Cybersecurity and Cyber Insurance Plans Belong in the Same Basket

February 16, 2023

Between perennially rising premiums, unprecedented ransomware claims and new exceptions for state-sponsored attacks, the cyber insurance industry may be experiencing some growing pains. In addition, some insurance giants, including Lloyd’s of London, are now requiring global insurers to exclude state-backed cyber-attacks from their policies.

Forced to curb their own losses, cyber underwriters are as discerning as ever in their coverage decisions, apt to outright decline policies for companies falling behind on modernization initiatives — including cybersecurity maturity. The effort to curb risk is massive and complicated.

However, good news comes to those who mitigate cyber risk proactively. With the right controls in place, organizations can not only secure cyber coverage, but ultimately see their premium rates go down. Ahead, we’ll cover the essential cybersecurity capabilities that today’s insurance carriers seek.

Top Cyber Controls for Insurability

Amid record ransomware claims, it’s harder to find coverage today than at any time in the 26 years since the first cyber liability policy was signed. This new reality, owing to a now-unpredictable threat landscape, reinforces that overarching business-security initiatives and cyber insurance plans should go hand in hand. The stronger its cybersecurity controls, the more likely a company will be able to obtain and maintain coverage while finding some possible relief from ever-rising premiums.

Fundamentally, multi-factor authentication (MFA) is considered mandatory for any organization to achieve baseline cybersecurity maturity because its use prevents between 80% and 90% of potential cyberattacks. The same holds true for web security, such as firewalls, as well as email filters that help prevent exposure to malicious files in the first place.

And while data backups are longstanding prerequisites for enterprises, simply having them in place is no longer adequate for security or business continuity purposes, let alone favorable underwriter decisions. A higher sophistication of cyber threats requires that backups now be secured, encrypted and tested continually. Moreover, evolved recovery solutions must not only secure an organization’s most crucial data, but its business-critical processes as well. Such upgrades, when paired with a customized and practiced cyber incident response plan, minimize the impact (and likely the claim amount) associated with attacks.

Building on core security controls, insurers also tend to favor companies with established privileged access management (PAM) and third-party risk management programs. While the former uses the concept of least privilege to govern access to data and systems, the latter ensures that vendor and supply chain vulnerabilities are mitigated, a notable safeguard considering that 17% of organizations in 2022 suffered a breach due to a compromised business partner. Both of these controls effectively contribute to lower cyber risk — and higher chances of getting coverage.

Other increasingly important controls for the post-COVID digital world, such as effective endpoint detection and response (EDR) programs, account for the widespread adoption of work-from-home and bring-your-own-device (BYOD) policies. The relatively new era of remote work also highlights a heightened need for network logging and monitoring via security information and event management (SIEM), which correlates data from several different tools in a given environment.

And finally, because 82% of breaches involve a human element, it’s imperative to require a cybersecurity awareness program for employees. This should include extensive training to contend with phishing attempts, which continue to be the attack vector of choice for financially motivated cybercriminals.

In closing, it’s best to be proactive in implementing the relevant, future-facing cybersecurity controls as cyber insurance finds its new footing. Reducing organizational risk will not only preempt evolving threats, but also help secure the ideal coverage when it’s needed most.

Dara Gibson
Senior Manager, Cyber Insurability Services | Optiv
Dara Gibson has developed and managed cybersecurity services for 5 years. By blending cutting-edge technologies, unique skill sets, and proven cyber strategies, she can create lasting partnerships with clients to protect shareholder value and corporate reputations. As a nationally recognized information security leader, Mrs. Gibson is responsible for designing cybersecurity awareness programs to foster expertise in relationship management with industry leading cyber insurance and legal providers for proactive and reactive cybersecurity capabilities.
James Savard
Product Marketing Manager | Optiv
James Savard is an experienced Product Marketing Manager skilled in go-to-market strategy, content creation, product launches and enabling frontline teams to effectively consult clients about Optiv’s CDAS portfolio of services and solutions. He has spent his entire career working in technology and thrives in bringing new ideas to life as well as creating strong relationships with clients and partners. He currently resides in Denver and enjoys all the things Colorado has to offer.
