P&C the July August 2025 issue

Brokers Poised to Guide Digital Defenses

As bundling cyber insurance with the right security products becomes more prevalent, clients need broker insights and expertise.
By Sezaneh Seymour Posted on July 11, 2025

But this year felt different.

I attended RSAC to discuss digital supply chain security and the national security implications of so many organizations falling below the cyber poverty line—the point at which an entity has the financial resources and expertise to secure its systems. Yet nearly everyone I met wanted to talk about cyber insurance.

They asked similar questions: what role do cyber insurers and brokers play in today’s cybersecurity ecosystem? Are they helping clients evaluate security products? Can insurers, brokers, and vendors work together to demonstrate cybersecurity ROI?

I have long believed cyber insurance would become the crossing guard of the cybersecurity market, helping direct the pace and priority of businesses’ investments to better align with their digital risk. Could these questions point the way toward a pivotal shift for our industry?

Businesses of all sizes are targets for hacktivists, cybercriminals, and nation-state actors. However, smaller organizations in particular struggle to understand, quantify, and mitigate their risk. This difficulty stems partly from the need for vast amounts of empirical data: real-time understanding of threat actor behavior, which vulnerabilities are actively being exploited, the traits of resilient organizations, and insight into the relative quality of security products. Few businesses have the knowledge, perspective, or incentive to invest the millions of dollars necessary to gather and analyze this data—except cyber insurers.

Businesses both want and need this information as digital risk grows. The United States is now the leading target for ransomware worldwide, accounting for 47% of global victim organizations from April 2023 through March 2024—a higher share than in previous years. Dark web advertisements selling information on security weaknesses that can be used to breach U.S. companies are more numerous than those for any other country, with education, retail, and professional services among the most advertised. Despite the media focus on ransomware, more than half of cyber insurance claims stem from business email compromise and fraudulent fund transfers—incidents that can be just as devastating and nearly as costly.

While Fortune 500 companies may recover from a digital disruption, a single incident can force a small business to close its doors for good. It is therefore no surprise that more organizations are turning to cyber insurance to transfer the financial pain from these risks, making it the fastest-growing insurance segment. Experts project the market will double in size every three years.

The anticipated scale of our industry is leading more non-insurance professionals to ask whether cyber insurance could address more than just the financial impact of risk. Can it also help businesses become more resilient so they suffer fewer disruptions in the first place? Research from the Institute for Security and Technology (IST), released on the first day of RSAC, suggests it can. The study concludes that more cyber insurers should be encouraged to bundle pre-breach cybersecurity tools and services with their policies.

Burgeoning Bundling

Cyber insurance has evolved from relying on outdated and often inaccurate self-assessment questionnaires to using technology to assess policyholders’ risks by evaluating them as a digital criminal would—by searching for unsecured digital windows and doors. Today’s leading insurers now go beyond accurate underwriting to offer security services as part of standard policies, including customized monitoring, alerts, and on-demand technical support to help policyholders remediate vulnerabilities throughout the life of the policy and before they lead to breaches. These integrated services have had a significant and measurable impact for policyholders at my organization, resulting in 73% fewer claims than the market average.

Still, we can do more. This is where bundling comes in.

Bundling in this context describes a cyber insurer presenting a potential policyholder with one or more optional non-insurance security products or services they can purchase at additional cost with their policy. That combination will typically result in a reduced policy premium that reflects the anticipated risk reduction from implementing the products or services—whether they are purchased through a third party or insurer affiliate.

Bundling insurance with cybersecurity tools like managed detection and response (MDR), endpoint security, or employee security awareness training has logical appeal. However, uptake lags in practice due to regulatory gray areas and regulators’ concerns about competitiveness and discriminatory practices. Competition concerns have previously surfaced in life insurance, with regulators concerned that insurers or brokers bundling services unrelated to the policy could obscure actual pricing and impair insurer understanding of the market. Regulators also worried that insurers and brokers might offer discounts unevenly, opening the door to arbitrary or discriminatory practices.

The IST study assesses these risks and rewards in detail, and I couldn’t do justice to its work in this short piece. But its recommendations include encouraging insurers to offer bundled, vetted cybersecurity products alongside coverage to bridge the costly gap between mere risk transfer and genuine risk reduction.

Brokers stand poised to shape this transformation. Equipped with empirical insights from insurers, brokers can help clients, especially small and midsize businesses, navigate complex markets and select controls that truly reduce their risk.

Too often, companies underestimate their cyber risk or invest in advanced tools that don’t align with their risk posture. For example, I know of more than one business that purchased a sophisticated endpoint detection and response (EDR) product but still suffered a breach because no one monitored its alerts on nights or weekends. With expert advice from a broker, insurer, or other security professional, those firms likely would have chosen an MDR service instead. MDR pairs EDR technology with human oversight, providing around-the-clock monitoring and a much more effective defense suitable for their operations.

The Regulatory Landscape

Insurance regulation has not kept pace with the fast-moving landscape of cyber threats and security solutions. Many regulatory approaches governing personal or commercial lines are applied by default to cyber risk. Yet, cyber risk is fundamentally different from traditional perils like fire or theft: it is dynamic and can be mitigated in near real-time. A homeowner can’t move their home out of the path of a hurricane, but cyber insurers do the digital equivalent of this for policyholders every day. That’s just one of many reasons why regulators should approach cyber as a distinct peril and product, and bundling is a good opportunity to do so.

Recent amendments to relevant model laws adopted by the National Association of Insurance Commissioners have sent a positive signal regarding the value of bundling. Many anti-rebating laws prohibited insurers from offering products or services not explicitly stated in the policy. However, in recent years, regulators have amended a model law to allow that option, recognizing the potential benefits of certain non-insurance offerings. But model laws are not always adopted uniformly, or even at all. While some states permit bundling, inconsistent legislation and the history of anti-bundling provisions may chill firms’ willingness to move into this area quickly absent a stronger signal. Public statements from state Departments of Insurance encouraging insurers to explore opportunities to offer policyholders more comprehensive protection by bundling cyber insurance with complementary products or services would go a long way.

Rapid growth and massive insurer investments to better understand digital risk have created an unprecedented opportunity for insurers and brokers to serve as both a safety net and strategic advisor, especially for organizations struggling to keep pace with today’s threats. Together, insurers and brokers can guide the market away from fragmented, reactive solutions and toward scalable, data-driven resilience.

Sezaneh Seymour is vice president, head of regulatory risk and policy, Coalition.
