Erich Kron, Security Awareness Advocate, KnowBe4
April 25, 2025
COMMENTARY
It is not news that cyberattacks are considered a top global concern. In 2024, the average financial cost of cyber incidents worldwide was $4.88 million. In the US, the average was even higher: $9.36 million. The ramifications of a cyberattack are more than just the obvious ones. The obvious costs, such as damage to infrastructure, lost revenue, attorney fees, incident response, and the resulting security enhancements, make up only half of that impact.
On the flip side are the lesser-known costs — the payment of the ransom; resulting regulatory fines or civil sanctions; loss of customers, profits, or employees; reputational damage; loss of intellectual property; and more. It is evident that a cyberattack can severely damage a company. The good news is that there are steps organizations can take to limit the impact of a cyberattack. This is where cyber insurance comes in.
Cyber Insurance for Large, Small, and Medium-Sized Enterprises
In 2024, it was found that while more than 80% of large corporations have cyber insurance, only about 10% of small and medium-sized enterprises (SMEs) do. Cyberattacks against SMEs can be even more catastrophic than those against large enterprises, even though large enterprises may have to pay more. This is because SMEs tend not to have the foundations in place to handle the potential damage. As a result, cyber insurance is an essential component for risk management, especially in US organizations where financial impacts of cyberattacks are escalating rapidly. Indeed, insurance can help organizations bounce back faster than ever because of its built-in protections.
Why are Small and Medium-Sized Organizations Less Likely to Have Cyber Insurance?
So, what is the holdup? The truth of the matter is that many insurance lines have in the past been shaped by major events. For example, Hurricane Andrew of 1992 changed the way property insurance was handled, while the banning of the use of asbestos in construction in the 1990s shaped the world of casualty insurance.
Save for a major cyber incident of this magnitude — such as a non-kinetic war with various geopolitical ramifications — threat actors will continue to improve at what they are doing, especially with the assistance of AI. Risk in this area will only increase. This will likely drive insurers to demand that organizations implement more robust cybersecurity controls in order to have better policies. After all, cyber insurers are less likely to assist organizations that are not proactively protecting themselves against this growing risk.
For large enterprises, that is fine. Since they typically have that stronger cyber foundation and financial capability, they can bypass insurance exclusions and snag those low premiums. For smaller or medium-sized organizations, this can be a bit more of a struggle.
High Premiums and Exclusions Are a Roadblock, but This Will Not Always Be the Case
As a relatively new line of insurance, cyber insurance will continue to be volatile and driven by recent experience. Insurers are still collecting data, including who is being attacked, how they are being attacked, and what could have prevented these attacks, and so it may take some time for them to reach an industry standard. The key for SMEs, at this stage, will be to implement effective risk controls and security measures in a gradual manner rather than a knee-jerk reactionary approach.
Cyber-insurance premiums and exclusions may continue to be a roadblock for certain organizations, especially if their cybersecurity measures are not considered up to par. However, there is no doubt that cyber insurance is and will continue to be an integral piece of the proactive cyber puzzle.
What Organizations Can Do
As with most difficult tasks, it is a matter of baby steps. Organizations do not need to solve every cyber concern at once, but they can take a targeted approach to implement a multifaceted strategy. This sort of approach will pair well with a cyber insurance policy. Considering that human factors continue to be the weakest link in cybersecurity, with 75% of breaches attributed to human risk, organizations should consider starting there. Diligence in this area can produce some of the highest rewards.
Other steps that also could be taken include:
Investing in measures like phishing-resistant multifactor authentication (MFA) to target that human risk element head on
Implementing regular software updates
Conducting vulnerability assessments and pen testing
Staying informed about what is going on in the world of cyber threats and preparing according to those threats
Developing incident response plans
Additionally, organizations could partner with cyber insurers who offer proactive risk management services for further protection. In 2025, there is no question that the ever-escalating threat of cyberattacks demands a proactive and collaborative approach between businesses, insurers, and cybersecurity experts. So, by focusing on prevention, education, and risk transfer through insurance, organizations — especially the more at-risk small and medium-sized enterprises — can take the necessary steps to protect themselves from the rapidly escalating threats of cyberattacks — all with the protection of cyber insurance.