Cyber Insurance Underwriting
Cyber insurance underwriting is the risk evaluation process by which insurers assess an organization’s cybersecurity posture, business profile, and loss exposure to determine policy terms, coverage limits, exclusions, and premium pricing for cyber liability and data breach insurance policies.

The underwriting process has evolved significantly since 2020 — driven by ransomware losses that pushed industry loss ratios above 70% — with insurers now requiring detailed technical evidence of security controls rather than relying solely on self-reported questionnaires.

Modern underwriting evaluates organizations across multiple dimensions: security controls maturity (multi-factor authentication (MFA) deployment, endpoint detection and response, backup architecture, privileged access management, email security, patch management cadence), business characteristics (industry vertical, annual revenue, geographic footprint, data volume and sensitivity), claims history (prior incidents, near-misses, regulatory actions), and third-party risk exposure (supply chain dependencies, vendor access to systems).

Premium factors vary substantially by industry — healthcare organizations typically pay 50% to 100% higher premiums than professional services firms due to elevated regulatory and breach cost exposure, while manufacturing and critical infrastructure face surcharges driven by operational technology risks and ransomware targeting.

Policy structures include first-party coverages (incident response costs, business interruption, data restoration, ransomware payments, notification expenses) and third-party coverages (regulatory defense, privacy liability, media liability, PCI DSS fines).

Common exclusions that organizations must understand include: acts of war and nation-state attacks (an increasingly contested area after the NotPetya litigation), failure to maintain minimum security standards, known but unremediated vulnerabilities, and social engineering losses, which may require separate endorsements to be covered.
Sub-limits — reduced coverage caps for specific loss categories like ransomware, regulatory fines, or dependent business interruption — can significantly reduce effective coverage and should be carefully negotiated during policy placement.