Skip to main content


A CISO’s guide to cyber risk: How to make cyber risk more insurable

Red car driving on winding road through snowy forest, toning blue. Concept banner winter travel, aerial view.

Cyber resilience is paramount for any organisation in an increasingly digital world, where cybersecurity threats evolve rapidly and demands for data protection grow. Amid this shifting risk landscape, the chief information security officer (CISO) plays a critical role in enhancing an organisation’s cybersecurity. In the first article in our CISO’s guide to cyber risk, we examined the steps an organisation can take before and during a cyber incident to mitigate its impact. In this, the second article in the series, we explore key considerations for CISOs in companies that want to improve their insurability. By improving their insurability — that is, their suitability for insurance coverage — companies can usually achieve wider coverage and better terms and conditions.

Understand the baseline of your cybersecurity programme

Before implementing an action plan to improve an organisation’s cybersecurity, a CISO should have a clear awareness of its current cybersecurity controls and how they rank against their peers. A tool such as the Marsh Cyber Self-Assessment can analyse the maturity of an organisation’s cybersecurity posture, by using multiple data points from within and outside the insurance market, and pinpoint areas requiring improvement. The assessment also provides an overview of an insurer’s perspective   on the organisation’s existing controls.

Marsh’s proprietary research has identified 12 key controls considered as best practices by cybersecurity experts and insurers alike and are as follows:

In the past year, insurers have focused on patch management, given unpatched vulnerabilities are a leading cause of intrusions into systems. Insurers also consistently scrutinise privileged account management (PAM). Privileged accounts are the keys of a network, so when they are compromised by attackers, the likelihood of significant harm is extremely high. Insurers also expect, as a minimum, endpoint protection (EPP) and endpoint detection and response (EDR) solutions across an organisation’s servers and laptops to detect malicious programmes and contain their spread. 

Tailor cyber controls to your business model

Improving cybersecurity undoubtedly boosts the ability of an organisation to obtain effective cyber insurance. However, a CISO usually needs to strike a balance between strengthening controls and introducing security that could slow down workflow — and undertake a cost benefit analysis of each. 

For example, enforcing complex passwords and frequent password changes may lead to frequent password reset requests and delays in accessing systems. Too many scans could interrupt user activity while strict firewall rules and intrusion prevention systems can block legitimate network traffic. A CISO can ensure security measures support and enable business operations — rather than hinder them — by continually adapting controls to fit the business model. Contracts with third-party vendors who provide controls should be reviewed regularly to assess whether their services still align with the organisation’s needs.

Prioritise your cyber threats

A clear picture of an organisation’s cybersecurity priorities enables a CISO to decide where to allocate resources to address risk. There are solutions available to help a CISO articulate the return on investment from putting a specific control in place. For example, Marsh can work with the organisation to undertake a financial stress test. The assessment can identify the potential impact of implementing a PAM solution designed to secure and manage privileged accounts and access within an organisation. The presence of PAM solutions in an organisation generally results in lower claims in the event of a cyber incident.

Contextualise potential cyber incidents for the C-suite

While major cyberattacks receive widespread media attention, there is a significant number of serious cyber incidents that remain private. Organisations that experience a cyberattack are often reluctant to disclose the incident publicly in order to protect their reputation and brand, while the C-suite may not have a nuanced understanding around current cyber trends and risks. 

Tabletop exercises can bring to life how a cyber incident could impact an organisation’s operations and its relationships with stakeholders. Dry runs of cyberattacks explore the reputational, operational, financial, and legal impacts that incidents could have on organisations, and the appropriate strategies for managing and minimising these.

Demonstrate your robust cybersecurity culture to insurers

Insurers are more likely to cover risk if an organisation can demonstrate a vigorous cybersecurity programme. CISOs can demonstrate a full understanding of their remit and provide assurances — for example, of levels of staff cybersecurity training and governance of the organisation — by holding meetings with insurers, whether as part of a market presentation or in a one-to-one meeting. 

It is important for CISOs to maintain open lines of communication with insurers. At renewals, if there has been a claim on a cyber policy, CISOs are likely to be asked to provide details about the incident, including its financial cost and lessons learned. Clear and honest communication with insurers and early engagement ahead of renewals are key to ensuring a seamless risk transfer process. 

How Marsh can help

Respondents to the Global Risks Perception Survey, included in the Global Risks Report 2024, ranked cyberattacks as the fifth biggest risk for 2024. Cyber insecurity also ranked highly as a short- and long-term risk. By adopting a proactive approach, however, organisations can stay one step ahead of cybercriminals and protect their critical assets. 

As your cyber risk adviser, Marsh can help you in a number of ways:

Incident management: Our cyber incident management team can help review your current cyber incident response plan, support you during and after an incident, and assist with an insurer vendor panel review.

Risk advisory: Our advisory team can work with you to enhance cybersecurity resilience in view of technology advancements and the ever-evolving threat landscape.

Risk intelligence: Our economic modelling and quantification tools (such as Blue[i]) can inform risk transfer and cybersecurity decision making.

Insurance: Our proprietary insurance programmes in partnership with leading insurers enable efficient cyber risk transfer.  

For more information on how to make your organisation more insurable, please contact your Marsh risk adviser.