Main Logo Expert commentary on tech and security

Cyber insurance is no silver bullet for cybersecurity

Rodney Adriko / Jason R.C. Nurse 10 February 2025
Share On:
Regulators and businesses hope cyber insurance will drive stronger security practices. In reality, a narrow focus on mitigating financial loss makes it an unreliable solution
Main Top Image
Image created using Leonardo.ai

Cybercrime is projected to cost $10.5 trillion globally every year by 2025. Ransomware, advanced persistent threats, and data breaches push organisations to reduce their cyber risk. Cyber insurance is presented as a powerful tool to recover from incidents and a mechanism to incentivise better cybersecurity practices. The global cyber insurance market is expected to surpass $23 billion by 2026. 

As reliance on cyber insurance grows, questions about its value and effectiveness in strengthening cybersecurity practices have come to the fore. Despite hopes in government and policy circles, the actual impact of cyber insurance on cybersecurity practices has not lived up to expectations.

The hope of cyber insurance

Cyber insurance is designed to minimise organisations’ financial losses from cyber incidents by covering costs like breach notification, data restoration, legal fees, and even ransomware payments. Insurers evaluate an organisation’s security posture by assessing the implementation of specific security controls. For instance, does the business mandate multi-factor authentication? The presence of such security measures translates into lower risks, making the applicant a favourable or ‘good risk’ for them to insure. This benefits the applicant in terms of securing insurance and typically at a lower premium.

This idealised ‘win-win’ scenario has been central to the argument that cyber insurance fosters better cybersecurity practices. There is a nuance to this argument, though. The cybersecurity controls that insurers require would need to be comprehensive, appropriate, and effective. For instance, aligned to cybersecurity standards, such as ISO 27001 or the NIST Cybersecurity Framework. This, however, is not the case.

Far from a silver bullet

Despite its potential, research reveals that cyber insurance falls short in improving security practices. A report by the Royal United Services Institute (RUSI) think tank points out that cyber insurance policies often lack standardisation and fail to incentivise organisations to adopt security practices aligned with frameworks like ISO 27001 or NIST CSF. Another study emphasises that insurance requirements may be motivated by various other factors (eg, controls that reduce very specific risks, length of policy period, liable risks) rather than improving overall organisational security in a meaningful way. 

Not only does this gap weaken the argument for cyber insurance improving security, it also poses a risk for businesses. Organisations meeting insurance requirements (which may be minimal in terms of security) may mistakenly believe they are well-protected, only to find themselves vulnerable to attacks that exploit overlooked weaknesses. Furthermore, insurers themselves face mounting challenges as the increasing frequency and sophistication of cyberattacks result in unsustainable claim payouts.

A recent study of insurers in the US, UK, and Australia that reviewed 68 cyber insurance application forms reaches a similar, quite damning conclusion. Although international standards like ISO 27001 and the NIST Cybersecurity Framework emphasise governance and incident management as core components of security, insurance applications often, instead, emphasise technical measures like encryption, firewalls, and antivirus software. These are undoubtedly essential components of any cybersecurity strategy, but they are insufficient on their own. 

Measures such as information security policies, risk assessments, employee training, management accountability, and secure configurations are often overlooked in application forms. Ignoring these issues leaves organisations exposed. In 2017, one of the largest US consumer credit reporting agencies, Equifax, was breached – exposing 147 million individuals’ data –  because Equifax had failed to patch a known vulnerability. This lapse highlighted the critical role of governance and operational controls in preventing catastrophic risks alongside technical measures.

Surprisingly, the study also revealed that many insurers place minimal emphasis up front on incident response and recovery capabilities, even though these are crucial for mitigating cyber incidents like ransomware. This may well be because insurers offer these services post-incident anyway. While this approach eases the burden on organisations, it risks fostering overreliance on external support and could leave them less prepared internally against cyberattacks. 

The study focused only on the application forms themselves, but insurers may also use interviews, site visits, automated tools, or audits to further assess applicants. The reality, however, is that these methods are resource-intensive, so most insurers rely on application forms and their streamlined questions to reduce costs and effort. This is especially likely for small-to-medium-sized enterprises (SMEs). Given this context, a crucial noteworthy point is that SMEs make up a majority of most countries’ economies – in the UK, as of 2024, over 99% of the business population.

The shortfall lies in the intent

Cyber insurance, at its core, is designed to mitigate financial risk rather than directly enforce or promote robust cybersecurity measures. Insurers prioritise specific controls for practical reasons, like risk quantification and market demands, instead of aiming to align with comprehensive security best practices. As such, their primary goal of managing financial risk can diverge from the broader objective of enhancing security. While this may be logical from an insurance perspective, it undermines the assumption that insurance inherently promotes better, and more holistic, security practices. 

Implications for policy and practitioner communities

For policymakers

Cyber insurance alone cannot drive significant improvements in day-to-day security practices. Insurance is valuable for post-incident recovery, but its potential to incentivise stronger cybersecurity currently appears limited by its focus on a limited range of security controls. Regulators could aim to collaborate with insurers to explore the incorporation of robust governance and operational controls into application forms, aligning them with recognised frameworks like ISO 27001 and the NIST CSF.

For practitioners

Organisations must view cyber insurance as a complement to, not a substitute for, proactive security measures and recognise that meeting insurance requirements alone does not ensure comprehensive protection. Businesses must independently prioritise governance, incident response planning, and secure configurations to address vulnerabilities that insurance policies may overlook.

For insurers, aligning their policies with established cybersecurity frameworks can create long-term value because encouraging stronger controls among policyholders could reduce claims and foster greater trust in the insurance market. By addressing such risks, insurers can contribute to better security outcomes for all stakeholders.

Toward a balanced perspective

Cyber insurance, while valuable, is not the silver bullet to cybersecurity challenges that many hoped it would be. Its primary strengths currently lie in financial risk mitigation and post-incident support, not in driving proactive security measures. To unlock its full potential, stakeholders must address these limitations and integrate cyber insurance into a broader cybersecurity framework. Through collaboration between policymakers, insurers, and businesses, cyber insurance can evolve into a key component of a resilient cybersecurity strategy.

avatar
Rodney Adriko
avatar
Jason R.C. Nurse

Related

Featured image
Hooked On Trends
Fighting fake war imagery
Kye Allen 14 December 2023
Read more arrow
Featured image
Hooked On Trends
Cybersecurity in 2023 and the challenges ahead
Ollie Whitehouse 7 November 2023
Read more arrow
Featured image
Hooked On Trends
How African states challenge cyber superpowers
Nate Allen 24 September 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.