A CISO's Guide: Leveraging Cyber Insurance for Enhanced Resilience Across the Enterprise

Cyber threats are a persistent challenge for organizations of all sizes and risk profiles. Small- and medium-sized enterprises (SMEs) and state, local, tribal, and territorial (SLTT) governments face unique hurdles, often lacking a full understanding of their exposure, access to resources, or the preparedness to defend against and respond to attacks. While large corporations increasingly hold cyber insurance, many SMEs and SLTTs do not. As a CISO, navigating the cyber insurance market effectively means understanding its potential as a tool for proactive risk management, not just post-breach recovery, and recognizing how approaches vary across company types and within the market itself.
The Evolution of Insurer Risk Assessment
The cyber insurance market has evolved significantly since its inception around 1995. Early cyber insurance involved time-consuming, detailed security assessments of potential insureds to manage a lack of data on risk. Insurers even offered premium reductions for things like using certified security audits or specific security devices.
However, following the rise of data breach notification laws in the mid-2000s and a shift to a "soft market" where insurers competed heavily, insurers became less hands-on, often relying more on light-touch security questionnaires that focused primarily on the amount and type of data a company handled, rather than its security maturity or technical controls. This trend was frustrating for companies that invested heavily in security, as premium pricing often prioritized revenue over implemented controls.
The ransomware era changed the market again. Due to increased losses and fluctuating loss ratios, the market hardened, leading insurers to deploy stricter assessment measures. For larger businesses, this meant longer, more granular questionnaires and a focus on technical security controls. Assessments for large corporations could even involve site visits and hardware examinations, reminiscent of the market's early days.
For SMEs, however, the assessment levels haven't always mirrored those of large companies, sometimes involving forms with as few as four questions to secure coverage. While this lowers the bar to entry, it means insurers may not fully understand the SME's cyber risk level.
Leveraging Technology in Underwriting
Today, technology is increasingly integrated into risk assessment. Insurers use security scans (in-house or third-party) and third-party security scores (e.g., SecurityScorecard, Bitsight) as data points. Cloud providers like AWS and Google Cloud have programs enabling customers to share their security posture data with partner insurers to streamline quotes and potentially unlock better terms or reduced costs.
However, CISOs should be aware of the limitations of these technical assessments. Scans often focus only on external attack surfaces. They may not capture the risk introduced by third- and fourth-party vendors. They can also produce unreliable assessments (false positives/negatives) without sufficient context about internal configurations, decoy systems (honeypots), or outsourced assets. A CISO should be prepared to provide this context and potentially challenge automated assessment results if they don't accurately reflect the organization's security posture.
The Strategic Potential of Cyber Insurers
Despite the historical fluctuations in assessment rigor, cyber insurers possess strategic potential to enhance cybersecurity. They ultimately share a long-term goal with policyholders: reducing the frequency and impact of cyber incidents. Insurers have unique access to breach data that can link specific security controls to security outcomes (claims). This positions them to potentially offer recommendations based on empirical data rather than just expert opinion. Furthermore, integrating real-time data from security providers could enable insurers to move towards continual compliance monitoring, offering deeper insights and the ability to flag deviations from a security baseline.
Moving Towards Proactive Security: Beyond Underwriting Discounts
Historically, insurance incentives for security primarily involved premium reductions or higher policy limits offered at the time of underwriting or renewal, often tied to adherence to frameworks or use of specific products (co-marketing). While helpful, these up-front incentives don't necessarily motivate continual security improvements throughout the policy term. Threat actors evolve, and cybersecurity needs are constantly changing.
This is where approaches focused on security as a benefit throughout the policy term become relevant.
- Embedded Policy Features: Some insurers include non-insurance risk reduction services as a standard, no-additional-cost feature of the policy. Examples include complimentary vulnerability monitoring, security training content, or consultation hotlines. These are distinct from bundling as they are mandatory and included at no extra premium.
- Bundling: This refers to an insurer presenting optional non-insurance security products or services at an additional cost with the cyber insurance policy. The benefit for the policyholder comes as a reduced rate on the security service or a rebate on the policy premium. Bundling has the potential to reduce costs or provide rebates over the course of the policy, not just at underwriting/renewal.
Bundling could offer several advantages for policyholders:
- Incentivize Proactive Measures: It directly rewards adopting and maintaining security practices.
- Tailored Solutions: It can be uniquely tailored to a company's specific needs and risk profile.
- Access to Vetted Services: Insurers could vet security providers, potentially guiding insureds towards effective solutions.
- Improved Risk Mitigation: Services like MDR combined with insurance can provide real-time insights and help address issues before a breach.
- Accessibility for SMEs/SLTTs: Bundling could make security products and services more affordable and accessible for under-resourced entities, helping them bolster defenses and qualify for more robust insurance.
Examples of insurers partnering with or offering security services include Chubb with SentinelOne, At-Bay with Microsoft, Coalition's internal scanning engine, Coalition Control, together with partnerships that earn premium credits, Beazley Security's in-house offerings, Cowbell's MDR SOC-as-a-Service, and AXA XL with Darkweb IQ. These can involve access to endpoint protection, MDR, vulnerability monitoring, and more.
It's useful to compare bundling to Digital Forensics and Incident Response (DFIR) paneling. Most insurers offer DFIR services post-breach as a standard, additive service at no additional cost, which is not typically considered bundling. Insurers vet and pre-negotiate rates with DFIR firms, providing a panel for insureds to choose from. This model demonstrates insurers' capacity to curate and manage vendor relationships, which could be extended to pre-breach bundled services.
Challenges and Concerns for CISOs
Despite the potential, bundling is not currently a prominent feature in the cyber insurance market. Several factors contribute to this:
- Regulatory Uncertainty: The primary barrier is a patchwork of state legislation and varying interpretations of anti-rebating and anti-bundling laws, creating an opaque regulatory regime and a "chilling effect" that discourages insurers from widely adopting bundling practices. While a revised NAIC model law in 2020 permits value-added services under certain conditions, its adoption and interpretation vary by state. Uncertainty exists, for instance, regarding the requirement that the cost of the service be reasonable relative to the premium, as some high-value security services exceed annual premium costs.
- Market Dynamics: Cyber insurance is still a relatively underdeveloped market, and large traditional carriers with market share in other lines may be less inclined to pursue innovative models like bundling compared to newer "insurtech" firms. The market cycle also matters; in a hard market, insurers have less need to offer incentives to attract customers.
- Concerns Raised by Bundling: From a CISO's perspective, several inherent concerns with bundling warrant careful consideration:
  - Conflicts of Interest: An insurer partnering with a security vendor (especially an affiliate) could prioritize the business relationship or market penetration over recommending the best security solution for the policyholder. This raises questions about whether the bundled service is genuinely chosen for its security effectiveness or for the sales opportunities it creates.
  - Vendor Lock-in and Vertical Integration: Bundling could push policyholders towards specific vendors, potentially leading to a de facto lock-in and concerns about unfair pricing or market capture if one major player dominates both insurance and security services.
  - Risk Concentration: If insurers heavily bundle with a limited number of security providers, a compromise affecting one of those providers could expose a large pool of insureds simultaneously, potentially threatening insurer solvency.
  - Discrimination in Vendor Selection: Given the lack of common standards or certifications in the cybersecurity market, insurers might arbitrarily favor one security firm over another when creating bundles.
  - Transparency in Risk Pricing: While bundled services could provide insurers with deeper insights for better pricing, the transparency of this process, especially when using in-house services, is crucial.
Tailoring the Approach for Different Company Types
The approach to cyber insurance, including considering bundled services, should be tailored to the company's size and resources:
- For SMEs and SLTTs: Recognize that these entities are often under-resourced and may lack expertise in navigating the complex cybersecurity landscape. Cyber insurance adoption is lower in this segment. Bundling holds significant potential value here. CISOs (or IT leaders in lieu of a dedicated CISO) should look for insurers that offer bundled services tailored to SME needs, potentially making essential security controls more accessible and affordable. Evaluate bundled offerings based on how well they address common threats faced by SMEs (e.g., phishing, ransomware) and whether they provide actionable guidance. Be wary of insurers who offer minimal pre-breach services.
- For Large Corporations: These companies are more likely to have cyber insurance and face more stringent, granular assessments. CISOs should leverage their organization's robust security posture during underwriting to negotiate better terms. When considering bundled services, evaluate them critically for their security effectiveness and potential for vendor lock-in or conflicts of interest. Given larger resources, an organization might prefer using its own established security vendors rather than being steered towards an insurer's partner or affiliate, unless the bundled offering provides clear, quantifiable benefits (e.g., significant cost savings, unique real-time data sharing capabilities, enhanced coverage triggered by service use). Engage with insurers about how their access to real-time security data from bundled services translates into improved risk insights and potentially better policy terms over time.
Conclusion
Cyber insurance has evolved, offering more than just financial recovery after an incident. Insurers have the strategic potential to drive proactive cybersecurity through better risk assessment and targeted incentives. While traditional underwriting discounts and embedded services are present, bundling cyber insurance with security products and services offers a promising path to directly incentivize and facilitate enhanced cyber resilience throughout the policy lifecycle, particularly for under-resourced SMEs and SLTTs.
However, CISOs must navigate the current market carefully. The widespread adoption of bundling is hampered by complex state-level regulatory uncertainty and legitimate concerns about conflicts of interest, market concentration, and transparency. When evaluating cyber insurance policies, look beyond the coverage limits and premiums. Assess the insurer's approach to pre-breach security: do they offer embedded services, co-marketing discounts, or true bundling opportunities? If bundling is offered, scrutinize the relationship between the insurer and the security provider, seeking transparency and ensuring the bundled service genuinely meets your organization's security needs, independent of potential business-to-business incentives.
Ultimately, realizing the full potential of cyber insurance as a driver for ecosystem-wide cyber resilience will require both regulatory clarity to encourage innovation and careful due diligence from organizations to select policies and services that truly enhance their security posture.