March 5, 2026

The Difference Between Vuln Severity and Financial Exposure

Robert "RSnake" Hansen


Insurers price the probability and magnitude of loss. Security teams, by contrast, often prioritize technical “severity.” Those two lenses only partially overlap, and the gap is where underwriting accuracy and the performance of an insurer’s customer portfolio are won or lost.

Technical severity is an engineering construct, devoid of many things one typically thinks of when considering risk. It aggregates attributes such as exploit complexity, impact scope (for a theoretical organization rather than a real one), and preconditions into a score. CVSS, the most common scoring framework, was designed to standardize communication among practitioners, not to estimate claim frequency or payout size, though in fairness it predates the cyber insurance industry.

A “critical” rating indicates potential technical impact under defined conditions. It does not assert that exploitation will occur at scale, that it will produce business interruption, or that it will trigger insured costs. And yet it is one of the most ubiquitous signals the cybersecurity industry relies on, and therefore many of its customers rely on it too.

Financial exposure is an actuarial construct. It is driven by empirical data: which weaknesses are repeatedly exploited in the wild, which of those events translate into business loss, how often they lead to a loss, what industries and controls were in scope, and how large those losses are when they occur. Carriers price portfolios using observed loss drivers, not what the security industry has standardized on, and not theoretical impact.

As insurers have found, in practice, only a small fraction of vulnerabilities accounts for a disproportionate share of claims. These are the exposures that correlate with ransomware payments, prolonged downtime, regulatory action, and litigation. Many high-severity findings never cross that threshold, because it turns out adversaries don’t care about CVSS base scores, or theoretical severity. They care about what works.

When security teams chase severity, remediation capacity is consumed by items that look alarming but have weak or no historical link to insured loss. The residual risk that remains after industry standard “best effort” patching can still be dominated by a narrow set of routinely exploited weaknesses that did not necessarily stand out in a report. From an underwriting perspective, all of this is busy work and ultimately wasted effort, because the risk remains. And from a pricing perspective, variance increases because the insured’s control posture is measured against a metric (CVSS base score) that is not calibrated to loss.

The industry already recognizes the value of empirical exploitation signals. Lists of known exploited vulnerabilities curated by organizations such as CISA have improved situational awareness of at least some of the vulnerabilities that lead to breach, even if they do not perfectly overlap with losses. CISA’s Known Exploited Vulnerabilities (KEV) catalog specifically addresses breaches, which can include nation-state activity that intentionally flies under the radar and never leads to a claim or loss, or has not to date. Those intrusions rarely end up converting into a loss; nation states act differently from financial adversaries.

Consider two categories that emerge from claims and incident response data. One group is composed of exposures that repeatedly lead to material loss events. These are economically meaningful risk drivers because they map to the frequency and severity of losses. A second group includes exposures that facilitate compromise and lateral movement but do not consistently produce insured loss on their own. The two groups should not be priced or prioritized as if they were equivalent. Conflating them creates risk across the book of business. So while breaches might be bad, they should be treated differently from losses.
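As an added example that is not part of the original post, the following Python ranks a constructed set of findings two ways: by CVSS base score and by an expected-loss proxy built from known-exploited status and the two claims-derived groups described above. The probabilities, asset values and identifiers are all assumed for illustration, not fitted from any real claims data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str          # placeholder label, not a real CVE id
    cvss: float         # CVSS base score from the scanner report
    in_kev: bool        # listed in a known-exploited catalogue such as CISA KEV
    group: str          # "loss_driver", "facilitator" or "other" (taxonomy assumed here)
    asset_value: float  # constructed estimate of loss magnitude if this asset is hit


# Assumed, illustrative probabilities. A carrier would fit these from its own claims data.
P_EXPLOIT = {True: 0.30, False: 0.02}  # annual chance of exploitation by KEV status
P_LOSS_GIVEN_EXPLOIT = {"loss_driver": 0.60, "facilitator": 0.10, "other": 0.02}


def expected_loss(f: Finding) -> float:
    """Exposure proxy: P(exploited) * P(insured loss | exploited) * magnitude."""
    return P_EXPLOIT[f.in_kev] * P_LOSS_GIVEN_EXPLOIT[f.group] * f.asset_value


def rank_by_cvss(findings):
    """The 'severity' lens: highest base score first."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_exposure(findings):
    """The 'financial exposure' lens: highest expected loss first."""
    return [f.ident for f in sorted(findings, key=expected_loss, reverse=True)]


def top_n_overlap(findings, n):
    """How many of the top-n items the two lenses agree on."""
    return len(set(rank_by_cvss(findings)[:n]) & set(rank_by_exposure(findings)[:n]))


# Constructed sample findings (identifiers and numbers are made up).
SAMPLE = [
    Finding("F-1", 9.8, False, "other", 200_000),         # alarming score, no exploitation history
    Finding("F-2", 7.5, True, "loss_driver", 1_000_000),  # routinely exploited, tied to claims
    Finding("F-3", 8.8, True, "facilitator", 500_000),    # exploited, but only aids lateral movement
    Finding("F-4", 5.3, True, "loss_driver", 300_000),    # "medium" score, yet a known loss driver
    Finding("F-5", 9.1, False, "facilitator", 400_000),   # high score, no exploitation history
]

if __name__ == "__main__":
    print("by CVSS:    ", rank_by_cvss(SAMPLE))
    print("by exposure:", rank_by_exposure(SAMPLE))
    print("top-2 agreement:", top_n_overlap(SAMPLE, 2))
```

With these assumed inputs the two orderings share none of their top two items, which is the divergence the post describes: the item that dominates expected loss carries only a 7.5 base score.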

For carriers, closing the gap between vulnerability severity and financial exposure amounts to pricing discipline. When the measurement system reflects what actually produces claims, risk selection sharpens, capital is deployed more efficiently, and the conversation with insureds moves from technical posture to economic risk.
