The Strategic Potential of Cyber Insurance

Welcome back to the TechnologIST! I’m Lillian Ilsley-Greene, Communications Associate at IST. This week, we published “Enhancing Cyber Resilience through Insurance: Revisiting Anti-Bundling Regulation,” a new report on the strategic potential of cyber insurance. In this month’s edition, I sat down with authors Sophia Mauro and Taylor Grossman to learn more. Also in this month’s edition: 

+ IST team members and partners take on RSA

+ Nicholas Leiserson, Michael Klein, and Tory Igoe joined IST's Future of Digital Security Team

+ IST announced 5 new cyber- and AI-focused adjunct advisors

Cyber Insurance: Towards Enhancing Cyber Resilience

  • Do you have up-to-date, active firewall technology?

  • How much revenue did you earn last fiscal year? 

  • Do you have an incident response plan to respond to a network intrusion? 

  • Do you encrypt private or sensitive data on your networks? 

  • Do you have a process in place to regularly download and install patches?

A company hoping to purchase cyber insurance might need to answer questions like these as part of its application, helping the underwriter evaluate and price its level of risk. 

If the company answers "no" to one of these questions, the underwriting process may result in a higher premium, imposing a cost for its increased level of cyber risk. But in a new report out this week, IST makes the case that cyber insurance has the strategic potential to be more than a passive player that uses annual renewal conversations about premiums to drive change. By becoming more active in their recommendations about cybersecurity products and services, cyber insurers can help their policyholders achieve better proactive, pre-incident cybersecurity. 

To learn more, I sat down with report authors Sophia Mauro, Director of Strategic Communications, and Taylor Grossman, Director for Digital Security. 

Read the report

Q&A: The Strategic Potential of Cyber Insurance

What benefits could bundling have for policyholders, especially less resourced ones?

Sophia: "Let’s say the underwriting process finds that a business does not currently have a dedicated cybersecurity team that continuously monitors its network for threats. Underwriting might simply price that risk accordingly, and increase the rate that the business pays on its policy premium. This could incentivize the business to make investments to lower their risk, and therefore their premium. All too often, however, the potential policyholder instead pays the higher premium without improving their cybersecurity posture or opts out of buying insurance altogether. The current state of affairs, therefore, preserves the financial stability of insurers, but it doesn’t necessarily end up improving the cybersecurity posture of their insureds.

Bundling—a regulatory term for the combination of insurance with a value-added product or service, offered at an additional cost, that helps to mitigate or manage loss—allows insurers to give their policyholders a clear path to better cybersecurity. A business could realize the benefits of bundling either by receiving a rebate on their premium when they adopt a new security service, or by receiving a reduced rate on the security service itself. Either way, the business is not just told they have to shape up, but given a path to do so.

What’s more, bundling can have significant benefits beyond simply accelerating cybersecurity maturity. Because bundled rebates can happen dynamically, not just at the time of underwriting, they can drive continuous improvements in cybersecurity posture. They can also give insurers more data to proactively warn their policyholders when something suspicious is going on or if a vulnerability is not being addressed.

Taken together, these benefits could significantly improve outcomes, particularly among the small and medium enterprises that are operating with minimal cybersecurity teams and tight margins."

Is bundling a feature of today’s cyber insurance landscape? 

Sophia: "Yes and no. 

Let’s take a trip back to the late 1800s. At the time, some life insurance agents were offering products and services entirely unrelated to the purchase of life insurance to induce customers to choose one broker over another. This created all kinds of concerns, including market distortion (is the insurance being purchased because it’s high quality, or because the value-added service is so appealing?), insolvency (do these added products and services threaten the financial health of the firm?), and unfair competition (how can smaller firms compete with larger firms who have higher budgets to offer additional products and services?). In response, states began to pass anti-rebating statutes, which sought to mitigate unfair competition and deceptive practices in the sale of insurance. 

But in recent years, the conversation around rebating and bundling has shifted, in large part due to technological innovation. Everyone still agrees that offering an unrelated value-added service to induce customers to purchase one insurance policy over another is unfair and anti-competitive. But what about value-added services that can help insureds mitigate risk or reduce loss? 

In 2020, the National Association of Insurance Commissioners Executive Committee voted unanimously to propose a new model law that allows for the provision of value-added services at no or reduced cost, even when not specified in the insurance policy itself. 

But the model law is just that–a model. The decision about whether to lift prohibitions on bundling in insurance is ultimately up to each individual state. We found in our research that as of January 2025, 25 states have lifted some of their prohibitions on bundling, while prohibitions remain in place in the other 25. 

So while the bundling of value-added services with insurance is legally allowed to some extent in 25 states, the current patchwork of legislation–coupled with the broadly (mis)understood legal precedent related to anti-rebating and anti-bundling–makes it more challenging for insurers to bundle." 

Does bundling still raise any of the same concerns that regulators tried to address in the 1880s?

Taylor: "We explored concerns around insolvency; risk assessment and pricing; and discriminatory practices in depth in our paper, assessing how they might apply to the cyber insurance context. What we found is that many of the concerns that animated regulators in the 19th century are not as relevant in the 21st. For instance, insurers are now subject to enhanced prudential supervision that directly examines their balance sheets to ensure solvency. As with any change in regulation, it’s important to consider what externalities may occur as a result, but we are confident that other changes in the regulatory landscape over the past 150 years have mitigated many of the risks once associated with bundling. 

However, we also raise an emerging concern, and put forward recommendations to address it. Bundling provides new opportunities for insurers to develop close relationships with external, value-added service providers (or with their own in-house service provider), which creates new business-to-business relationships. Sending insureds to some service or product to improve their cybersecurity may be better than the status quo. However, insurance companies stand to gain market share by partnering with external vendors, who can help to direct clients back to their insurance products. These bundled offerings present a valuable sales opportunity for insurers—a factor that makes bundling compelling, but that also raises possible conflicts of interest. To address this concern, we recommend that regulators carefully consider rules that offer consumer protection against unfair business practices, including appropriate disclosure requirements and customer data protections. For example, an insurer might be required to report to state regulators the terms of the business-to-business agreement and any kick-backs they may be receiving."

Ultimately, what do you recommend to state regulators and legislators?

Sophia: "We think that regulators and legislators should encourage cyber insurers to present policyholders with more proactive pre-breach risk mitigation tools and strategies, including by bundling insurance with security products and services. 

Regulatory uncertainty is a major contributor to the lack of bundling today. We encourage state insurance commissioners to adopt some or all of the NAIC model law, which would reduce this uncertainty and make the regulatory landscape for bundling more clear." 

Where do you go from here? What other work will you be taking up in relation to cyber insurance? 

Taylor: "In addition to issuing recommendations for regulators and legislators, we also offer some suggestions for future research. There’s much more to explore when it comes to understanding bundling as a model for risk management, including the specific types of incentives offered and the structure of vendor-insurer relationships, SME adoption of cyber insurance and the impact of bundling on SMEs in particular, outcomes of bundling, and barriers to bundling implementation.

There are other areas in cyber insurance IST is looking at as well. Due to challenges with systemic risk modeling, government may be well-positioned to intervene in the reinsurance market to attenuate tail risk–a topic that we will continue to explore in future research. We also believe that mapping the insurance ecosystem could be a useful starting point to understand how brokers, insurers, and reinsurers interact with each other and to pinpoint where bundling and other possible market-based solutions can be helpful mechanisms for incentivizing security practices. 

This paper marks a first foray into the world of bundling—one which we hope will spark more discussion about the role of cyber insurance in realizing cyber resilience, and the potential of bundling as one avenue towards cyber resilience for SMEs and SLTTs in particular."

IST at RSA

Join IST at RSA to explore hybrid warfare, ransomware, phishing, and more! And check out panels and talks from our partners and adjunct advisors, including Common Good Cyber, #Take9, ICS Village, and Bryson Bort.

Tuesday, Apr 29

Messages that Mobilize: How to Make People Care About Cybersecurity – [KEY-T07W]: 11:35 AM – 12:05 PM PDT with Craig Newmark, Vivian Schiller, Michael S. Schmidt, and Kiersten Todt

Wednesday, April 30

WarGames 2027 & Maslow’s Hierarchy of Needs as Hybrid Warfare Nears – [SBV-W09]: 2:25 PM – 3:15 PM PDT with Joshua Corman

Thursday, May 1

Cyber Defense Matrix Workshop – [LAB1-R01]: 8:30 AM – 10:30 AM PDT with Bryson Bort, Pierre-David Oriol, and Sounil Yu

Why Democratizing Cybersecurity Is Good for Business – [PNG-R01]: 8:30 AM – 9:20 AM PDT with Jochai Ben-Avie, Harriet Gardner, Kayle Giroud, Chris Painter, and Robert Sheldon

The Hidden Cybersecurity Crisis: Securing Business & Public Infrastructure – [BOF2-R03]: 10:50 AM - 11:40 AM PDT with Kayle Giroud

Taking the Fight Upstream: Pursuing Systemic Defense Against Phishing – [HUM-R05]: 12:20 PM – 1:10 PM PDT with Kelly Bissel, Tal Goldstein, Steven M. Kelly, CISSP, and Kemba Walden

Defeating Ransomware: A 360° Review of the RTF Four Years On – [PNG-R06]: 1:30 PM – 2:20 PM PDT with Megan Stifel, Carole House, Allan Liska, Michael Phillips, and John Davis

IST in the News 

Michael Klein stresses need for K-12 Cybersecurity Council

IST Senior Director for Preparedness and Response Michael Klein spoke to EdWeek after the Department of Education announced suspension of all government coordinating councils, including one which brought together federal, state, local, and private education stakeholders to offer guidance on and respond to cyber attacks. “If we don’t have the ability to pull together those critical leaders…we won’t be able to understand the needs in these states,” he said.

Gabrielle Tran unpacks the global AI governance regulation landscape

IST Senior Analyst for Technology and Society Gabrielle Tran joined the Humanitarian Frontiers in AI podcast, hosted by Chris Hoffman and Nasim Motalebi, to break down the industry and policy perspectives behind the ongoing geopolitical power struggle for AI governance. “Corporations will comply with stringent regulations only when the cost of noncompliance outweighs the cost of adaption,” she explained. “But in smaller markets…they might just opt out entirely.”

Elsewhere at IST 

Cyber policy experts join IST’s Future of Digital Security team

IST is excited to announce the addition of Nicholas Leiserson as Senior Vice President for Policy, Michael Klein as Senior Director for Preparedness and Response, and Tory Igoe as Future of Digital Security Associate to our Future of Digital Security (FDS) team. “In 2025, [the FDS team is] focusing our efforts on providing tailored cyber hygiene guidance and resources to the communities that need it most,” IST CSO Megan Stifel said. “Nicholas, Nike, and Tory bring unique perspectives and invaluable expertise to help us drive this important work forward.” 

IST Announces New Cyber, AI Adjunct Advisors 

Experts in the fields of cybersecurity, quantum, AI, and more, IST’s adjunct advisors work closely with our core team to identify emerging security challenges and translate discourse into action. IST is honored to announce the addition of Jack Cable as an Adjunct Senior Technical Advisor, Jonah Force Hill as an Adjunct Senior Advisor for Quantum Technology, Rob Knake as a Senior Adjunct Policy Advisor, Alyssa Lefaivre Škopac as a Senior Policy Advisor for Responsible AI, and Munish W. as an Adjunct Senior Advisor for Cyber and Supply Chain Risk. 

What We’re Reading

Want more tech and security content? Check out some of the ISTeam's favorite pieces from the past month: 

  1. Anthropic was co-founded by siblings Daniela and Dario Amodei, who believe safe artificial general intelligence models are within reach. In WIRED, Steven Levy argues that the company’s most important collaborator is Claude, Anthropic’s LLM. 

  2. NATO will begin using an AI system purchased from Palantir to support military operations. Palantir’s Maven Smart System (MSS Nato) uses generative AI, machine learning, and large language models, and will greatly reduce the number of soldiers required to process battleground data. 

  3. In a new blog, Trend Micro analysts report finding FOG ransomware distributed by cybercriminals abusing the name of the Department of Government Efficiency (DOGE) and connected officials, and present their findings.

  4. In a private meeting last December, Chinese officials confirmed that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, sources told the Wall Street Journal.

  5. Over half a dozen countries, including the United States, France and Germany, collaborated with Europol early this month to take down multiple servers and detain 5 users connected to the Smokeloader pay-per-install botnet. 

  6. Google DeepMind invited 60 Minutes to demo Project Astra, Google’s most recent AGI model. Astra can hold conversations, answer questions, and remember recent conversations. DeepMind CEO Demis Hassabis said he anticipates AGI systems will be “embedded” in our daily life by 2030.

For more information or media requests, please contact sophia@securityandtechnology.org

Paul Gilbert

Senior Cybersecurity Account Executive @ SentryBay | Key Account Management, CRM

3mo

Very good article and I agree with many of your comments. Cybercrime is expected to reach $10.5 trillion by the end of 2025, which includes regulatory fines, insurance payouts, reputational harm, etc. I have started working with insurance companies who want to mitigate the massive increase in cyber claims.
