Cyber Insurance – Complementary or proactive service (Part 1).
This is the first in a series of articles reviewing the most common complementary and proactive services that insurers package with their cyber insurance products.
The vast majority of these features can be boiled down to a dozen or so. Here is my personal ranking by customer value, broken down into three tiers.
Tier 3
Cyber risk engineering – This refers to pre-loss technical advisory services focused on complex, bespoke operational risk — things that go beyond standard policy coverage and into active risk mitigation at the infrastructure level. It can be relevant for larger manufacturing, critical infrastructure, energy, or OT-heavy environments. For a standard commercial SME or professional services firm it delivers near-zero value.
It also tends to be advisory-only: recommendations require the insured to have internal engineering capacity to act on them, which further limits practical impact for the typical buyer.
Too ad hoc and too industry-dependent to be rated higher.
Penetration testing - High technical value in theory (and plenty of respect within the security industry): it identifies exploitable attack paths that automated scanning misses. But there are two problems with this offering from my perspective. First, you need to reach a certain level of security maturity to act on the findings (how would a small company digest a 60-page report listing 40 vulnerabilities?).
Second, it is the least universally applicable service on the list: annual pen tests are most relevant for organizations with complex external attack surfaces, typically mid-market and above. And those companies should already be running their own pen tests.
Risk platform / portal - Enables self-service monitoring, asset visibility, and continuous risk posture tracking. There are plenty of third-party solutions that consolidate risk scores based on the arbitrary state of exposed assets. Quality varies heavily, and in my personal experience, it’s a coloring-book exercise masquerading as security. Some will also “assess” your risk without your consent in a “pay-to-dispute” model.
A lot of room for improvement for this type of service.
Third-party risk assessment – Similar to penetration testing, it gives a snapshot of the security posture of your suppliers and service providers, but the insured often cannot compel those vendors to remediate, particularly if they are a small customer of a large platform.
Claims relevance is growing (supply chain incidents are increasing as a share of losses) but still represents a minority of total claims volume for the SME-to-mid-market segment. I think this has the potential to grow in value as mutual assurance frameworks improve.
Pre-breach advisory - Useful guidance on security posture, vendor selection, policy development, and control design. But it provides no direct operational input and no measurement, and the client must have meaningful internal capacity to implement the recommendations.
Smaller companies will struggle to extract value from this exercise, but it can be useful as an independent perspective for the mid-market. Tier 3 it is.