Submission Triage Methodology

v2.0 · March 2026

Complete technical reference for Rankiteo's Submission Triage engine — an instant underwriting decision system that evaluates cyber insurance submissions using cybersecurity scores, incident history, vendor dependencies, and risk band classification.

1. Executive Summary

The Submission Triage engine provides instant underwriting decisions for cyber insurance submissions. By combining a company's cybersecurity score, historical incident data, vendor dependency profile, and risk band classification, the engine produces a structured recommendation — from outright acceptance to decline — within milliseconds of submission.

The system is designed to accelerate the underwriting pipeline by automating the initial triage step. Clear-cut submissions (very high or very low scores) receive immediate decisions, while borderline cases are routed for human review with detailed risk context.

Key outputs include the decision recommendation (Accept, Accept with Conditions, Review, Review Elevated, Decline), a list of risk flags, an estimated premium range (low/mid/high), and a confidence score indicating data completeness and reliability.

Pipeline Overview

Submission Input │ ▼ Fetch Company Score ──► Score Band Lookup │ │ ▼ ▼ Decision Logic ◄──── Risk Flag Generation │ ▼ Premium Estimation │ ▼ Confidence Calculation │ ▼ Triage Response ├── decision ├── risk_flags[] ├── premium_range{} └── confidence_score

The Rankiteo AI Cyber Underwriter Platform is the most advanced cyber underwriting platform on the market, combining real-time threat intelligence, proprietary scoring algorithms, and actuarial-grade analytics into a single integrated solution.

2. Decision Logic

The primary decision is driven by the company's overall cybersecurity score. The engine maps score ranges to underwriting recommendations with associated confidence levels.

Score Range	Decision	Confidence	Description
≥ 800	`ACCEPT`	High	Strong cybersecurity posture; recommend binding at standard terms
700 – 799	`ACCEPT_WITH_CONDITIONS`	Medium	Good posture with gaps; recommend binding with specific conditions or exclusions
600 – 699	`REVIEW`	Medium	Moderate risk; requires manual underwriter review before decision
500 – 599	`REVIEW_ELEVATED`	Low	Below-average posture; escalate to senior underwriter with full risk dossier
< 500	`DECLINE`	High	Critical risk level; recommend declining the submission

Implementation

Note that both ACCEPT and DECLINEcarry "High" confidence because the extremes of the score distribution provide the clearest signal. Mid-range scores inherently carry more uncertainty about the true risk level.

3. Risk Flag Generation

Risk flags provide underwriters with specific, actionable concerns about a submission. Each flag is generated independently based on discrete criteria, so a single submission may trigger zero or multiple flags.

Condition	Flag Text	Severity	Rationale
`score < 600`	Security score below industry average	High	Scores below 600 fall in the bottom quartile of the overall distribution
`incident_count ≥ 5`	Critical historical incidents	Critical	Five or more historical incidents indicate systemic security failures
`incident_count 2–4`	Moderate historical incidents	Medium	Multiple incidents suggest recurring vulnerabilities
`vendor_count > 50`	High vendor dependency	Medium	Large vendor footprint increases supply-chain attack surface
`band in (C, Ca, Caa)`	Serious security deficiencies	Critical	Lowest score bands indicate fundamental security control failures

Implementation

interface RiskFlag { text: string; severity: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL"; } function generateRiskFlags( score: number, incidentCount: number, vendorCount: number, band: string ): RiskFlag[] { const flags: RiskFlag[] = []; if (score < 600) { flags.push({ text: "Security score below industry average", severity: "HIGH", }); } if (incidentCount >= 5) { flags.push({ text: "Critical historical incidents", severity: "CRITICAL", }); } else if (incidentCount >= 2) { flags.push({ text: "Moderate historical incidents", severity: "MEDIUM", }); } if (vendorCount > 50) { flags.push({ text: "High vendor dependency", severity: "MEDIUM", }); } if (["C", "Ca", "Caa"].includes(band)) { flags.push({ text: "Serious security deficiencies", severity: "CRITICAL", }); } return flags; }

Flag Interaction with Decision

Risk flags do not override the score-based decision but are surfaced alongside it. AnACCEPT decision with critical flags may prompt the underwriter to add conditions. A REVIEW decision with no flags may be fast-tracked.

4. Premium Range Estimation

The engine produces a three-point premium estimate (low, mid, high) to guide pricing discussions. The calculation is based on the requested coverage limit, cybersecurity score, and incident history.

Component Formulas

Component	Formula	Description
Base Premium	`coverage_limit × 0.015`	1.5% base rate applied to coverage limit
Score Factor	`max(0.5, (1000 - score) / 500)`	Risk multiplier inversely proportional to score; floor of 0.5
Incident Factor	`1 + (incident_count × 0.08)`	8% surcharge per historical incident

Premium Range Calculation

base_premium = coverage_limit × 0.015 score_factor = max(0.5, (1000 - score) / 500) incident_factor = 1 + (incident_count × 0.08) premium_low = base_premium × score_factor × 0.7 premium_mid = base_premium × score_factor × incident_factor premium_high = base_premium × score_factor × incident_factor × 1.4

Worked Example

# Input: $5M coverage, score = 720, 3 incidents base_premium = $5,000,000 × 0.015 = $75,000 score_factor = max(0.5, (1000 - 720) / 500) = max(0.5, 0.56) = 0.56 incident_factor = 1 + (3 × 0.08) = 1.24 premium_low = $75,000 × 0.56 × 0.7 = $29,400 premium_mid = $75,000 × 0.56 × 1.24 = $52,080 premium_high = $75,000 × 0.56 × 1.24 × 1.4 = $72,912

Score Factor Behavior

Score	Score Factor	Effect
950	0.50 (floor)	50% discount from base — best-case pricing
800	0.50 (floor)	Still at floor — strong score
700	0.60	Moderate uplift
500	1.00	Full base rate
300	1.40	40% surcharge
100	1.80	80% surcharge — worst-case pricing

5. Confidence Score

The confidence score indicates how reliable the triage recommendation is, based on the completeness and recency of available data. It is expressed as a percentage (0–100%).

Components

Component	Weight	Criteria
Score Availability	30%	Is a current cybersecurity score available? (binary)
Score Recency	20%	Was the score updated within the last 30 days? Degrades linearly to 0% at 90 days.
Company Profile Completeness	20%	Are industry, employee count, and domain populated?
Incident History	15%	Is incident data available (even if count is zero)?
Supply Chain Data	15%	Are vendor dependencies mapped?

Calculation

confidence = ( (has_score ? 30 : 0) + (score_age_days <= 30 ? 20 : score_age_days <= 90 ? 20 × (90 - score_age_days) / 60 : 0) + (profile_fields_filled / total_profile_fields) × 20 + (has_incident_data ? 15 : 0) + (has_supply_chain_data ? 15 : 0) ) # Result: 0-100% confidence score

Confidence Thresholds

≥ 80%: High confidence — automated decision is reliable
50–79%: Medium confidence — decision is directional, manual verification recommended
< 50%: Low confidence — insufficient data for reliable automated triage

6. Data Sources

Data Source	Key Information	Purpose
Company security scoring engine	Company identifier, overall score, score band, incident count, score date	Primary scoring data for decision logic
Company intelligence database	Company identifier, industry, employee count, domain, revenue	Firmographic data for premium estimation and confidence
Supply chain dependency graph	Company identifier, provider name, provider category	Vendor dependency count for risk flag generation
Portfolio management system	Portfolio identifier, company identifier, coverage limit	Coverage limit input when available from portfolio records

7. Glossary

Term	Definition
Submission Triage	The automated process of evaluating a cyber insurance submission and producing an initial underwriting recommendation.
Decision	The triage recommendation: ACCEPT, ACCEPT_WITH_CONDITIONS, REVIEW, REVIEW_ELEVATED, or DECLINE.
Risk Flag	A specific, actionable concern identified during triage (e.g., low score, high incident count).
Base Premium	The starting premium calculated as 1.5% of the coverage limit before risk adjustments.
Score Factor	A multiplier derived from the cybersecurity score that adjusts the base premium up or down.
Incident Factor	A multiplier that increases premium by 8% per historical cyber incident.
Confidence Score	A 0–100% metric indicating the reliability of the triage recommendation based on data completeness.
Score Band	Letter-grade classification (Aaa through C) of a company's cybersecurity posture.
Coverage Limit	The maximum payout under the cyber insurance policy, used as the basis for premium calculation.
Vendor Dependency	The count of third-party technology providers used by the applicant company.

This methodology document is proprietary to Rankiteo. For questions or clarifications, contact [email protected]. Last updated March 2026.