Cyber Insurance – Complementary or proactive service (Part 2).
This time we will have an overview of the services that I would put into Tier 2: broader reach and more relevance compared to Tier 3.
Tier 2
Risk assessment - A structured baseline evaluation of the insured's security posture with a prioritized remediation roadmap. High value for organizations with no prior maturity benchmark. Still advisory in nature: the value depends entirely on whether the client acts on the findings. Most SMEs lack the resources to systematically work through a multi-recommendation remediation plan, so the assessment frequently sits unused. The findings are, however, tailored to the organization's size and industry, which makes them more appealing and easier to act on than generic guidance.
Crisis management - Covers the costs of PR consultants, crisis communications, and reputation management post-incident. Directly valuable for consumer-facing and regulated businesses, where reputational damage amplifies financial loss. Stays in Tier 2 because it addresses consequences rather than causes, and activates only after a loss event has already occurred. Still helpful as a source of expertise in a stressful context.
Threat intelligence - Early warning of active campaigns targeting the insured's industry or technology stack reduces time-to-patch and improves prioritization of remediation effort. Its value is contingent on the insured having the internal capacity to operationalize it: a raw threat feed delivered to an SME without a security team produces near-zero actionable output, because nobody is there to map the alerts onto the systems the company actually runs. The tiering reflects average value across clients of different shapes and sizes, which skews toward organizations without dedicated security staff. With the right tuning (filtering the feed down to the products, versions and industry that apply to the insured) it can be insightful and actionable even with limited resources.
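The "tuning" referred to above is mostly a matching problem: take the feed as delivered, keep only the advisories that concern software the organization runs and its own industry, and rank what remains. The following is an added illustration, not code from the post or from any insurer's service. The feed records, the asset inventory and the advisory identifiers (ADV-...) are all constructed for the example; real feeds carry far more fields, but the filtering logic is the same.

```python
"""Tuning a generic threat feed down to what an SME can act on.

Constructed example: a handful of advisory records shaped like a typical
vendor feed are matched against a small asset inventory, so that only items
affecting software the organization actually runs (and its industry) are
surfaced, ranked by urgency. All identifiers and data below are invented.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str        # hypothetical feed identifier, not a real CVE/advisory
    product: str            # product name as the feed spells it
    affected_below: str     # versions strictly below this are affected
    industries: list[str]   # empty list means "all industries"
    exploited: bool         # feed reports active exploitation in the wild


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


# Constructed feed: five advisories, of which only two concern this organization.
FEED = [
    Advisory("ADV-2024-001", "ExampleVPN Appliance", "3.2.5", [], True),
    Advisory("ADV-2024-002", "ExamplePOS", "7.1.0", ["retail", "hospitality"], False),
    Advisory("ADV-2024-003", "ExampleERP", "12.0.0", ["manufacturing"], True),
    Advisory("ADV-2024-004", "ExampleCMS", "5.4.0", [], False),
    Advisory("ADV-2024-005", "ExamplePOS", "6.0.0", [], True),
]

# Constructed inventory of a small retailer: three systems, one internet-facing.
INVENTORY = [
    Asset("vpn-gw-01", "ExampleVPN Appliance", "3.2.1", True),
    Asset("pos-shop-02", "ExamplePOS", "6.9.2", False),
    Asset("erp-app-01", "ExampleERP", "11.5.0", False),
]

INDUSTRY = "retail"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def priority(adv: Advisory, asset: Asset) -> int:
    """Simple urgency score: exploited in the wild and internet exposure rank highest."""
    score = 1
    if adv.exploited:
        score += 2
    if asset.internet_facing:
        score += 1
    return score


def match_feed(feed: list[Advisory], inventory: list[Asset], industry: str) -> list[tuple[int, str, str]]:
    """Return (priority, advisory_id, hostname) for every advisory that applies
    to an asset we own and to our industry, highest priority first."""
    hits: list[tuple[int, str, str]] = []
    for adv in feed:
        # Drop advisories scoped to other industries.
        if adv.industries and industry not in adv.industries:
            continue
        for asset in inventory:
            if asset.product != adv.product:
                continue
            # Only versions below the fixed version are affected.
            if parse_version(asset.version) < parse_version(adv.affected_below):
                hits.append((priority(adv, asset), adv.advisory_id, asset.hostname))
    hits.sort(reverse=True)
    return hits


def tuned_feed() -> list[tuple[int, str, str]]:
    """The constructed feed, tuned to the constructed retailer."""
    return match_feed(FEED, INVENTORY, INDUSTRY)


if __name__ == "__main__":
    print(f"raw feed: {len(FEED)} advisories")
    for score, advisory_id, host in tuned_feed():
        print(f"priority {score}: {advisory_id} affects {host}")
```

On this constructed input the raw feed of five advisories shrinks to two that matter, with the exploited bug on the internet-facing VPN gateway ranked first. The inventory is the part an SME can realistically maintain even without a security team, and it is what turns a feed from noise into a short patch list.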
Training & awareness - Human error contributes to most incidents. It stays in Tier 2 because training lacks the measurement and behavior-change mechanism that simulation provides. Training tells people what to do; simulation tests whether they do it. High breadth, since it is relevant to every employee, but lower depth of impact per training hour. The gap between this and phishing simulation in Tier 1 is the difference between knowing and doing.
The benefit of this offer is that the company will not have to invest in producing and distributing the content; the downside is that it can be too generic for a specific niche. In my experience, training on its own is insufficient for a mindset shift towards more security-conscious behavior.
Crisis simulation - A facilitated tabletop or simulation exercise with realistic multi-stakeholder scenarios. Organizations with practised incident response procedures contain incidents faster and at lower cost; the reduction in dwell time is well evidenced. It is placed at the top of Tier 2 because it sits between the operational prevention services of Tier 1 and the awareness services below it.
I personally am a big fan of this approach and pioneered it in our organization; it has two massive benefits. First, it gives decision makers an opportunity to test themselves in an artificial crisis environment, which in turn forces them to reflect on their operating model, bottlenecks and non-obvious dependencies. This can have long-term positive consequences, making the company more resilient strategically (I have seen those reflections happen in real time).
Secondly, this exercise can serve as a benchmark for the insurance company, to calibrate the risk based on its confidence in the client's crisis management capabilities.
I am glad to see that more insurers are starting to practise this; it has untapped potential to benefit the industry as a whole.
Email security - Email is the initial access vector in approximately 60–70% of incidents. A dedicated email threat assessment or active tooling adds meaningful protection beyond the default Microsoft 365 or Google Workspace settings, which leave significant gaps against sophisticated phishing and business email compromise. It scores below phishing simulation because most mid-market organizations already have some form of email filtering, so the marginal value depends heavily on the baseline. Very few insurers offer this feature, which partly explains why it is underweighted in the market despite its high claims relevance. I would guess that it could be too complex to implement for micro and small companies, so the low offering follows the low market demand.