How cyber insurance buying is changing
If you’ve been through a cyber insurance renewal lately, you’ve probably noticed how different the process feels compared with other classes of insurance.
What used to be a quick proposal form now looks more like a security audit.
Insurers want proof of Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), strong backups and other controls they deem fundamental. This leads to an increasingly common objection we often hear phrased as a question:
It’s a fair question. However, it’s built on several misconceptions. Here’s how we’re explaining it to clients.
Insurers aren’t raising requirements to make life difficult
Why insurers are demanding more
Insurers are simply responding to the nature of this type of risk, where a single event can be a catastrophic loss impacting both balance sheets and reputations. They’re also responding to historical paid claims and tightening their underwriting to match reality.
That’s why cyber insurance proposal forms require genuine evidence of security controls. At the time of loss, insurers review control representations to ensure they were accurate, in place, and operating as disclosed on the proposal form.
Ironically, strong security doesn’t make cyber insurance redundant; it’s what gets you the cover in the first place.
Why risk still exists
You can’t eliminate human error
Your biggest cyber risk isn’t technology. It’s your people.
Human error is still a major factor in breaches. No matter how excellent your controls are, or whether you outsource security to professionals, people will still click things.
Attackers are also getting smarter: zero-day vulnerabilities (where exploitation happens before the software vendor has a chance to fix the flaw), supply chain or email compromises, and social engineering don’t wait for you to be “fully ready”.
In fact, AI is helping fraudsters quickly pinpoint those organisations that are not fully ready, and are therefore ripe for targeting.
Winners and losers
Organisations with robust controls often experience premium savings at renewal, while those without them face more exclusions, lower sub-limits, or outright declines.
While it is true that insurers are asking for more control verification upfront, that doesn’t make cyber insurance any less valuable. It simply reflects a market that expects organisations to meet a basic standard before transferring any risk.
In other words, cyber insurance was never intended or designed to completely offload responsibility. It’s one mitigation tool among many, sitting alongside your controls, processes, and your biggest risk - your people.
What happens in a crisis
Compounding, systemic impacts beyond the initial incident
Cyber risk isn’t linear or fully predictable, and cyber insurance helps manage multi-pronged and compounding risks.
A cyber-attack today rarely stops at data theft. It can cascade into:
- operational disruption
- reputational damage
- regulatory exposure
- contractual breach
- litigation
- revenue loss
- crossover claims against directors and officers
The real value
While some insurance purchasers tend to focus on the limit of indemnity, the real value of a cyber policy is the expertise you gain access to as a policyholder.
Cyber insurance isn’t just the payout of indemnity. It’s the expertise you have access to on speed dial.
In chaotic and catastrophic loss claims, being an “insurable risk” gives you priority access to experts you otherwise might not obtain or might not be able to afford.
Even with strong controls in place, breaches can happen. That’s where cyber insurance steps in to offer benefits like:
- forensic specialists and triage experts
- legal and regulatory help
- data restoration
- business interruption support
- crisis communication experts
Cyber insurance is designed to give you access to specialists you don’t want to be sourcing at 2am while systems are locked and customers are calling.
This is a safety net you hope you never need, but cannot appreciate enough when you do.
Expanding relevance
More than a risk transfer tool – a resilience builder
Running alongside this evolution of cyber insurance is a more fundamental shift. It is quietly becoming a performance metric, not just a risk transfer tool.
Boards are now using the insurance application itself as a proxy health check. If an organisation can’t qualify for broad cyber cover, that’s increasingly viewed as a governance failing, similar to failing a financial audit. This turns cyber insurance into a third‑party validation mechanism, not just a policy.
Insurance as part of operations
Cyber insurance is evolving to cover not just the technical aftermath, but the second and third-order consequences that no security control can fully contain.
Cover is increasingly part of a broader “cyber resilience stack,” rather than a separate and disconnected insurance product.
Leading organisations now view cyber risk in the same way as business continuity and operational resilience - as something embedded within core operations, not bolted on. And the future is moving toward continuous oversight. Insurers are shifting toward ongoing verification through APIs, security scans, or attestations, instead of once‑a‑year questionnaires.
This will likely push organisations toward continuous cyber hygiene, not periodic “compliance sprints”. The organisations that lean into this will be far better positioned when the unexpected happens because cyber risk isn’t going away, and neither is the need for a safety net that actually works to protect the balance sheet and reputations from insurable loss.
Future predictions
A move to mandatory insurance?
In many ways, underwriters are already moving faster than regulators - requiring the controls they know reduce catastrophic loss as a condition of cover.
Underwriters have a myriad of actuarial and claims data points to inform their decision-making. In practice, cyber insurance has become one of the fastest and most effective drivers of uplift in organisational security maturity, possibly as effective as legislation.
We’re also seeing a clear shift in the commercial landscape. Major tenders and high‑value projects increasingly spell out the requirement for cyber insurance, moving well beyond the old language of “insurances deemed appropriate”. It’s becoming an explicit requirement rather than an implied one.
This naturally raises the question of whether, as regulators strengthen their frameworks, cyber insurance might eventually shift toward becoming a compulsory class of insurance.
Cyber remains a non‑prescribed class today. This means there is no mandated minimum level of cover or standardised policy wording that every insurer must provide or that every organisation must purchase. For it to become compulsory, regulators would need to introduce baseline protections or minimum insurance standards, effectively clarifying what “good” or “best‑practice” cyber cover looks like across the market.
If that happened, it could pave the way for insurers to integrate fully‑formed cyber cover into existing insurance suites such as Management Liability. For context, some Management Liability products already offer limited cyber extensions (such as social engineering or breach‑related legal costs), but these are generally narrower than proper cyber insurance.
For now, this remains speculative. But the direction driven by underwriters, regulators, supply chains and insurance buyers who are in search of best practice insurance programs seems to be moving that way.
Navigate your 2026 renewal with confidence
Each cyber policy has its own terms and conditions, and coverage can hinge on the inclusion or exclusion of a single word or phrase. If you want to explore the differences between the cyber insurance products available on the market or discuss how this insurance can protect your balance sheet and business reputation, let’s talk.
Connect with us
Speak with your Aviso Specialty representative or contact:
Jo Lucas
E: jo.lucas@avisospecialty.com.au
D: 03 8544 1615
M: 0405 020 557
Cyber Insurance Report 2026