HATS Attested Risk Addendum
Cyber insurance underwriting has operated on the same fundamental assumption for two decades: the insured party self-reports their security posture, the insurer assesses that self-report against actuarial models, and the policy is priced accordingly. The problem with this model is not that insureds lie. The problem is that self-reported security posture is a snapshot of intent, not a continuous measurement of reality. The gap between what an organization believes about its own controls and what those controls actually do at any given moment is where the majority of claim surprises originate.
HATS (H33 Attestation and Trust Standard) introduces a structurally different approach. HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls. This document explains how HATS attestation modifies cyber insurance risk assessment and what it means for underwriting, claims, and premium calculations.
The Problem with Self-Reported Controls
Traditional cyber insurance applications ask questions such as: Do you use multi-factor authentication? Do you encrypt data at rest? Do you have an incident response plan? The answers to these questions are checkboxes. A "yes" to MFA might mean that MFA is required for VPN access but not for cloud console access. A "yes" to encryption at rest might mean that the primary database is encrypted but the analytics replica is not. A "yes" to an incident response plan might mean that a document was written two years ago and has never been exercised.
These are not deceptions. They are the natural consequence of asking binary questions about complex, continuously evolving systems. The insurer has no mechanism to verify the answers at the time of application, and no mechanism to detect when the answers become stale during the policy period. A company might have had MFA everywhere on the day they filled out the application and then disabled it for a critical system three weeks later due to an integration issue that was never resolved.
The result is a structural information asymmetry that damages both parties. Insurers overprice policies for well-run organizations because they cannot distinguish them from poorly-run ones. Insurers underprice policies for organizations whose controls have degraded since application. Claims disputes arise because the insurer discovers post-breach that the actual control state did not match the application representations.
How HATS Attestation Differs
HATS replaces self-reported control status with cryptographically attested, continuously verified control evidence. The distinction is structural, not incremental.
A HATS attestation is a post-quantum signed record that a specific control was verified at a specific time on a specific system. Each attestation is signed with three independent signature schemes (ML-DSA, FALCON, SLH-DSA), producing an artifact that is verifiable by any party with access to the HATS verification endpoint. The attestation cannot be backdated, cannot be modified after creation, and cannot be forged without simultaneously breaking three independent mathematical hardness assumptions.
HATS defines 20 verification checks across 8 node types. Each check produces an attestation when it passes. The continuous monitoring system runs these checks at configurable intervals, producing a time series of attestation events that constitutes a cryptographic proof of control state over time. This is not a log that an administrator could edit. It is a chain of signed attestations where each entry references the hash of the previous entry, making any modification to the historical record detectable.
For insurance purposes, this transforms the underwriting data model from "the insured says they have MFA" to "there exist 4,320 consecutive attestation records proving that MFA was verified every 10 minutes for the past 30 days, each signed with post-quantum signatures and anchored to a public ledger."
Premium Implications
Attested controls reduce underwriting uncertainty. When uncertainty decreases, premiums should decrease proportionally, because the risk premium that compensates for information asymmetry is no longer justified.
Consider the three components of a cyber insurance premium: the expected loss (actuarial base rate), the risk load (compensation for uncertainty in the loss estimate), and the expense load (acquisition and administration costs). HATS attestation primarily reduces the risk load.
The actuarial base rate reflects the probability and severity of a loss event. HATS does not change the threat landscape or the inherent risk of a business operation. However, HATS does provide data that allows more precise estimation of where a particular insured falls within the actuarial distribution. An insured with 30 days of continuous control attestation data is a fundamentally different risk profile than an insured with a checkbox on an application form.
The risk load compensates for model uncertainty, parameter uncertainty, and adverse selection. HATS attestation addresses all three. Model uncertainty decreases because the insurer has time-series data on control state rather than a point-in-time self-report. Parameter uncertainty decreases because the data is cryptographically verified rather than self-reported. Adverse selection decreases because organizations that invest in continuous attestation are self-selecting as higher-quality risks.
We estimate that HATS attestation data, properly integrated into underwriting models, supports a risk load reduction of 15-30% for organizations that maintain continuous attestation across all 20 verification checks. This estimate is based on the reduction in information asymmetry and the adverse selection benefits, not on any claim that HATS prevents breaches.
Insurer Verification Workflow
HATS is designed to be independently verifiable by any party. The insurer verification workflow operates as follows.
Step 1: Attestation Export. The insured exports their HATS attestation history for the underwriting period. This export is a structured data file containing the attestation chain: each attestation record with its timestamp, check identifier, node identifier, result, and the three PQ signatures. The export itself is signed with a HATS attestation, creating a verifiable proof that the export is authentic and complete.
Step 2: Chain Verification. The insurer (or the insurer's designated verification service) validates the attestation chain. This involves verifying each signature against the known public keys for the attesting node, verifying the hash chain integrity (each attestation references the hash of its predecessor), and verifying that the chain has no gaps exceeding the declared monitoring interval. Chain verification is computationally inexpensive and can be performed on commodity hardware.
Step 3: Coverage Mapping. The insurer maps the verified attestation data to their underwriting model. HATS defines standard check identifiers that map to common security controls. The insurer's model translates continuous attestation data for each control into a risk factor adjustment. Controls with unbroken attestation histories receive the maximum adjustment. Controls with gaps receive proportionally smaller adjustments.
Step 4: Continuous Monitoring (Optional). For insurers who wish to offer continuously-priced policies, HATS supports real-time attestation streaming. The insurer's verification service receives attestation events as they are produced, enabling continuous risk assessment and potentially continuous premium adjustment. This is operationally complex but technically supported by the HATS protocol.
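The hash-linked, triple-signed attestation chain described above and the insurer's Step 2 chain verification and Step 3 coverage mapping, as an added Python example that is not HATS's own code: HMAC-SHA256 keys stand in for the ML-DSA, FALCON and SLH-DSA signatures so it runs offline, the check identifiers, node name, timestamps and 10-minute interval are constructed, and `addendum_eligible` is a hypothetical helper applying the 80%-of-checks / 90%-of-period rule from the Scope and Limitations section.

```python
import hashlib
import hmac
import json

# HMAC-SHA256 stands in for the three PQ schemes (assumption, so the example runs
# offline); a real verifier calls ML-DSA / FALCON / SLH-DSA verification with the
# node's published public keys. Keys, check ids and timestamps are constructed.
SCHEMES = ("ML-DSA", "FALCON", "SLH-DSA")
KEYS = {s: f"demo-key-{s}".encode() for s in SCHEMES}
INTERVAL = 600  # declared monitoring interval: 10 minutes, in seconds

def record_hash(rec):
    body = {k: rec[k] for k in ("ts", "check", "node", "result", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(events):
    """Link and sign (ts, check, node, result) events into an export chain."""
    chain, prev = [], "0" * 64
    for ts, check, node, result in events:
        rec = {"ts": ts, "check": check, "node": node, "result": result, "prev": prev}
        h = record_hash(rec)
        rec["sigs"] = {s: hmac.new(KEYS[s], h.encode(), "sha256").hexdigest() for s in SCHEMES}
        chain.append(rec)
        prev = h
    return chain

def verify_chain(chain, start, end, interval=INTERVAL):
    """Step 2 and 3: check every signature and the hash linkage, then measure
    per-check coverage inside [start, end]; 1.0 means no gap exceeded interval."""
    problems, prev, passes = [], "0" * 64, {}
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            problems.append(f"#{i}: hash chain broken")
        h = record_hash(rec)
        for s in SCHEMES:
            good = hmac.new(KEYS[s], h.encode(), "sha256").hexdigest()
            if not hmac.compare_digest(rec.get("sigs", {}).get(s, ""), good):
                problems.append(f"#{i}: bad {s} signature")
        if rec["result"] == "pass":
            passes.setdefault(rec["check"], []).append(rec["ts"])
        prev = h
    coverage = {}
    for check, ts in passes.items():
        pts = [start] + sorted(ts) + [end]
        uncovered = sum(max(0, b - a - interval) for a, b in zip(pts, pts[1:]))
        coverage[check] = 1 - uncovered / (end - start)  # gaps shrink the adjustment
    return not problems, problems, coverage

def addendum_eligible(coverage, total_checks=20):
    """Scope rule: at least 80% of the 20 checks attested over at least 90% of the period."""
    return sum(c >= 0.90 for c in coverage.values()) >= 0.80 * total_checks
```

Editing any record's result invalidates all three signatures on that record and breaks the `prev` link of the record that follows it, which is what makes the exported history tamper-evident.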
Claims Impact
HATS attestation data transforms the claims process in two important ways.
First, it eliminates disputes about control state at the time of a loss event. If the insured has a continuous attestation chain showing that a specific control was verified and passing at the time of the breach, the insurer cannot deny the claim on the basis that the control was not in place. Conversely, if the attestation chain shows a gap in a specific control during the period when the breach occurred, both parties have a clear, cryptographically verified record of the control state.
Second, it enables more precise subrogation and root cause analysis. The attestation chain provides a timestamped, tamper-evident record of every control check. When a breach occurs, the chain can be analyzed to identify exactly when specific controls failed or degraded, which may inform subrogation actions against third-party vendors or service providers whose failures contributed to the control gap.
Integration with Existing Frameworks
HATS is designed to complement, not replace, existing compliance frameworks. An organization that maintains SOC 2 Type II, ISO 27001, or other certifications can use HATS to provide continuous evidence between annual audits. The HATS attestation chain fills the gap between periodic assessments, giving insurers visibility into control state during the 364 days of the year when the annual audit is not happening.
For insurers who currently require SOC 2 or ISO 27001 as a condition of coverage, HATS can serve as a supplementary evidence source that increases confidence in the ongoing validity of those certifications. The combination of periodic framework assessment and continuous HATS attestation provides stronger underwriting evidence than either alone.
Scope and Limitations
This addendum applies to policies where the insured maintains HATS attestation for at least 80% of the 20 defined verification checks over at least 90% of the policy period. Partial attestation coverage provides proportionally reduced underwriting benefit.
HATS attestation proves that controls were checked and passing at specific times. It does not guarantee that a breach cannot occur. Controls can be passing and a breach can still happen through attack vectors outside the scope of the attested controls, or through zero-day vulnerabilities that no control would have detected. The premium adjustment reflects reduced uncertainty about control state, not elimination of risk.
For the full HATS technical specification including all 20 verification checks, 8 node types, and conformance levels, see the HATS Standard. For independent verification tools and documentation, see the Verification page.