The Cyber Insurance Safety Net is Fraying

This article is by Michael Vallas, Global Technical Principal, Goldilock Secure

Cyber insurance has been treated as a safety net for many years. Boards would transfer some risk, tick the compliance box, and reassure executives and customers that if the worst happened, there was a financial backstop.

That period is fast coming to an end.

Premiums and excess levels are rising sharply, as insurers grow ever more cautious in the light of recent events. Cyber insurance premiums have risen by some 14% this year, with the largest surges in the finance and retail sectors. Exclusions are also widening, with many policies now carving out specific types of attacks or technologies. Underwriters are asking far tougher questions and demanding hard evidence that organisations can actually defend against and recover from an attack before issuing policies.

Therefore, if you can’t prove control over your cybersecurity posture, you’ll pay more for less cover.

From form-filling to forensic scrutiny

Renewing cyber cover often meant working through a simple checklist. Do you have endpoint protection, backups, multifactor authentication, a written incident response plan? In the past, most organisations could answer “yes” to enough of those to get a policy signed off.

Now the process is far more forensic. Underwriters are looking for evidence of demonstrable control over live system security before cover is provided. During a claim, those assertions will be scrutinised and verified before any payout is considered.

Organisations must now prove how quickly they can detect and contain an incident, prevent lateral movement, and ensure backups and recovery environments are uncompromised. Insurers are rethinking their own exposure, and any failure to limit the blast radius of an attack can turn a single compromise into a multi-million-pound loss. The recent Jaguar Land Rover incident is a clear example of this: production was forced to stop, with the shutdown estimated to cost at least £50 million per week in lost output, totalling over £2 billion. The true financial damage came from halted operations, creating what is probably the most expensive cyber incident in British history – exactly the kind of prolonged disruption underwriters now fear.

Cybersecurity is now a financial control

This shift pulls cybersecurity firmly into the C-suite’s and board’s hands. Insurers are pushing more responsibility back onto policyholders, expecting organisations to invest in resilience as a condition of cover. The JLR incident showed how quickly losses mount once production lines stop. Most organisations and their supply chains will not have the option of a government-backed loan if a prolonged outage chokes revenue for weeks.

In short, cyber defences are now a financial control as much as a security one – the ability to keep critical operations running, or to disconnect and isolate parts of the estate to prevent a total shutdown, can be the difference between a painful incident and a full-blown liquidity crisis.

A new pre-renewal conversation

Business and finance leaders should be asking for much more than a slide deck filled with the names of security tools. They should be demanding clear, auditable answers to three questions: whether the company can demonstrably protect its most critical systems, whether incident response has been tested end to end, and whether recovery is both rapid and assured to be clean.

It is not enough to claim key platforms and datasets are secure; organisations must show they can physically limit their exposure. Underwriters also expect evidence that response plans will work under pressure and that restored systems and backups were isolated from the attack in the first place.

For CFOs, this goes straight to the cost of downtime and business interruption: the ability to disconnect, recover and reconnect safely, with an auditable trail, directly reduces both the impact of an incident and the likelihood of disputes over claims.

The core issue: exposure you cannot quickly contain

Behind all of this lies the simple problem of organisations being overconnected. Research shows attackers can reach high-value targets in as little as 31 minutes in sectors with heavy interconnectivity – underscoring how over-connected systems dramatically amplify risk. The same research shows that controls which limit lateral movement, such as microsegmentation, deliver clear ROI by shrinking breach costs and blast radius.

Always-on connectivity is convenient for business, but ideal for attackers.

Software-based controls remain essential, but they operate in the same domain as the threat. If an attacker can compromise the tools that are meant to defend you, they can disable monitoring, tamper with logs or silently corrupt backups. In most breaches the security tooling and firewalls were in place; they were simply bypassed. For insurers, the key risk is not the breach itself, but whether you can rapidly contain it and stop the attacker moving deeper.

Disconnect to protect, on demand

One of the most effective ways to shrink your attack surface, reduce loss severity and prove control over your security posture is to ensure your most sensitive systems are not permanently connected. They should come online only when needed, or be temporarily withdrawn from access if threat levels exceed an acceptable threshold. Hardware-enforced controls make connectivity an on-demand privilege that can be revoked instantly when risk rises.

When the ability to connect or disconnect sits outside the systems and networks being protected, attackers cannot easily see or tamper with it. High-value systems and backups can stay physically isolated and only be brought online in tightly controlled, auditable windows.

This level of physical segmentation gives underwriters confidence that blast radius and catastrophic loss are constrained. For finance leaders, it offers a clear, explainable control that reduces both the probability of extreme loss events and the uncertainty around how an incident will play out and end up defining the insurance claim.

Turning a red flag back into a safety net

Cyber insurance isn’t disappearing, but its role is changing. It is moving from a broad safety net taken for granted to a tightly priced financial instrument linked to demonstrable resilience. Organisations that treat renewal as a paperwork exercise will pay more for less cover, face tougher scrutiny, and risk finding renewal is not guaranteed.

Those who treat cybersecurity as a financial control – actively balancing spend on protection versus insurance – will secure broader cover on better terms and be less likely to need it.

For CFOs and finance leaders, the critical task is to continuously map cyber exposure in financial terms, and to insist on evidence of control, containment and recovery rather than tool inventories. It is vital to look beyond software-only defences: only hardware-enforced ways of disconnecting and protecting critical systems on demand can withstand software-based attacks.

About Alastair Walker
20 years experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
