Is a high cyber insurance premium about your risk, or your insurer’s?


A sky-high premium may not always reflect your company’s security posture

Black Hat USA 2025: Is a high cyber insurance premium about your risk, or your insurer’s?

When a cyber risk insurance quote lands on your desk and the premium is sky high, it’s natural to assume that the insurer is judging your environment to be high risk. So, when the next quote lands and is more acceptable, does it mean they viewed your risk differently?

According to one of the many cyber insurance presentations at Black Hat USA 2025, the reason may not be so obvious: it may be that the insurer is limiting its risk exposure to a product or service you use, rather than finding a risk within your environment.

To be more specific, an insurer may wish to cap its exposure to a single vendor in its policyholders' supply chains, because one vulnerability or outage in that product would hit many of its insureds at once. Imagine the insurer decides it can accept no more than 60% of its policyholders using product X. If your business would push it over that limit, it may simply price itself out of your business with a high quote rather than decline you outright.

The risk, therefore, is not with your environment – it's with the insurer's concentration in that supplier. In fact, there may not even be a specific weakness in the supplier's product; it may simply be that an aggregation limit set by the insurer has been reached.

As consumers, we can see this in practice. When I use a car insurance comparison site, the premium amounts vary by as much as 200%. Yet my risk is the same to all insurers, and it’s likely that some insurers are capping their risk exposure to certain car manufacturers by pricing themselves out of the market.

As the cyber insurance and cybersecurity industries become further entwined, the data-based insights from insurers' claims can – and should – improve cybersecurity posture for everyone involved, not just the insured. As a cybersecurity professional, I assume that multi-factor authentication is on by default for any company providing its employees remote access via an SSL VPN.

My assumption, though, is far from correct. A statistic shared during a presentation revealed that in the first six months of 2025, 45% of new cyber claims were a result of an SSL VPN lacking MFA. This is shocking for two reasons: firstly, why do insurers provide policies to companies that have no MFA given the risk of a claim, and secondly, why would any company not secure their SSL VPN with MFA?
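The statistic above is about MFA coverage on the VPN, and that is something you can audit from your own gateway's authentication logs rather than take on trust. The following added example (not code from the article, the presenters or any VPN vendor) parses constructed key=value log lines, classifies the factors each successful session verified into categories, and reports the share of logins that completed with only a single factor category. The log format, field names, hostnames, addresses and the factor-category mapping are all assumptions for illustration; a real appliance's syslog format will differ and the parser would need adapting.

```python
"""Audit SSL VPN authentication logs for sessions granted without MFA.

Added example. The log format below is a constructed key=value syslog style
and is not any real appliance's format; field names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample log: one authentication event per line. 'factors' lists
# the factors the gateway verified before granting (or refusing) the session.
SAMPLE_LOG = """\
2025-06-02T08:01:12Z vpn-gw1 auth: user=alice src=203.0.113.10 result=success factors=password,totp
2025-06-02T08:03:44Z vpn-gw1 auth: user=bob src=198.51.100.7 result=success factors=password
2025-06-02T08:05:01Z vpn-gw1 auth: user=carol src=203.0.113.22 result=failure factors=password
2025-06-02T08:07:39Z vpn-gw1 auth: user=bob src=198.51.100.7 result=success factors=password
2025-06-02T08:09:15Z vpn-gw1 auth: user=dave src=192.0.2.55 result=success factors=password,push
2025-06-02T08:11:58Z vpn-gw1 auth: user=erin src=192.0.2.91 result=success factors=certificate,password
2025-06-02T08:12:30Z vpn-gw1 auth: user=frank src=203.0.113.77 result=success factors=certificate
"""

# Assumed mapping of factor names to the classic categories. MFA means at least
# two *different* categories; password + PIN is two knowledge factors, not MFA.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "totp": "possession", "push": "possession", "hardware_token": "possession",
    "sms": "possession", "certificate": "possession",
    "biometric": "inherence",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) factors=(?P<factors>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    src: str
    success: bool
    factors: frozenset


def parse_log(text):
    """Turn matching log lines into AuthEvent records; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(AuthEvent(
            ts=m["ts"], user=m["user"], src=m["src"],
            success=m["result"] == "success",
            factors=frozenset(m["factors"].split(",")),
        ))
    return events


def has_mfa(factors):
    """True when the verified factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY.get(f, "unknown") for f in factors}
    categories.discard("unknown")  # unknown factor names earn no credit
    return len(categories) >= 2


def audit(text):
    """Summarise how many successful sessions were granted on a single factor."""
    successes = [e for e in parse_log(text) if e.success]
    no_mfa = [e for e in successes if not has_mfa(e.factors)]
    share = len(no_mfa) / len(successes) if successes else 0.0
    return {
        "successful_sessions": len(successes),
        "sessions_without_mfa": len(no_mfa),
        "share_without_mfa": round(share, 3),
        "users_without_mfa": sorted({e.user for e in no_mfa}),
        "sources_without_mfa": sorted({e.src for e in no_mfa}),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Failed attempts are deliberately excluded: the question an underwriter (or you) cares about is how many sessions were actually granted on a single factor, not how many were tried. Note also that a client certificate alone is one possession factor, so the `frank` session is flagged even though it used no password at all.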

What claims data reveals

According to data presented by Coalition, 55% of all ransomware attacks are initiated through a perimeter security device. And in claims where the initial access method is known, one vector dominates: credential theft.

While ransomware dominates the discussion, there was good news presented. Coalition's efforts to claw back funds lost to fraudulent transfers do have some success. In 2024, it recovered $31 million, using methods that include alerting government contacts, obtaining injunctions to freeze funds and engaging specialized crisis response experts. Recoveries average $278,000 per event; 24% of all events saw some funds recovered and 12% were recovered in full.

The cyber insurance industry continues its efforts to reduce its exposure to claims, and the presentations from various insurers showed that they are going to new lengths to do so. Depending on the policy, the insured can now benefit from services provided by the insurer, including customized cyber threat intelligence based on the insured's specific environment. This is complemented by vulnerability monitoring: when a new entry is published to the CVE database for software or hardware the insurer knows the insured runs, the insurer alerts the insured and provides guidance on the expected patching timeline.
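The alerting service described above boils down to matching a feed of new CVE records against an asset inventory and attaching a deadline. The following added example (not code from the article or from any insurer) does that for a constructed inventory and constructed CVE records; the `CVE-0000-000N` identifiers are placeholders rather than real CVEs, the `introduced`/`fixed` fields only loosely mimic the version-range shape of CVE JSON records, and the severity-to-deadline table is an assumption for illustration, not any insurer's actual guidance. The one non-obvious detail it shows is that versions must be compared numerically: as strings, `"7.2.9" > "7.2.10"`, which would mark a patched host as vulnerable and a vulnerable one as safe.

```python
"""Match published CVE records against an asset inventory and assign patch deadlines.

Added example. Inventory, CVE records (placeholder IDs) and the SLA table are
constructed assumptions; a real CVE feed needs its own parser.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Cve:
    cve_id: str
    vendor: str
    product: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet
    cvss: float
    published: date


# Constructed inventory (hostnames, vendor and product names are made up).
INVENTORY = [
    Asset("vpn-gw1", "examplecorp", "sslvpn", "7.2.9"),
    Asset("vpn-gw2", "examplecorp", "sslvpn", "7.2.10"),
    Asset("fw-edge", "othervendor", "firewall", "10.1.3"),
    Asset("mail-1", "examplecorp", "mailgw", "3.0.1"),
]

# Constructed CVE records; the identifiers are placeholders, not real CVEs.
CVES = [
    Cve("CVE-0000-0001", "examplecorp", "sslvpn", "7.0.0", "7.2.10", 9.8, date(2025, 6, 1)),
    Cve("CVE-0000-0002", "othervendor", "firewall", "10.0.0", None, 7.5, date(2025, 6, 4)),
    Cve("CVE-0000-0003", "examplecorp", "mailgw", "2.0.0", "3.0.0", 5.3, date(2025, 6, 5)),
]

# Assumed patch SLA in days after publication, keyed by CVSS qualitative rating.
PATCH_SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}


def parse_version(v, width=4):
    """'7.2.10' -> (7, 2, 10, 0): numeric tuple padded to a fixed width so that
    comparisons are numeric and '7.2' sorts equal to '7.2.0'. Non-numeric parts
    end the parse. Assumes dotted numeric versions."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return (tuple(parts) + (0,) * width)[:width]


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed (or version >= introduced when unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def match(inventory, cves):
    """Return one alert per (CVE, affected asset), soonest deadline first."""
    alerts = []
    for cve in cves:
        for asset in inventory:
            if (asset.vendor, asset.product) != (cve.vendor, cve.product):
                continue
            if not in_range(asset.version, cve.introduced, cve.fixed):
                continue
            sev = severity(cve.cvss)
            alerts.append({
                "cve": cve.cve_id,
                "host": asset.host,
                "version": asset.version,
                "severity": sev,
                "fix_available": cve.fixed is not None,
                "patch_by": cve.published + timedelta(days=PATCH_SLA_DAYS[sev]),
            })
    return sorted(alerts, key=lambda a: (a["patch_by"], a["cve"]))


if __name__ == "__main__":
    for alert in match(INVENTORY, CVES):
        print(alert)
```

Two details worth keeping when adapting this to a real feed: an unfixed CVE still produces an alert (with `fix_available` false) because the insured needs to know about mitigation even before a patch exists, and the version match is exclusive at `fixed`, so the host already running the first fixed build is correctly left alone.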

This proactive approach to reducing risk even extends to the dark web, where insurers may purchase compromised credentials or, in some instances, acquire zero-day vulnerabilities to protect their insured clients and, even more importantly from the insurer's point of view, reduce their own financial risk.

As the insurance and cybersecurity industries continue to overlap, the question for me is: just how far will the overlap go?
