← All insights
Strategy

Cyber insurance — friend or foe?

Just ask yourself: “is saving the cost of the ounce of prevention worth the pounds of cures you’ll need when a cyberattack comes?

With increasing costs, inconsistently applied assessments, and failure to deliver, we’re seeing organizations drop cyber insurance. Despite a promise to mitigate the financial risk associated with cyber incidents, cybersecurity insurance is plagued with significant issues that can reduce its effectiveness and may even create risks of its own.

Cyber insurance is meant to be a risk transference mechanism. The potential financial cost of a cyber incident is covered by an insurer who, in return for your premiums, agrees to pay out in the event of an incident, subject to conditions. But because cyber insurance is built on more traditional products such as life insurance, it can’t comprehend or handle the rapidly changing risk cyber presents. The measurement of impact is dubious too, and fixates on fines and alerting costs.

To be more specific we can identify the following ongoing problems with cyber insurance:

1. Ambiguity in Coverage

A big problem with cybersecurity insurance is the lack of standardization in coverage. Policies vary widely in what they protect, and many carry numerous exclusions. Some cover data breaches but exclude phishing scams. Others cover ransomware but refuse to pay for attacks that exploit unpatched software. This ambiguity makes it hard for companies to understand what they are buying, and leaves them exposed to uncovered losses.

The language itself is often vague and open to interpretation, which breeds disputes the moment a company tries to file a claim.

A survey done by Sophos found that the cybersecurity insurance policies their respondents have aren’t adequate for the job. For example, only 64% have insurance that covers ransomware, one of the best reasons to have coverage in the first place.

2. High Premiums and Rising Costs

The rising frequency and severity of cyberattacks have pushed premiums up, which hits smaller organizations hardest. Insurers respond to the growing risk by raising premiums, cutting coverage limits, and tightening underwriting requirements. Many companies get priced out of the market, or accept policies that offer minimal protection.

For organizations that cannot afford premium policies, the level of protection may be so limited that it renders the insurance only marginally helpful in the event of a significant cyber incident.

3. Moral Hazard and Reduced Incentives for Cybersecurity

Cybersecurity insurance creates a “moral hazard”: companies invest less in security because they believe insurance has them covered. Lean too hard on the policy instead of improving your defenses and you stay just as vulnerable, which drives up incidents and claims alike.

This complacency can undermine cybersecurity overall, making networks more susceptible to breaches and leading to more significant losses in the long run.
Its also a terrible strategy – a reliance on an insurance plan that isn’t actually going to cover your losses. So really is it actually risk transference or just a head in the sand gamble?

4. Underestimation of Systemic Risk

Systemic risk is where the model really strains. An attack on a single vulnerable system can cascade across companies and whole industries. The NotPetya attack in 2017 did exactly that, causing extensive losses across sectors. Because modern technology is so interconnected, one widespread cyber event can trigger massive claims that insurers aren’t prepared to handle.

Insurers can’t predict or price these risks accurately, which leaves them exposed to catastrophic losses that threaten their own stability. The result is higher premiums, or less coverage available to policyholders.

5. Difficulty in Quantifying Cyber Risks

Unlike physical risks, cyber risks are inherently more difficult to quantify due to their unpredictable and evolving nature. Insurers typically assess risk based on historical data, but cyber threats change rapidly, and past data may not accurately predict future incidents.

They also tend to rely on methods which grossly oversimplify risk, for example the various security scoring platforms out there. These provide a simple answer to a complex problem, which is fine if you think the law of averages applies, unless of course your average is way off.

Pricing the product accurately becomes near impossible. Policies end up either underpriced and financially unsustainable, or overpriced and off-putting. And with limited data, insurers reach for restrictive conditions and exclusions, which erodes the value proposition even more.

Read about the reason premiums are not paid out – here

If not cyber insurance, what?

We’re not telling you to not have cyber insurance, in many cases its a must have (doesn’t mean its actually useful, lets not talk about security theater). However if you choose to go without, or want to try and lower your costs the best insurance is what you can do for yourself- close the proverbial doors and windows of your estate and reduce the risk of a breach significantly. It is less costly in terms of money and time to ‘prevent the breach’. A ‘prevention is better than cure mindset’ is key.

We’re not telling you to not have cyber insurance, in many cases its a must have (doesn’t mean its actually useful, lets not talk about security theater)

Conclusion

Cybersecurity insurance can provide financial relief after an incident, but the sector is stacked with problems. Ambiguous coverage, high costs, stringent underwriting, moral hazard, systemic risk, the sheer difficulty of quantifying cyber risk: together they explain why the field is getting more complex and less used. Until insurers fix these issues, insurance stays an imperfect tool. Keep investing in real security measures and treat the policy as one part of a wider risk management strategy, not the whole of it.

The best cyber insurance is a consistent and comprehensive approach to identifying and fixing vulnerabilities across the technology estate, driven by a knowledge of your own attack surface, threats, vulnerabilities and exploits.

Our Incenter platform and security assessment services firmly place an organization in a proactive place, so regardless of your thoughts on cyber insurance, we can help you minimize your risk.

More in Strategy
Nobody Gives a S##t About Cybersecurity: A Postcard from the Edge of the IndustryMar 23, 2026 · 11 minThe Day Zero Trust DiedMar 9, 2026 · 8 minThe $10M Distraction: Why 50,000 CVEs Don't Matter (But 3 Attack Paths Do)Feb 16, 2026 · 3 min
Talk to an expert