Training, not just coverage: Why brokers must play offense in the cybersecurity game

Human error is still the weakest link in cybersecurity – and brokers are being called to step up as educators

By Branislav Urosevic

The insurance industry is already grappling with a sharp rise in the frequency and severity of ransomware and social engineering attacks. While many organizations assume that simply having a cyber insurance policy is sufficient, the reality is far more nuanced.

According to Scott Bailey, cyber underwriting leader at CFC, companies need to go beyond viewing cyber insurance as a safety net. Instead, they should invest in proactive risk mitigation – starting with employee training.

Brokers, too, have a pivotal role to play in this evolving landscape. Rather than focusing solely on the fine print of coverage, they must act as advisors and educators, helping clients understand their exposure and guiding them toward stronger cyber hygiene, Bailey said.

Working in partnership with underwriters, brokers can help make the insured safer, which in turn helps make the policy more sustainable and affordable, Bailey said.

Human error: the frontline risk factor

At the heart of today’s cybersecurity threat landscape is a stubborn truth: human error remains the number one vulnerability. Despite advancements in cybersecurity technology, attackers continue to exploit human behavior as their primary entry point – and employee awareness is more critical than ever.

Bailey pointed to the recent wave of Scattered Spider attacks as a cautionary tale. This sophisticated hacking group, previously known for targeting major UK retailers like Marks & Spencer, has reportedly set its sights on the insurance sector. Their weapon of choice? Social engineering.

“They gain access not by breaking through firewalls but by manipulating people,” Bailey said. Tactics include SIM swapping to intercept the SMS one-time codes used for two-factor authentication, and impersonating employees over the phone to trick IT help desks into resetting credentials – low-tech, high-impact maneuvers that sidestep technical controls by exploiting the identity checks around them rather than the controls themselves.

“These attacks are often initiated with a phone call from someone pretending to be an internal employee,” he said. “And unless staff are trained to spot these tactics, the results can be devastating.”

More than a payout: Cyber insurance as a partner in prevention

Another persistent misconception in the market is that cyber insurance is solely about reimbursement after an incident. While coverage for financial loss remains a core function, Bailey argued that the best policies now offer a comprehensive ecosystem of prevention, monitoring, and real-time support.

“People often think cyber insurance is just about getting money back if something goes wrong,” Bailey said. “But it’s moved well beyond that.”

At CFC, for example, policyholders gain access to a proactive threat intelligence platform that monitors hacker forums, dark web activity, and cybercriminal chatter. If a client is identified as a potential target, the insurer sends out alerts – along with guidance on how to mitigate the threat before an incident occurs.

“We act as an extra set of eyes and ears,” Bailey said. “It’s like having a cyber watchdog built into your policy.”

Bailey said that this preventative layer is especially important for small and medium-sized businesses that may lack dedicated cybersecurity teams.

The industry shift

While CFC has been a vocal proponent of proactive cyber defense, Bailey was quick to point out that the insurer is not alone in embracing this philosophy. The cyber insurance sector as a whole is undergoing a transformation – one that prioritizes prevention and partnership alongside protection.

“The whole industry is realizing that if we can help clients avoid cyberattacks altogether, that’s a win for everyone: the policyholder, the insurer, and the broker,” he said.

This shift reflects what Bailey refers to as the "secure and insure" model – a framework that mirrors traditional insurance lines. Just as property insurers offer fire risk surveys or casualty insurers provide workplace safety training, cyber insurers are beginning to help clients strengthen their digital defenses.

“It makes perfect sense,” Bailey said. “Why wouldn’t a cyber insurer help their policyholders improve their risk posture if it leads to fewer breaches and better outcomes for everyone?”

The business case for better security

But doesn’t helping clients harden their defenses lead to lower premiums – and, in theory, lower revenue for insurers?

Not necessarily, Bailey argued.

Insurers can introduce ways to align their incentives with their clients’ improved risk profiles. As one example, Bailey pointed to nil-deductible policies for clients – like well-prepared brokerages in Canada – that demonstrate strong cyber hygiene and readiness.

“If a business is properly prepared, we can offer them full indemnity (via a nil deductible option) with no out-of-pocket costs in the event of a loss,” Bailey said. “That’s a huge incentive for the client – and a fair reflection of the lower risk they present.”