Cyber insurance has gone from a niche product to a board-level checkbox in less than a decade. Premiums roughly tripled between 2018 and 2023, and most mid-sized companies now carry some form of policy. The pitch is straightforward: a breach is inevitable, so transfer the risk. But the experience of companies that actually file claims tells a more complicated story. Insurance pays bills. It doesn’t fix the underlying problem, and treating it as the cybersecurity strategy is how organizations end up writing very large checks twice.
What cyber insurance actually covers
A typical cyber policy reimburses some combination of incident response costs, legal fees, regulatory fines (where insurable), notification expenses, credit monitoring for affected customers, business interruption losses, and ransomware payments (though many insurers have pulled back on that last category). What it does not do is restore stolen data, undo a privacy violation, recover reputational damage, or prevent the next attack. The check arrives, eventually, after a long forensic and legal process during which the actual operational pain has already been absorbed.
The hidden underwriting tightening
The early cyber insurance market was loose. Underwriters didn’t fully understand the risk and priced accordingly. After the ransomware surge of 2020–2022, that ended fast. Today, getting a meaningful policy requires demonstrating multifactor authentication on all critical systems, endpoint detection and response coverage, regular backups tested for recoverability, employee phishing training, and a documented incident response plan. Companies that can’t show these controls get either declined, sublimited to coverage that wouldn’t cover a small incident, or quoted premiums that make self-insuring more attractive. The insurance market is now effectively forcing baseline security hygiene.
Where claims experience disappoints buyers
Three patterns recur in claim disputes. First, exclusions: many policies exclude breaches caused by unpatched known vulnerabilities, social engineering of executives (“CEO fraud”), or war-related cyber events, and “war” has been interpreted broadly after the NotPetya rulings. Second, sublimits: a $5 million policy may have a $250,000 sublimit on ransomware or regulatory fines. Third, timing: claims processes routinely take 6 to 18 months, while operational damage is realized in weeks. Companies expecting insurance to be a fast safety net often discover it’s a slow reimbursement.
What insurance pairs well with
Cyber insurance works best as the last layer of a defense-in-depth strategy, not the first. The controls that get you a good policy (MFA, EDR, tested backups, trained employees) are the same controls that materially reduce the probability and severity of a breach. Done right, the insurance ends up being a tail-risk hedge for the rare incident that gets through good defenses. Done wrong, it’s a budget line item that gives executives false confidence and forensic accountants something to argue about for a year.
The takeaway
Cyber insurance is a useful financial instrument and a terrible cybersecurity strategy. Buy a policy, but treat it as one piece of a larger plan whose real load-bearing components are detection, prevention, recovery, and people. The breach you don’t have is always cheaper than the one your insurance partially reimburses.