Cyber-insurance has evolved from a financial safety net into a practical test of operational resilience, with insurers increasingly using underwriting to drive stronger security practices rather than simply pricing risk.

According to Marsh, cyber-insurance rates stabilised and in many cases declined through 2024, as improved security controls reduced both loss frequency and severity.
As the market eases, organisations have an opportunity to improve coverage. However, insurers expect clear evidence of effective controls and recovery planning, a point reinforced by the UK National Cyber Security Centre (NCSC) in its guidance on cyber-insurance.
Insurers increasingly assume that cyber-incidents will occur and focus instead on how quickly organisations can contain disruption and restore operations, particularly in ransomware scenarios.
Systemic cyber-risk remains a key concern for underwriters, especially risks linked to cloud concentration and the exploitation of widely used software.
Pricing decisions are now more closely aligned with proven security maturity than with sector-wide averages. Insurers assess the effectiveness of controls, previous claims experience and exposure to third-party risk.
Howden’s latest cyber-report shows that organisations investing in measures such as multi-factor authentication, endpoint protection and regularly tested backups have benefited from more favourable pricing.
Marsh has also reported that many organisations were able to increase coverage limits and secure improved terms at renewal when they could demonstrate measurable improvements in resilience.
Underwriting questionnaires have become more focused on specific controls, with particular attention on identity security, immutable backups, incident response planning and recovery testing.
Reuters notes that insurers now directly link controls such as multi-factor authentication to both claims outcomes and pricing decisions.
Policy wording has tightened in response to state-backed cyber-attacks and large-scale incidents, reflecting insurer concern about correlated losses across multiple policyholders. Lloyd’s has encouraged clearer treatment of state-linked cyber-activity to reduce uncertainty over how policies respond during major incidents.
Insurers are also placing greater emphasis on business continuity and recovery capability, recognising that supplier disruption or cloud outages can drive significant losses even when perimeter defences remain intact.
A growing share of serious cyber-incidents now originates from third-party compromise rather than direct attacks on the primary organisation. This creates a protection gap in which well-insured organisations remain exposed because critical suppliers lack sufficient security controls or insurance coverage.
Rather than requiring suppliers to purchase costly cyber-insurance, many organisations are focusing on raising baseline cyber-hygiene across the supply chain. The NCSC recommends proportionate security requirements, clear contractual expectations and ongoing assurance rather than one-off compliance exercises.
Targeted requirements in identity security, backup and recovery, and vulnerability management can significantly reduce downstream risk without placing an excessive financial burden on suppliers. For UK suppliers, the NCSC’s Cyber Essentials scheme remains a practical benchmark for baseline security where full audits are not feasible.
CISOs should treat underwriting as an extension of security assurance, aligning responses with verifiable evidence rather than policy statements alone.
Where market conditions allow, renewal discussions should focus on clear exclusions, access to incident response services and realistic sub-limits for ransomware and business interruption.
Strengthening supplier resilience remains critical, as systemic and third-party risk continues to dominate insurer concerns.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543