first are negotiation positions.
  2. Document the security program in carrier-readable form. NIST CSF profile, CIS Controls coverage, IR plan, tabletop documentation, framework alignment. Carrier-readable means structured, current, and tied to evidence.
  3. Establish telemetry-sharing comfort. Some continuous-underwriting carriers want direct telemetry access. Decide what the organization is willing to share and how the sharing is governed. Privacy and competitive concerns need explicit treatment.
  4. Produce continuous testing evidence. Adversarial simulation, continuous penetration testing, tabletop exercise records. The continuous evidence is what the model rewards.
  5. Track posture trend, not just absolute state. The carrier's model values improvement direction. A program demonstrably improving is more valuable than a stable program at the same level.
  6. Coordinate broker and IT. The broker is the relationship; IT is the operational reality. Continuous-underwriting carriers communicate through the broker; the broker needs current operational information to negotiate effectively.
  7. Plan for material changes proactively. New acquisition, major M&A, significant infrastructure change, ownership change. Each produces posture signals; communicating proactively with the carrier produces better outcomes than waiting for the carrier to surface concerns.
  8. Build the renewal package as a byproduct of program operation. Continuous documentation feeds the renewal; annual reconstruction is more expensive and produces weaker evidence. See What is cyber insurance underwriting?.

Best practices for working with a continuously underwriting carrier

The carrier relationship in a continuous model is operationally tighter than in traditional models.

  1. Treat advisories as operational input, not marketing. A continuous-underwriting carrier that produces actionable advisories is delivering value. Acting on the advisories produces measurable posture improvement.
  2. Use bundled services where they fit. Continuous-underwriting carriers often bundle services (scanning, MDR, IR retainer). The bundle is sometimes a good fit; sometimes a generic alternative is better. Evaluate per-service.
  3. Communicate posture changes proactively. Material improvements (new MFA, new EDR, new IR retainer) get communicated to the carrier through the broker. The carrier credits documented improvement; unannounced improvement may not surface in their scanning.
  4. Negotiate at renewal with the year's evidence. Renewal preparation in a continuous model includes the full year's evidence, not just the questionnaire. Continuous testing reports, posture trend documentation, advisory response evidence.
  5. Maintain alignment between policy and practice. The continuous-underwriting carrier observes the actual practice. The policy's required procedures should match what the organization actually does. Mismatch produces claim disputes regardless of underwriting model.
  6. Plan exit options. Continuous-underwriting carriers can decline renewal or restructure terms. Maintain awareness of alternative carriers and brokers; the captive feeling of the continuous relationship should not produce dependency that costs at renewal.
  7. Track the carrier's track record. Continuous-underwriting carriers vary in service quality and stability. Industry peers' experience over multiple years produces useful signal on whether the carrier's promises match the practice.

Continuous underwriting FAQs

Can a continuous-underwriting carrier raise my premium mid-term?

Generally not within the term once a policy is bound, but the carrier can use mid-term observations to inform renewal terms and may impose coverage adjustments, deductible changes, or non-renewal at the next renewal. Some carriers can decline new claims or limit coverage extensions mid-term based on observed posture deterioration. Read the policy language carefully for the specific terms.

Is continuous underwriting the same as outside-in scanning?

No, but the two are related. Outside-in scanning (security ratings, attack-surface monitoring from outside the network) is one input to continuous underwriting. Mature continuous underwriting also includes insured-provided telemetry, third-party attestations, and (increasingly) data from continuous testing and adversarial simulation.

Do continuous-underwriting carriers actually lower premiums after improvements?

Some do; others adjust only at renewal. The carrier's specific practice is set out in the policy, and the broker should confirm it explicitly. The model that delivers the strongest value is mid-term premium adjustment for documented improvement; the model that adjusts only at renewal still produces value, but on a longer cycle.

How does continuous underwriting relate to ARG's planned MGA?

ARG's medium-term roadmap (18 to 36 months from launch) includes the development of a cyber MGA aligned to continuous underwriting principles. The continuous engagement ARG runs today produces the data that supports continuous underwriting; the future MGA structure converts that data directly into pricing. The vision is operational alignment between the security service and the insurance pricing. See What is a Managing General Agent (MGA)?.

How ARG's continuous adversarial simulation integrates with continuous underwriting

ARG's engagement model produces, by design, the data that continuous underwriting rewards. The integration is operational, not theoretical.

The work is structured by David Ashby on the engagement design and program governance side, with James Wall operating the continuous simulation infrastructure. Each engagement produces:

  • Continuous attack surface data. External scanning aligned with what continuous-underwriting carriers observe. Findings remediated before they affect the carrier's view.
  • Continuous detection coverage data. BAS and adversarial simulation produce per-technique coverage maps. The data shows what the program actually detects, not what it claims to detect.
  • Continuous workflow validation. Adaptive simulation against named individuals exercises the verification workflows that SEF endorsements require. Outcomes feed both program improvement and underwriting evidence.
  • Continuous identity and access measurement. MFA migration progress, PAM state, least privilege adherence. Carrier-relevant identity metrics.
  • Continuous OT and physical posture evidence. Physical audit, OT security, supply chain coverage relevant to manufacturers specifically.

For founding clients today, the engagement output supports renewal underwriting at any continuous-underwriting-aware carrier. The broker can assemble the renewal package directly from the monthly operational packets and quarterly reviews.

For the longer horizon, ARG's planned MGA structure converts the continuous engagement data into direct underwriting input. The vision is a manufacturing-specialty cyber MGA where the continuous engagement is both the security service and the underwriting basis. The engagement priced today is structured to position founding clients to benefit from that future direction.

The 18-to-36-month roadmap is forward-looking; the operational engagement is current. Manufacturers in need of cyber insurance today work through their existing broker and carrier or MGA relationships. ARG's audit findings and continuous engagement evidence support those relationships immediately.



ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: David Ashby. Updated 2026-05-18. Adversarial Risk Group.