Cyber insurance forces companies to rethink risk management

Cyber insurance is a unique risk transfer product for enterprises. When a company purchases property insurance, the fire that might damage its offices isn't trying to figure out better ways to burn down the building.

Cybersecurity professionals know that digital threat actors are altogether different, always working on clever, sophisticated attacks to access systems and steal sensitive data. When attackers succeed, the damage to the business's operations, reputation and bottom line can be significant. Cyber insurance, with a swiftly growing market nearing $20 billion in premiums, offers enterprises a potential shield against the worst of the financial fallout resulting from a data breach.

The cyber insurance industry, however, is changing as insurers reevaluate which types of digital risk they will cover and the reasonable cybersecurity measures customers are expected to implement. Just as a property-casualty insurer would not cover an office that did not take prudent steps to prevent or mitigate fire damage -- smoke detectors, alarms and sprinkler systems, for instance -- cyber insurance carriers are forcing businesses to defend their digital ecosystems, too. Security experts understand it is impossible to eliminate all cyber-related risk. But a strong defensive posture with protocols such as endpoint detection and response, MFA and email security can reduce the risk of costly incidents, protecting enterprises and insurers alike.

In this Reporters' Notebook video, Fahmida Y. Rashid, managing editor at Dark Reading, David Jones, reporter at Cybersecurity Dive, and Richard Livingston, editor of TechTarget SearchSecurity, discussed the role cyber insurance is playing as enterprise leaders rethink cybersecurity risk.

Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.

Editor's note: The following transcript has been lightly edited for length and clarity.

Dark Reading's Fahmida Y. Rashid: Hi and welcome to our latest edition of Reporters' Notebook. I'm Fahmida Rashid, managing editor of technology and features at Dark Reading, and I'm joined here with my counterparts from Cybersecurity Dive and TechTarget SearchSecurity. I'll have everyone introduce themselves. So, Richard, why don't you take it away?

TechTarget SearchSecurity's Richard Livingston: Hi, I'm Richard Livingston. I'm a writer and editor with TechTarget SearchSecurity.

Cybersecurity Dive's David Jones: I'm David Jones. I'm a reporter with Cybersecurity Dive.

Rashid: And for this month's Reporters' Notebook, we are going to be digging into cyber insurance. I feel like that is a term that everyone is talking about. All three of us have written a lot about the topic, and there's just so much that doesn't quite surface in people's consciousness. Richard, let's just start right off. What is cyber insurance? What is it? What is it covering? What is it for?

Livingston: Yeah, so I read a great quote the other day, and this is a unique thing, right? It's not like property insurance. I heard a great quote that said, for property insurance, fires are not trying to figure out better ways to burn you. And with cyber insurance, what we're trying to actually do is cover a risk that is trying to override your security protocols. And I think all of us know that this is getting worse, that hackers are getting more sophisticated.

They have more tools at their disposal. Really over the last 30 years or so now, cyber insurance has matured to the point where we now have a market for businesses that rely on data in the cloud, which is pretty much just about everybody. They are covering now remediation services, and that's the costs of responding to a breach, forensics, legal fees, PR, you name it.

Information security and privacy liability, the claims and damages from a breach. Regulatory defense and penalties, all the fees and the penalties and the legal costs that can come from a regulatory action if you find a damaging breach. The business interruption, the lost revenue that you're going to see there. Media liability, this could be a reputational problem, too. And then also the big one is cyber extortion. We have hackers asking for ransom and people are paying.

Rashid: A couple of years ago, I was having a conversation with security expert Jeremiah Grossman, and one of the things he said is the fact that we have cyber insurance is actually going to be a good thing for cybersecurity because we're finally attaching numbers, we're finally quantifying. Before it was like, we don't want to get breached, we don't know how much it costs or what the impact is. And now that the insurance companies are coming in and they're saying, no, we can't be loosey-goosey here. We need to know what the impact is. We need to know what it's going to cost to get, you know, back up and running. What are your liabilities? And it's going to change how we talk about cybersecurity. Just now, when you were running through all the things insurance covered, that's exactly what was reminding me that I don't think five years ago we would have even talked about liability in the context of an attack.

Livingston: Yeah, well, you know -- what's insurance? Basically, claims and actuarial tables. And as long as there is a business model for them, they're going to keep putting out coverage there, as long as they can keep getting those premiums and they're making more money than they're paying out. There's your business model.

Rashid: Dave, we were talking a little bit about what IT insurance covered. You had some really interesting insights there on what is covered or not covered and what those big questions are.

Jones: I think what has evolved over the years is that companies are starting to really understand how cyber-risk impacts the bottom line of their businesses, where it's not just, you know, a corporate CISO or an IT manager that is dealing with the fallout of a cyberattack or business disruption related to cyber. I think that what you're seeing is that companies are now dealing with not just the potential loss of data, but they're dealing with the potential disruption of their business function. So, essentially, what you have is a company may have some kind of a breach or some type of a ransomware event or other type of disruption where they functionally cannot operate for a period of hours, days or weeks at a time. And in certain cases, they can't operate kinetically. They have to shut down their factories or their connections where they have an IoT connection with various partner companies. They may not be able to sell their product.

We ran into that with companies like JLR. There were other companies that had to deal with weeks-long disruptions of their operations, where they couldn't move their product. And one of the things that cyber allows you to do is you can kind of price in the potential risk of what would happen if I basically could not move my product or operate my business for a series of weeks or days. And you have to be able to estimate, OK, let's say I'm out of business for a week. If you go back to Colonial Pipeline, for example, you basically can't move your fuel for almost a week. What kind of bottom-line impact is that going to have on my business? And how do I factor in the risk of being able to manage that?

The insurance companies, at the same time, what they do is they force you to take a really hard look at how am I prepared to be resilient? What am I doing to protect our business in the event where I can't get into my data, my employees can't get on their computers, I can't move my product to and from a warehouse? And cyber insurance will basically force you to look at how do you back up your data? How do you access your data in the event of a shutdown? What type of protocols do you put in place? Multifactor, hiding assets from the internet, using stronger passwords. And they will force you to make some very tough decisions about, you know, do I have the resources set aside where I may be going back to a very low-tech version of my business for a couple of weeks?

Rashid: I think it was last Black Hat, there was a whole session kind of touching on what you were saying, like how do you prove to the insurance company that you've done what you're supposed to do? Like insurance companies, like, 'Hey, you have to make sure you have a certain baseline.' And, you know, before you had to do an audit, and now it's questionnaires or some kind of way where they can look at your controls. So, that conversation has also been evolving, where insurance companies want you to prove before a breach that you've done everything you need to do to make sure you can recover, that you're resilient. And that is also an area that seems still a little uncertain. No one seems to have that magical formula of this is how you prove it.

Livingston: Yeah, but it's interesting. Those are being put into the policies. There are requirements in there, and there have been situations where claims have been denied if people did not keep up a certain minimum level of security. A few years ago, the city of Hamilton, Ontario, was breached, and they were fully insured. But hackers got in because they did not maintain a minimum level of MFA. And when auditors looked at it, they said, nope, this is clearly spelled out in your contract. And the taxpayers of Hamilton, Ontario, got hit with that whole thing.

Rashid: Reading that fine print, that's always where you get tripped up in these kind of things.

Livingston: And that's why other parts of the organization, besides CISOs, need to be involved, right? You need your legal teams on there. You need your analysts. This is a question of more people in the organization. This is really not so much a technical issue. It is a risk issue. And that's the whole C-suite's business.

Rashid: And I know Cybersecurity Dive had done a lot of coverage on that changing language of risk. Dave, I think it's also worth talking about the awareness from the organization's perspective, what is covered, what is not covered and what did that language of risk mean?

Jones: It's evolved over the years. If you go back about a decade, there were some fairly high-profile incidents -- cases like NotPetya and WannaCry -- where various companies from different parts of the world were impacted by these propagating events. And you had a situation where these companies were on the hook for hundreds of millions of dollars, where they couldn't function for a certain amount of time. And there were events that were kinetic disputes involving Russia, involving Ukraine. And there were questions raised because one of the things that cyber insurance has historically limited is if you are impacted during what is considered an act of war. And there were cases in the past where, if the attackers had some state-linked connections, an arm of an intelligence service or military service, and you were attacked in that type of an environment, you had to fight to get covered. [It's not] necessarily [where] you wouldn't get any coverage, but the insurance companies could put some major limitations on what they were going to pay out. What we're seeing now with the Iran war, for example, we're seeing this kind of thing pop up in other forms of insurance. You have ships that can't get oil and move into other parts of the world. You have cyberattacks that are being linked to state actors, and it's impacting the ability of companies to manufacture their products, to fulfill orders, to ship their products.

In some cases, customers hear about an attack and they automatically disconnect. We saw that with Striker, where hospitals and healthcare providers, when they became aware of what happened, just as a form of precaution, basically disconnected their services. And so, you had situations in some of these cases where you can't perform surgeries, appointments are canceled, customers are just basically in the dark until they find out if it's safe to restart their operations. And so, we've had cases in recent years of years-long battles between insurance companies and claimants, policyholders, in terms of how much of this claim gets paid, because we're talking hundreds of millions of dollars in claims, and the insurance companies don't want to be on the hook for hundreds of millions of dollars, especially if they're not sure that the proper protocols were taken to protect core assets.

There have been discussions among policyholders, among insurance companies about whether the global insurance industry is prepared for some type of potentially catastrophic event. We saw concerns raised after the CrowdStrike outage from a couple of years back, whether the industry can sustain some type of systemic event where multiple companies are impacted by some type of propagating malware or global outage or supply chain event. And we're seeing more and more of these cases where third-party companies are impacted, and they can impact dozens or hundreds of companies at the same time.

Rashid: Supply chain is always one of those where we don't always think about the blast radius. I think insurance companies are having to start thinking about that blast radius. Like one company gets breached, and now you have 12 other customers filing claims because that one company got breached. And I don't think insurers have really figured out how they're going to handle that yet. Like, it's 12 different claims, what are you going to do? You can't really say, 'You shouldn't have worked with these companies.' I think that's an area where we're going to keep hearing insurance companies evolve in their thinking. Richard, I know since we're running a little tight on time, I wanted to point back to this really cool insight you had on the downside of insurance.

Livingston: I sat in a really interesting session at RSAC and John Kindervag, the zero-trust guy, was there. He started off with this really compelling argument. He said, the rise in life insurance put a financial layer on a very ancient crime: murder.

It didn't increase murders, but all of a sudden now people had a financial benefit there. So, let's look at ransomware the same way and what we're seeing. Here's a data point that he gave us: the companies that are insured for cybersecurity are 2.8 times more likely to go ahead and pay out their ransomware request. So, what we're seeing is that hackers have at their disposal the dark web. They can find out who is insured and for how much. And in many cases, what they're doing is they are going to organizations. And when they lock up their systems, they're saying, you know what? We know that you are insured for $10 million. If you told me right now that you would pay us $10 million, we won't ask for a cent more. And that's the point that he made, is that they're a business like you're a business. And if it's a matter of paying out $10 million to save yourself $50 million worth of business losses, that's a negotiation most companies are willing to have. And they are, they're paying.

Rashid: I think a lot of the time when we talk about it, this is a bit of a tangent, but when people talk about should we pay the ransom or not paying the ransom, you're right, insurance changes that calculus a little bit. Like, it's not coming out of my pocket. So, this is why we are buying insurance, right? We buy insurance for accidents and catastrophes. So, it definitely does add a second layer to that.

I think the other thing when we were talking about this topic, all three of us were discussing the fact that with insurance providers, overall rates, like how much it costs to get insurance, has been declining slightly for the past two years. And I know for me, I was just like, this is great. This means more companies are going to buy insurance. But I think there is also a downside to lower costs.

And, you know, Dave, I think you were expressing some of those concerns about, what does it mean if policies are cheaper? And Richard, I think you had some thoughts on that as well.

Jones: I think that there have been concerns raised by the industry that when you're in a market where the risk of larger-scale events seems to be exponentially increasing, and there's a concern about concentration risk where the global insurance market is very heavily weighted toward the U.S., both in terms of the number of companies that are in the U.S. and the global industry, basically two-thirds of the market is kind of based here in the U.S. Large companies, you get some kind of systemic event that affects multiple companies at the same time, and you have a situation where one event can tilt the balance.

And so, you run into a situation where insurance companies are trying to diversify their portfolios a bit. They'd like to get smaller and medium-sized companies into their portfolios. They'd like to get companies that are based outside of the U.S. because of the penetration of the market in other parts of the world; there are a lot of companies out there that could probably benefit from insurance that aren't covered, or maybe they self-insure, or maybe they have policies that are property or casualty or some other type of policies where there is a cyber component. But if there's a really catastrophic event, do they have the adequate amount of coverage? And one of the things that insurance does for the overall market is it forces a lot of these companies to take their own internal practices more seriously, because the insurance companies will force you to do it.

They're not just going to give you a free check based on you neglecting your hygiene or neglecting your training or neglecting your overall IT stack and then expecting that the insurance company is going to cover all your losses. What's happening is that you're starting to see a lot of these companies, they're taking a much closer look in terms of making sure that policyholders are taking the steps necessary to get everybody in the company involved in the process. For example, is the board of directors involved? Are the C-suite people involved? Does everybody know if there's a ransomware attack, who's going to be responding to that emergency and the role that each individual will play in responding to that? Depending on how companies manage that process, you're going to see some adjustments in terms of how those companies pay out those claims. And you're not going to just see insurance companies write a blank check for a company that's not taking care of its own responsibilities and expecting that they're going to be covered.

I think that if you look at what's happening now with things like AI implementation, a lot of companies are rolling out agentic AI without the proper guardrails set up where they understand the risks, where they have the proper governance set up with committees, with rules about whether an employee can experiment with AI or use AI in their day-to-day work environment. What happens if there is a company or an employee that's using an AI and an unsanctioned agent and there's a huge catastrophic leak of data or disruption of the business? Insurers are going to look at that and they have to now price another level of risk in terms of, are we going to pay for a situation where a company rolled out technology, did not have guardrails in place to prepare for some type of an emergency, and things are moving so quickly in that space? That has to be something that responsible financial governments and banks and investors are going to take a very hard look at.

Livingston: I think that's a good thing. If you're giving companies a safety net, but at the same time really making them examine their cybersecurity and putting better practices in place, that's good for everybody.

Rashid: So, we're going to call it time. Thank you so much for tuning in to Reporters' Notebook. I'm Fahmida Rashid, managing editor from Dark Reading, and thanks for joining us.

Livingston: I'm Richard Livingston from TechTarget SearchSecurity.

Jones: Thanks for listening, I'm Dave Jones at Cybersecurity Dive.
