From real-time threat intelligence and continuous risk assessments, to penetration testing and cyber awareness training, the range and sophistication of tools and services designed to help businesses strengthen their cyber resilience strategies today is impressive.
Yet many U.S. businesses — even those that are larger, with typically bigger security budgets — still do not fully use proactive cybersecurity services. The 2024 Cybernews Business Digital Index, for example, shows that 84% of analyzed Fortune 500 companies scored a D or worse for their cybersecurity efforts, while small businesses often lack the resources to implement robust cybersecurity measures themselves.
Looking more granularly, there are further gaps to uncover across businesses of all sizes. For example, GetApp research suggests that 72% of C-suite executives — who hold critical business data — are targeted by cyberattacks, yet 37% of companies provide no extra protection for them. Meanwhile, just one in five companies say they're "very well prepared" to defend against high-volume AI-powered bot attacks.
These gaps sit alongside the fact that cyber threats are increasing in frequency, complexity and severity, triggered by geopolitical instability, out-of-date encryption methods and, of course, advances in AI. As a result, the 2024 global average cost of a data breach reached $4.9 million (the highest figure yet and a 10% increase from the previous year), while ransomware alone costs an average of $5.2 million, with thieves having stolen over 1 billion records.
While some businesses operating among these risks have recognized the importance of investing in strategies that anticipate and mitigate risks before they materialize, gaps still remain.
Recognizing this, the cyber insurance industry is stepping in with efforts to strengthen the cyber defenses of its policyholders.
A shift benefiting policyholders, brokers and insurers alike
Aside from rising cyberattacks necessitating change, cyber insurance providers are also aware that any efforts that encourage businesses to be more proactive in this field are beneficial to all parties involved.
- Brokers: By positioning themselves as a trusted adviser and key part of businesses' resilience strategies, brokers can offer clients more than just policies.
- Policyholders: By integrating advanced security solutions as part of their insurance adoption, businesses can not only reduce their exposure to cyber risks but also strengthen their overall security posture. What's more, some insurers even offer enhanced coverage benefits for policyholders who fully implement these defenses, further reinforcing the value of leveraging insurance as a tool for resilience.
- Cyber insurers: By positioning themselves as partners in resilience, rather than just claims support providers, insurers can help businesses strengthen their cybersecurity posture, ultimately leading to fewer claims and a more robust underwriting model. As policies are increasingly structured and priced based on real-time risk assessment and continuous security improvements, rather than just historical data, the shift will ultimately transform the future of underwriting and claims.
Cybersecurity services and tools on offer
With the above in mind, many insurers are now offering their policyholders a range of cyber services at no additional cost. Examples include:
- Micro penetration testing: Preliminary penetration tests that uncover hidden system weaknesses before adversaries can exploit them.
- Phishing simulation and cybersecurity training for new policyholders: Advanced phishing simulations that mimic real-world attack methods to train employees to spot and avoid social engineering tactics.
- Cyber risk insights and recommendations: Comprehensive scans and diagnostics to quickly identify potential vulnerabilities, coupled with recommendations on remediation.
- Continuous risk assessment: Assessment of networks, endpoints, and cloud environments, ensuring any anomalies or threats are flagged in real time.
- Integration with leading security and IT platforms: Quick and seamless integration, enabling real-time risk scoring and insights.
- On-demand surveillance: Surveillance of actively exploited vulnerabilities that have the potential to affect policyholders during widespread cyber events.
Alongside these, some are also branching out into offering subscription-based cyber resiliency services. These aim to offer advanced capabilities that will significantly enhance policyholders' cybersecurity posture, without requiring costly in-house resources. Examples include Managed Detection and Response (MDR) Security Operations Center (SOC)-as-a-Service, Penetration Testing-as-a-Service (PTaaS), Cybersecurity Training-as-a-Service (CTaaS), and monitoring of user access to cloud services.
The new industry standard
As cyber risks continue to evolve, it's my view that this proactive model of cyber insurance — one that goes beyond financial protection to actively enhance security resilience — will become an industry standard. And in the long run, businesses that embrace this shift early will be better equipped to defend against cyber threats, while allowing insurers to benefit from stronger risk profiles and brokers to play an even greater role in safeguarding their clients' digital assets.
Cyber insurance is no longer just about recovering from cyberattacks — it's about preventing them in the first place.