Safeguard
SBOM

SBOM adoption in underwriting and actuarial software

Insurers price risk with software built on unvetted open-source code. Here's how SBOM underwriting software closes that blind spot.

Marina Petrov
Compliance Analyst
7 min read

In March 2022, a mid-sized commercial insurer discovered its underwriting rating engine had quietly depended on a vulnerable XML parser for over two years, a library nobody on the actuarial team had ever heard of, buried four layers deep inside a third-party risk-scoring package. The flaw let attackers trigger remote code execution on the server that priced thousands of commercial property policies. This is the exact blind spot driving demand for SBOM underwriting software: insurers now realize the statistical rigor they apply to catastrophe models and mortality tables has to extend to the code running those models. A software bill of materials, a machine-readable inventory of every library and dependency inside an application, turns opaque underwriting logic into something that can be audited, patched, and trusted. For an industry built on quantifying risk, unquantified software risk is an expensive blind spot.

What Is SBOM Underwriting Software, and Why Does It Matter Now?

SBOM underwriting software is any tooling that generates, ingests, or continuously monitors the software bill of materials behind the applications insurers use to price, bind, and administer policies, from rating engines to policy administration systems to the actuarial models that feed them. It matters now because the underwriting stack has quietly become one of the most dependency-heavy pieces of software in the enterprise. A typical actuarial pricing module or rules engine is stitched together from dozens of open-source statistical libraries (think NumPy, pandas, or R packages), commercial rating APIs, and internal microservices, and industry benchmarks like the Synopsys Open Source Security and Risk Analysis report consistently find that 70 to 90 percent of the code in commercial applications originates from open source. Insurers cannot manually track that. An SBOM turns "we think we know what's in our rating engine" into a queryable, version-pinned inventory that security and actuarial teams can both act on.

How Exposed Is Actuarial Software Security to Open-Source Vulnerabilities?

Actuarial software security is more exposed than most insurers assume, because the same handful of widely reused libraries that make actuarial development fast also make it a concentrated target. When the Log4Shell vulnerability (CVE-2021-44228) was disclosed on December 9, 2021, it affected an estimated hundreds of millions of devices and applications worldwide because Apache Log4j was embedded in so much enterprise Java software, including policy administration systems, claims platforms, and the application servers running actuarial modeling tools. Security teams at insurers spent weeks in early 2022 trying to answer a simple question they couldn't answer quickly: "does our rating engine use Log4j, and if so, which version?" Without an existing SBOM, that question required manually decompiling JAR files or waiting on vendor disclosures. Insurers with SBOMs in place for their actuarial toolchains were able to query the answer in minutes instead of weeks, and that gap in response time is precisely what SBOM underwriting software is built to close.

What Happens When Underwriting Platform Vulnerabilities Go Unpatched?

Underwriting platform vulnerabilities that go unpatched create both a security incident and a data-integrity incident, because a compromised rating engine can leak or silently manipulate the pricing logic and applicant data it holds. The 2023 MOVEit Transfer breach is a useful illustration of scale even though MOVEit itself is a file-transfer tool rather than a rating engine: a single unpatched SQL injection flaw (CVE-2023-34362) in one vendor's product was exploited by the Clop ransomware group to compromise more than 2,600 organizations, several of them insurers and their third-party administrators, exposing policyholder and claims data that had simply been sitting in a system nobody thought to audit for that specific vulnerability. Underwriting platforms carry an even more sensitive payload than a file-transfer tool: applicant financials, health data for life and disability lines, property valuations, and the pricing algorithms themselves. A single unpatched dependency in a rating engine is not just a downtime risk, it is a data breach and a potential market-conduct and pricing-fairness problem rolled into one.

Why Does the Insurance Risk Modeling Software Supply Chain Need Its Own Playbook?

The insurance risk modeling software supply chain needs its own playbook because catastrophe models, mortality tables, and rating algorithms are built by a small, specialized vendor ecosystem where the same modeling libraries and data feeds get reused across dozens of insurers simultaneously. When a vulnerability surfaces in a widely used catastrophe modeling library or in a statistical package like a specific R or Python distribution used across the reinsurance sector, the blast radius is not one company, it is potentially the pricing infrastructure of an entire line of business. This is structurally different from generic enterprise IT, where a vulnerable HR system affects one company's employees. A vulnerable dependency in a widely licensed actuarial model can quietly distort risk pricing across the market before anyone notices, because the flaw doesn't always announce itself as a crash, it can announce itself as a subtly wrong loss ratio six months later. That is why supply chain visibility in this sector has to include not just security patch status but version drift: is the production pricing model actually running the dependency version the actuaries validated?

Are Regulators Starting to Require SBOMs in Insurance Technology?

Yes, regulatory pressure for SBOMs in insurance technology is accelerating, and it is arriving from two directions at once. On the U.S. side, Executive Order 14028, signed in May 2021, required software vendors selling to federal agencies to provide SBOMs, and the NAIC Insurance Data Security Model Law, already adopted in more than 20 states, obligates insurers to maintain a comprehensive information security program that increasingly gets interpreted by examiners to include third-party and open-source component risk. New York's amended DFS Cybersecurity Regulation (23 NYCRR 500), which added stricter third-party service provider oversight requirements effective in 2023 and 2024, pushes in the same direction. On the international side, the EU Cyber Resilience Act, which entered into force in December 2024 with core obligations phasing in through 2027, requires manufacturers of software with digital elements to maintain and be able to produce an SBOM on request. Gartner had already predicted in 2022 that 60 percent of organizations doing business with government entities would require SBOMs from their software suppliers by 2025. Insurers selling into public-sector lines, or simply trying to get ahead of examiners, are feeling that pressure now, not in some hypothetical future audit cycle.

How Safeguard Helps

Safeguard gives insurers, MGAs, and actuarial software vendors a continuous, automated way to generate and monitor SBOMs across the entire underwriting stack, from rating engines and policy administration systems to the third-party statistical libraries embedded in pricing models. Instead of a one-time SBOM snapshot generated for a compliance checklist, Safeguard tracks dependency changes as code ships, flags newly disclosed CVEs against the exact library versions running in production, and maps each vulnerability to the specific underwriting application it touches, so a security team can tell an actuarial lead within minutes whether a new CVE affects the commercial property rating engine, the life pricing model, or neither. That mapping matters more in this sector than almost any other, because the cost of a false alarm (pulling a validated actuarial model out of production for a vulnerability that doesn't actually apply) is measured in delayed underwriting decisions, not just engineering time.

Safeguard also helps insurers respond to the regulatory reality described above without building a parallel compliance program from scratch. Its SBOM output is generated in the industry-standard CycloneDX and SPDX formats, so the same artifact that satisfies an EU Cyber Resilience Act request or an NAIC examiner's third-party risk questionnaire is the artifact security teams already use day to day for vulnerability triage. For insurers evaluating a new actuarial platform vendor, or building underwriting software in-house, that means supply chain due diligence stops being a manual, spreadsheet-driven exercise and becomes a continuous, queryable part of the software development lifecycle, exactly the kind of quantifiable risk control an industry built on quantifying risk should expect from itself.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.