Cyber insurance is not a security strategy
A policy is the last throw of the dice, not the first. Treating insurance as your cyber strategy quietly outsources your risk appetite to an underwriter who will happily decline the claim.
Every renewal season, more boards reach for the same comfort blanket: complete the insurer’s questionnaire, pay the premium, tick the box, move on. Cyber insurance starts to look like a cyber strategy. It isn’t — and the gap between the two is where organisations get hurt.
The goal was never to be insured
Obtaining a payout was never the objective. Not having the incident was. Insurance is the last throw of the dice — and even when it pays, it doesn’t pay for the things that actually destroy value: your reputation, your intellectual property, the client and supplier relationships built over years, and the quiet erosion of the company’s worth while you spend three weeks rebuilding from backups.
A cheque doesn’t un-ring the bell. By the time the policy is doing its job, the damage that matters most has already been done.
”Ticking the box” backfires twice
Insurers have spent the last few years raising the bar: multi-factor authentication everywhere, endpoint detection, tested backups, a real patching regime. Do the absolute minimum to get over the line and you’ve achieved exactly one thing — a renewal. Not security. The controls exist on the form, not in the environment.
It backfires a second time at claim stage. If what you declared doesn’t match what you actually had in place when the incident happened, the claim can be reduced or refused outright. Plenty of organisations have discovered, at the worst possible moment, that their “cover” was conditional on controls they never genuinely implemented.
The questions a board should be asking
You don’t need to read a threat report to govern this well. Three questions get you most of the way:
- What would a serious incident actually cost us — beyond the policy limit? Downtime, lost orders, regulatory exposure, the management time consumed, the deals that quietly go elsewhere.
- Are our controls real and evidenced, or simply declared? Could we prove, today, that MFA, backups and patching are where we say they are?
- When did we last test recovery? A “backup completed” email is not a restore test. If you haven’t rehearsed it, you don’t have it.
Where insurance does belong
None of this means don’t buy cover. It means put it in the right place: a backstop for the residual risk that remains after you’ve done the work — not a substitute for doing it. Get the fundamentals real and evidenced, and the premium becomes cheaper, the claim becomes defensible, and the day you actually need it becomes survivable.
Treat the policy as the strategy, and you’ve handed your risk appetite to an underwriter whose business model depends on saying no.
Written by James Calderwood
James Calderwood is the principal at NorthCTO — board-level technology and cybersecurity leadership for UK organisations, drawn from 25+ years building, securing and running the systems most advisers only ever talk about.