- Do you have up-to-date, active firewall technology?
- How much revenue did you earn last fiscal year?
- Do you have an incident response plan to respond to a network intrusion?
- Do you encrypt private or sensitive data on your networks?
- Do you have a process in place to regularly download and install patches?
A company hoping to purchase cyber insurance might need to answer these questions as part of their application, helping the underwriter to evaluate and price their level of risk.
If, through the underwriting process, they answer ‘no’ to one of these questions, they may need to pay more on their premiums, imposing a cost for their increased level of cyber risk. But in a new report out this week, IST makes the case that cyber insurance has the strategic potential to be more than a passive player that uses annual renewal conversations around premiums to drive change. By becoming more active in their recommendations about cybersecurity products and services, cyber insurers can actually help their policyholders achieve better proactive, pre-incident cybersecurity.
To learn more, I sat down with report authors Sophia Mauro, Director of Strategic Communications, and Taylor Grossman, Director for Digital Security.
Q&A: The Strategic Potential of Cyber Insurance
What benefits could bundling have for policyholders, especially less resourced ones?
Sophia: “Let’s say the underwriting process finds that a business does not currently have a dedicated cybersecurity team that continuously monitors its network for threats. Underwriting might simply price that risk accordingly, and increase the rate that the business pays on its policy premium. This could incentivize the business to make investments to lower their risk, and therefore their premium. All too often, however, the potential policyholder instead pays the higher premium without improving their cybersecurity posture or opts out of buying insurance altogether. The current state of affairs, therefore, preserves the financial stability of insurers, but it doesn’t necessarily end up improving the cybersecurity posture of their insureds.
Bundling—a regulatory term for the combination of insurance with a value-added product or service, offered at an additional cost, that helps to mitigate or manage loss—allows insurers to give their policyholders a clear path to better cybersecurity. A business could realize the benefits of bundling either by receiving a rebate on their premium when they adopt a new security service, or by receiving a reduced rate on the security service itself. Either way, the business is not just told they have to shape up, but given a path to do so.
What’s more, bundling can have significant benefits beyond simply accelerating cybersecurity maturity. Because bundled rebates can happen dynamically, not just at the time of underwriting, they can drive continuous improvements in cybersecurity posture. They can also give insurers more data to proactively warn their policyholders when something suspicious is going on or if a vulnerability is not being addressed.
Taken together, these benefits could significantly improve outcomes, particularly among the small and medium enterprises that are operating with minimal cybersecurity teams and tight margins.”
Is bundling a feature of today’s cyber insurance landscape?
Sophia: “Yes and no.
Let’s take a trip back to the late 1800s. At the time, some life insurance agents were offering products and services entirely unrelated to the purchase of life insurance to induce customers to choose one broker over another. This created all kinds of concerns, including market distortion (is the insurance being purchased because it’s high quality, or because the value-added service is so appealing?), insolvency (do these added products and services threaten the financial health of the firm?), and unfair competition (how can smaller firms compete with larger firms who have higher budgets to offer additional products and services?). In response, states began to pass anti-rebating statutes, which sought to mitigate unfair competition and deceptive practices in the sale of insurance.
But in recent years, the conversation around rebating and bundling has shifted, in large part due to technological innovation. Everyone still agrees that offering an unrelated value-added service to induce customers to purchase one insurance policy over another is unfair and anti-competitive. But what about value-added services that can help insureds mitigate risk or reduce loss?
In 2020, the National Association of Insurance Commissioners Executive Committee voted unanimously to propose a new model law that allows for the provision of value-added services at no or reduced cost, even when not specified in the insurance policy itself.
But the model law is just that–a model. The decision about whether to lift prohibitions on bundling in insurance is ultimately up to each individual state. We found in our research that as of January 2025, 25 states have lifted some of their prohibitions on bundling, while prohibitions remain in place in the other 25.
So while the bundling of value-added services with insurance is legally allowed to some extent in 25 states, the current patchwork of legislation–coupled with the broadly (mis)understood legal precedent related to anti-rebating and anti-bundling–makes it more challenging for insurers to bundle.”
Does bundling still raise any of the same concerns that regulators tried to address in the 1880s?
Taylor: “We explored concerns around insolvency; risk assessment and pricing; and discriminatory practices in depth in our paper, assessing how they might apply to the cyber insurance context. What we found is that many of the concerns that animated regulators in the 19th century are not as relevant in the 21st. For instance, insurers are now subject to enhanced prudential supervision that directly examines their balance sheets to ensure solvency. As with any change in regulation, it’s important to consider what externalities may occur as a result, but we are confident that other changes in the regulatory landscape over the past 150 years have mitigated many of the risks once associated with bundling.
However, we also raise an emerging concern, and put forward recommendations to address it. Bundling provides new opportunities for insurers to develop close relationships with external, value-added service providers (or with their own in-house service provider), which creates new business-to-business relationships. Sending insureds to some service or product to improve their cybersecurity may be better than the status quo. However, insurance companies stand to gain market share by partnering with external vendors, who can help to direct clients back to their insurance products. These bundled offerings present a valuable sales opportunity for insurers—a factor that makes bundling compelling, but that also raises possible conflicts of interest. To address this concern, we recommend that regulators carefully consider rules that offer consumer protection against unfair business practices, including appropriate disclosure requirements and customer data protections. For example, an insurer might be required to report to state regulators the terms of the business-to-business agreement and any kick-backs they may be receiving.”
Ultimately, what do you recommend to state regulators and legislators?
Sophia: “We think that regulators and legislators should encourage cyber insurers to present policyholders with more proactive pre-breach risk mitigation tools and strategies, including by bundling insurance with security products and services.
Regulatory uncertainty is a major contributor to the lack of bundling today. We encourage state insurance commissioners to adopt some or all of the NAIC model law, which would reduce this uncertainty and make the regulatory landscape for bundling more clear.”
Where do you go from here? What other work will you be taking up in relation to cyber insurance?
Taylor: “In addition to issuing recommendations for regulators and legislators, we also offer some suggestions for future research. There’s much more to explore when it comes to understanding bundling as a model for risk management, including the specific types of incentives offered and the structure of vendor-insurer relationships, SME adoption of cyber insurance and the impact of bundling on SMEs in particular, outcomes of bundling, and barriers to bundling implementation.
There are other areas in cyber insurance IST is looking at as well. Due to challenges with systemic risk modeling, government may be well-positioned to intervene in the reinsurance market to attenuate tail risk–a topic that we will continue to explore in future research. We also believe that mapping the insurance ecosystem could be a useful starting point to understand how brokers, insurers, and reinsurers interact with each other and to pinpoint where bundling and other possible market-based solutions can be helpful mechanisms for incentivizing security practices.
This paper marks a first foray into the world of bundling—one which we hope will spark more discussion about the role of cyber insurance in realizing cyber resilience, and the potential of bundling as one avenue towards cyber resilience for SMEs and SLTTs in particular.”