
Methodology

Inside a Cyber Submission: A Document-Level Walkthrough

A typical cyber submission contains 8 to 12 distinct documents totaling 200 to 400 pages. Here is what each document tells an underwriter, and where Hugo cross-references them against each other.

Zayan Hussain, Co-founder and CTO, Hugo
Published May 5, 2026
8 min read

When a cyber submission arrives in an underwriter's inbox, it is rarely a single file. The application sits at the center, but the actual risk picture lives in a constellation of supporting documents that each tell a different part of the story. The job of the underwriter, and now of an AI underwriter, is to read every document and reconcile what they say against each other.

The risk is not in any one document. It is in the disagreements between them.

This article walks through the typical document set in a mid-market cyber submission, what each document tells an underwriter, and where the cross-references that matter most actually live.

1. The application

The application is the insured's self-reported summary of who they are, what they do, and how they secure it. Hugo extracts:

  • Named insured, domicile, and revenue
  • Employee count, industry NAICS code, and primary operations
  • Limits and retentions requested
  • Yes or no controls answers (MFA, EDR, backups, training)
  • Prior loss history declarations

The application is the spine of the submission. Every other document is read against it.

2. Supplementals

Cyber-specific supplementals (ransomware, privacy, social engineering, business interruption) drill into specific exposures. They are also where inconsistencies tend to surface first. Hugo flags any answer in a supplemental that contradicts the main application, including subtle cases such as a supplemental that lists a third-party processor not disclosed in the privacy section of the main form.

3. SOC 2 reports

A SOC 2 Type II describes the insured's control environment through an auditor's lens. Hugo reads:

  • The scope of the report (which trust services criteria, which systems)
  • The audit period and the issuing firm
  • Listed exceptions and management responses
  • Subservice organizations and the carve-out vs inclusive treatment

A controls answer of "yes" in the application becomes much more meaningful when the SOC 2 confirms the control is in place across the relevant systems for the relevant period. Hugo cites the SOC 2 page and section in the memo when this confirmation is found.

4. Penetration test results

External pen test reports, when included, give an underwriter a point-in-time view of the insured's exposed surface. The questions Hugo asks of a pen test report:

  • Was the test scoped to production assets or a sample environment
  • How recent is the test relative to the submission date
  • What severity findings are open and what is the remediation status
  • Has there been a retest, and what changed

A clean pen test alongside an application that claims strong controls is consistent. A pen test with open critical findings against the same application is a signal Hugo surfaces explicitly.

5. Prior policy wordings

When the insured has expiring coverage, the prior wording is one of the most information-dense documents in the submission. Hugo reads:

  • Current limits, retentions, and sublimits
  • Existing exclusions, including manuscript or carrier-specific endorsements
  • Coverage triggers and definitions that may differ from the renewal proposal
  • Conditions, including notice provisions and panel counsel requirements

The prior wording is where coverage drift hides. Hugo compares it against the renewal terms being considered and flags any differences that materially change the covered risk.

6. Loss runs and incident history

Loss runs are typically a multi-year ledger of paid and reserved amounts. Hugo extracts:

  • Date of loss, date of report, and any gap between them
  • Carrier handling the claim and adjuster firm
  • Cause of loss category and a brief narrative if provided
  • Paid, reserved, and total incurred figures

The most useful work Hugo does on a loss run is reconciliation against the application's prior loss declaration. A loss on the run that is not declared on the application is a material misrepresentation question that goes straight into the memo.

7. Financial statements

Audited or reviewed financials let Hugo size the risk against the insured's actual capacity to absorb a loss. Hugo extracts revenue, operating margin, cash position, and debt structure where available. These then ground the limits adequacy section of the memo.

8. Broker correspondence

The cover email and any thread context tell Hugo what the broker is actually asking for. Specific limit, retention, or coverage requests that differ from the application get pulled out and addressed individually in Hugo's reply. If the broker is asking about a competitor's quote, Hugo notes that without making assumptions about price.

How the cross-references actually work

The single most valuable thing Hugo does is read documents against each other. The most common cross-references that matter:

  • Application controls answers vs SOC 2 control descriptions
  • Application loss declarations vs loss run entries
  • Supplemental third-party listings vs main application disclosures
  • Pen test findings vs application security posture claims
  • Prior wording exclusions vs renewal coverage proposed

Every disagreement is recorded with a citation to both source pages. The memo presents them as findings, not conclusions. The underwriter decides.
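
The sketch below illustrates two of these cross-references (controls answers vs SOC 2 exceptions, and loss declarations vs loss run entries), with each disagreement carrying a citation to both source pages. It is an added example, not Hugo's code: the record layout, the names (Cite, Finding, reconcile), the sample data, and matching losses by date of loss alone are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cite:
    doc: str
    page: int

@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    sources: tuple  # citations to both documents that disagree

# Constructed sample extraction (hypothetical layout, not real submission data).
APPLICATION = {
    "controls": {"MFA": (True, Cite("application", 4)),
                 "EDR": (True, Cite("application", 4)),
                 "backups": (True, Cite("application", 5))},
    "declared_losses": {date(2023, 3, 14)},
    "loss_cite": Cite("application", 7),
}
SOC2_EXCEPTIONS = [  # (control, auditor note, citation)
    ("MFA", "not enforced for 3 of 25 sampled admin accounts", Cite("soc2", 41)),
]
LOSS_RUN = [  # (date of loss, date of report, cause, total incurred, citation)
    (date(2023, 3, 14), date(2023, 3, 16), "ransomware", 180_000, Cite("loss_run", 2)),
    (date(2024, 8, 2), date(2024, 9, 20), "funds transfer fraud", 65_000, Cite("loss_run", 3)),
]

def reconcile(app, soc2_exceptions, loss_run):
    """Return disagreements as findings; the underwriter draws the conclusion."""
    findings = []
    for control, note, cite in soc2_exceptions:
        answer = app["controls"].get(control)
        if answer and answer[0]:  # application says "yes", auditor lists an exception
            findings.append(Finding(
                "control_exception",
                f"{control}: application 'yes' vs SOC 2 exception: {note}",
                (answer[1], cite)))
    for loss_date, report_date, cause, incurred, cite in loss_run:
        if loss_date not in app["declared_losses"]:  # on the run, not declared
            gap = (report_date - loss_date).days
            findings.append(Finding(
                "undeclared_loss",
                f"{cause} on {loss_date}, incurred {incurred}, reported after {gap} days",
                (app["loss_cite"], cite)))
    return findings
```

Calling reconcile(APPLICATION, SOC2_EXCEPTIONS, LOSS_RUN) on the constructed data returns two findings: the MFA exception and the undeclared 2024 loss.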

Frequently asked

Questions readers ask

How does Hugo handle a SOC 2 with carve-out subservice organizations?

Hugo reads the carve-out language, identifies the subservice organizations called out, and notes in the memo that the report does not opine on those subservice controls. If the underwriter has separate evidence on the subservice provider, that gets cross-referenced.

What if a document is missing?

Hugo lists the missing document in the memo and proposes a supplemental request the broker can answer in the same email thread. It does not infer answers it cannot ground.

How fresh does a pen test need to be for Hugo to give it weight?

Hugo records the test date and the submission date and exposes the gap to the underwriter. It does not impose a single freshness rule, because each carrier has its own appetite-level guidance and Hugo defers to that.