Jake Olcott, vice president of strategic partnerships for security ratings firm BitSight, points to three main use cases for security ratings in cyber insurance. The first, as previously mentioned, is understanding clients' security posture: collecting quantitative measurements, analyzing performance over time, and using that data to create and price policies. Ratings firms collect data after a breach, and what they find can help clients lessen the risk of future attacks through portfolio management.