Pain Browser

Pain Point #2 · May 19, 2026

Pain Browser No. 2: The 9,000-School Breach That Lit Up the Synthetic Identity Insurance Gap

What Moody's RMS, BitSight, and the next standard-setter will do for synthetic identity exposure.

The Canvas breach forced a question cyber underwriters cannot answer: how do you price portfolio-level synthetic identity exposure when no standard exists? The first company to define one wins the rating layer.

Opportunity: 9/10 · Exceptional
Problem: 9/10 · Severe Pain
Feasibility: 7/10 · Buildable
Why Now: 9/10 · Perfect Timing

Categorization

Type: Platform + Usage
Market: B2B → B2B2C
Target: Cyber underwriting and risk teams at major cyber and financial lines carriers
Main Competitor: BitSight (in cyber, with no synthetic identity equivalent)

01 · Hook

In the early afternoon of Thursday, May 7, students and faculty at thousands of universities and K-12 districts across the United States logged into Canvas to find their final exams replaced with a ransom note. The cybercrime group ShinyHunters had defaced the login portal of Instructure, the parent company behind Canvas, the learning management platform used by roughly 9,000 educational institutions and 275 million students and faculty. The note told the affected schools to negotiate their own settlements separately from Instructure, and gave them five days to act before the data leaked.

The breach was not the first. In published analysis after the May 7 event, Cloudskope CEO Dipan Mann laid out a three-act timeline. The September 2025 University of Pennsylvania incident, in which ShinyHunters released hundreds of megabytes of donor records and internal memos after Penn refused to pay a one million dollar ransom, was carried out in part through Canvas-mediated access. Mann calls that the proof of concept. The May 1, 2026 incident was the production run. The May 7 recompromise was ShinyHunters demonstrating publicly that Instructure's claimed containment had not happened.

That is the trigger event for this week's Pain Point. The shape of the harm is the question carriers cannot answer.

When a vendor used by 9,000 distinct insureds is compromised, every cyber underwriter writing those institutions is now sitting on systemic identity exposure they did not price. Each named victim is a separate event in their actuarial model. The reality is one event, distributed. The synthetic identity supply chain that the Federal Reserve has been warning about since its 2018 initiative just got fed at scale, and the insurance market that should have priced it in advance has no portfolio-level model that can.

02 · Problem

Synthetic identity fraud is the fastest-growing financial crime in the United States by McKinsey's count, and has been since long before this week. FiVerity put aggregate losses above $35 billion in 2023. TransUnion's H1 2025 data pegs US lender exposure to synthetic identities at $3.3 billion at the end of 2024, with auto lenders absorbing $2 billion of that in the first half of the year alone. New account fraud, the loss category most directly fed by synthetic identities, hit $7 billion in 2025, up 13% year over year, with 5.4 million victims. Sumsub documented a 311% surge in synthetic identity document fraud between Q1 2024 and Q1 2025. Deloitte projects the loss category will reach $23 billion annually by 2030, which is below FiVerity's current estimate. The variance itself is the story. Seven years and three white papers after the Fed convened its first focus group, there is still no agreed measurement of the loss class.

Those are the loss numbers, and they are not the same as the market opportunity. Global cyber insurance premium reached roughly $15 billion in 2025 and is projected toward $30 billion by 2030. Synthetic identity exposure is one of the loss categories inside that universe that carriers refuse to write coverage against. The addressable revenue for the rating layer that fixes this sits between BitSight's current scale (approximately $200 million in ARR underwriting cyber, $2.4 billion Moody's valuation) and Verisk's $40 billion-plus franchise built on insurance standardization. Closer to BitSight for the first 36 months. Verisk over a decade if the standard locks.

That measurement gap is what makes the loss class uninsurable at the carrier level. Cyber insurance underwriters need three things to write coverage at scale: a standardized definition of the harm, a measurable exposure metric at the portfolio level, and a loss frequency and severity baseline credible enough to support an actuarial premium. Synthetic identity has none of those. Each carrier writing fintech, lender, marketplace, or now education-vendor cyber coverage is doing so blind to the loss class that drives the largest share of identity-related losses on their book.

The Canvas event is what happens when the supply chain feeding that loss class gets industrialized. Detection products exist (Socure, SentiLink, Equifax, Plaid Beacon, Prove Identity). They identify synthetic identities at the transaction level. None of them produces a portfolio-level exposure score a carrier can rate-base against. Without that, the carriers cannot model, cannot price, and cannot underwrite. The category sits in the same place cyber insurance sat fifteen years ago: real losses, no standard, no market.
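The Hook argued that a single compromised vendor shared by 9,000 insureds is one distributed event rather than 9,000 independent ones, and the paragraph above lists a portfolio-level exposure metric and a frequency/severity baseline as two of the three things an underwriter needs. The following Python sketch is an added illustration, not code from the original issue or from any vendor it names: it contrasts an "independent events" loss model with a common-shock model in which a vendor compromise reaches most of the book at once. All rates (idiosyncratic breach probability, vendor compromise probability, conditional hit rate, bad-year threshold) are constructed assumptions; only the 9,000-insured portfolio size comes from the text.

```python
from math import lgamma, log, exp


def binom_tail(n: int, p: float, k: int) -> float:
    """P(X >= k) for X ~ Binomial(n, p), summed in log space so that n in the
    thousands does not overflow float arithmetic."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    log_p, log_q = log(p), log(1.0 - p)
    total = 0.0
    for i in range(k, n + 1):
        log_pmf = (lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
                   + i * log_p + (n - i) * log_q)
        total += exp(log_pmf)
    return total


def shock_hit_rate(p: float, r: float) -> float:
    """Per-insured loss probability in a year when the shared vendor is
    compromised: the insured is hit by its own idiosyncratic breach (p) or by
    the vendor event (r), treated as independent causes."""
    return 1.0 - (1.0 - p) * (1.0 - r)


def calibrate_independent_rate(p: float, q: float, r: float) -> float:
    """The single per-insured annual rate an 'independent events' model would
    fit if it were calibrated to the same expected loss count as the
    common-shock model (q = annual probability the vendor is compromised)."""
    return q * shock_hit_rate(p, r) + (1.0 - q) * p


def independent_tail(n: int, p: float, q: float, r: float, k: int) -> float:
    """P(at least k insureds suffer a loss in a year) when every insured is
    modelled as an independent event with the mean-matched rate."""
    return binom_tail(n, calibrate_independent_rate(p, q, r), k)


def common_shock_tail(n: int, p: float, q: float, r: float, k: int) -> float:
    """Same probability under the mixture model: with probability q the vendor
    is compromised and every insured is exposed at shock_hit_rate, otherwise
    only the idiosyncratic rate p applies."""
    return (q * binom_tail(n, shock_hit_rate(p, r), k)
            + (1.0 - q) * binom_tail(n, p, k))


def compare(n: int = 9000, p: float = 0.02, q: float = 0.05,
            r: float = 0.80, k: int = 1000) -> dict:
    """Return both tail probabilities and the shared expected loss count for
    one scenario. Defaults are constructed assumptions: 9,000 insureds on one
    vendor (the Canvas figure from the text), a 2% idiosyncratic annual breach
    rate, a 5% annual chance of a vendor compromise that reaches 80% of the
    book, and a 'bad year' threshold of 1,000 insureds hit at once."""
    p_eff = calibrate_independent_rate(p, q, r)
    return {
        # Identical in both models by construction: a premium priced on
        # expected loss alone cannot tell them apart.
        "expected_losses_per_year": n * p_eff,
        "independent_tail": independent_tail(n, p, q, r, k),
        "common_shock_tail": common_shock_tail(n, p, q, r, k),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>26}: {value:.6g}")
```

With the default assumptions both models expect roughly 530 insured losses a year, so a premium calibrated to expected loss looks the same either way. The difference is entirely in the tail: the independent model puts the probability of a 1,000-insured year at effectively zero, while the common-shock model puts it at about 5%, which is simply the assumed vendor compromise probability. That tail is what a reinsurer asks about at treaty renewal, and it is invisible to any model that books each named victim as its own event.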

03 · Why Now

The Canvas breach demonstrated, in the exact week this issue is going to press, that vendor-mediated identity supply at scale is the new dominant pattern. ShinyHunters' broader playbook hit ADT for 5.5 million customers through a Salesforce single sign-on compromise, plus public attacks against Medtronic, Rockstar Games, McGraw Hill, 7-Eleven, and Carnival. Same architectural shape across verticals. Cyber underwriters cannot keep treating these as independent events when the breach surface is one upstream vendor and the named victims are thousands of insureds. Charles Carmakal, CTO of Mandiant Consulting, told KrebsOnSecurity there are multiple concurrent ShinyHunters campaigns running right now. The pattern is not slowing down.

The underwriting half of the answer just shipped. In August 2025, Moody's RMS and BitSight launched the Cyber Industry Steering Group with Munich Re and Gallagher Re as founding members, explicitly to address what the announcement called the lack of standardization across cyber insurance functions. In January 2026, Moody's RMS Cyber Solutions Version 9 deepened the BitSight integration and shipped cloud concentration risk dashboards that let carriers model exposure to AWS, Azure, and Google Cloud Platform failures across portfolios. The architecture that finally got cyber insurance to scalable underwriting is visible. The synthetic identity equivalent does not exist yet.

The carriers are not waiting. Coalition launched a global deepfake response endorsement on May 7. Michael Phillips, head of their global cyber portfolio underwriting, framed it as filling what he called a growing gap in conventional cyber insurance. Carriers will write impersonation-related coverage when the measurement problem is tractable. Synthetic identity is the harder measurement problem they have not cracked. Detection vendors have raised hundreds of millions trying. Socure has raised $744 million across rounds, SentiLink has raised $99 million, Persona reached a $2 billion valuation in April 2025. None has built the underwriting product carriers can rate-base against.

04 · Market

The market splits cleanly into three buyer pools. The product looks different for each one.

The carrier-side product is a portfolio-level synthetic identity exposure rating, sold to commercial cyber and financial lines underwriters at major carriers. Buyers are Coalition, AIG, Beazley, At-Bay, Resilience, the cyber program managers at the major brokers, and the run-off books at carriers exiting the market. The product captures both lender-side exposure (the TransUnion $3.3 billion shape) and vendor-concentration risk (the Canvas/Instructure shape). Highest value per customer, smallest customer pool. Most directly analogous to BitSight, which Moody's invested $250 million in at a $2.4 billion valuation in 2021 specifically to underwrite cyber.

The insured-side product is a preparedness certification. Banks, lenders, marketplaces, payment processors, education platforms, and BNPL providers will pay to qualify for better cyber rates. SaaS pricing, recurring revenue, larger customer pool, lower ACV. Comparable: SecurityScorecard's customer certifications, the NIST Cybersecurity Framework alignment attestations insureds present to underwriters during cyber renewals. This is the layer buyers in those verticals have been quietly waiting for since the Fed's voluntary definition failed to take.

The reinsurance-side product is aggregated synthetic identity loss data, sold to Munich Re, Swiss Re, Hannover Re, and the Lloyd's syndicates writing cyber treaties. Smallest customer pool, highest margin, longest sales cycle. Reinsurers are already participating in cyber standardization through the Steering Group. They will buy the synthetic identity equivalent when it is credible.

The pricing intuition lives in the cyber rating comp set, not in identity verification. Moody's invested $250 million in BitSight at a $2.4 billion valuation in 2021, with the explicit thesis of underwriting cyber. SecurityScorecard reached approximately $1 billion valuation in 2021. Verisk Analytics built a $40 billion-plus business out of property and casualty risk analytics through standardization. The synthetic identity equivalent has no public acquisition comp yet, which is itself a signal: the acquirers have not picked their winner.

The broader cyber insurance market is projected at roughly $15 billion in 2026 growing toward $30 billion by 2030. Synthetic identity exposure within that universe is a smaller but faster-growing slice.

05 · Opening

Detection is a feature. The standard is a company. That distinction is what determines who gets funded in this category over the next 18 months.

The standard becomes the moat, the way ISO 27001 became for security, the way the FAIR framework became for cyber risk quantification, the way BitSight ratings became for cyber underwriting. Once carriers adopt a definition, the cost of switching out of it exceeds the value of any technical improvement a competitor can offer.

Imagine a chief underwriting officer at a mid-sized cyber carrier. They are writing identity-heavy policies for fintechs, lenders, marketplaces, and now education-vendor platforms. Their reinsurance treaty renewals are six months out. Their reinsurers are asking what their book's synthetic identity exposure looks like. They have no answer that survives an actuarial review. They will buy a portfolio-level rating from a credible third party the moment one exists. They will not build it internally because they do not have the data, the cross-portfolio visibility, or the regulatory-acceptable definition.

That is the wedge buyer. The first product is the carrier rating. Sold to commercial cyber underwriters at the top fifteen carriers. Priced as a platform fee plus per-assessed-customer usage. Integrated with the carrier's underwriting workflow and reinsurance treaty documentation.

The first reference customer is a Coalition-class carrier with a fintech or lender vertical concentration and a recent ShinyHunters-adjacent loss event on their book. Sales cycle: 120 to 180 days. The first product can be built by a team of four (an actuary, a fraud-domain operator, a data engineer, and a regulatory counsel) in 9-12 months.

06 · The Offer

1 · Lead Magnet (Free)

Synthetic Identity Portfolio Baseline Worksheet

A one-page risk assessment any chief underwriter, chief actuary, or chief risk officer can run on their own portfolio in 30 days. Surfaces synthetic identity exposure at the customer level and ties it to the Federal Reserve's voluntary definition. Captures cyber underwriting and financial lines decision-makers into the database before they need a vendor.

2 · Frontend (Low-friction)

SyntheticID Index Audit · $10,000 to $25,000 one-time

A 45-day synthetic identity exposure baseline for a lender, marketplace, or vendor-mediated platform. Output: a portfolio-level SyntheticID Index score with confidence intervals, a 10-page board memo aligned to the Fed definition, and recommended underwriting actions. Lands the relationship without long contract commitment. Conversion target: 30-45% of audits convert to Core within 120 days.

3 · Core (Recurring)

SyntheticID Index Enterprise · $200K-$500K platform + $25-$75 per assessed customer/transaction

Carrier-grade synthetic identity exposure rating for portfolios. Mid-market ACV: $200K-$400K. Enterprise ACV: $750K-$2M. Reinsurance treaty-grade data licenses priced separately at $1M-$5M annual depending on geographic and product scope.

07 · Monetization Model

Platform fee plus per-assessed-portfolio-record usage. Not pure SaaS, not pure data licensing. The platform fee covers integration with the carrier's underwriting system, audit logging, data refresh, and ongoing standard updates. The usage fee captures the value moment, which is the carrier deciding to write coverage based on the rating.

ACV $200K to $2M depending on carrier portfolio size. Gross margins 80-90% at scale, dragging to 65-75% in year one because of integration work and customer-side data ingestion.

Reinsurance-side data licenses run higher (treaty-grade data, 12-18 month sales cycle) and carry 90%+ margins.

The alternative model worth considering is data syndication, the credit bureau model. License the underlying data to multiple carriers in a non-exclusive arrangement. Higher revenue ceiling per syndication round, lower defensibility per customer, and a real risk of bureau adjacency challenge from TransUnion, Experian, or Equifax. For most teams, platform-plus-usage with named carrier reference customers is the cleaner wedge.

08 · Risks

Bureau adjacency is the largest risk. TransUnion, Experian, and Equifax already have the underlying data and could build the carrier product internally. They have not in seven years, but they could in twelve months if a category leader emerges and the bureaus decide to compete rather than license. A founder's defense is to make the rating regulatory-acceptable, carrier-integrated, and reinsurance-blessed before the bureaus move.

Federal Reserve mandate is the second risk. The Fed's voluntary synthetic identity definition has not taken on its own, but a payments-system rule could elevate it to required overnight. A third-party standard becomes redundant the moment the regulator publishes the official one. The mitigation is to be the de facto definition the Fed adopts.

Detection vendor pivot is the third risk. Socure or SentiLink could pivot upmarket and become the carrier standard themselves, using their existing fraud data as the actuarial baseline. Their challenge is they sit on the detection side of the buying motion, not the actuarial side. Their salesforce, regulatory posture, and product architecture are calibrated for fraud teams at lenders, not underwriting teams at carriers.

Carrier consolidation is the fourth risk. The cyber market is consolidating into fewer, larger underwriters, and the buyer pool could shrink before the standard is locked in. The mitigation is to lock in the top five carrier reference customers before consolidation closes.

09 · How to Think About This

The right mental model for this category is not "build a better synthetic identity detector." It is "build the measurement standard that makes synthetic identity insurable." The product is not the model. The product is the carrier integration that makes the model load-bearing for an underwriting decision.

The diligence question for builders is whether the product survives the existence of detection vendors. If Socure improves their accuracy by 5% next year, does that make your company more valuable or less? If less, you are selling detection, and the detection vendors will absorb you the moment one of them climbs into the underwriting layer. If more, you are selling the rating that consumes detection as an input. Only the second is a defensible company in 2026.

Founders pitching this category make one consistent mistake. They describe their product as a model when the product is the integration. The model is a prerequisite. The product is the workflow that puts the model in front of a chief underwriting officer at the moment they are deciding whether to write or not write a policy. Without the workflow, the best detection accuracy in the world is a dataset waiting for someone to do something useful with it.

Price for the carrier's reinsurance treaty, not for the underlying model cost. The chief actuary's defensibility to their reinsurer is the value the carrier is buying. The platform fee covers that. The per-record usage covers the actual writing of policies, where the carrier's growth depends on your throughput.

10 · Reader's Job

Founders. Pick one of the three layers and ship a measurement product, not a detection product. Anchor the first customer in one buyer category and resist the temptation to be the platform from day one. The first reference customer is worth more than the next ten leads.

Investors. The thesis is regulatory acceptability, not model performance. A team that has documented working relationships with NAIC working groups, state insurance commissioners, the Federal Reserve's payments security team, or named carrier chief underwriting officers has more moat than one with a better detection model. Diligence question: how many of those relationships have produced something quotable in a carrier sales meeting? Zero means the team is still building a feature. One means they are still early. Three with at least one in writing means the thesis is real.

Operators in lending and EdTech. Get a synthetic identity exposure baseline for your portfolio this quarter. The breach pipeline that fed the May 7 events is feeding your customer base too. You cannot defend, mitigate, or insure what you cannot measure. If your team needs the methodology template, reply to this email.

Acquirers. The acquisition trigger in this category is a public partnership announcement between a synthetic identity rating startup and either a cyber risk rating incumbent (BitSight, SecurityScorecard, Black Kite) or a cyber insurance carrier (Coalition, Resilience, At-Bay). That partnership is the signal the category is collapsing into the cyber stack rather than standing alone. The first startup to sign two such partnerships within a single quarter is the target.

Reinsurers. The next industry steering group convening on identity-class risk needs a founding seat. The synthetic identity equivalent of the Cyber Industry Steering Group does not exist. The first three reinsurers to fund one will get to define the standard.

11 · The Watchlist

1. Children's identities are the gold-standard fuel for synthetic identity manufacturing

Opportunity: 9 · Problem: 9 · Feasibility: 7 · Why Now: 9

The SSN of a child is unused, will not appear on a credit report, and will not be checked until the child applies for credit at 18. The Canvas breach hit K-12 institutions across the country. The protective infrastructure for child identity at the school level does not exist. Parents and state legislators are starting to demand one. AllClear ID, IDShield Family, and a handful of insurance riders cover the consumer side, but no carrier-grade rating exists for the schools, districts, and EdTech vendors that need to price the exposure. Issue 3 maps the K-12 identity protection market.

2. AI-generated documents are bypassing template-matching verification at lenders

Opportunity: 8 · Problem: 8 · Feasibility: 7 · Why Now: 9

Synthetic document fraud surged 311% between Q1 2024 and Q1 2025 per Sumsub. AI-generated pay stubs, bank statements, tax records, and W-2s are bypassing template-matching document verification at lenders, BNPL providers, and apartment leasing platforms. Sumsub, Persona, and Onfido have document verification products. None has the AI-native forensic layer the buyers will need by mid-2027. Worth tracking, will be a featured Pain Point in the next two months.

3. Consumer identity protection brands lack a carrier-grade measurement layer

Opportunity: 7 · Problem: 7 · Feasibility: 8 · Why Now: 7

Aura, IDShield, and LifeLock sell synthetic identity protection to families today. None of them has the carrier-grade measurement layer feeding their products. The consumer market is real and growing. The underlying actuarial model is the same gap the carrier-side product fills. Watch for a B2B2C play where the standard licenses to both the carrier and the consumer brand, with the consumer brand using the rating as a marketing claim. Worth tracking.

12 · Signal

  • Canvas/Instructure was breached by ShinyHunters with public extortion and platform defacement on May 7, 2026, hitting roughly 9,000 educational institutions and 275 million students and faculty. Instructure is owned by KKR, having been taken private in 2024. Cloudskope CEO Dipan Mann's published analysis ties the September 2025 University of Pennsylvania breach to the same access path. Charles Carmakal, CTO of Mandiant Consulting, confirmed multiple concurrent ShinyHunters campaigns are active.
  • Coalition launched a global deepfake response endorsement on May 7, 2026. Michael Phillips, head of global cyber portfolio underwriting, framed it as filling a growing gap in conventional cyber insurance for impersonation events. Synthetic media coverage is now an underwritable line. Synthetic identity coverage at the portfolio level is not.
  • Moody's RMS Cyber Solutions Version 9 shipped in January 2026, with deeper BitSight integration and cloud concentration risk dashboards across AWS, Azure, and Google Cloud Platform. The Cyber Industry Steering Group, launched August 2025 with Munich Re, Gallagher Re, and BitSight as founding members, is the standardization vehicle for cyber underwriting that synthetic identity has no equivalent of.
  • TransUnion's H1 2025 State of Omnichannel Fraud Report pegs US lender synthetic identity exposure at $3.3 billion at the end of 2024, with auto lenders absorbing $2 billion in H1 2024 alone. Deloitte's Center for Financial Services projects $23 billion in annual synthetic identity losses by 2030. New account fraud, the loss category most directly fed by synthetic identities, reached $7 billion in 2025 with 5.4 million victims.
  • Sumsub's H1 2025 report documented a 311% surge in synthetic document fraud between Q1 2024 and Q1 2025. The FBI's 2025 IC3 report logged total identity-related losses of $20.9 billion, a 26% increase year over year, with AI-related losses accounting for approximately $900 million across 22,000 complaints.
  • ShinyHunters' April 2026 breach of ADT exposed 5.5 million customer records through a Salesforce single sign-on compromise reached via voice phishing. The same playbook has hit Medtronic, Rockstar Games, McGraw Hill, 7-Eleven, and Carnival. Vendor-mediated identity supply is no longer a niche concern.