This is largely because insurance providers hedge their risk through numerous exclusions in policies, avoiding coverage for predictable losses. The evolving nature of cyber threats and the lack of historical loss data make risk assessment challenging, rendering cyber insurance an unpredictable landscape compared to traditional forms of coverage. Consequently, the onus is on organisations to secure their assets, from cloud to operational technology, against threat actors.
Effectively preventing cyberattacks directly impacts an organisation’s ability to transfer risk through insurance. Strong and effective cybersecurity controls reduce cyber risks, thereby lowering cyber insurance premiums. With the rise in data breaches, 42% of insurance providers now require evidence of robust security measures before granting a policy. This shift has driven 97% of organisations that purchased a cyber insurance policy in 2023 to invest in improving their defences to optimise their insurance position.
Why does cyber insurance require preventive security?
A preventive approach to security allows organisations to demonstrate their resilience proactively rather than relying solely on reactive breach responses.
Preventive measures also simplify the insurance purchasing process by introducing predictable pricing structures. Standardised reports, dashboards, and risk scores offer underwriters high-fidelity data they can trust, expediting renewals and fostering a mutual understanding of cybersecurity standards. The benefits for organisations are significant — faster renewals, lower premiums, and alignment with industry best practices.
By aligning insurance policies with preventive security measures, organisations reduce their overall risk, creating a win-win scenario that benefits both themselves and insurance providers.
How can organisations adopt preventive security strategies?
The first step is identifying and assessing risks across all assets. This involves gaining visibility into not only servers and workstations but also web applications, cloud infrastructure, code repositories, containers, public-facing assets, credentials, and operational technology devices. In today’s interconnected environment, any of these assets could be exploited to launch an attack, and leaving them unsecured creates significant blind spots. Without a comprehensive view of all assets, organisations cannot make informed decisions to mitigate risks effectively.
Once full visibility is achieved, the next step is prioritising risks. CVSS base scores are the most common measure of severity, but they describe a vulnerability's intrinsic characteristics and often fail to reflect real-world exploitability or how much attention threat actors are paying to a given flaw. Organisations need unified solutions that identify misconfigurations, code flaws, and other exposures while evaluating the technical risk relationships between assets. Effective prioritisation combines threat intelligence, exploitability context, and business impact to focus on the vulnerabilities that matter most. This is where exposure management becomes critical.
After identifying and prioritising risks, remediation becomes more actionable. However, addressing vulnerabilities is not just about applying patches. It involves a combination of measures such as policy updates, system configuration hardening, code fixes, and workflow adjustments. These actions must align with the organisation’s cost, process, and feasibility constraints to ensure exposures are mitigated effectively and efficiently.
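The prioritisation step above is easiest to see with numbers. The following is an added example written for this page, not Tenable's product logic or the author's own method: it ranks a handful of constructed findings by a contextual risk score that blends CVSS severity with an exploitation probability, a known-exploited flag, internet exposure and asset criticality, and contrasts that order with a CVSS-only order. The weighting formula, the 0.9 likelihood floor for known-exploited flaws, the finding IDs and every sample value are assumptions chosen to illustrate the point, not real vulnerabilities or a standard scoring scheme.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One exposure on one asset, with the context needed to rank it."""
    id: str
    title: str
    cvss: float                 # CVSS base score, 0.0-10.0
    exploit_probability: float  # probability of exploitation in the wild, 0.0-1.0
                                # (an EPSS-style figure from a threat-intel feed)
    known_exploited: bool       # appears on a known-exploited-vulnerabilities list
    internet_facing: bool       # asset reachable from the public internet
    asset_criticality: int      # business-impact tier, 1 (low) to 5 (crown jewel)

    def __post_init__(self) -> None:
        # Reject malformed input early; a bad score would silently skew the ranking.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.id}: CVSS must be in 0-10, got {self.cvss}")
        if not 0.0 <= self.exploit_probability <= 1.0:
            raise ValueError(f"{self.id}: exploit_probability must be in 0-1")
        if self.asset_criticality not in range(1, 6):
            raise ValueError(f"{self.id}: asset_criticality must be 1-5")


def risk_score(f: Finding) -> float:
    """Blend severity, likelihood of exploitation and business impact into one score.

    The weights are illustrative assumptions, not an industry standard:
      severity   = cvss / 10
      likelihood = max(exploit_probability, 0.9 if known_exploited else 0)
      exposure   = 1.0 if internet-facing else 0.4
      impact     = asset_criticality / 5
      risk       = 100 * severity * (0.2 + 0.8 * likelihood) * exposure * impact
    The 0.2 floor keeps severity from being zeroed out when no exploit is known.
    """
    severity = f.cvss / 10.0
    likelihood = max(f.exploit_probability, 0.9 if f.known_exploited else 0.0)
    exposure = 1.0 if f.internet_facing else 0.4
    impact = f.asset_criticality / 5.0
    return 100.0 * severity * (0.2 + 0.8 * likelihood) * exposure * impact


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss_only(findings: list[Finding]) -> list[Finding]:
    """The naive ordering the article warns against, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings (not real CVEs); titles describe the scenario.
SAMPLE_FINDINGS = [
    Finding("F-1", "Critical RCE in internal build server", 9.8, 0.02, False, False, 2),
    Finding("F-2", "Medium auth bypass in public VPN appliance", 6.5, 0.85, True, True, 5),
    Finding("F-3", "High SQL injection in customer portal", 8.1, 0.30, False, True, 4),
    Finding("F-4", "Critical flaw in isolated OT HMI", 9.1, 0.01, False, False, 5),
]

if __name__ == "__main__":
    print("CVSS-only order :", [f.id for f in by_cvss_only(SAMPLE_FINDINGS)])
    print("Contextual order:", [f.id for f in prioritise(SAMPLE_FINDINGS)])
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.id} {f.title:<45} cvss={f.cvss:<4} risk={risk_score(f):5.1f}")
```

With these inputs the CVSS-only view puts the two "critical" findings on an isolated build server and an air-gapped HMI at the top, while the contextual score moves the actively exploited, internet-facing VPN flaw on a crown-jewel asset to first place. In practice the exploitation probability and known-exploited flag would be fed from a threat-intelligence source and the criticality tier from the asset inventory built in the visibility step.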
How can organisations obtain the right cyber insurance?
The process of securing cyber insurance has become more rigorous, requiring organisations to start the buying process at least six months in advance. Insurers now demand extensive information from IT, security, finance, legal, and other departments, with lengthy questionnaires that must be backed by evidence and data. To navigate this, collaboration between finance, compliance, IT, and security teams is crucial to ensure visibility into policy coverage and alignment with organisational needs.
Striking the right balance in data sharing is equally important. While insurers request substantial information, organisations must safeguard sensitive data. Personally identifiable information (PII) or business-critical data that could violate data privacy regulations need not be shared. Teams must work together to determine how much data is necessary to provide without compromising privacy or security.
The rise of ransomware has intensified these demands. Threat actors only need to succeed once to cause significant damage, pushing insurance providers to cover only those organisations with validated cybersecurity plans or independent verification. For businesses, the prospect of being uninsurable drives greater investment in preventive cybersecurity measures.
Balancing preventive security with cost-effective cyber insurance mitigates financial risks, promotes stronger security practices, and reduces overall exposure. This alignment benefits both organisations and insurers, encouraging proactive risk management in an increasingly complex threat landscape.
—The author, Rajnish Gupta, is Managing Director & Country Manager, Tenable India. The views are personal.