Cyber risk is reshaping how insurance is underwritten

More technical underwriting and systemic risk concerns are changing how cyber policies, and wider insurance programmes, are structured


By Bryony Garlick

Cyber underwriting is rapidly becoming one of the most technically detailed areas of the insurance market, forcing insurers and brokers to move beyond the traditional model of disclosure-based underwriting.

Unlike many financial lines policies, which still rely largely on proposal forms and material fact disclosure, cyber insurers are increasingly analysing companies’ technical security controls directly, from multi-factor authentication to vulnerability scanning.

For George Grimshaw, divisional head of technology and cyber at Clear Group, the shift reflects the fundamentally different nature of cyber risk.

“You could argue the way cyber policies are underwritten now is more in depth and a better way of underwriting the risk,” he said.

That shift is beginning to set cyber apart from many traditional insurance lines, where underwriting still relies largely on disclosure through proposal forms rather than direct analysis of technical risk controls.

That evolution is also highlighting how cyber exposures increasingly intersect with other areas of the insurance market, particularly property, directors and officers (D&O), and crime cover.

When cyber causes physical damage

One of the most complex overlaps is emerging between cyber and property insurance, particularly where digital attacks trigger physical damage.

In sectors such as manufacturing, cyber incidents affecting operational technology could disrupt production or damage machinery. However, traditional property policies are typically structured around predefined physical perils such as fire or explosion, which can leave uncertainty where cyber events lead to material damage.

“If you’re a manufacturer, have a cyber attack, and that cyber attack somehow causes physical damage to your machinery, it could be that that’s not covered by your cyber policy and any commercial combined policies you have,” Grimshaw said.

For brokers placing risks in manufacturing or production-heavy sectors, ensuring those exposures are clearly addressed within insurance programmes is becoming increasingly important.

Cyber governance moves into the boardroom

Cyber risk is also becoming a growing concern for directors as expectations around corporate cyber governance increase.

Regulatory and legislative developments are placing greater responsibility on boards to oversee digital resilience and cyber risk management. In the event of a significant breach, directors could face scrutiny over whether appropriate controls, including insurance protection, were in place.

“If you have an M&S [or] Co-Op level attack of your business, then your directors could be held personally liable if they didn’t take cyber risk management seriously or cyber insurance seriously,” Grimshaw said.

As a result, brokers are increasingly discussing cyber governance alongside D&O placements when advising clients on risk management frameworks.

Crime cover adapts to digital fraud

Cyber risk has also reshaped crime insurance as fraud has increasingly shifted into digital channels.

Traditional crime policies were largely designed around physical theft or employee dishonesty. Modern wordings increasingly incorporate social engineering and cyber-enabled fraud, but this evolution can create complexity where cyber and crime policies may respond to the same event.

“We need to ensure as brokers that we’re not dual insuring our clients across cyber policies with cybercrime sections, and they’re also holding crime policies at the same time,” Grimshaw said.

Careful coordination between cyber and crime cover has therefore become an important part of structuring insurance programmes.

Systemic risk reshaping cyber underwriting

Cyber underwriting itself has evolved significantly as insurers attempt to manage systemic risk in an increasingly digital economy.

Large-scale incidents such as the NotPetya attack demonstrated how a single cyber event can generate losses across multiple organisations and industries. In response, insurers have introduced clearer cyber war exclusions and strengthened underwriting scrutiny.

“They’re tightening up cyber underwriting to ensure there’s no systemic risk aggregation - more granular assessments of security controls, multi-factor authentication, backup protocols, and looking deeper into risk management,” Grimshaw said.

Unlike many traditional lines, where underwriting still relies heavily on disclosure, cyber insurers are increasingly analysing technical risk indicators directly within client environments.

Driving change across the insurance market

Cyber risk has also exposed limitations in traditional insurance structures, many of which were designed around geographically defined physical risks.

Digital threats, by contrast, are borderless and instantaneous, forcing insurers to rethink how policies define triggers, business interruption and aggregation across portfolios.

Cyber risk is forcing insurers to rethink how policies are designed and how risks are assessed across multiple lines.

“Cyber accelerated the way insurance wordings have been modernized, and the underwriting process,” Grimshaw said.

As digital dependency continues to grow, that shift may influence underwriting approaches well beyond the cyber market.
