
Features 18.09.2025
What’s the Best Approach to Lower Your Cyber Insurance Premiums?
We examine the advantages and limitations of using cyber insurance requirements to guide security strategy.
It has become a truism of modern cybersecurity discourse that too few organisations get the basics right. But what exactly are the “basics”? And at a time when security budgets are coming under increasing board-level scrutiny, how can CISOs prioritise the ones that really matter?
One way is to make sure the controls they put in place help to lower insurance costs. There’s a double benefit of doing so. It shows the CISO supports wider corporate cost reduction efforts at a time of growing economic uncertainty. And it means resources are focused on areas specifically selected by insurers as effective at reducing breaches. After all, their business depends on accurately pricing premiums according to such risks.
Yet controls alone do not make an organisation secure. So, what can the insurance industry teach CISOs about where to focus their strategy?
There are two broad items at the top of a long list of challenges facing today’s corporate cybersecurity bosses. The first relates to budget concerns. The UK remains in an economic slump, perpetuated by persistently high inflation and borrowing costs. Combined with new rules on national insurance and a hike in the minimum wage, it means less money to spend all around. Cyber may be critical to business success, but it’s by no means immune to corporate cost-cutting – especially as CISOs often struggle to win their case with senior management. Boardroom alignment with UK CISOs declined from 84% in 2024 to 57% this year, according to Proofpoint.
The second challenge is related: how to manage risk cost-effectively against the backdrop of an increasingly volatile threat landscape. This requires CISOs to build resilience so that, even in the event of a breach, key assets are protected and any damage can be minimised and contained. That’s becoming harder to do thanks to an infostealer epidemic flooding the dark web with corporate credentials, and an AI arms race that has democratised the means to launch convincing social engineering attacks, carry out target reconnaissance, exploit vulnerabilities and more.
The latest data from the US shows the total value of admitted direct written premiums in the cyber insurance sector decreasing last year for the first time (falling 2.3% to $7.1 billion). The same trend has been observed in the UK, according to the Assured broking team. Cheaper premiums aren’t necessarily the only reason for this. Some insurers have also acknowledged a tightening of eligibility criteria for new policyholders, including stricter security requirements and a more data-driven approach to pricing risk.
“Sometimes the only way to even get a quote is to demonstrate compliance to an industry-recognised framework” Gareth Lindahl-Wise
“Our underwriters review the full range of security controls that an organisation has implemented to assess its overall security posture and adjust premiums accordingly,” explains Coalition senior security researcher, Daniel Woods.
With that in mind, what are insurers actually looking for? Most of the experts Assured Intelligence spoke to cite endpoint detection and response (EDR), immutable backups and multifactor authentication (MFA) as key. MFA is particularly important given the proliferation of credential-harvesting infostealers today. They are thought to have been behind the mass breach of Snowflake clients last year, which was made possible thanks to a lack of MFA. It led to hundreds of millions of compromised downstream customers.
Managed detection and response (MDR), training and awareness, and patching programmes are also frequently cited by experts. However, a myopic focus on controls may not be the best way to approach security strategy, argues Assured CISO, Nick Harris.
“It’s a picture of the whole estate of cybersecurity controls and the people behind the effort that makes the real difference,” he tells Assured Intelligence.
“A focus on specific controls will ignore weaknesses that an attacker will aim to exploit. Frameworks like CIS18, COBIT, ISO, and NIST can be useful handrails to ensure that the spread of controls is being addressed. However, they need actively testing in earnest – red teams, restoration tests and more will tell you if you really are as resilient as the framework tells you.”
Gareth Lindahl-Wise, CISO at Ontinue, agrees that best practice standards and frameworks are helpful, but warns that they’re certainly not a quick win.
“One of the most effective ways to reduce cyber insurance premiums, and sometimes the only way to even get a quote, is to demonstrate compliance or alignment to an industry-recognised framework such as ISO27001, NIST or SOC2,” he tells Assured Intelligence. “From a pure business perspective, it is often useful to start talking early to brokers or insurance companies to understand their key risk factors and how well you do or don’t fit with those.”
Another consideration for CISOs is to ensure that any controls specified by insurers are deployed correctly. This is “a critical issue in loss experience”, argues Cowbell VP of underwriting and insurance, Emma Werth.
“Policyholders may have implemented some MFA, but not everywhere, and not for the crucial software, which may be the most effective in preventing loss,” she tells Assured Intelligence. “Another issue is that patching is done within a strong cadence, but that doesn’t prevent CVEs from penetrating a network outside of that patching cadence and causing damage.”
“A control’s value is realised through comprehensive deployment, proper tuning and configuration” Tom Huckle
BlueVoyant’s global head of enterprise security operations, Tom Huckle, urges CISOs to move away from a “deploy-and-forget” mindset and towards a lifecycle management approach to avoid a false sense of security.
“Before purchasing a tool, conduct a thorough review to understand the specific risk it addresses, how it will be deployed across the organisation, who will be accountable for it, and how it will be operated day-to-day,” he advises.
“A control’s value is realised through comprehensive deployment, proper tuning and configuration, and ensuring that staff are trained and resourced to use it effectively. Partial rollouts, poorly configured systems, or undertrained teams significantly reduce the return on investment (ROI) and leave gaps in protection.”
Coalition’s Woods broadly agrees, arguing that security posture should be viewed as a dynamic process, with “controls and configurations continuously being adjusted and improved” as the threat landscape changes.
“Organisations should apply this mindset broadly,” he tells Assured Intelligence. “Rather than adopting the control that requires the least effort, they should continuously adapt and configure controls in response to evolving threats and attack methods.”
Assured’s Harris explains that this is what the audit community describes as “design effectiveness” and “operating effectiveness.” He adds, “The quality of the implementation is what moves a company forward with stronger controls, both in efficacy and efficiency. Aim to be secure, and compliance will take care of itself. It’s not possible the other way around.”
Another key security best practice that could help CISOs improve posture and lower premiums is incident response planning. “Running tabletop exercises forces the business to form a plan that can be exercised in the event of a cyber attack, including internal and external communication strategies, and the importance of creating offline communication channels in preparation for an incident,” explains Caspar Rogers, senior broker at Assured. “A tabletop exercise will encourage executives to consider things they may not have thought of, like their stance on paying a ransom in the event of compromise, or deliberation about what systems they’ll prioritise restoring.”
BlueVoyant’s Huckle believes it could also surface some secondary benefits beyond streamlining post-breach processes, such as “driving investment in other controls uncovered as weak during these exercises.”
Coalition’s Woods adds that planning can help stakeholders better understand the potential consequences of cybersecurity incidents, making them more likely to invest in strong preventative controls. “Preparing for an incident can also support psychological well-being, as research shows that breaches can cause significant stress for leaders and employees of victim organisations,” he argues.
Investing in the right controls and compliance programmes is not the end of the CISO’s work here. “Ensure an accurate value of residual risk to make sure you’re buying the right amount of insurance,” Assured’s Harris advises. “Also, get value from [your policy], even when it doesn’t need calling upon. An insurance policy shouldn’t just be a bit of paper; it should include proactive support to make the business more prepared and resilient.”
“Be secure and compliance will take care of itself. It’s not possible the other way around” Nick Harris
Cowbell’s Werth adds that CISOs should be collaborating with every team in the organisation. “Cybersecurity impacts every employee, so ensuring everyone is properly following all protocols and every department has controls in place is critical,” she says.
While insurance requirements may be helpful, they aren’t a panacea for CISOs. Where carriers can also add value, however, is in enabling corporate security leaders to secure board funding for projects.
“CISOs should look for an insurer that acts as an active partner in helping insureds reduce their cyber risk throughout the policy term,” concludes Coalition’s Woods. “CISOs might find the insurer to be a useful ally in justifying investments in cybersecurity.”
Heath Renfrow, CISO at Fenix24, shares five insurance-related tasks he believes CISOs would benefit from conducting.