# Cyber Insurance
## Definition
Cyber insurance is a specialized insurance product that transfers a portion of an organization's cybersecurity risk to an insurer. Policies cover financial losses arising from cybersecurity incidents: incident response costs, forensic investigation, legal fees, regulatory fines (where insurable), customer notification, credit monitoring, business interruption, data restoration, and in some policies, ransomware payments.
Cyber insurance is not a substitute for cybersecurity controls. It is a financial risk transfer mechanism that sits alongside operational controls in the RGA (Risk Governance and Assurance) domain of the Planetary Defense Model. An organization with strong security controls and cyber insurance is well-positioned. An organization with weak security controls and cyber insurance may find that the insurer denies the claim, reduces the payout, or declines to renew the policy.
The global cyber insurance market exceeded $14 billion in premiums in 2024 and is projected to grow to over $30 billion by 2030. The market has matured rapidly: five years ago, insurers issued policies with minimal security requirements. Today, insurers demand detailed evidence of security controls, conduct pre-binding assessments, and explicitly exclude coverage for organizations that do not meet minimum security standards.
## How It Works
### Policy Structure
Cyber insurance policies typically include two categories of coverage:
First-party coverage. Covers the policyholder's own losses from a cybersecurity incident. This includes:
- Incident response costs: forensic investigation, legal counsel, crisis management, and breach coaching. Many policies provide access to a pre-approved incident response panel (law firms, forensic firms, notification vendors) that can be activated immediately.
- Business interruption: revenue lost during the period when systems are offline due to a cyber event. Business interruption coverage has become critical as ransomware attacks routinely disable operations for days to weeks.
- Data restoration: costs to restore data and systems from backups or rebuild from scratch.
- Extortion/ransomware: payment of ransom demands and costs associated with ransom negotiation. Coverage for ransom payments is increasingly restricted, with some insurers excluding it entirely or capping the amount.
- Notification costs: costs of notifying affected individuals as required by breach notification laws (which vary by state and jurisdiction).
- Credit monitoring: costs of providing credit monitoring services to affected individuals.
Third-party coverage. Covers claims made against the policyholder by others affected by a cyber event. This includes:
- Regulatory fines and penalties: coverage for fines imposed by regulators (GDPR, HIPAA, state attorneys general). Insurability of regulatory fines varies by jurisdiction.
- Legal defense costs: costs of defending against lawsuits arising from a breach (class actions, individual claims, shareholder derivative actions).
- Privacy liability: claims arising from the failure to protect personal information.
- Media liability: claims arising from defamation, copyright infringement, or other media-related torts committed through digital channels.
### The Underwriting Process
Modern cyber insurance underwriting evaluates the applicant's security posture before binding the policy. The underwriting process has evolved from a simple questionnaire to a detailed security assessment:
Application questionnaire. Detailed questions about the organization's security controls: MFA deployment (and which methods), EDR coverage, backup architecture (and whether backups are immutable), incident response planning (and whether the plan has been tested), network segmentation, privileged access management, employee training, and patch management cadence.
External scanning. Many insurers conduct external attack surface scans of the applicant's internet-facing infrastructure before binding. Exposed RDP, unpatched critical vulnerabilities, and misconfigured email authentication (missing DMARC) can result in higher premiums, exclusions, or denial of coverage.
Security score reference. Some insurers reference third-party security rating services (BitSight, SecurityScorecard) as part of their underwriting assessment. These scores provide an outside-in view of the organization's security posture that complements the self-reported questionnaire.
Tiered pricing. Organizations with stronger security postures receive lower premiums. Organizations with weaker postures receive higher premiums, additional exclusions, or sub-limits on specific coverage areas. The pricing directly incentivizes security investment: every control improvement can translate to premium reduction.
### Coverage Exclusions and Limitations
Cyber insurance policies contain exclusions that policyholders must understand:
Acts of war / nation-state exclusion. Many policies exclude losses caused by acts of war or state-sponsored attacks. This exclusion became contentious after the NotPetya attack (2017), when Zurich Insurance initially denied Mondelez's $100 million claim under the war exclusion, arguing that NotPetya was an act of Russian state warfare. The case was settled, but it highlighted the ambiguity of applying traditional war exclusions to cyber events.
Lloyd's of London issued guidance in 2023 requiring all cyber policies to include state-backed cyber attack exclusions, but the definition of what constitutes a "state-backed" attack is contested. Organizations should review their war/nation-state exclusion language carefully and understand that attacks attributed to Russian, Chinese, Iranian, or North Korean state actors may not be covered.
Failure to maintain controls. If the organization represented during underwriting that specific controls were in place (MFA, EDR, backups) and those controls were not actually implemented or were disabled at the time of the incident, the insurer may deny the claim. Misrepresentation on the application is grounds for claim denial in virtually every policy.
Prior knowledge. If the organization knew of a vulnerability or ongoing compromise before the policy was bound and did not disclose it, losses arising from that known issue are excluded.
Sub-limits. Many policies impose sub-limits on specific coverage areas. A policy with a $5 million aggregate limit may have a $1 million sub-limit on ransomware payments and a $500,000 sub-limit on regulatory fines. The aggregate limit is not the per-event limit for every coverage type.
Waiting periods. Business interruption coverage typically includes a waiting period (8 to 24 hours) before coverage begins. Losses during the waiting period are not covered. An 8-hour waiting period means the first 8 hours of business interruption are the organization's cost.
### Premiums and Market Dynamics
Cyber insurance premiums increased dramatically from 2020 to 2023, driven by the ransomware epidemic. Average premium increases of 50% to 100% per year were common during this period. The market stabilized in 2024 as insurer underwriting became more sophisticated and organizations improved their security postures in response to underwriting requirements.
Current premiums vary significantly by organization size, industry, revenue, security posture, and claims history. Small businesses ($10 million to $50 million revenue) typically pay $5,000 to $25,000 annually for $1 million to $5 million in coverage. Mid-market ($50 million to $500 million) pays $25,000 to $150,000 for $5 million to $15 million. Enterprise ($500 million+) pays $150,000 to $1 million+ for $15 million to $50 million+.
High-risk industries (healthcare, financial services, technology) pay higher premiums than lower-risk industries. Organizations with prior claims pay higher premiums. Organizations that cannot demonstrate basic controls (MFA, EDR, backups) may be unable to obtain coverage at any price.
## Why It Matters
### Financial Resilience
A significant cybersecurity incident can cost millions of dollars. The average cost of a data breach in 2024 was $4.88 million (IBM Cost of a Data Breach Report). Ransomware incidents routinely cost $1 million to $10 million in total expenses (ransom payment, business interruption, incident response, legal, regulatory). For mid-market organizations, these costs can be existential without insurance coverage.
Cyber insurance converts an unpredictable, potentially catastrophic loss into a predictable, budgetable premium. The risk does not disappear. The financial impact is transferred to a party (the insurer) with the capital reserves to absorb it.
### Incident Response Access
Most cyber insurance policies provide access to a pre-approved incident response panel: forensic firms, breach counsel, notification vendors, and crisis communications consultants. For organizations without an internal IR capability or pre-existing IR retainer, the insurance panel provides immediate access to expertise that would take days to procure independently. Activating a panel at hour one rather than engaging a firm at hour 48 materially changes incident outcomes.
### Market and Contractual Requirements
Enterprise customers, partners, and supply chain participants increasingly require cyber insurance as a contractual condition. MSA language that mandates minimum cyber insurance coverage ($5 million to $10 million is common) is standard in B2B contracts. Government contracts may require specific cyber insurance provisions. Some regulatory frameworks reference cyber insurance as a risk management component.
### Security Incentive
The underwriting process creates a direct financial incentive to improve security controls. Implementing MFA, deploying EDR, building immutable backup architecture, and establishing an incident response plan are requirements for obtaining coverage at reasonable premiums. Organizations that implement these controls to satisfy insurance requirements also reduce their actual risk, creating a virtuous cycle where the insurance market drives security improvement.
## CDA Perspective
Cyber insurance sits in the RGA (Risk Governance and Assurance) domain of the Planetary Defense Model. RGA is the strategic envelope: the governance layer that ensures the organization has the structures, resources, and risk management to sustain all five inner domains. Insurance is one of four risk treatment options (alongside mitigation, acceptance, and avoidance) that the risk management framework applies to identified risks.
CDA's Perpetual Compliance Assurance (PCA) methodology addresses the continuous maintenance of the security controls that insurance underwriting requires. "Compliance is not an event. It is a state." The organization that deploys MFA to satisfy the insurance application and then allows MFA coverage to erode (new accounts provisioned without MFA, exceptions granted and not tracked) risks claim denial if a breach occurs through an unprotected account. PCA ensures that the controls represented to the insurer remain operational continuously, not just at the time of application.
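The "failure to maintain controls" exclusion and the control erosion described above are both about the same gap: what was represented to the insurer versus what is true today. Here is an added example of a continuous drift check for an MFA representation (not CDA's PCA tooling and not any identity provider's API); the directory export, the exception register and their field names are constructed assumptions standing in for an IdP report.

```python
"""Check an MFA representation made on an insurance questionnaire against the
current directory state.  Added example; ACCOUNTS and EXCEPTIONS are
constructed, and the field names are assumptions about an IdP export."""
from datetime import date

# Constructed directory export: one row per account.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "mfa": True,  "created": date(2024, 1, 10)},
    {"user": "bob",        "enabled": True,  "mfa": False, "created": date(2024, 1, 10)},
    {"user": "svc-backup", "enabled": True,  "mfa": False, "created": date(2023, 6, 1)},
    {"user": "carol",      "enabled": True,  "mfa": False, "created": date(2024, 9, 3)},
    {"user": "dave",       "enabled": False, "mfa": False, "created": date(2022, 2, 2)},
]
# Constructed exception register: every MFA exception needs an approver and an expiry.
EXCEPTIONS = {
    "svc-backup": {"approved_by": "ciso",     "expires": date(2025, 12, 31)},
    "bob":        {"approved_by": "helpdesk", "expires": date(2024, 3, 31)},  # lapsed
}
ATTESTED_ON = date(2024, 6, 1)  # date the questionnaire stated "MFA enforced for all users"


def mfa_drift(accounts, exceptions, attested_on, today):
    """Return coverage percentage, the untracked gaps, and whether the
    representation still holds.  Disabled accounts are out of scope; an
    unexpired, tracked exception is not drift, an expired or missing one is."""
    active = [a for a in accounts if a["enabled"]]
    findings = []
    for a in active:
        if a["mfa"]:
            continue
        exc = exceptions.get(a["user"])
        if exc is None:
            kind = "no_mfa_no_exception"
        elif exc["expires"] < today:
            kind = "exception_expired"
        else:
            continue
        findings.append({
            "user": a["user"],
            "finding": kind,
            # Accounts provisioned after the attestation are the classic erosion case.
            "provisioned_after_attestation": a["created"] > attested_on,
        })
    enrolled = sum(1 for a in active if a["mfa"])
    return {
        "coverage_pct": 100.0 * enrolled / len(active) if active else 100.0,
        "findings": findings,
        "representation_holds": not findings,
    }


if __name__ == "__main__":
    report = mfa_drift(ACCOUNTS, EXCEPTIONS, ATTESTED_ON, date(2024, 10, 1))
    print(f"MFA coverage {report['coverage_pct']:.0f}%, holds={report['representation_holds']}")
    for f in report["findings"]:
        print(f"  {f['user']}: {f['finding']} (new since attestation: {f['provisioned_after_attestation']})")
```

Run on a schedule against a fresh export, a non-empty findings list is the signal that the questionnaire answer has drifted and needs either remediation or a documented, approved exception before renewal.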
One TOP mission connects directly to cyber insurance:
- RGA-R03 (Insurance Coverage Review): Review the organization's current cyber insurance coverage against its risk profile. Identify coverage gaps, exclusions that may apply to the organization's specific threat landscape (including nation-state exclusions for organizations in sectors targeted by state actors), sub-limits that may be insufficient, and opportunities to reduce premiums through demonstrated security improvements. 8 estimated hours.
The interaction with adjacent domains: every security control that the insurer requires maps to a PDM domain. MFA maps to IAT, EDR to SPH, backups to DPS, the incident response plan to TID, and vulnerability management to VSD. The insurance questionnaire is, in effect, a cross-domain security assessment. Organizations that have implemented CDA's TOP missions across all six domains are well-positioned for insurance underwriting because the controls are not just documented. They are operational, measured, and continuously maintained.
CDA advises clients on cyber insurance with one caution: insurance is risk transfer, not risk reduction. A $10 million policy does not make the organization $10 million more secure. It makes the organization $10 million more financially resilient to an incident. The controls that prevent the incident (DPS through TID) and the governance that sustains those controls (RGA) are the security investment. Insurance is the financial backstop for the residual risk that controls cannot eliminate.
## Key Takeaways
- Cyber insurance transfers financial risk from cybersecurity incidents to an insurer. It covers incident response costs, business interruption, legal fees, regulatory fines (where insurable), and sometimes ransomware payments.
- Modern underwriting requires evidence of security controls (MFA, EDR, backups, IR plan, patching). Organizations without basic controls face higher premiums, exclusions, or denial of coverage.
- War/nation-state exclusions may deny coverage for losses caused by state-sponsored attacks. Organizations targeted by Russia, China, Iran, or DPRK should review exclusion language carefully.
- Premiums vary by size, industry, posture, and claims history. The market directly incentivizes security investment through lower premiums for stronger controls.
- Insurance is risk transfer, not risk reduction. It does not replace security controls. It provides financial resilience for the residual risk that controls cannot eliminate.
## Related Articles
- Risk Governance and Assurance (RGA): Outer Space
- Ransomware
- Incident Response Lifecycle
- Multi-Factor Authentication (MFA)
- Backup and Recovery Architecture
- State-Sponsored Cyber Threats: A Global Overview
## Sources
- IBM Security. "Cost of a Data Breach Report 2024." IBM/Ponemon Institute, 2024.
- Marsh McLennan. "Global Cyber Risk Analytics: Cyber Insurance Market Report 2024." Marsh, 2024.
- Lloyd's of London. "State-Backed Cyber Attack Exclusion Clauses: Market Bulletin Y5381." Lloyd's, August 2023.
- Zurich Insurance Group / Mondelez International. "NotPetya Cyber Insurance Dispute, 2018-2022." (Settlement details from court filings, Cook County Circuit Court, Illinois.)
- National Association of Insurance Commissioners (NAIC). "Report on the Cybersecurity Insurance Market." NAIC, 2024.
Written by Evan Morgan