Karakor
CYBERSECURITY · INSURANCE

Cyber insurance premiums are now tightly indexed to documented controls. A firm that cannot produce written evidence of basic security hygiene is paying a premium that absorbs most of the budget that would have funded those controls in the first place.

An insurance application with twenty rows of questions, most rendered in dim warm grey. Three rows illuminated in brass — MFA, offline-recoverable backups, and EDR with active response. A premium gauge on the right tilts toward "documented" by the three levers. Warm grey and brass on near-black.
Shahed Daoud7 min read

Three years ago, cyber insurance was a checkbox. A firm filled out a short application, paid a premium that scaled with revenue and headcount, and renewed annually with minimal review. Underwriters were soft on documentation because the loss data was soft on documentation. Premiums covered roughly the right risk band even when the underwriter could not have explained the math.

That market is gone. Ransomware loss ratios from 2020 to 2023 reset the carrier economics. The carriers that stayed in the market — Beazley, Chubb, AXIS, a few others — rewrote their underwriting guidelines, tightened the application questions, and started indexing premium directly to documented controls. The firms that did not change with the market are now paying for a market that no longer exists.

This is what changed, and what to do about it.

The application is now diligence

The current cyber insurance application is fifteen to twenty pages of substantive questions. It is no longer a coverage application; it is a security audit conducted by an actuary. The questions are specific enough that an underwriter can price the risk based on the answers, and an underwriter who reads "we have MFA enforced" without supporting evidence will price the risk at the rate of the firm that does not have MFA enforced.

The questions that move premium the most, in our experience:

  • Is MFA enforced on all administrative accounts, including service accounts? Evidence requested.
  • What is the backup posture, and have the backups been tested in the last twelve months? Evidence requested.
  • What is the EDR coverage across endpoints, and what is the mean time to detection? Evidence requested.
  • What is the patching cadence for internet-facing systems? Evidence requested.
  • What is the written incident response procedure, and when was it last exercised? Evidence requested.

A firm that cannot answer those five questions in writing, with evidence the underwriter can verify, is currently paying a premium that absorbs most of the budget that would have funded the controls in the first place. We have seen this arithmetic break in real engagements: a mid-market firm paying $180k in annual premium for a posture that could be documented and remediated for less than half that, with the premium reduction in year two paying for the work.

What underwriters are reading

The underwriter is not reading the security posture document the way the buyer reads it. The underwriter is reading it the way a forensic accountant reads a financial statement — looking for the specific line items that map to claim patterns the carrier has paid out on.

Three controls have outsized weight in current underwriting models, because they correlate strongly with the loss patterns the carriers have priced:

The first is MFA on administrative accounts. The single most common path to a ransomware claim payout in the last three years has been an attacker obtaining administrative credentials through phishing or credential stuffing, then disabling defenses. MFA closes that path. Underwriters now ask for documented MFA enforcement and for the count of service accounts excluded.

The second is offline-recoverable backups. The loss pattern that drives the largest claim sizes is an attacker who finds the backup infrastructure and encrypts it before deploying ransomware to the production environment. Backups that are immutable, offline, or in a separately credentialed environment break that pattern. Underwriters ask about backup topology, retention, and the last successful restore.

The third is endpoint detection and response coverage. Loss patterns that involve an attacker dwelling in the environment for weeks before the ransomware deployment cost ten to fifty times what a same-day-detected incident costs. EDR with active response capability closes that window. Underwriters ask about coverage percentage and detection telemetry.

A firm that can document those three controls, with evidence, will see materially better quotes than a firm that cannot. Everything else in the application is signal noise compared to those three.

The ABA wrinkle for law firms

Law firms have a specific complication that other industries do not. The ABA Model Rule 1.6 obligation around competence with technology is now being read by some carriers as evidence of the firm's overall security maturity. State-bar opinions on technology competence — Florida, California, Illinois, several others in the last two years — give underwriters a frame for whether a firm is operating within its professional-responsibility envelope.

Practically, this means a firm that can demonstrate alignment with its state-bar's published technology-competence framework gets a better quote than a firm that cannot. It is now a security underwriting factor for firms, not just an ethics question.

What to do about it

The work is roughly the same work that compresses the enterprise security questionnaire. A written security posture, the three high-leverage controls documented and verified, and an incident response procedure that has been exercised in the last twelve months.

We have done this work for firms whose insurance premium reduction in the second year of the documented posture paid for the engagement that produced it. The arithmetic is not subtle: a firm paying $120k more in annual premium than it should be paying, sustained for three years, has spent more than the cost of a four-to-six-week posture engagement, and is still paying the higher rate.

The carriers will not tell you that you are overpaying. They are not in the business of repricing the risks they have already underwritten. The mechanism is at renewal. A firm that arrives at renewal with the documentation it did not have at the previous binding will see the rate adjustment. The work pays for itself.