The Hard Truth: Why Cyber Insurance Companies Should Demand Valid & Tested Cybersecurity Plans

January 19, 2024

In today's digital age, the importance of cybersecurity cannot be overstated. 

The ever-evolving landscape of cyber threats poses a significant risk to businesses of all sizes. Many companies turn to cyber insurance as a protective measure to mitigate these risks. 

However, recent cases and data points reveal a critical flaw in the system: insurers keep writing policies for businesses that lack a valid and tested cybersecurity plan or cannot have the security of their infrastructure independently verified. Cyber insurance companies should refuse to insure such businesses.

Trends across G2

Here are three trends we’re observing at G2 across the cybersecurity landscape that validate this mandate:

  • Escalating cyber threat landscape: Recent data breaches and cyberattacks underscore the urgent need for robust cybersecurity measures. 

High-profile incidents involving companies like SolarWinds, Colonial Pipeline, and JBS have exposed vulnerabilities in even the most seemingly secure organizations. These breaches have had significant financial and operational repercussions.

  • Soaring financial impact of cyberattacks: Cyberattacks are not just inconveniences; they come with substantial financial repercussions.

Recent data indicates that the average cost of a data breach has risen to $4.24 million, a roughly 10% increase over the previous year, making it even more crucial for businesses to invest in cybersecurity.

  • The rising cost of cyber insurance premiums: Cyber insurance premiums have sharply increased as data breaches become more prominent and expensive.

Data from the Cyber Insurance Ransomware Report 2021 revealed that the average ransomware claim increased by 171% from 2019 to 2020. This substantial surge in claims has driven insurers to raise premiums for cyber insurance policies.

Nine foundational security solutions for cyber insurance 

Companies must consider some of the following security solution categories as they build their technology stacks for the purposes of cyber insurance:

1. Attack surface management software 

This software continuously monitors networks, assets, cloud services, and other artifacts to identify and remediate vulnerabilities. 

These tools automate numerous tasks and help prioritize the threats and vulnerabilities with the greatest impact, minimizing risk. Attack surface management software also extends traditional vulnerability management, which scans the assets an organization already knows about, to discover and cover infrastructure and other internet-facing assets, including those the organization was not tracking.

2. Exposure management platform

An exposure management platform is a suite of software solutions that lets an organization understand its attack surface and then address it, continuously preventing and mitigating security risks. 

The purpose of this suite is not only to prevent likely attacks but also to report cyber risk accurately, so that the business can act before an exposure turns into a business interruption.

3. Risk-based vulnerability management software 

This is used to identify and prioritize vulnerabilities based on customizable risk factors. 

Risk-based vulnerability management software goes beyond traditional vulnerability management, which orders work by severity score alone. It ranks issues by contextual factors such as whether an exploit is known to be in use, whether the affected asset is reachable from the internet, and how critical that asset is to the business, often using machine learning models to score those factors, and then drives remediation in that order.
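To make the difference between severity-only and risk-based ordering concrete, here is an added worked example; it is not code from the article or from any vendor's product. It scores a constructed set of findings on the CVSS base score plus three contextual factors (known exploitation, internet exposure, asset criticality). The weights, the SLA thresholds, the asset names and the placeholder finding identifiers are all assumptions chosen for illustration, not real CVE IDs.

```python
"""Risk-based vulnerability prioritization, as a worked example.

Not the article's or any vendor's code. Each finding is scored on the CVSS
base score plus contextual factors: whether the flaw is known to be exploited
in the wild, whether the asset is reachable from the internet, and how critical
the asset is to the business. The weights, SLA thresholds and sample findings
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    ident: str             # scanner's finding identifier (placeholder values below)
    asset: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    exploited: bool        # listed in a known-exploited catalogue or seen in attacks
    internet_facing: bool
    criticality: int       # business criticality of the asset, 1 (low) to 5 (crown jewel)


# Assumed multipliers for the contextual factors.
EXPLOITED_WEIGHT = 3.0
INTERNET_FACING_WEIGHT = 2.0

# Constructed sample findings; identifiers are placeholders, not real CVE IDs.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("vuln-1", "dev-wiki",       9.8, exploited=False, internet_facing=False, criticality=1),
    Finding("vuln-2", "vpn-gateway",    7.2, exploited=True,  internet_facing=True,  criticality=5),
    Finding("vuln-3", "payroll-db",     6.5, exploited=True,  internet_facing=False, criticality=5),
    Finding("vuln-4", "marketing-site", 5.3, exploited=False, internet_facing=True,  criticality=2),
]


def risk_score(f: Finding) -> float:
    """Combine severity with exploitability, exposure and asset value.

    CVSS is normalised to 0..1 so that the contextual multipliers, not the
    vendor severity alone, decide the order of work.
    """
    score = f.cvss / 10.0
    if f.exploited:
        score *= EXPLOITED_WEIGHT
    if f.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    score *= f.criticality / 5.0
    return score


def remediation_sla_days(score: float) -> int:
    """Map a risk score to an assumed remediation deadline in days."""
    if score >= 3.0:
        return 3
    if score >= 1.0:
        return 14
    if score >= 0.3:
        return 30
    return 90


def prioritize(findings: List[Finding],
               key: Callable[[Finding], float] = risk_score) -> List[Finding]:
    """Return findings ordered from most to least urgent under the given key."""
    return sorted(findings, key=key, reverse=True)


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """Traditional ordering: highest CVSS base score first, no context."""
    return prioritize(findings, key=lambda f: f.cvss)


def work_queue(findings: List[Finding]) -> List[dict]:
    """Prioritised queue with score and deadline, ready for a ticketing system."""
    return [
        {
            "id": f.ident,
            "asset": f.asset,
            "cvss": f.cvss,
            "risk": round(risk_score(f), 3),
            "sla_days": remediation_sla_days(risk_score(f)),
        }
        for f in prioritize(findings)
    ]


if __name__ == "__main__":
    print("CVSS-only order:", [f.asset for f in by_cvss(SAMPLE_FINDINGS)])
    for row in work_queue(SAMPLE_FINDINGS):
        print(row)
```

Under a CVSS-only ordering the 9.8 on the isolated, low-value dev wiki is worked first; under the risk-based ordering it drops to last and the actively exploited flaw on the internet-facing VPN gateway moves to the top with a three-day deadline. The multipliers are the "customizable risk factors" in practice, and an insurer asking for evidence of a tested plan is really asking whether such an ordering exists and is acted on.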

4. Endpoint protection software 

Endpoint protection software provides security solutions to oversee and manage devices that have access to a company's or person's private network. 

These tools protect against a range of security threats and apply consistent security controls across many devices.

5. Intelligent email protection

Sometimes called human-layer security, this is a class of software solutions designed to protect a company's employees from sophisticated email-focused cyberattacks.

These tools use machine learning to analyze historical records of email content, user behavior, and email-based threats, identifying risks and developing a baseline for user behavior.

Intelligent email protection products filter incoming emails to detect and block potential phishing attacks, attachments containing malware, and links to potentially dangerous websites. They also filter outbound emails to detect accidental data leakage, data exfiltration, and the misuse of privileged data.

6. Data-centric security software 

Data-centric security software secures data itself rather than the infrastructure or application used to store or access that data. This approach differs from a traditional network (or perimeter-centric) security approach, which focuses instead on protecting where data is accessed or stored, such as on servers, networks, applications, and devices. 

The software can be used to achieve a zero trust security model and secure data in complex IT environments, including cloud environments. Businesses use data-centric security solutions to protect data that moves between locations, such as on-premises to cloud storage, between multiple applications, or to third parties.

7. Identity management software

This software is an essential component of business security. These tools help IT administrators and managers control who has access to applications, databases, and other IT assets. 

Some identity management software solutions can be used to control who can access internal systems, while others help control customer access to public content.

8. Zero trust networking software 

Zero trust networking software is a type of network security and identity management solution used to implement the zero trust security model. 

Unlike traditional network security systems, which grant broad access to anyone already inside the network perimeter in a castle-and-moat model, the zero trust model treats every access request as untrusted, whether it originates inside or outside the network, and grants access only after the identity, the device, and the specific request have been verified.
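The following added example contrasts the two decision models described above in working code; it is not from the article or from any zero trust product. Both functions decide whether a request reaches an internal application. The request fields, the assumed corporate address range, the device posture checks and the per-identity allow list are assumptions chosen for illustration.

```python
"""Castle-and-moat vs zero trust access decisions, as a worked example.

Not the article's or any product's code. Both functions decide whether a
request reaches an internal application. The request fields, the assumed
corporate address range, the device posture checks and the per-identity
allow list are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address space

# Assumed explicit authorisations: identity -> resources it may reach.
AUTHORIZATIONS: Dict[str, Set[str]] = {
    "alice": {"payroll-app"},
    "bob": {"dev-wiki"},
}


@dataclass(frozen=True)
class AccessRequest:
    source_ip: str
    resource: str
    user: Optional[str] = None         # authenticated identity, None if none presented
    mfa_verified: bool = False
    device_id: Optional[str] = None    # managed device identity, None if unknown
    device_compliant: bool = False     # patched, disk-encrypted, EDR running


def castle_and_moat_allow(req: AccessRequest) -> bool:
    """Traditional model: being inside the network perimeter is the credential."""
    return ip_address(req.source_ip) in CORP_NET


def zero_trust_allow(req: AccessRequest) -> bool:
    """Verify every request on identity, device posture and explicit
    authorisation; network location is never treated as proof of trust."""
    if req.user is None or not req.mfa_verified:
        return False                      # who is asking, strongly verified
    if req.device_id is None or not req.device_compliant:
        return False                      # from what device, and is it healthy
    return req.resource in AUTHORIZATIONS.get(req.user, set())   # may they


# Constructed requests: an unauthenticated process on an internal host (think
# malware spreading laterally), an employee working from outside the perimeter,
# and an authenticated insider reaching for data they are not entitled to.
SAMPLE_REQUESTS = {
    "worm_on_internal_host": AccessRequest("10.1.2.3", "payroll-app"),
    "alice_from_home": AccessRequest("203.0.113.5", "payroll-app", user="alice",
                                     mfa_verified=True, device_id="lt-0042",
                                     device_compliant=True),
    "bob_internal_wrong_resource": AccessRequest("10.7.7.7", "payroll-app", user="bob",
                                                 mfa_verified=True, device_id="lt-0077",
                                                 device_compliant=True),
}


def compare(requests=SAMPLE_REQUESTS) -> Dict[str, Dict[str, bool]]:
    """Decision of each model for each request, for side-by-side review."""
    return {
        name: {"castle_and_moat": castle_and_moat_allow(r),
               "zero_trust": zero_trust_allow(r)}
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:30} {verdict}")
```

The perimeter model lets the unauthenticated internal process and the over-reaching insider through simply because their packets come from 10.0.0.0/8, while it blocks a legitimate, MFA-verified employee on a healthy managed laptop because she is at home. The zero trust function inverts all three outcomes because the network address is never consulted; only verified identity, device posture and an explicit per-resource authorisation count.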

9. Microsegmentation software 

This software is a network security solution designed to divide workloads into segments and control each one individually using policy-driven, application-level security. These tools isolate components of data centers and cloud workloads using network virtualization so that each can be deployed and protected independently. 

Microsegmentation software helps companies better visualize their assets and workloads, improving visibility, detection, and remediation time, while sharply limiting an attacker's ability to move laterally through the network once a single workload is compromised.

While the software solutions above are not an all-inclusive list, they are foundational to good security practice and are treated by insurance providers as necessary in most evaluations. Having these offerings, or a combination of them, helps a business not only obtain a policy on better terms but also meet the minimum requirements for a cyber insurance policy.

Cyber insurance companies need a stricter approach

In conclusion, the recent surge in cyber threats and the financial impact of data breaches highlight the need for a stricter approach by cyber insurance companies. They must refuse coverage to businesses that do not have a valid and tested cybersecurity plan or cannot have the security of their infrastructure independently verified. 

Cyber insurers should consider the following when they are offering services and coverage to a company, no matter the size or vertical:

Increasing importance of a valid and tested cybersecurity plan

A proactive approach to cybersecurity is crucial.

Businesses must develop comprehensive cybersecurity plans addressing potential threats, vulnerabilities, and incident response strategies. Recent cases have shown that companies without such plans are left scrambling when a cyberattack occurs, resulting in increased damage and financial loss.

Ensuring independent verification of security

Cyber insurance companies should insist on independently verifying a business's security measures. Self-assessment and self-reporting of security measures can be misleading.

Some organizations may overstate their cybersecurity preparedness, only for their weaknesses to be exposed when it's too late.

The need for independent verification is supported by data: a study by the Ponemon Institute found that organizations with internal audits were 46% less likely to suffer a data breach. Insisting on third-party validation of security measures can reduce the risk for insurers and the insured.

Addressing moral hazard

Cyber insurance companies inadvertently create moral hazard by insuring businesses with inadequate cybersecurity measures.

When companies believe they are fully protected, they may feel less urgency to invest in robust cybersecurity measures. This leads to a false sense of security and increases the overall risk in the digital ecosystem.

Encouraging cybersecurity investments

Providing coverage only to businesses with a valid cybersecurity plan and independently verified security can catalyze better security practices. When faced with the prospect of being uninsurable, companies will be more inclined to invest in their cybersecurity infrastructure, ultimately reducing the overall risk landscape.

This approach can mitigate financial risks, encourage better security practices, and promote a more secure digital environment. As data breach costs and insurance premiums continue to rise, the importance of proactive cybersecurity measures and responsible insurance practices becomes even more apparent.

Watch our February episode of “Security Snippets”—a new series from G2’s Market Research team.


Edited by Sinchana Mistry


Dr. Chase Cunningham is VP of Security Market Research at G2. With over two decades of experience in Cyber Forensic and Analytic Operations, he has held senior security and analyst roles at NSA, CIA, FBI, and other government agencies, as well as with industry leaders Accenture and Forrester. A retired U.S. Navy Chief, Chase most recently was Chief Strategy Officer at Ericom Software. Chase also hosts the DrZeroTrust podcast.