Diligent launched Cyber Risk Management this month. The pitch sounds familiar. AI-powered cyber risk quantification connects technical data to business impact, then hands boards a clean dashboard instead of a spreadsheet. But Scott Bridgen, General Manager of Risk & Audit at Diligent, said something more interesting when we pushed him on it.
The Paper Trail Problem
Give a board a clear, quantified view of its cyber exposure. If directors see a risk and decide not to fund the fix, that decision now sits in the record. The choice is documented in a way that scattered spreadsheets never managed.
Bridgen didn’t shy from it. “Boards already face growing accountability for cyber oversight,” he told CINI. He pointed to NIS2 and DORA as drivers, along with investor pressure to prove active oversight. Regulators and shareholders now expect boards to demonstrate that oversight, not just assert it.
Better reporting does support that oversight role. It also means the record of what a board knew, and when, gets sharper. NIS2’s Article 20 and DORA both put personal accountability on management bodies for exactly this kind of oversight. A tool that makes cyber risk easier to understand also makes it harder to claim ignorance of it later. That’s not a flaw in the product. It’s a consequence of doing the job well.
Risk Scores Stay in the Boardroom
The bigger surprise came when we asked whether these business-impact scores mean anything outside the company. Would an underwriter recognize a Diligent risk score when pricing a policy?
“Risk scoring is primarily an internal decision-support tool,” Bridgen said. Diligent isn’t claiming otherwise. The scores are built for management and the board. They aren’t built to replace an insurer’s own underwriting model, and Bridgen was direct about that limit.
This matters because the cyber insurance market has spent two years chasing the opposite outcome. Programs like Project QuiltWorks exist specifically to make financial risk modeling travel from the security team to the underwriter. So does Resilience’s Arc platform, which ties portfolio-level quantification directly to insurance decisioning. Diligent is building something adjacent: a tool aimed at the internal conversation rather than the underwriting one, at least for now.
Bridgen still sees a bridge forming. “CISOs are increasingly expected to explain cyber risk not just to boards, but also to regulators and insurers,” he said, and called tougher underwriting questions a live buying trigger. He closed on this: “That can support conversations about transfer and pricing, even if the insurer still applies its own methodology.”
The dashboard won’t move an underwriter’s number on its own. It may still strengthen the broker’s hand in the conversation that sets that number.
Smaller Organizations Feel This Gap Too
Diligent’s launch quote came from Dave Schultz, Risk Manager at the City of Lethbridge, a municipality without a large security team. “Municipal security teams don’t have the luxury of piecing together risk from scattered scans and spreadsheets,” he said.
That’s not a boardroom problem. It’s a resourcing problem, and it’s the same one showing up across board communication research, where a quarter of CISOs report board briefings that barely clear 30 minutes. Willis’s 2025 director survey found similar strain, with monthly board briefings rising from 18% to 28% year over year, still short of continuous oversight. Automated scoring won’t fix short meetings. It might make better use of the time available.
What This Means for the Cyber Insurance Market
Diligent’s launch isn’t an underwriting story yet. It’s a governance story with underwriting implications. Boards using tools like this will walk into renewal conversations with a cleaner internal narrative about what they’re exposed to and why. That’s useful leverage for a broker, even if the insurer’s own model does the actual pricing.
The literacy gap that makes this necessary hasn’t closed. Kroll’s 2026 resiliency data found 43% of organizations point to limited cyber literacy at the executive level as a driver of misalignment between security and business priorities. A dashboard addresses the symptom. Whether it changes the underlying comprehension gap Bridgen described at the start is the thing to watch a year from now.
FAQ – Cyber Risk Quantification
No. Diligent’s General Manager of Risk & Audit told CINI the scoring is an internal decision-support tool, not a substitute for an insurer’s underwriting model.
They can sharpen the record. A documented, quantified view of risk creates a clearer account of what a board knew and when, which carries weight under NIS2 and DORA accountability provisions.
It translates technical security data into business-impact terms for boards and executives, aiming at a comprehension gap more than a pure tooling gap.
Diligent says the product will be available in summer 2026.