In the previous article, we saw how taking a Proactive Approach to Cyber Security is key and how it relates to Cyber Insurance. In this article we will see how cyber insurance can incentivize better cyber security practices amongst policy holders. 

RUSI (Royal United Services Institute) for Defense and Security Studies published a paper titled “Cyber Insurance and the Cyber Security Challenge” in June 2021. This paper was supported by NCSC (National Cyber Security Center). The paper provides thirteen recommendations and below we have described recommendations relevant to cyber insurance providers:

Recommendation #1 – Establish a minimum expected security baseline – Insurers should collectively agree on a set of minimum security requirements as part of risk assessments for small and medium sized enterprises. For UK, it recommends using controls used for Cyber Essentials as a minimum requirement. Cyber Essentials specifies the requirements under five technical control themes as below:

  1. Firewalls
  2. Secure Configuration
  3. User Access Control
  4. Malware Protection
  5. Security Update Management

Recommendation #2 – Partnerships with Managed Security Service Provider (MSSP) – Cyber insurance carriers should explore partnerships with managed security service providers, cloud service providers and threat intelligence providers to gain access to additional sources of data (for example not be limited to external perimeter scans). In exchange, insurers can offer reduced premiums and other financial incentives to their customers.

Recommendation #3 – Data sharing – Insurance industry needs to take a more collegial approach to data sharing. 

Recommendation #12 – Obligatory disclosure of ransomware incident – Insurers should specify that any ransomware coverage must contain a requirement for policy holders to notify the NCA and the NCSC in the event of an attack and before a ransom is paid.

Recommendation #13 – Establish a set of minimum ransomware controls – Insurance industry should work with the NCSC and cyber security partners to create a set of minimum ransomware controls based on Threat Intelligence and insurers’ claim data. Insurance carriers should require these controls to be implemented as part of any ransomware coverage. These controls should include:

Cyber insurance providers need to persuade their policy holders to take a proactive approach to cyber security (rather than a reactive one).

ThreatWatch can help your organization proactively on the following fronts:

For more information on how ThreatWatch can help you proactively secure your organization write to us at

Leave a Reply

Your email address will not be published. Required fields are marked *