It’s that time of the year again: time to renew the corporate cyber insurance policy, and as the most senior cyber security professional in the company you are asked to fill out the annual cyber security questionnaire. From the CIO or CISO’s chair it can seem like the different underwriting questions asked by each carrier have little to do with your reality of managing security risk at the company. Based on the regularity of the questions asked, you could be led to believe that MFA or PAM defined your cyber security posture, but you know your primary risk is not in having MFA enabled; it’s all in the implementation.
Having spent over two decades as CIO and CISO at some of the largest brokers and carriers in the world, I’ve seen where the disconnects between technical security and insurance coverage repeatedly occur—and more importantly, how to bridge them.
The Growing Divide Between Security and Coverage
The cyber insurance market has fundamentally shifted. Today’s underwriting questions aren’t arbitrary—they’re based on decades of claims data and loss patterns. The questions that security leaders often dismiss as disconnected from reality are precise indicators of what drives claims payments.
Understanding the Carrier Mindset
Insurance carriers and security leaders often speak different languages when it comes to risk. While CISOs focus on comprehensive risk management and security best practices, carriers are laser-focused on empirical loss reduction—what prevents claims based on historical data. A security control might align perfectly with frameworks like NIST or ISO 27001, but if it hasn’t demonstrated measurable loss reduction in claims data, carriers won’t value it in their underwriting decisions.
This reality was starkly illustrated in the 2022 Travelers Insurance lawsuit against International Control Services (ICS). After suffering a devastating ransomware attack that encrypted their entire network, ICS filed a claim under their cyber policy. During the claims investigation, Travelers discovered that while ICS had indicated they used Multi-Factor Authentication (MFA) across their environment, it wasn’t actually implemented on several critical remote access points—a detail that emerged only after the breach. This led to Travelers attempting to rescind the entire policy, leaving ICS exposed to millions in recovery costs.
The Broker’s-Eye View of Coverage Gaps
This pattern continues to play out across the industry. Take the Sinclair Broadcast Group incident in 2021—this wasn’t just another ransomware attack. The incident encrypted critical broadcast systems and plunged the company into weeks of disruption, affecting everything from advertising systems to local news production. While Sinclair had cyber insurance, they faced significant hurdles with their $70 million claim, particularly around network business interruption coverage. The complexity arose because their policy wasn’t well aligned with their actual operational dependencies.
The recent Change Healthcare attack in February 2024 further reinforces these lessons. This wasn’t just a system outage—it was a cascading failure that disrupted healthcare claims processing nationwide. The incident showcased how technical dependencies and business interruption can extend far beyond an organization’s direct operations, demonstrating why technical leaders must understand not just their security controls, but how those controls translate into coverage requirements.
Strategic Integration: Lessons from Both Worlds
Here are the critical steps that work:
- Understand the Underwriting Logic
  - Remember that underwriting questions reflect real claims data
  - Accurately document your control environment in insurance-relevant terms
  - Align security implementations with the specific controls that insurance carriers require to procure coverage
- Bridge the Technical-Insurance Gap
  - Map your security controls directly to policy requirements
  - Maintain continuous alignment between implementations and coverage
  - Document security changes that could impact coverage
- Manage Your Policy Actively
  - Review coverage triggers with both security and insurance lenses
  - Understand exclusions from both technical and policy language perspectives
  - Regularly assess coverage adequacy against the current threat landscape
- Include Insurance Partners in Incident Response Planning
  - Integrate your broker into tabletop exercises to identify coverage gaps
  - Pre-identify and validate carrier-approved incident response vendors
  - Document notification requirements and claims procedures before an incident occurs
Moving Forward: A Unified Approach
Effective cyber risk management requires understanding both the technical and insurance perspectives. The most successful organizations treat their insurance partners as extensions of their security team, not just transactional policy providers.
The cyber insurance market has matured significantly in recent years. Today’s policies are more sophisticated, but also more demanding. Success requires understanding both the carrier’s perspective on risk and the technical realities of security implementation. Remember: your cyber insurance isn’t just a policy—it’s a critical security control that needs to be managed as diligently as any technical measure.
Among all the arrows in your risk management quiver—from security controls to incident response plans—cyber insurance stands alone as the only one guaranteed to reduce financial losses when an incident occurs. But this guarantee only holds if you’ve actively managed your coverage. Don’t just fill out the questionnaire and file away the policy. Be an active stakeholder in the insurance purchase process, understand your coverage thoroughly, and ensure your security implementations align with policy requirements. In today’s threat landscape, you can’t afford to treat it as anything less.
Further Reading
“Travelers, Policyholder Agree to Void Current Cyber Policy” – Insurance Journal, August 30, 2022
“Lessons From the Change Healthcare Ransomware Attack” – JAMA Health Forum, March 2024
“Ransomware attack knocks some Sinclair television stations off the air” – Washington Post, October 18, 2021
About the Author
Mathew Kulangara serves as Partner, Chief Information Officer and Chief Information Security Officer at Woodruff Sawyer, one of the largest independent insurance brokerages in the United States. With over two decades of experience spanning both Fortune 100 insurance carriers and major brokerages, he brings unique insight to the intersection of technology, security, and insurance.
During his tenure at Harvard, Kulangara contributed to pioneering work in cyber insurance pricing models, helping establish early frameworks for quantifying digital risk. His experience as a senior technology executive at Chubb informed his deep understanding of carrier operations and claims analytics.
Today, he advises technology startups on innovation within regulated industries and is a frequent speaker on artificial intelligence, cybersecurity, project management, and digital transformation in insurance.
Connect with him on LinkedIn or follow his insights on X @matt_cio.