Beyond the Breach: How Cyber Insurance Can Drive Proactive Cybersecurity


Cyber threats loom large over organizations of all sizes, posing risks from costly disruptions and reputational damage to significant financial losses. Small and medium-sized enterprises (SMEs) and state, local, tribal, and territorial (SLTT) governments often face particular challenges, potentially lacking awareness of their full cyber risk exposure, having limited resources for protection, or being unprepared to defend against or respond to attacks. While cyber insurance has become a vital tool for managing the consequences after an incident, experts are exploring its strategic potential to incentivize businesses to improve their security posture before a breach even happens.

A Shifting Relationship Between Security and Insurance

The connection between cybersecurity and insurance has evolved significantly since the first cyber insurance policy emerged around 1995. In the early days, insurers grappled with a lack of data on cyber risk. To manage this uncertainty and encourage better security, they often conducted detailed, time-consuming security assessments of potential policyholders. Some even offered premium reductions for using specific security software or getting security audits.

This "experimental cyber" period saw varying levels of coverage and relatively few policies issued. The market began to grow in the mid-2000s, largely driven by new data breach notification laws that highlighted the potential costs of technical investigations, lawsuits, regulatory penalties, and negative media attention. By 2011, the U.S. market was worth an estimated $500 million.

Following a number of high-profile hacks, the market tripled to an estimated $1.5 billion by 2015, leading to a soft market in which insurers competed for customers and drove premiums down. With relatively low loss ratios at the time, insurers moved away from time-intensive assessments, opting for lighter-touch security questionnaires that focused more on the amount and type of data a company handled than on its security maturity or technical infrastructure. This left companies, such as one small business featured in a Senate subcommittee hearing, unable to demonstrate an improved security posture based on frameworks like the NIST Cybersecurity Framework (CSF) while still facing premium increases based solely on increased revenue.

The landscape shifted again with the rise of ransomware in the late 2010s. Ransomware and extortion attacks introduced new risks beyond data exposure alone, including data deletion or distortion, ransom demands, and even physical damage. These attacks affected organizations of all sizes and led to significant losses for insurers, driving the market to harden by the late 2010s and early 2020s. In this harder market, customer demand increased, and insurers were able to reintroduce stricter measures to assess risk, including longer, more granular questionnaires focused on technical controls and, for larger businesses, even site visits and hardware examinations – reminiscent of the early days. New technologies such as security scans and partnerships with cloud providers and security scoring services also emerged to help assess risk and streamline underwriting, though these too have limitations.

Despite these changes, the market is still often focused on managing the fallout after an incident. Experts argue that cyber insurance has yet to become a robust tool to consistently help insureds implement preventative measures or enhance their resilience before an incident occurs.

The Strategic Potential of Cyber Insurers

However, cyber insurers possess unique strategic potential to help organizations improve their cybersecurity posture.

  1. A Common Goal: In the long term, both insurers and policyholders share the objective of preventing cyber incidents to avoid costs and losses. While short-term incentives might sometimes diverge, ultimately, investments in pre-breach security benefit both parties by reducing incident frequency and recovery costs.
  2. Addressing Cyber Risk with Applicable Controls: Policyholders, especially SMEs, often find the cybersecurity landscape overwhelming and struggle to understand their specific risks and the most effective controls. Insurers are in a rare position within the ecosystem to have access to data that empirically links security controls to security outcomes through claims data. This unique insight could allow them to recommend security practices grounded in evidence, not just expert opinion.
  3. Deeper Risk Insights: By potentially integrating real-time data from security providers, insurers could move towards continual compliance assessments, gaining deeper insights into the implementation of security policies, not just their existence. This could enable more accurate risk pricing and even allow insurers to alert policyholders to deviations from their security baseline, potentially pre-empting a breach.

While insurers have this potential, it is not yet the standard operating reality of the market.

Motivating Security: Sticks vs. Carrots

To move towards a future where cyber insurance actively helps businesses adopt better security from the outset, two main approaches are possible:

  1. "Sticks" (Requirements): Insurers could require businesses to meet certain security baselines by declining coverage, reducing coverage, or denying claims for non-compliance. However, declining coverage is unpopular, especially in a competitive market. Reducing coverage requires explicit, technically consistent contractual language that can be difficult to enforce. Denying claims, while a basic tool for avoiding moral hazard, appears uncommon in practice based on available data, and it risks costly legal disputes. Fundamentally, these requirements are usually tied to underwriting or renewal, so they provide little incentive for ongoing security improvements during the policy term. This approach can also create conflict between insurers and insureds rather than aligning them towards the shared goal of resilience.
  2. "Carrots" (Incentives): Insurers could incentivize businesses through premium reductions, rebates, or value-added services. Up-front premium reductions at underwriting based on demonstrated security controls (like adherence to frameworks) have been a feature of the market since its early days. However, like requirements, these don't necessarily incentivize security updates over the course of the policy.

Bundling: A Potential Pathway for Incentives

One promising incentive structure explored in the sources is bundling. Bundling, for the purpose of this discussion, refers to the combination of an insurance product with an optional, non-insurance, value-added product or service offered at an additional cost. The key benefit for the policyholder comes from receiving a reduced rate on the security service itself or a rebate on the policy premium that reflects the anticipated risk reduction from using the service.

Unlike co-marketing partnerships, which typically offer reduced premiums only at underwriting or renewal based on using a specific product, bundling has the potential to apply discounts or rebates over the course of the policy, rewarding ongoing best practices or adoption of new security systems. This allows the insured to realize benefits beyond the initial policy purchase.

Bundling differs from embedded policy features, which are value-added services provided at no additional cost as a standard benefit (e.g., complimentary vulnerability monitoring or a consultation).

Digital Forensics and Incident Response (DFIR) services provide a useful comparison. DFIR is a post-breach mitigation service widely offered by insurers, where they incorporate access to a "panel" of pre-negotiated incident response firms into the policy from the outset. Insureds contact a hotline and choose from this panel, often at rates pre-negotiated by the insurer (typically at a reduced rate compared to market value). While valuable for managing losses after an incident, DFIR paneling is not bundling because it is included in the policy cost and is a reactive service, not a pre-breach incentive.

Bundling, on the other hand, offers optional, additional services focused on risk management and mitigation before an incident. Examples could include combining insurance with vulnerability scanning, attack surface monitoring, threat intelligence reports, or even products like intrusion detection systems or security management platforms. For example, some insurers partner with security providers like SentinelOne or offer discounted rates on MDR solutions when bundled with their policies. Others leverage in-house capabilities like external scanning engines (Coalition Control) or internal security firms (Beazley Security) that integrate with the policy and provide ongoing risk management.

Bundling could be particularly beneficial for SMEs, who often lack resources and expertise. A bundled package could be tailored to their specific needs and risk profile, offering security products or services at a more affordable price. This could help them implement essential security controls, potentially making them eligible for more robust insurance coverage in the future.

Barriers and Concerns Around Bundling

Despite the potential benefits, bundling is not currently a prominent feature of the cyber insurance market. This is due to underlying market dynamics, traditional insurance practices, and regulatory challenges.

Historically, anti-rebating and anti-bundling laws emerged in the late 19th century to prevent market distortion and protect consumers, driven by concerns around insurer insolvency, inaccurate risk assessment, discriminatory practices, and conflicts of interest. While prudential regulations have evolved to better address insolvency risks today, other concerns persist in the context of cyber insurance bundling:

  • Risk Assessment and Pricing: While bundling with services like MDR could potentially give insurers better real-time insights for more accurate risk pricing, traditional security scans used in underwriting still have limitations. The market needs deeper visibility into internal controls, and bundling could help facilitate this, but the structure (in-house vs. third-party provider) could impact market transparency.
  • Discriminatory Practices: Insurers offering bundled services should make them available based on objective criteria. Concerns exist about insurers potentially partnering with one security firm over another on arbitrary bases. Given the underdeveloped cybersecurity services marketplace, lacking strong product certifications and standards, careful consideration is needed.
  • Conflicts of Interest (B2B Relationships): Insurers may gain market share and sales opportunities by partnering with external vendors or promoting their own affiliates. This could create a conflict where insurers prioritize partnerships that offer the most profit or market penetration rather than necessarily those with the strongest cybersecurity offerings. This also raises concerns about vertical integration and potential market capture, where a few major players dominate both insurance and security services across the supply chain, leading to unfair practices or policyholder lock-in.

Navigating these concerns requires careful oversight and regulation, including potentially requiring disclosure of B2B terms or mandating that insurers identify and offer discounts for multiple top-tier security providers to ensure competition.

State regulatory hurdles, whether real or perceived, remain a significant barrier. Although the NAIC amended its model law in 2020 to allow value-added services at no or reduced cost under specific conditions (e.g., related to insurance coverage, primarily for loss mitigation/control, reasonable cost relative to premium), only about half of U.S. states have lifted some form of prohibition on bundling as of January 2025. The perceived legal ambiguity and varied state approaches may deter insurers from adopting widespread bundling practices.

Conclusion: Unlocking Bundling's Potential

Bundling security services with cyber insurance presents a unique opportunity to align the long-term incentives of insurers and insureds, ultimately bolstering cybersecurity and cyber hygiene. It could also provide valuable data on which security controls are most effective, allowing insurers to guide policyholders towards better practices.

While concerns around insolvency, risk pricing, discrimination, and conflicts of interest must be carefully addressed through appropriate regulation (like prudential regulations and disclosure requirements), bundling remains a potentially powerful tool. Further research is needed to deeply understand existing bundling practices, assess their outcomes (especially for SMEs), and compare results between states with differing regulatory stances.

Policymakers and regulators should consider encouraging cyber insurers to integrate more proactive pre-breach risk mitigation tools and strategies, including exploring the potential of bundling. By clarifying regulations and promoting transparency, the cyber insurance market could move closer to the vision of becoming a key driver of cyber resilience across the ecosystem.

https://cyberinsurancecalc.com/

By Breached Company