© 2025 Volare Risk Management, Inc.
Insurance Fundamentals

Cyber Insurance: Security Controls and Data Risk Factors

Part 6 of 9 - Understand how insurers rate cyber insurance based on security controls, industry risk, data sensitivity, and cybersecurity frameworks.

Dominic Sylvester

Founder & President

Nov 24, 2025
13 min read

Cyber insurance has become essential for businesses of all sizes as digital threats evolve at an unprecedented pace. Yet many business leaders don't fully understand what affects their cyber insurance premiums or why one company's rate might be dramatically different from another's despite similar business models.

The insurance industry has undergone a significant shift in cyber underwriting over the past few years, moving from a focus solely on company size and industry to increasingly sophisticated risk assessments based on your actual security practices. Understanding these rating factors is critical for both managing costs and protecting your organization.

The Evolution of Cyber Insurance Rating

Until recently, cyber insurance premiums were largely based on company revenue and industry type. However, the industry has matured significantly. Today's underwriters require detailed information about your security infrastructure, conduct security assessments, and review your cybersecurity practices before providing quotes.

This shift reflects an important reality: A larger company with robust security controls is lower risk than a smaller company with minimal security measures, despite the smaller company's lower revenue.

Rating Factor 1: Industry Type and Data Sensitivity

Your industry classification is the foundation of cyber insurance rating because different industries face different cyber threats and have different regulatory requirements.

Industry Risk Classification

Insurance companies categorize industries by their cyber risk exposure:

Lower-Risk Industries (Lower premiums):

  • Professional services (consulting, law)
  • Accounting and tax services
  • Insurance agencies and brokers
  • Manufacturing (non-tech)
  • Wholesale/distribution

Moderate-Risk Industries (Moderate premiums):

  • Retail and e-commerce
  • Hospitality and food service
  • Healthcare providers (non-hospital)
  • Educational institutions
  • Local government

Higher-Risk Industries (Higher premiums):

  • Financial services and banking
  • Healthcare systems and hospitals
  • Technology and software companies
  • Data centers and hosting providers
  • Payment processors and merchants

Highest-Risk Industries:

  • Cryptocurrency and blockchain companies
  • Defense contractors
  • Energy and utilities
  • Government agencies (federal/state)

Data Sensitivity Impact

Beyond industry classification, the type of data your company handles significantly affects your premium:

Data Types with Highest Premiums:

  • Personally Identifiable Information (PII) - Anything identifying individuals (names, addresses, SSNs)
  • Protected Health Information (PHI) - Medical and health records covered by HIPAA
  • Payment Card Information (PCI) - Credit card and financial payment data
  • Financial Records - Banking, investment, and transaction data
  • Trade Secrets - Proprietary business information and intellectual property

Example: A healthcare company and a consulting firm with identical revenue might have cyber premiums that differ by 50-100% purely based on the sensitivity of data they handle. Healthcare providers collect and store PHI, which creates significantly higher liability exposure if breached.

What You Can Control: While you can't change your industry, you can:

  • Minimize sensitive data collection (only collect what's necessary)
  • De-identify or anonymize data where possible
  • Separate sensitive data from general operations
  • Restrict access to sensitive data
  • Implement encryption for all sensitive data

Rating Factor 2: Company Size and Annual Revenue

Annual revenue is a primary exposure metric for cyber insurance, reflecting the volume of business operations, number of customers, and potential financial exposure.

Revenue-Based Premium Calculation

Most cyber insurance policies use annual revenue as a key rating factor:

Premium Calculation: Premium = (Industry Rate × Company Revenue) + Security Control Adjustments

Example:

  • Industry: Professional services
  • Base rate: $0.15 per $1,000 of revenue
  • Annual revenue: $5,000,000
  • Base premium: ($0.15 × 5,000) = $750 annually

For a company with $10,000,000 revenue:

  • Base premium: ($0.15 × 10,000) = $1,500 annually

Revenue Impact: Revenue directly scales the premium. Double your revenue, double your base premium (before security adjustments).

Why Revenue Matters for Cyber Risk

Higher revenue typically correlates with:

  • More employees accessing systems
  • More customers and client data
  • More business processes and digital transactions
  • Larger digital footprint and attack surface
  • Greater potential damages if breach occurs

What You Can Control

  • Accurate revenue reporting - Report actual revenue including all business divisions
  • Organizational segregation - If you have separate business units with different risk profiles, document them separately
  • Growth management - Understand that revenue growth will increase cyber premium
  • Operational efficiency - Reduce unnecessary data handling and digital interactions where possible

Rating Factor 3: Critical Security Controls (Non-Negotiable)

The most significant change in cyber insurance underwriting is the shift from "nice to have" security recommendations to "absolutely required" security controls. Insurers now refuse to cover companies that lack critical controls.

Multifactor Authentication (MFA) - The Baseline Requirement

MFA Status: No longer optional—now a mandatory requirement for cyber insurance coverage.

Why It Matters: 99.9% of account-compromise attacks can be blocked by implementing MFA. Ransomware attacks frequently target organizations lacking MFA.

Requirements:

  • MFA must protect all remote access points (VPN, cloud applications, email)
  • MFA applies to all user accounts (not just critical accounts)
  • Stronger MFA methods preferred (push notifications, biometric) over weaker methods (SMS)
  • Exceptions may be documented but require special underwriting

Premium Impact:

  • No MFA: Insurance may be declined or require significant surcharges
  • MFA implemented: Baseline requirement met; qualifies for coverage
  • MFA + stronger methods: May earn discount of 5-10%

Endpoint Security and Antivirus

Requirements:

  • Endpoint protection agents on all devices (computers, servers, laptops)
  • Next-generation antivirus (not just signature-based)
  • Real-time threat detection and response
  • Automated patch management

Premium Impact: Having comprehensive endpoint protection is table stakes for competitive premiums.

Email Security Controls

Requirements:

  • Email filtering and threat detection
  • Protection against phishing and malware
  • Spam filtering and authentication (SPF, DKIM, DMARC)
  • User awareness training on email threats

Data Backup and Disaster Recovery

Requirements:

  • Regular automated backups (daily or more frequent)
  • Off-site backup storage (separate from primary systems)
  • Tested recovery procedures
  • Documentation of backup schedule and retention

Critical Point: Ransomware attacks are devastating only if you can't restore from backups. Insurers require proven backup capabilities.

Vulnerability Management Program

Requirements:

  • Regular vulnerability scanning (internal and external)
  • Vulnerability assessment and prioritization
  • Remediation process for identified vulnerabilities
  • Documented timeline for patching (typically critical vulnerabilities within 15-30 days)
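The "documented timeline for patching" above is something an underwriter will ask you to evidence. The following is an added example, not code from the article: it checks a constructed vulnerability-scan export against assumed remediation windows (critical within 15 days, high within 30 days) and reports what was fixed on time and what breached the window, including findings that are still open.

```python
# Added example (not from the article): measure compliance with a documented
# patching timeline over a vulnerability-scan export. The findings, the CVE
# placeholders and the SLA windows below are all constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation windows in days; the article cites 15-30 days for critical.
SLA_DAYS = {"critical": 15, "high": 30}

# Constructed reporting date used by the stand-alone run and the assertions.
REPORT_DATE = date(2025, 11, 24)


@dataclass
class Finding:
    host: str
    cve: str            # placeholder identifiers, not real advisories
    severity: str
    found: date
    fixed: Optional[date] = None   # None means the finding is still open


# Constructed sample export: fixed on time, fixed late, open and overdue, open in window.
FINDINGS = [
    Finding("web-01", "CVE-PLACEHOLDER-1", "critical", date(2025, 10, 1), date(2025, 10, 9)),
    Finding("web-02", "CVE-PLACEHOLDER-2", "critical", date(2025, 10, 1), date(2025, 10, 25)),
    Finding("db-01", "CVE-PLACEHOLDER-3", "high", date(2025, 10, 5), None),
    Finding("vpn-01", "CVE-PLACEHOLDER-4", "critical", date(2025, 11, 1), None),
    Finding("app-01", "CVE-PLACEHOLDER-5", "high", date(2025, 10, 20), date(2025, 11, 10)),
]


def days_open(finding: Finding, as_of: date) -> int:
    """Age of a finding: until it was fixed, or until the reporting date if still open."""
    return ((finding.fixed or as_of) - finding.found).days


def sla_report(findings, as_of: date) -> dict:
    """Per-severity counts of findings fixed inside their window, plus every breach.

    A finding breaches once its age exceeds the window, whether or not it has
    been fixed since; an open finding still inside its window is neither."""
    report = {}
    for severity, window in SLA_DAYS.items():
        rows = [f for f in findings if f.severity == severity]
        breached = [f for f in rows if days_open(f, as_of) > window]
        fixed_in_sla = [f for f in rows if f.fixed and days_open(f, as_of) <= window]
        report[severity] = {
            "total": len(rows),
            "fixed_in_sla": len(fixed_in_sla),
            "breached": [(f.host, f.cve, days_open(f, as_of)) for f in breached],
        }
    return report


def default_report() -> dict:
    """Convenience wrapper: the constructed export as of the constructed report date."""
    return sla_report(FINDINGS, REPORT_DATE)


if __name__ == "__main__":
    for severity, row in default_report().items():
        print(severity, row)
```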

Additional Important Controls

  • Network Segmentation: Separating sensitive systems from the general network
  • Encryption: All data in transit and at rest
  • Access Controls: Principle of least privilege; restriction to only necessary data/systems
  • Logging and Monitoring: Security event logging and real-time monitoring
  • Incident Response Plan: Documented procedures for responding to cyber incidents

What You Can Control: All of these! This is where you have maximum control over your cyber insurance costs and actual security risk.

Rating Factor 4: Cybersecurity Frameworks and Compliance Standards

Insurance underwriters increasingly assess alignment with recognized cybersecurity frameworks and compliance standards.

Framework Assessment

NIST Cybersecurity Framework

  • Widely adopted standard in U.S. government and commercial sectors
  • Framework covers: Identify, Protect, Detect, Respond, Recover
  • Demonstrates systematic approach to cybersecurity
  • Premium Impact: Alignment with NIST reduces premiums by 5-15%

ISO 27001/27002

  • International standard for information security management
  • Comprehensive security control requirements
  • Third-party auditable (certification available)
  • Premium Impact: ISO 27001 certification may earn 10-20% discount

Center for Internet Security (CIS) Benchmarks

  • Specific, actionable security recommendations
  • Available for various technologies (Windows, Linux, AWS, etc.)
  • Easier to implement than broader frameworks
  • Premium Impact: Documented CIS benchmark compliance may earn 5-10% discount

Regulatory Compliance Standards

Some industries require specific compliance:

  • HIPAA - Healthcare provider data protection
  • PCI DSS - Payment card processing security
  • GDPR - European personal data protection
  • SOC 2 - Service organization security controls
  • FedRAMP - Federal cloud security standards

Demonstrating compliance with relevant standards supports lower premiums.

What You Can Control:

  • Document alignment with appropriate frameworks
  • Pursue relevant certifications (ISO 27001, SOC 2)
  • Conduct regular security assessments
  • Maintain documentation of security practices

Rating Factor 5: Third-Party and Vendor Risk Management

A significant 2025 underwriting focus is your management of third-party cybersecurity risks.

Third-Party Risk Assessment Program

What Underwriters Evaluate:

  • Do you assess vendors' security practices before engagement?
  • Do you maintain inventory of vendors with access to systems/data?
  • Do you monitor vendor security posture over time?
  • Do contracts require vendors to maintain specific security standards?
  • Do you require vendors to notify you of their breaches?

Critical Vendors:

  • Cloud service providers
  • Payment processors
  • Data analytics platforms
  • Hosting providers
  • Any vendor with access to your data

Supply Chain Attack Exposure

Underwriters recognize that breach exposure doesn't always come from your own systems—it often comes through compromised vendors. Demonstrating a robust vendor management program reduces your premium.

What You Can Control:

  • Document vendor assessment procedures
  • Maintain vendor security questionnaires
  • Require security certifications (SOC 2, ISO 27001)
  • Include security requirements in vendor contracts
  • Monitor vendor security news and announcements
  • Conduct regular vendor security reviews

Rating Factor 6: Prior Breach History and Claims

Your company's past cyber incidents and claims directly impact your premium.

Breach History Impact

No Prior Breaches:

  • Standard premium rates
  • Full range of coverage options available

Prior Breach (3+ Years Ago):

  • May receive modest premium increase (10-25%)
  • Detailed questions about response and remediation
  • Over time, impact diminishes as incident ages

Prior Breach (1-3 Years Ago):

  • Significant premium increase (25-50%)
  • Extensive underwriting review required
  • Requirement to show security improvements post-breach
  • Potentially higher deductibles

Prior Cyber Insurance Claim:

  • Major impact on renewability and rates
  • Possible coverage exclusions
  • Potential non-renewal by insurer
  • May require security improvements for renewal

Multiple Incidents:

  • Extremely difficult or impossible to insure at competitive rates
  • Likely non-renewal or significant surcharges
  • Requirement for major security remediation

What You Can Control:

  • If you've had a breach, prioritize security improvements and documentation
  • Report and manage claims properly
  • Demonstrate corrective actions
  • Maintain incident response documentation
  • Build a track record of no subsequent incidents

Rating Factor 7: Security Staffing and Expertise

Insurance underwriters increasingly evaluate whether you have dedicated cybersecurity resources.

Staffing Assessment

Dedicated CISO or Security Officer:

  • Full-time or part-time security professional
  • Responsibility for security programs and oversight
  • May support premium reduction of 10-15%

Security Team:

  • SOC (Security Operations Center) capabilities
  • Dedicated incident response capabilities
  • Advanced threat hunting capabilities

Outsourced Security Management:

  • Managed Security Service Provider (MSSP)
  • Managed Detection and Response (MDR)
  • Provides similar oversight to in-house team
  • Increasingly accepted by underwriters

Limited Expertise:

  • IT staff with shared security responsibility
  • No dedicated cybersecurity focus
  • Associated with higher premiums

What You Can Control:

  • If you lack dedicated security staff, outsource to MSSP or MDR provider
  • Document security responsibilities and accountability
  • Provide cybersecurity training to management and employees
  • Engage security consultants for assessments

Putting It All Together: Cyber Insurance Premium Calculation

Your cyber insurance premium combines industry, revenue, security controls, and risk factors:

Premium = (Base Rate × Revenue) × Control Adjustment Factor × History Factor × Staffing Factor

Example: Professional Services Firm

Company Profile:

  • Professional consulting firm
  • Annual revenue: $3,000,000
  • Employees: 25
  • Located in California
  • Handles client financial data and business records

Rating Factors:

  1. Industry: Professional services = Base rate $0.12 per $1,000 revenue
  2. Revenue: $3,000,000 × ($0.12 ÷ 1,000) = $360 base premium
  3. Data sensitivity: Handles financial data = 1.25 modifier
  4. Security controls:
    • MFA implemented: 0.95 modifier
    • EDR/endpoint protection: 0.97 modifier
    • Email security: 0.98 modifier
    • Backups: 0.96 modifier
    • Combined: 0.95 × 0.97 × 0.98 × 0.96 = 0.887
  5. No prior breaches: 1.0 modifier
  6. MSSP for monitoring: 0.95 modifier
  7. Final calculation: $360 × 1.25 × 0.887 × 1.0 × 0.95 = $380 annually

Comparison—Same firm without strong controls:

  • Missing MFA requirement: NOT insurable at standard rates
  • Standard controls only: $360 × 1.25 × 1.15 × 1.0 × 1.10 = $569 annually or declined
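The rating model above, carried through in code as an added example (not the article's or any insurer's rating plan). The rates, modifiers, the "standard controls only" surcharge of 1.15 and the staffing factors are the article's illustrative figures, taken as assumptions; MFA is modelled as a gate, since the article says a firm without it is not insurable at standard rates. Note that multiplying the four control modifiers exactly gives about 0.867, slightly below the rounded 0.887 the article shows, so the computed premium lands near $371 rather than $380.

```python
# Added example (not from the article): the article's cyber premium model,
# Premium = (Base Rate x Revenue) x Control x History x Staffing, with its
# illustrative numbers. All rates and factors below are assumptions.
from typing import Optional, Tuple

# Assumed base rate per $1,000 of revenue, keyed by industry class.
BASE_RATE_PER_1000 = {"professional_services": 0.12}

# Control modifiers from the article's worked example; MFA is the baseline gate.
CONTROL_MODIFIERS = {"mfa": 0.95, "edr": 0.97, "email_security": 0.98, "backups": 0.96}

# Assumed surcharge when only the MFA baseline is in place ("standard controls only").
STANDARD_CONTROLS_SURCHARGE = 1.15

# Staffing factors: MSSP/MDR monitoring earns a discount, no dedicated expertise is loaded.
STAFFING_FACTOR = {"mssp": 0.95, "limited": 1.10}


def control_factor(controls: set) -> float:
    """Product of the modifiers for every control in place beyond MFA alone."""
    extras = controls - {"mfa"}
    if not extras:
        return STANDARD_CONTROLS_SURCHARGE
    factor = CONTROL_MODIFIERS["mfa"]
    for name in sorted(extras):
        factor *= CONTROL_MODIFIERS[name]
    return factor


def rate_premium(industry: str, revenue: float, data_modifier: float,
                 controls: set, history_factor: float,
                 staffing: str) -> Tuple[str, Optional[float]]:
    """Return ("declined", None) without MFA, else ("quoted", annual premium)."""
    if "mfa" not in controls:
        return "declined", None
    base = revenue * BASE_RATE_PER_1000[industry] / 1000
    premium = (base * data_modifier * control_factor(controls)
               * history_factor * STAFFING_FACTOR[staffing])
    return "quoted", round(premium, 2)


def article_example() -> Tuple[Tuple[str, Optional[float]], ...]:
    """The article's firm three ways: strong controls, MFA only, and no MFA."""
    strong = rate_premium("professional_services", 3_000_000, 1.25,
                          {"mfa", "edr", "email_security", "backups"}, 1.0, "mssp")
    baseline = rate_premium("professional_services", 3_000_000, 1.25,
                            {"mfa"}, 1.0, "limited")
    no_mfa = rate_premium("professional_services", 3_000_000, 1.25,
                          {"edr", "backups"}, 1.0, "limited")
    return strong, baseline, no_mfa


if __name__ == "__main__":
    for status, premium in article_example():
        print(status, premium)
```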

Actionable Strategies to Optimize Cyber Insurance Costs

Immediate (0-3 months) - Security Controls

  1. Implement MFA everywhere - If not already done, this is critical to get insurable
  2. Assess endpoint protection - Ensure all devices have modern antivirus/EDR
  3. Inventory security tools - Document all current security controls
  4. Create inventory of vendors - List all third parties with system/data access
  5. Request security questionnaire - Get underwriter's detailed assessment form

Short-Term (3-6 months)

  1. Implement missing controls - Deploy email security, backup solutions, vulnerability scanning
  2. Develop vendor risk program - Assess and document vendor security practices
  3. Enhance monitoring - Consider MSSP or MDR if not currently in place
  4. Security training - Implement annual employee cybersecurity awareness training
  5. Document compliance - Align with NIST or CIS framework

Medium-Term (6-12 months)

  1. Pursue framework certification - Work toward ISO 27001 or SOC 2 Type II
  2. Incident response planning - Develop and test documented incident response procedures
  3. Advanced controls - Implement network segmentation, advanced threat detection
  4. Regular assessments - Conduct annual security assessments or penetration tests
  5. Vendor management - Establish ongoing vendor security monitoring

Long-Term (12+ months)

  1. Industry leadership - Position as security leader in your vertical
  2. Continuous improvement - Regular assessment and control enhancement
  3. Executive involvement - Ensure board/C-suite oversight of cybersecurity
  4. Industry certifications - Pursue relevant credentials (CISSP, CCISO, etc.)
  5. Premium benchmarking - Compare your costs to industry peers

Key Takeaway

Cyber insurance underwriting has fundamentally shifted from assessing only company size and industry to evaluating your actual security practices and risk management programs. While some factors (industry, data type) are largely fixed, your security controls, vendor risk management, and security staffing are entirely within your control.

By implementing critical security controls (especially MFA), demonstrating governance and frameworks, and maintaining a robust security program, you can secure favorable cyber insurance rates while simultaneously reducing your actual exposure to cyber threats.


Next in the Series: Technology Errors & Omissions: Rating Factors for Software and Tech Firms

Ready to evaluate your cyber insurance rating factors? The Volare Risk Management team can assess your security controls, compare your coverage to market standards, and identify opportunities for cost optimization.

Dominic Sylvester

Founder & President

Experienced financial services professional with extensive experience in commercial insurance and risk management. As a former family office executive, Dominic has a deep understanding of the needs of institutional investors, their capital providers, and the challenges they face.
