Covered, but not protected

By Glen Williams, CEO, Cyberfort


There is a phrase that should concern every board member and security leader operating in today’s threat landscape: “We’re covered.”

It sounds reassuring. It implies preparedness. In reality, it often signals the opposite.

Cyber-insurance has matured rapidly over the past decade into a legitimate and important component of organisational risk management. Policies now routinely cover business interruption losses, legal and regulatory costs, incident response support, ransom negotiations and reputational recovery. For organisations hit by a significant breach, that financial cushion can be genuinely significant.

But somewhere along the way, too many organisations began treating the policy as a proxy for the security strategy itself. Buying cyber-insurance cover became the endpoint rather than the backstop. And that confusion is now creating a dangerous gap between perceived protection and actual resilience.

Insurance covers the aftermath

A payout, however substantial, cannot restore trust with customers overnight. It cannot reverse reputational damage. It cannot undo the operational disruption of a manufacturing plant grinding to a halt, a logistics network going dark, or a hospital losing access to patient records. And it absolutely cannot stop an attacker who has already found their way in.

The financial mechanics of insurance have never been designed to do those things. They exist to absorb economic shock after an incident, not to reduce the likelihood of one occurring.

What drives likelihood is resilience. And resilience is something most insurance policies neither measure nor reward, at least not yet.

What insurers are actually asking for

The cyber-insurance market has changed significantly. A few years ago, insurance companies were issuing policies based on relatively lightweight questionnaires, broad assumptions about controls and limited scrutiny of what organisations had actually deployed. That era is closing.

Underwriters today want evidence. They want to see demonstrable incident response capability, not a document that has never been tested. They want visibility into backup maturity and recovery timelines. They want governance structures, identity and access management, third-party risk controls and, increasingly, proof of continuous monitoring and detection capability.

The question insurers are quietly beginning to ask is no longer simply “do you have controls in place?” It is “can you prove your environment is defensible and recoverable?” Those are meaningfully different questions, and many organisations are not yet equipped to answer the second one convincingly.

For businesses that cannot demonstrate genuine operational resilience, the implications are tangible: higher premiums, reduced coverage limits, more restrictive policy exclusions and, in some cases, rejected claims where the insurer determines that basic controls were absent.

The compliance trap

Much of the problem stems from how organisations still approach cyber-security. The dominant mindset in many businesses remains compliance led. Have we achieved the relevant certifications? Have we filled in the annual questionnaire? Have we renewed the policy? Box ticked.

What that mindset consistently fails to ask is the more important operational question: could we continue functioning if we were attacked tomorrow?

Compliance and resilience are not the same thing. Passing an audit demonstrates that, at a point in time, documented controls existed. It says very little about whether those controls would hold under pressure, whether staff would know what to do in a crisis, or whether systems could be recovered at the speed the business actually requires.

The organisations that discover these gaps most painfully are those that find them during an incident rather than before.

The human layer remains the weakest point

One of the persistent realities of modern cyber-risk is that the most sophisticated technology stack in the world can be bypassed by remarkably simple means. Attackers do not always need advanced tooling. Sometimes they need someone to hold a door open, a member of staff to click a plausible-looking email, or a supplier with legitimate access and poor credential hygiene.

The human and operational layer of risk remains stubbornly underestimated: tailgating, impersonation, social engineering, compromised third-party access and weak verification processes. These are the vectors that continue to feature in significant incidents, not because they are new or sophisticated, but because they exploit trust, routine and the natural tendency of people to prioritise helpfulness over scepticism.

Insurance provides no meaningful protection against these vectors. Only operational rigour does.

Recovery is now a board-level question

The conversation in most boardrooms has shifted from whether a breach might happen to what would happen if it did. That shift in framing is healthy, but it demands a corresponding shift in investment and preparation.

Boards are now asking how quickly systems could be recovered, what a period of downtime would cost, which data and processes are genuinely critical and whether the business could continue trading through an incident. These are not questions that insurance answers. They are questions that resilience planning answers.

Cyber-resilience has become as much a business continuity issue as a technology issue. Recovery speed, containment capability, crisis communications, operational fallback: these capabilities need to be built, tested and embedded before an incident occurs, not assembled under pressure in the middle of one.

Confusing policies with protection

None of this is an argument against cyber-insurance. It remains an important layer of protection and a sensible component of any risk management programme. For businesses operating at scale, or in regulated sectors, it is increasingly non-negotiable.

But it should be understood clearly for what it is: a financial backstop, not a strategy. It is the last line of defence, not the first. It will solve some of your problems, but not all.

The organisations best positioned today are not those with the largest policies. They are the ones that have genuinely understood where their risk sits across people, processes and data; that have built demonstrable operational resilience; and that can show insurers, customers and regulators alike that they are materially harder to disrupt than their peers.

In a threat landscape where the question is no longer “if” but “when”, the most dangerous words a business leader can say are still “We’re covered.”

Read the article on teiss here: https://www.teiss.co.uk/news/covered-but-not-protected
