
Frequently Asked Questions

71 answers across OT cyber risk quantification, industrial security frameworks, vulnerability management, and AI-powered underwriting.

OT Cyber Risk Quantification
What is OT cyber risk quantification and why does it matter?
OT cyber risk quantification is the practice of translating the security posture of an industrial control system environment into financial terms — specifically, the probability and magnitude of loss that a cyber incident could cause. It matters because security decisions in OT environments are ultimately investment decisions: where to spend a limited budget, which controls to implement first, when to transfer risk to insurance. Without a financial number, those decisions are made on intuition or compliance checklists. With one, they can be defended in a boardroom. 
How is OT cyber risk quantification different from IT cyber risk quantification?
IT risk quantification benefits from decades of actuarial data — breach costs, ransomware payouts, incident frequencies by industry and company size. OT has far less of that. More importantly, the consequences are structurally different. An IT incident produces data loss, regulatory penalties, and business disruption. An OT incident can destroy physical equipment, halt production at hundreds of thousands of dollars per hour, trigger safety events, and cascade across interconnected infrastructure. The financial model for OT risk must account for production downtime, equipment replacement, startup and recovery costs, waste materials, and physical consequence chains. 
What does "inside-out" data mean in the context of OT risk quantification?
Inside-out data is the starting point for facility-level cyber risk assessment — the telemetry that comes from within the industrial environment itself, including device inventories, vulnerability scan results, security control posture, network architecture, alarm logs, and configuration data from PLCs, DCS, historians, and HMIs. It answers the question: what does this specific facility actually look like, right now? Inside-out data is what makes a risk model facility-specific rather than generic.
What does "outside-in" data mean and why is it necessary?
Outside-in data covers everything external to the organization that shapes its risk profile — threat intelligence feeds, sector-specific attack statistics, adversary TTPs mapped to MITRE ATT&CK for ICS, publicly disclosed incidents, vulnerability disclosures for the specific vendors and products deployed in the environment, and firmographic data. Combined with inside-out data, it allows the model to reflect both the attacker's capability and the defender's actual posture. 
Why can't you just use CVSS scores to quantify OT cyber risk?
CVSS scores measure technical severity — how exploitable a vulnerability is and what an attacker could theoretically do with it. They say nothing about the probability of exploitation in a specific environment, the financial consequence if exploitation succeeds, the operational constraints that might prevent patching, or the interdependencies between systems that determine blast radius. Quantification requires modeling the full attack path and its financial consequence — not scoring individual CVEs in isolation. 
What financial outputs should OT risk quantification produce?
The minimum useful outputs are Annual Expected Loss (AEL) — the probability-weighted financial loss over a 12-month period — and Value at Risk (VaR) — the maximum loss at a given confidence level, typically 95th or 99th percentile. Beyond those, loss exceedance probability curves show the full distribution of possible outcomes. Action points — each control ranked by the expected loss reduction it produces per dollar of investment — are what CISOs need to prioritize remediation. 
What is bottom-up portfolio risk aggregation and why does it matter for industrial operators?
Bottom-up aggregation means building the portfolio risk picture through OT cyber risk modeling at each individual facility, rather than applying a top-down multiplier to a single average. Each facility gets its own risk model based on its inside-out data. Those facility-level results are then aggregated to the portfolio level, capturing the actual distribution of risk across sites and identifying which facilities drive the tail exposure. Industrial operators with 10, 50, or 200 facilities cannot manage risk at the average — they need to know which sites are outliers and why. 
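As an added worked example (not DeNexus code and not the URMS engine), the simulation below shows how the outputs named in the previous answers, AEL, VaR at the 95th and 99th percentile and a loss exceedance curve, fall out of a frequency/severity Monte Carlo run per facility, and how bottom-up aggregation sums the per-site years into a portfolio distribution and attributes the tail to specific sites. All facility parameters are constructed and illustrative, and sites are assumed independent.

```python
"""Facility-level frequency/severity Monte Carlo with bottom-up portfolio aggregation.
Constructed example: the parameters below are illustrative, not calibrated figures."""
import math
import random
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass
class Facility:
    name: str
    incidents_per_year: float  # Poisson rate of loss-producing cyber incidents
    median_loss_usd: float     # median loss per incident (downtime, recovery, equipment)
    sigma: float               # lognormal dispersion of the per-incident loss


def poisson(rng: random.Random, lam: float) -> int:
    """Number of incidents in one simulated year (Knuth's method; fine for small rates)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(f: Facility, years: int, rng: random.Random) -> List[float]:
    """Each simulated year: draw an incident count, then a lognormal loss per incident."""
    mu = math.log(f.median_loss_usd)
    return [
        sum(rng.lognormvariate(mu, f.sigma) for _ in range(poisson(rng, f.incidents_per_year)))
        for _ in range(years)
    ]


def analytic_ael(f: Facility) -> float:
    """Closed form used to sanity-check the simulation: rate x mean lognormal severity."""
    return f.incidents_per_year * f.median_loss_usd * math.exp(f.sigma ** 2 / 2)


def ael(losses: List[float]) -> float:
    """Annual Expected Loss: probability-weighted mean of the simulated annual losses."""
    return mean(losses)


def value_at_risk(losses: List[float], confidence: float) -> float:
    """Loss not exceeded in `confidence` of simulated years (0.95 or 0.99 in the text)."""
    s = sorted(losses)
    return s[min(len(s) - 1, max(0, math.ceil(confidence * len(s)) - 1))]


def loss_exceedance_curve(losses: List[float], thresholds: List[float]) -> List[Tuple[float, float]]:
    """P(annual loss > t) for each threshold t: the full tail picture behind a single VaR."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x > t) / n) for t in thresholds]


def portfolio_model(facilities: List[Facility], years: int = 20_000, seed: int = 7) -> Dict:
    """Bottom-up aggregation: model every site on its own parameters, add the sites
    year by year to get the portfolio distribution, then attribute the portfolio tail.
    Sites are drawn independently here; correlated exposures (shared vendor, shared
    remote-access path) would need a common shock term on top of this."""
    rng = random.Random(seed)
    per_site = {f.name: simulate_annual_losses(f, years, rng) for f in facilities}
    portfolio = [sum(site[y] for site in per_site.values()) for y in range(years)]
    var95 = value_at_risk(portfolio, 0.95)
    tail_years = [y for y, x in enumerate(portfolio) if x >= var95]
    tail_total = sum(portfolio[y] for y in tail_years) or 1.0
    return {
        "site_ael": {n: ael(l) for n, l in per_site.items()},
        "portfolio_ael": ael(portfolio),
        "portfolio_var95": var95,
        "portfolio_var99": value_at_risk(portfolio, 0.99),
        # share of the loss in the worst 5% of years coming from each site: the outliers
        "tail_driver_share": {n: sum(l[y] for y in tail_years) / tail_total for n, l in per_site.items()},
        "lec": loss_exceedance_curve(portfolio, [1e6, 5e6, 10e6, 25e6]),
    }


SAMPLE_PORTFOLIO = [  # constructed, illustrative site parameters
    Facility("gas-gen-1", 0.30, 2_000_000, 0.8),
    Facility("plant-2", 0.50, 400_000, 0.8),
    Facility("substation-3", 0.15, 800_000, 0.8),
]

if __name__ == "__main__":
    result = portfolio_model(SAMPLE_PORTFOLIO)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The tail_driver_share output is the "which sites are outliers and why" view: the portfolio VaR is read off the summed distribution, not off an average, and each site's share of the worst years shows who drives it.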
How does OT cyber risk quantification support cyber insurance decisions?
It provides the structured financial evidence that insurers need to underwrite OT risk accurately. Without quantification, an operator submits a narrative questionnaire and receives a coverage offer based on qualitative judgment. With quantification, the operator can present AEL, VaR, and a documented control posture — and negotiate coverage terms based on evidence rather than perception. 
How often should OT cyber risk quantification be updated?
Continuously, or at minimum quarterly. Risk changes when the threat landscape changes, when the environment changes, and when incident data is updated. A static annual assessment is a snapshot of a moment that no longer exists. For organizations asking how to quantify OT cyber risk continuously, the answer is a live model fed by inside-out telemetry and outside-in threat intelligence — not a periodic assessment. 
What is the difference between a risk score and a quantified risk number?
A risk score is an ordinal ranking — high, medium, low, or a number like 72/100. It tells you relative priority but nothing about absolute exposure. A quantified risk number is a financial figure with a probability attached: "$4.2M annual expected loss" or "$18M at 95th percentile VaR." The difference matters enormously for governance. A CFO can defend a capital reserve against a dollar figure. A board can evaluate a cyber insurance program against a dollar figure. 
Cybersecurity Frameworks
Why do OT environments need cybersecurity frameworks different from the IT ones?
Because the environments have fundamentally different architectures, operational constraints, and risk profiles. IT frameworks are built around protecting data — they assume assets can be patched, rebooted, monitored with software agents, and taken offline for maintenance. OT environments run physical processes where availability is the primary requirement, assets may run for 20–30 years without patching, and many devices cannot support installed software at all. 
What is NIST CSF and is it appropriate for OT environments?
The NIST Cybersecurity Framework organizes security activities into five functions — Identify, Protect, Detect, Respond, Recover. For OT environments, NIST CSF is useful as an overarching framework providing the management vocabulary that boards and executives understand. But it does not provide the OT-specific technical requirements that make a control program actually implementable in an industrial environment. US organizations typically use NIST CSF as the governance layer with IEC 62443 providing the OT-specific technical requirements underneath. 
What is IEC 62443 and why was it developed specifically for industrial environments?
IEC 62443 is the international standard series for Industrial Automation and Control Systems security. It was built from the ground up for environments where availability takes precedence over confidentiality, where assets have long lifecycles, where patching follows operational windows rather than IT schedules, and where the consequence of a security failure is physical rather than informational. It covers the full ecosystem — asset owners, system integrators, and product suppliers. 
What is MITRE ATT&CK for ICS and how does it differ from the Enterprise matrix?
MITRE ATT&CK for ICS is a knowledge base of adversary tactics and techniques specifically observed in attacks against industrial control systems. It differs from the Enterprise matrix in what adversaries are trying to achieve: in Enterprise, the goal is typically data theft or ransomware; in ICS, the goal is to manipulate or destroy a physical process. The ICS matrix includes tactic categories with no Enterprise equivalent — Inhibit Response Function and Impair Process Control. 
What is NIST SP 800-82 and how does it relate to IEC 62443?
NIST SP 800-82 is the US National Institute of Standards and Technology guide for OT security. It provides guidance on securing industrial control systems across critical infrastructure sectors. It is complementary to IEC 62443 rather than competitive — both address OT security, but IEC 62443 is more internationally recognized and structurally rigorous for certification purposes. Many organizations map both simultaneously. 
Is ISO 27001 sufficient for industrial environments?
No. ISO 27001 governs information security management systems and was designed for IT environments and information assets. For organizations with both IT and OT environments, ISO 27001 is typically implemented for the IT side while IEC 62443 governs the OT side. Attempting to stretch ISO 27001 to cover OT creates compliance gaps — the standard's controls are simply not designed for environments where availability is non-negotiable and assets have 20-year lifecycles. 
What is NERC CIP and who does it apply to?
NERC CIP is the set of cybersecurity standards developed by the North American Electric Reliability Corporation, mandatory for bulk electric system operators in North America. It applies to utilities, transmission operators, and generation owners that meet specific impact thresholds. For energy sector organizations, CIP and IEC 62443 are often implemented in parallel — CIP provides the mandatory baseline, IEC 62443 provides the structured technical depth. 
What is NIS2 and which organizations does it affect?
NIS2 is the EU Network and Information Security Directive 2, effective October 2024. It requires essential and important entities across 18 sectors — including energy, water, transport, manufacturing, and chemicals — to implement appropriate cybersecurity measures and report significant incidents. For OT environments in scope, regulators explicitly recognize IEC 62443 as the appropriate technical standard for demonstrating compliance. 
How do these frameworks relate to each other in practice?
They operate at different levels and serve complementary purposes. NIST CSF and ISO 27001 provide governance structures. IEC 62443 provides technical control specifications for OT environments. MITRE ATT&CK for ICS provides the threat model vocabulary. NIST SP 800-82 provides sector-specific guidance for US critical infrastructure. NERC CIP and NIS2 provide the mandatory compliance baseline for their respective jurisdictions. 
How does DeNexus map its risk outputs to these frameworks?
DeRISK produces governance outputs aligned to NIST CSF, ISO 27001, and the DeNexus proprietary framework (DNX CSF), which is built on IEC 62443 and NIST principles. Attack scenarios in the quantification engine are structured on MITRE ATT&CK for ICS tactic and technique categories. For organizations subject to NIS2 or NERC CIP, the platform's control assessments can be mapped to the relevant regulatory requirements. 
OT Risk Management
What does OT risk management mean in practice?
OT risk management is the ongoing process of identifying cyber risks in industrial control system environments, quantifying their financial impact, prioritizing mitigation based on expected loss reduction, implementing controls within operational constraints, and transferring residual risk where appropriate. In practice it means making three decisions continuously: which risks to treat, which risks to accept, and which risks to transfer to insurance or other instruments. 
Why can't OT environments simply adopt IT security practices?
Five structural incompatibilities prevent it. First, OT assets cannot be patched on IT schedules. Second, availability is the primary constraint — security tools that introduce latency or require reboots are operationally unacceptable. Third, endpoint agents cannot be installed on PLCs, RTUs, and embedded controllers. Fourth, IT log management platforms cannot ingest OT process data directly. Fifth, IT segmentation approaches can disrupt deterministic OT traffic flows. 
What is the relationship between OT risk management and cyber insurance?
They are complementary parts of a complete risk strategy. Risk management reduces the probability and magnitude of loss through controls and process improvements. Cyber insurance transfers the residual financial exposure after those controls are in place. The connection between them is quantification: a risk management program that produces AEL and VaR numbers can use those numbers to right-size insurance coverage and negotiate better terms. 
How should OT risk be prioritized when resources are limited?
By expected loss reduction per dollar of investment — not by CVSS score, not by compliance checklist completion, and not by the size of the vulnerability backlog. A segmentation project that costs $500K and reduces annual expected loss by $2M is a better investment than a vulnerability scanning tool that costs $200K and reduces AEL by $100K, even if the scanning tool closes more CVEs. Financial quantification converts every security decision into an ROI calculation. 
What is the role of asset inventory in OT risk management?
It is the foundation. You cannot assess, model, or manage risk for assets you do not know exist. Industrial environments frequently have undocumented legacy devices, informal network connections, and equipment deployed by contractors without full IT/security visibility. A Crown Jewels assessment — identifying which assets would produce the highest operational and financial impact if compromised — requires a complete and accurate asset inventory as its starting point. 
How do you manage OT cyber risk across a portfolio of facilities?
Through bottom-up aggregation: model each facility individually based on its actual inside-out data, then aggregate those models to produce portfolio-level metrics. This reveals which facilities are driving the tail risk, where the correlated exposures are, and where investment produces the greatest portfolio-level loss reduction. Managing risk at the average across a 50-facility portfolio means under-managing your worst facilities and over-investing in your safest ones. 
What is the IT/OT boundary and why is it the most critical risk surface?
The IT/OT boundary is the interface between corporate IT networks and industrial OT networks — typically mediated by historian servers, remote access solutions, engineering workstations with dual connectivity, and DMZ architectures. It is the most critical risk surface because virtually every documented OT attack in recent years has crossed it: attackers establish a foothold in the IT network and then move laterally into OT. Protecting this boundary is the single highest-ROI control investment in most industrial environments. 
How does OT risk management change as environments become more connected?
The threat model expands and the attack surface grows. Cloud connectivity, remote monitoring, vendor access channels, and integration with enterprise systems each create new paths from the internet into the control environment. Risk management must scale with that connectivity: each new connection must be assessed, the IT/OT boundary must be continuously monitored, and the risk model must be updated to reflect the new architecture. 
What does good OT risk governance look like at the board level?
It looks like a defensible financial number reviewed quarterly, supported by evidence that specific controls are being maintained and specific risks are being managed. Boards need to understand the organization's Annual Expected Loss, how it compares to industry peers, what the worst-case scenario looks like, and what the organization is doing to reduce it. The CISO's job is to produce that financial translation. The risk management program's job is to make it credible. 
How does OT risk management relate to operational resilience?
Directly. Operational resilience — the ability to maintain critical processes through disruptions — is what OT risk management is protecting. A cyber attack that causes loss of control or loss of view in a production environment is an operational resilience failure. Risk management programs built from process-centric threat models are more effective than those built from asset-centric vulnerability lists, precisely because they start from what the organization is actually trying to protect. 
DeRISK CRQ
What is DeRISK CRQ?
DeRISK CRQ is the cyber risk quantification platform within the DeRISK Platform. It translates OT cyber exposure into dollars — Annual Expected Loss, Value at Risk, and loss exceedance probability curves — at the facility level and aggregated to the portfolio. It is powered by the URMS (Unified Risk Modeling System) engine, calibrated on more than 300 real industrial deployments across power generation, energy transmission and distribution, manufacturing, and hyperscale data centers. 
How does DeRISK CRQ collect data about a facility?
Through two complementary channels. Inside-out data comes from integration with deployed OT security tools — passive network monitoring solutions from Dragos, Claroty, Nozomi, Forescout, and Tenable — which provide device inventory, vulnerability data, and network topology without active scanning. Outside-in data comes from the DeNexus proprietary knowledge base, aggregating threat intelligence, sector-specific incident data, adversary TTPs from MITRE ATT&CK for ICS, and firmographic data. 
What financial outputs does DeRISK CRQ produce?
Four primary outputs. Annual Expected Loss (AEL): the expected annual loss expressed as a dollar figure. Value at Risk (VaR): the maximum loss at a specified confidence level. Loss exceedance probability curves: the full distribution of potential outcomes. Action points: specific controls ranked by the expected loss reduction they produce — a prioritized investment roadmap in financial terms. All outputs carry a traceable evidence chain from facility inputs through model assumptions to final numbers. 
What sectors and environments does DeRISK CRQ support?
Currently four sectors: Power Generation, Electrical Transmission and Distribution, Manufacturing, and Hyperscale/Data Centers. Each sector has a purpose-built model reflecting the operational characteristics, asset types, process interdependencies, and threat profiles specific to that industry. A natural gas generation facility and a discrete manufacturing plant face different adversaries, have different asset lifecycles, and have different financial consequences from disruption — the model accounts for all of these differences. 
How is the risk model calibrated and what makes it defensible?
The URMS engine has been calibrated on more than 300 real industrial deployments, incorporating actual facility data, observed incident outcomes, and sector-specific loss patterns. Defensibility comes from traceability: every output can be traced back to the specific inputs that produced it — facility asset count, control posture scores, network architecture characteristics, threat intelligence at the time of assessment. 
How does DeRISK CRQ support investment prioritization?
Through what-if simulation. For any proposed control investment — a network segmentation project, an endpoint detection deployment, a patch management program — the platform models the expected reduction in Annual Expected Loss. This converts every security project into an ROI calculation: investment required versus expected loss reduction. Projects can be ranked by that ratio, sequenced within real operational constraints, and presented to the CFO and board with financial justification. 
How does DeRISK CRQ handle the challenge of limited OT incident data?
Through a combination of sector-specific modeling and outside-in data enrichment. Where historical OT incident data is sparse — which is common, because OT incidents are significantly underreported — the model uses sector-specific threat profiles, adversary capability data from MITRE ATT&CK for ICS, and the DeNexus knowledge base of proprietary incident and loss data accumulated across 300+ deployments. The model is explicit about uncertainty — outputs include confidence ranges, not just point estimates. 
How does DeRISK CRQ support peer benchmarking?
The platform includes peer comparison at both site level and portfolio level, allowing operators to benchmark their AEL, VaR, and control posture against industry peers in the same sector. This serves two purposes: it validates that the risk model is producing numbers consistent with the broader industry picture, and it gives CISOs and CFOs a reference point for board conversations. 
What does the deployment process for DeRISK CRQ look like?
DeRISK CRQ deploys as SaaS on AWS. Integration with existing OT security tools — Dragos, Claroty, Nozomi, Forescout, and Tenable — typically takes one to two weeks per site. From DeNexus's experience across several hundred site deployments, data input for a single facility can be completed in as little as one week. The platform then runs 50 million simulations weekly per site to keep risk outputs current. 
Who uses DeRISK CRQ and for what decisions?
CEOs and boards use it for board-level cyber risk reporting. CFOs use it to justify cybersecurity capital expenditure, set cash reserves, and evaluate insurance program sizing. CISOs use it to prioritize remediation investments and communicate security posture in the language of the boardroom. Chief Risk Officers use it as the evidence base for risk transfer decisions. The common thread: replacing judgment-based security decisions with evidence-based financial decisions.
DeRISK QVM
What is DeRISK QVM?
DeRISK QVM (Quantified Vulnerability Management) is the OT vulnerability management financial prioritization product within the DeRISK Platform. It translates every CVE in the environment into its expected financial impact rather than its CVSS severity score. The output is not a severity-sorted list — it is a remediation roadmap ordered by financial impact, sequenced within operational constraints. 
Why is traditional vulnerability management inadequate for OT environments?
Two structural problems. First, CVSS-based prioritization ranks vulnerabilities by technical severity without regard to exploitability in the specific environment or the financial consequence of exploitation. Second, OT environments accumulate vulnerability backlogs that cannot be cleared on IT schedules — patching requires maintenance windows, vendor coordination, and operational approval. Without financial prioritization, teams work through CVEs in severity order and may spend months remediating low-consequence vulnerabilities while high-consequence ones wait. 
How does DeRISK QVM rank vulnerabilities differently from CVSS?
DeRISK QVM calculates the expected loss reduction for each CVE — the difference in Annual Expected Loss between the current state and the state where that vulnerability is remediated. This accounts for exploitability probability in the specific environment, the attack path the vulnerability enables, the asset criticality within the industrial process, and the financial consequences of the attack scenarios that path supports. A vulnerability that enables lateral movement into a Crown Jewels controller will rank higher than a vulnerability on an isolated legacy device, regardless of their relative CVSS scores. 
What does "constraint-aware sequencing" mean?
It means the remediation roadmap respects the real operational constraints of an industrial environment: maintenance windows, vendor patch availability, process uptime requirements, and staffing capacity. A theoretically optimal remediation order that requires taking production offline three times in a month is not actually optimal — it is unexecutable. DeRISK QVM sequences remediation within the constraints the organization actually operates under, producing a plan that can be implemented rather than one that looks good on paper. 
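An added example (not DeRISK QVM's code) of the prioritization described in the preceding answers and in the OT Risk Management section: actions ranked by expected loss reduction per dollar, then sequenced greedily into maintenance windows under a budget, next to a CVSS-ordered plan run under the same constraints. Costs, expected-loss reductions, CVSS values and constraints are constructed placeholders, and the VULN-* ids are not real CVE identifiers.

```python
"""Financial prioritization of OT remediation with constraint-aware sequencing.
Constructed example: costs, expected-loss reductions, CVSS values and constraints
are placeholders, not figures from any real assessment."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Action:
    """One remediation or control project as the risk model would describe it."""
    id: str
    cost_usd: float
    delta_ael_usd: float   # AEL(current) - AEL(after the action), from what-if modelling
    cvss: float            # 0.0 for projects that are not a single vulnerability
    outage_hours: float    # production downtime needed to execute (0 = no outage)


@dataclass
class Constraints:
    budget_usd: float
    windows: int             # maintenance windows in the planning horizon
    hours_per_window: float  # downtime available in each window


@dataclass
class Plan:
    scheduled: List[Tuple[int, str]] = field(default_factory=list)  # (window, action id)
    deferred: List[Tuple[str, str]] = field(default_factory=list)   # (action id, reason)
    total_cost_usd: float = 0.0
    total_delta_ael_usd: float = 0.0


def roi(a: Action) -> float:
    """Expected loss reduction per dollar invested: the ranking key the text argues for."""
    return a.delta_ael_usd / a.cost_usd


def financial_order(actions: List[Action]) -> List[Action]:
    return sorted(actions, key=roi, reverse=True)


def cvss_order(actions: List[Action]) -> List[Action]:
    """The conventional severity-first order, kept only for comparison."""
    return sorted(actions, key=lambda a: a.cvss, reverse=True)


def sequence(ordered: List[Action], c: Constraints) -> Plan:
    """Greedy constraint-aware sequencing: walk the ranked list, skip anything the budget
    cannot cover, and place each action in the earliest maintenance window with enough
    downtime left. Zero-outage actions (compensating controls, tooling) always fit."""
    plan = Plan()
    remaining = [c.hours_per_window] * c.windows
    for a in ordered:
        if plan.total_cost_usd + a.cost_usd > c.budget_usd:
            plan.deferred.append((a.id, "exceeds budget"))
            continue
        slot = next((w for w, h in enumerate(remaining) if h >= a.outage_hours), None)
        if slot is None:
            plan.deferred.append((a.id, "no maintenance window with enough downtime"))
            continue
        remaining[slot] -= a.outage_hours
        plan.scheduled.append((slot, a.id))
        plan.total_cost_usd += a.cost_usd
        plan.total_delta_ael_usd += a.delta_ael_usd
    return plan


def compare(actions: List[Action], c: Constraints) -> Dict[str, Plan]:
    """Same constraints, two orderings: shows what severity-first leaves on the table."""
    return {"financial": sequence(financial_order(actions), c),
            "cvss": sequence(cvss_order(actions), c)}


SAMPLE_ACTIONS = [  # constructed; VULN-* are placeholders, not real CVE identifiers
    Action("VULN-B", 15_000, 30_000, 9.8, 6),     # critical CVSS, isolated legacy device
    Action("VULN-A", 40_000, 900_000, 7.5, 4),    # enables a path to a Crown Jewels controller
    Action("VULN-C", 10_000, 120_000, 8.1, 3),
    Action("SEG", 500_000, 2_000_000, 0.0, 8),    # IT/OT boundary segmentation project
    Action("EOL-ISO", 25_000, 400_000, 0.0, 0),   # isolate an end-of-life HMI (no patch exists)
    Action("SCAN", 200_000, 100_000, 0.0, 0),     # additional scanning tool
]
SAMPLE_CONSTRAINTS = Constraints(budget_usd=600_000, windows=2, hours_per_window=8)

if __name__ == "__main__":
    for name, plan in compare(SAMPLE_ACTIONS, SAMPLE_CONSTRAINTS).items():
        print(name, plan)
```

With the constructed inputs the financial plan buys $3.42M of expected loss reduction for $575K while the CVSS-first plan, under the same two windows and budget, buys $1.55M and leaves the segmentation project unscheduled.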
How does DeRISK QVM integrate with existing OT security tools?
Through the same connector framework as DeRISK CRQ — integrations with Dragos, Claroty, Nozomi, Forescout, and Tenable provide the vulnerability data, asset context, and network topology that QVM needs as inputs. The financial prioritization layer sits on top of the vulnerability intelligence these tools already produce. QVM does not replace existing vulnerability detection tools — it translates their output into financial terms and produces an operationally executable prioritization. 
How does QVM help CISOs communicate with CFOs?
By converting vulnerability remediation from a technical to a financial conversation. Instead of presenting a list of 847 CVEs and a request for budget, a CISO using DeRISK QVM can present: "Our top 20 remediation projects, if executed in the recommended sequence, reduce our Annual Expected Loss by $3.1M at a total implementation cost of $680K." That is a capital allocation conversation, not a security briefing. 
What governance framework outputs does DeRISK QVM produce?
QVM produces control and remediation outputs mapped to NIST CSF, ISO 27001, and the DeNexus proprietary framework (DNX CSF). This means every remediation recommendation can be cross-referenced to the framework requirement it addresses, simplifying regulatory reporting, board governance documentation, and audit preparation. Organizations subject to NIS2, NERC CIP, or other compliance frameworks can use QVM outputs directly in their compliance documentation. 
How does DeRISK QVM handle end-of-life assets?
By modeling them explicitly as a risk factor rather than flagging them for impossible remediation. Many OT environments have legacy devices for which vendor patches no longer exist. QVM accounts for the elevated risk these assets represent in the financial model and recommends compensating controls — network isolation, enhanced monitoring, access restrictions — that reduce their contribution to expected loss without requiring remediation that is not available. 
Is DeRISK QVM a standalone product or does it require DeRISK CRQ?
QVM shares the CRQ platform infrastructure and connector framework, and the financial prioritization in QVM is grounded in the same risk model used by CRQ. In practice, most deployments include both — CRQ for portfolio-level financial risk visibility and QVM for operational-level remediation planning. The two products share data and connectors, so there is no incremental integration effort for organizations deploying both. 
How does DeRISK QVM improve over time?
The underlying risk model is updated continuously as new vulnerability data, threat intelligence, and incident information enters the DeNexus knowledge base. New CVE disclosures are incorporated immediately. Sector-specific incident data updates the financial loss parameters. If the threat landscape shifts — a new adversary campaign targets a specific vendor's equipment — that shift is reflected in the financial prioritization the next time QVM calculates expected loss reduction for vulnerabilities in that vendor's products. 
DeRISK UWA Agentic
What is DeRISK UWA Agentic?
DeRISK UWA Agentic is the industrial cyber insurance underwriting platform built on agentic AI. It accepts insurance submissions in any format and produces a full actuarial output in 10 to 20 minutes: Annual Expected Loss, Value at Risk, loss exceedance curves, a structured insurance program with coverage terms, and explicit binding conditions with deadlines. It is built on a five-agent architecture — Ingestion, IT Risk, OT Risk, CTI, and Financial Logic — each performing a specialized role in the underwriting workflow. 
Who is DeRISK UWA Agentic designed for?
Primarily for insurers, reinsurers, and brokers underwriting industrial cyber risk. Underwriters use it as a complete cyber risk assessment tool for underwriting — from submission intake to binding-ready actuarial output in minutes rather than hours or days. Actuaries use the loss model output for reserve setting and loss ratio analysis. Chief Underwriting Officers use portfolio-level accumulation modeling. Chief Risk Officers at industrial operators use it as the bridge between internal CRQ evidence and external risk transfer.
How does the five-agent pipeline work?
The pipeline runs five specialist agents in sequence. The Ingestion Agent normalizes the submission. The IT Risk Agent evaluates IT security controls against NIST CSF and ISO 27001. The OT Risk Agent performs the OT cyber insurance assessment specifically against IEC 62443 and NIST SP 800-82. The CTI Agent injects real-time threat intelligence, re-scoring the risk if relevant vulnerabilities are disclosed during underwriting. The Financial Logic Agent runs the actuarial calculation — AEL, VaR, and the Occurrence Exceedance Probability (OEP) curve used for premium indication.
What is the "Sound of Silence" methodology and why does it matter?
Sound of Silence is the principle that unanswered questions are treated as risk signals, not neutral data. When an applicant leaves OT security questions blank, a generic AI averages around the missing data. DeRISK UWA Agentic flags the omissions explicitly — calculating separate confidence scores for IT and OT domains and flagging the structural gap between them. In one documented validation case, an applicant with strong IT controls left 72% of OT questions unanswered. UWA flagged it as a high-risk structural pattern and recommended referral. 
What questionnaire formats does DeRISK UWA Agentic support?
UWA has been pre-trained on questionnaire formats from Aon, AXA XL, Beazley, DB Insurance, Lockton, Marsh, STREAM, and generic OT/ICS supplementals and ransomware supplementals. It can also be configured for proprietary carrier formats on demand. The Ingestion Agent is format-agnostic — PDF, Excel, Word, images, JSON, XML — and maps fields to the DeNexus schema regardless of the source format. 
How does DeRISK UWA Agentic handle the OT-specific complexity that generic AI tools miss?
Through the dedicated OT Risk Agent, which evaluates industrial security posture against OT-specific standards and is specifically trained to distinguish between IT and OT control quality. It recognizes that strong IT controls say very little about OT security posture. An organization with a world-class IT security program and an unmonitored, flat OT network is a high OT cyber risk regardless of its IT score. Generic AI tools applying a single generalist model cannot make this distinction reliably. 
What does the actuarial output look like?
It includes: Annual Expected Loss in dollars, Value at Risk at specified confidence levels, an Occurrence Exceedance Probability curve showing the full loss distribution, a structured insurance program recommendation with explicit coverage terms and binding conditions, and a premium indication. Every number traces back to the specific inputs and agent reasoning that produced it. The system also surfaces missing data explicitly, so underwriters know what information gaps exist before making a binding decision. 
How does DeRISK UWA Agentic protect customer data?
Through an in-context learning architecture that processes submission data in an isolated session context and does not use it to train any model or update any model weights. Client data is never used to improve other clients' outputs. The platform is SOC 2 Type II certified and encrypts data in transit (TLS 1.3) and at rest (AES-256). For insurers with strict data residency requirements, single-tenant and private deployment options are available on AWS, Azure, or GCP. 
How does DeRISK UWA Agentic integrate with existing underwriting systems?
Via API and sidecar integration. UWA can connect to existing binding workflow systems, including Guidewire and Rulebook, to ingest submissions and return structured data plus the PDF report within the existing underwriting workflow. The system supports SSO and RBAC integration with enterprise identity providers (Okta, Microsoft Entra ID, formerly Azure AD), with role-specific access. All access is logged for audit purposes. 
What regulatory requirements does DeRISK UWA Agentic cover?
The platform maps outputs to 28 regulatory requirements across four regulatory regimes: US (NAIC), UK (FCA), the Lloyd's market, and EU (EIOPA). This means every actuarial output is produced in a form that meets the documentation and evidence requirements of the relevant regulatory framework, whether the underwriter is writing London market, US admitted, or EU domestic business. 
How does DeRISK UWA Agentic support cyber insurance accumulation modeling?
By producing structured, comparable risk outputs for every submission in the book. Each output includes scenario-level loss data, expressed as AEL, VaR, and OEP curves, that portfolio accumulation models can consume directly. For CUOs managing systemic OT cyber exposure, this turns individual risk assessments into portfolio-level insight. 
Agentic AI
What is Agentic AI and how is it different from generative AI?
Generative AI is passive. It waits for a prompt, produces an output, and stops. Agentic AI is active. An agent perceives its environment, sets sub-goals, uses tools, evaluates its own output, and executes multi-step workflows to complete a complex task without requiring human input at each step. The difference is between an AI that answers "how do I underwrite this risk?" and an AI that underwrites it — reading the submission, querying threat intelligence, running the actuarial calculation, producing the report, and flagging the gaps that require human review. 
What does a multi-agent architecture mean and why does it produce better results than a single model?
A multi-agent architecture assigns different specialized roles to different agents — each trained, prompted, and tooled for a specific task — and orchestrates them to work together. A single generalist model trying to simultaneously extract data, evaluate OT security controls, query threat intelligence, and calculate premium indications produces mediocre results across all four tasks. A team of specialist agents produces expert-level results in each domain. The quality improvement comes from specialization: narrow, well-defined roles reduce hallucination, improve consistency, and allow each agent to be independently calibrated and validated. 
What is RAG (Retrieval Augmented Generation) and why does it matter for industrial cyber insurance?
RAG connects an AI agent to a private, curated knowledge base — allowing it to retrieve relevant, up-to-date information at inference time rather than relying solely on its training data. For industrial cyber insurance, this matters because threat intelligence changes daily and the specific technical characteristics of deployed industrial equipment are not in any public AI training dataset. DeRISK UWA Agentic's agents are RAG-enhanced — the OT Risk Agent has open-book access to OT security standards and the DeNexus knowledge base. 
What is the "Sound of Silence" principle and why can't generic AI replicate it?
Sound of Silence is the principle that missing data in an insurance submission is itself a risk signal. Generic AI models treat missing fields as unknown — they average around gaps or ignore them. DeRISK UWA Agentic's agents are specifically trained to flag omissions as structural risk patterns, calculating separate confidence scores for IT and OT domains and surfacing the gap between strong IT disclosure and absent OT disclosure as a distinct risk finding. This requires domain-specific training and OT expertise embedded in the agent's evaluation logic. 
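The bifurcated scoring described above, as an added example that is not DeNexus code: a constructed questionnaire schema assigns each field to the IT or OT domain with an illustrative weight, a per-domain disclosure confidence is computed as the weighted share of fields that carry a real answer (placeholders such as "N/A" count as silence), every omitted OT field becomes its own finding, and a high IT score beside a low OT score raises a separate asymmetry finding. Field names, weights, the `NON_ANSWERS` list and the 0.8/0.4 thresholds are assumptions; each finding carries whatever evidence (source document and page) the submission offered for that field, so the score stays traceable.

```python
"""Bifurcated IT/OT disclosure scoring ("Sound of Silence" style).
Constructed example: schema, weights and thresholds are assumptions,
not the DeNexus schema or the DeRISK UWA agent logic."""
from dataclasses import dataclass, field

# Constructed questionnaire schema: field -> (domain, weight). Weights are
# illustrative; OT inventory and segmentation weigh more because their
# absence hides the most consequence-relevant information.
SCHEMA = {
    "it.edr_deployed":          ("IT", 1.0),
    "it.mfa_remote_access":     ("IT", 1.0),
    "it.backups_tested":        ("IT", 1.0),
    "it.phishing_training":     ("IT", 0.5),
    "ot.asset_inventory":       ("OT", 1.5),
    "ot.it_ot_segmentation":    ("OT", 1.5),
    "ot.remote_access_control": ("OT", 1.0),
    "ot.network_monitoring":    ("OT", 1.0),
    "ot.plc_config_backup":     ("OT", 0.5),
}
# Assumed placeholder strings that look like answers but disclose nothing.
NON_ANSWERS = {"", "n/a", "na", "unknown", "tbd", "see attached"}


@dataclass
class Finding:
    kind: str
    field_name: str
    detail: str
    evidence: dict = field(default_factory=dict)  # what the submission did say


def is_missing(answer) -> bool:
    """A field is 'silent' if absent, None, or a non-answer placeholder."""
    if answer is None:
        return True
    value = answer.get("value") if isinstance(answer, dict) else answer
    return value is None or str(value).strip().lower() in NON_ANSWERS


def domain_confidence(submission: dict, domain: str):
    """Weighted share of the domain's fields that carry a real answer,
    plus the list of silent fields."""
    total = answered = 0.0
    missing = []
    for name, (dom, weight) in SCHEMA.items():
        if dom != domain:
            continue
        total += weight
        if is_missing(submission.get(name)):
            missing.append(name)
        else:
            answered += weight
    return (answered / total if total else 0.0), missing


def assess(submission: dict, it_high: float = 0.8, ot_low: float = 0.4) -> dict:
    """Score IT and OT separately and turn silence into explicit findings."""
    it_conf, it_missing = domain_confidence(submission, "IT")
    ot_conf, ot_missing = domain_confidence(submission, "OT")
    findings = []
    for name in ot_missing:
        findings.append(Finding("ot_omission", name,
                                "OT control not disclosed; scored as a risk signal, not a neutral unknown",
                                evidence=dict(submission.get(name) or {})))
    for name in it_missing:
        findings.append(Finding("it_omission", name, "IT control not disclosed",
                                evidence=dict(submission.get(name) or {})))
    if it_conf >= it_high and ot_conf <= ot_low:
        findings.append(Finding(
            "it_ot_disclosure_asymmetry", "*",
            f"IT disclosure {it_conf:.0%} vs OT disclosure {ot_conf:.0%}: "
            "thorough IT answers beside a silent OT section is a structural risk pattern"))
    # Provenance for every answered field so each number traces to a page.
    provenance = {name: {k: v for k, v in ans.items() if k in ("source", "page")}
                  for name, ans in submission.items()
                  if isinstance(ans, dict) and not is_missing(ans)}
    return {"it_confidence": round(it_conf, 3), "ot_confidence": round(ot_conf, 3),
            "findings": findings, "provenance": provenance}


# Constructed submission: thorough IT section, OT section almost silent.
SAMPLE_SUBMISSION = {
    "it.edr_deployed":       {"value": "yes", "source": "supplemental.pdf", "page": 2},
    "it.mfa_remote_access":  {"value": "yes", "source": "supplemental.pdf", "page": 2},
    "it.backups_tested":     {"value": "quarterly", "source": "supplemental.pdf", "page": 3},
    "it.phishing_training":  {"value": "annual", "source": "supplemental.pdf", "page": 3},
    "ot.plc_config_backup":  {"value": "yes", "source": "supplemental.pdf", "page": 5},
    "ot.network_monitoring": {"value": "N/A", "source": "supplemental.pdf", "page": 5},
}

if __name__ == "__main__":
    result = assess(SAMPLE_SUBMISSION)
    print("IT confidence:", result["it_confidence"], "OT confidence:", result["ot_confidence"])
    for f in result["findings"]:
        print(f"{f.kind:28} {f.field_name:26} {f.detail}")
```

On the constructed submission the IT score is 1.0 while the OT score is about 0.09 (only the 0.5-weight PLC backup field is answered; the "N/A" in network monitoring is scored as silence and recorded as evidence), so the asymmetry finding fires alongside four OT omission findings.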
How do Agentic AI systems handle uncertainty and avoid hallucination?
Several mechanisms in combination. Structured agent roles reduce variance: each agent has a narrowly defined task. Temperature controls run analytical agents at low or zero temperature, which reduces (but does not by itself eliminate) output variance. RAG has agents retrieve facts from a curated knowledge base rather than generating them from training data. Confidence scoring flags fields where the agent is uncertain. The Financial Logic Agent uses deterministic actuarial calculations, a Monte Carlo simulation with fixed parameters and a fixed random seed so that the same inputs always produce the same numbers, rather than having an LLM estimate a financial number. 
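The deterministic actuarial calculation described here, and the AEL, VaR and OEP outputs described under "What does the actuarial output look like?" and the accumulation modeling question, as one added example that is not DeNexus code: a seeded frequency-times-severity Monte Carlo (Poisson incident count, lognormal loss per incident) over simulated policy years, from which Annual Expected Loss, Value at Risk at chosen confidence levels and an Occurrence Exceedance Probability curve are read off the simulated distribution. The parameter values, the number of simulated years and the seed are illustrative assumptions, not DeNexus calibration.

```python
"""Seeded frequency x severity Monte Carlo producing AEL, VaR and an OEP curve.
Constructed example; parameter values are assumptions, not DeNexus calibration."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    annual_rate: float       # expected OT incidents per year (Poisson lambda)
    severity_median: float   # USD median loss per incident (lognormal)
    severity_sigma: float    # lognormal log-space std dev (tail heaviness)
    years: int = 20_000      # simulated policy years
    seed: int = 20240601     # fixed seed: same inputs -> same numbers


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small lambdas typical of OT incidents."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(model: LossModel):
    """Per simulated year: (aggregate annual loss, largest single occurrence)."""
    rng = random.Random(model.seed)          # seeded -> repeatable
    mu = math.log(model.severity_median)     # lognormal median = exp(mu)
    aggregate, occurrence = [], []
    for _ in range(model.years):
        n = _poisson(rng, model.annual_rate)
        losses = [rng.lognormvariate(mu, model.severity_sigma) for _ in range(n)]
        aggregate.append(sum(losses))
        occurrence.append(max(losses, default=0.0))
    return aggregate, occurrence


def annual_expected_loss(aggregate) -> float:
    return sum(aggregate) / len(aggregate)


def value_at_risk(aggregate, confidence: float) -> float:
    """Empirical quantile of aggregate annual loss, e.g. confidence=0.99."""
    ordered = sorted(aggregate)
    idx = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]


def oep_curve(occurrence, thresholds):
    """Occurrence Exceedance Probability: P(largest single loss in a year > x)."""
    n = len(occurrence)
    return [(x, sum(1 for o in occurrence if o > x) / n) for x in thresholds]


def actuarial_output(model: LossModel) -> dict:
    """The three headline numbers an accumulation model would consume."""
    aggregate, occurrence = simulate(model)
    thresholds = [0, 1e6, 5e6, 10e6, 25e6, 50e6]
    return {
        "AEL": annual_expected_loss(aggregate),
        "VaR": {c: value_at_risk(aggregate, c) for c in (0.95, 0.99)},
        "OEP": oep_curve(occurrence, thresholds),
    }


# Constructed parameters: one incident every two years, $2M median loss, heavy tail.
EXAMPLE_MODEL = LossModel(annual_rate=0.5, severity_median=2_000_000, severity_sigma=1.0)

if __name__ == "__main__":
    out = actuarial_output(EXAMPLE_MODEL)
    print(f"AEL: ${out['AEL']:,.0f}")
    for c, v in out["VaR"].items():
        print(f"VaR {c:.0%}: ${v:,.0f}")
    for x, p in out["OEP"]:
        print(f"OEP > ${x:>12,.0f}: {p:.4f}")
```

Because the generator is seeded, running `simulate` twice on the same `LossModel` returns identical lists, which is what makes the output defensible to an auditor. The analytic check is that AEL should sit near lambda times the lognormal mean (median times exp(sigma squared over two)), and the OEP at a zero threshold should approach the probability of at least one incident, 1 minus exp(minus lambda).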
What are the levels of AI autonomy and where does DeRISK UWA Agentic sit?
Level 1 is notification. Level 2 is recommendation. Level 3 is conditional automation: AI executes within defined parameters with human oversight. Level 4 is high automation: AI operates independently on standard cases, escalating exceptions. Level 5 is full autonomy. DeRISK UWA Agentic operates at Level 3–4 depending on risk type. For standard risks, it operates in Auto-Pilot mode, producing a binding-ready output. For complex or borderline risks, it operates in Co-Pilot mode, flagging the submission for human review with the reasoning made explicit. 
How does DeRISK UWA Agentic ensure its AI outputs are auditable and explainable?
The platform is designed for traceability as a first principle. Every finding traces back to a specific source document, page number, and agent reasoning step. The chain of thought — why a particular flag was raised, what evidence supported it, what evidence was missing — is preserved and viewable. If a regulatory auditor or senior underwriter challenges an output, the full reasoning chain is available for review. The system retains a comprehensive audit log of inputs, transformations, and outputs for every submission processed. 
How does DeRISK UWA Agentic use Cyber Threat Intelligence (CTI) in real time?
Through the CTI Agent, which continuously monitors live advisory feeds (CISA, MITRE, and vendor alerts) and extracts adversary TTPs and specific product vulnerabilities. If a vulnerability affecting a technology stack present in an active submission, a zero-day for example, is disclosed during the underwriting process, the CTI Agent interrupts the workflow to update the risk assessment before the output is finalized. Every CTI-driven risk flag includes a citation with source type and timestamp. 
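The matching and interrupt step described above, as an added example that is not the DeNexus CTI Agent: constructed advisory records (fictional vendor and product names, placeholder advisory IDs, an assumed `affected_versions` constraint syntax) are matched against a submission's asset inventory by normalized vendor/product name and version constraint, each hit carries a citation with source type and timestamp, and any hit whose advisory was published after the assessment started is returned separately as the set that must interrupt the workflow before the output is finalized. No real product, vulnerability or advisory is referenced.

```python
"""Match constructed advisories against a submission's asset inventory and
decide whether an in-flight assessment must be re-run.
Constructed example: vendor, product, advisory IDs and feed format are
assumptions, not real advisories or the DeNexus CTI Agent."""
import re
from datetime import datetime, timezone


def parse_version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); compares lexicographically as tuples."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_affected(version: str, constraint: str) -> bool:
    """Assumed constraint syntax: comma-separated clauses, e.g. '>=2.0,<2.4.1';
    every clause must hold for the version to be in the affected range."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def _norm(s: str) -> str:
    """Case/punctuation-insensitive name key ('Acme Automation' == 'acme-automation')."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def match_advisories(assets, advisories):
    """Every (asset, advisory) pair where the asset's version is affected,
    each with a citation (source type + publication timestamp)."""
    flags = []
    for adv in advisories:
        for asset in assets:
            if _norm(asset["vendor"]) != _norm(adv["vendor"]):
                continue
            if _norm(asset["product"]) != _norm(adv["product"]):
                continue
            if version_affected(asset["version"], adv["affected_versions"]):
                flags.append({
                    "asset": asset["id"], "zone": asset["zone"],
                    "advisory": adv["id"], "ttps": list(adv["ttps"]),
                    "citation": {"source_type": adv["source_type"],
                                 "published": adv["published"]},
                })
    return flags


def needs_reassessment(flags, assessment_started: datetime):
    """Flags whose advisory appeared after the assessment began: these must
    interrupt the workflow, everything older was already in the inputs."""
    return [f for f in flags
            if datetime.fromisoformat(f["citation"]["published"]) > assessment_started]


# Constructed submission asset inventory (fictional vendor/products).
ASSETS = [
    {"id": "PLC-01", "vendor": "Acme Automation", "product": "AcmeLogix", "version": "2.3.0", "zone": "Level 1 control"},
    {"id": "PLC-02", "vendor": "Acme Automation", "product": "AcmeLogix", "version": "2.5.0", "zone": "Level 1 control"},
    {"id": "HMI-07", "vendor": "Acme Automation", "product": "AcmeView",  "version": "5.1",   "zone": "Level 2 supervisory"},
]
# Constructed advisory records; IDs are placeholders, not CVE or ICSA numbers.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "source_type": "vendor advisory", "published": "2025-06-03T14:00:00+00:00",
     "vendor": "acme-automation", "product": "AcmeLogix", "affected_versions": "<2.4.1",
     "ttps": ["T0886 Remote Services", "T0831 Manipulation of Control"]},
    {"id": "ADV-CONSTRUCTED-002", "source_type": "ICS advisory feed", "published": "2025-05-20T09:00:00+00:00",
     "vendor": "Acme Automation", "product": "AcmeView", "affected_versions": "<5.2",
     "ttps": ["T0883 Internet Accessible Device"]},
]
ASSESSMENT_STARTED = datetime(2025, 6, 3, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    flags = match_advisories(ASSETS, ADVISORIES)
    for f in flags:
        print(f"{f['asset']} ({f['zone']}) hit by {f['advisory']} "
              f"[{f['citation']['source_type']} @ {f['citation']['published']}]")
    urgent = needs_reassessment(flags, ASSESSMENT_STARTED)
    print("interrupt workflow for:", [f["asset"] for f in urgent])
```

On the constructed data both PLC-01 and HMI-07 are flagged, but only the PLC-01 advisory was published after the assessment started, so only that flag forces the in-flight assessment to be re-run; the HMI finding was already available when the inputs were gathered. The version comparison is deliberately simple (integer tuples), which is enough for dotted releases but would need vendor-specific handling for firmware strings with letters or build suffixes.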
What enterprise security and data governance standards does Agentic AI need to meet for insurance deployment?
At minimum: data isolation between clients, processing within the client's chosen deployment boundary, encryption in transit and at rest, customer-managed key support, RBAC integration with enterprise identity providers, comprehensive audit logging, configurable retention and purge schedules, and regulatory compliance documentation. DeRISK UWA Agentic meets all of these. The platform uses in-context learning rather than fine-tuning, which means client submission data is never used to update model weights. 
What is the practical business case for deploying Agentic AI in insurance underwriting?
Three dimensions: speed, quality, and scale. Speed: submission to full actuarial output in 10–20 minutes versus 10–30 hours of manual assessment, a cycle time reduction of at least 30x. Quality: OT-specific evaluation that generic tools and manual processes cannot match, including Sound of Silence detection, real-time CTI injection, and bifurcated IT/OT confidence scoring. Scale: underwriters can process significantly more submissions with the same team, focus human judgment on complex risks, and apply consistent evaluation criteria across the entire book. 