
The new rules of cyber insurance


By Michael Vallas, Global Technical Principal, Goldilock Secure

For years, cyber insurance has acted a little like a corporate comfort blanket. Boards could transfer risk, satisfy governance requirements and reassure customers and investors that a financial backstop was in place.

With global ransomware damage projected to reach $57 billion in 2026, premiums are rising as exclusions widen and policies become increasingly selective, applying only to specific attack classes or technology domains.

Crucially, underwriters are no longer accepting claims of security capability at face value. They want increasingly detailed evidence that organisations can defend, contain and recover from a cyberattack. Without demonstrable control, you’ll pay more for less cover, or struggle to secure renewal at all.

From checklists to close inspection

Cyber insurance renewals were once straightforward. Organisations completed a questionnaire, and enough “yes” answers usually did the trick. That approach isn’t enough for securing coverage anymore. Insurers now want evidence that controls work in live environments, backed by deeper underwriting scrutiny and post-incident evidence.

Underwriters are now focused on how quickly an organisation can detect an attack, stop lateral movement, isolate affected systems, and recover without reinfection. A failure in any of these areas, or inability to limit the blast radius of an attack, can turn a single breach into a catastrophic multi-million-pound loss.


The true scale of that loss is then driven by how many systems are affected, how long recovery takes, the daily revenue lost during downtime and the total cost of remediation. In a recent major incident where production came to a halt and losses were estimated at tens of millions per week, the effects rippled far beyond the organisation itself, impacting the wider community and supply chain.

Cyber risk moves to the balance sheet

Insurers are pushing ever more responsibility back to policyholders, making investment in resilience a prerequisite for coverage. Recent incidents have shown just how quickly losses can escalate once operations grind to a halt. Unlike larger companies, most organisations and their suppliers cannot rely on emergency government support if revenue dries up for weeks.

As a result, cyber defences have become financial controls. The ability to keep core operations running, or to selectively isolate systems to prevent total shutdown, can be the difference between a manageable incident and a liquidity crisis.

The questions for CFOs and boards

For the executive suite, the focus is operational. Business and finance leaders should be asking questions tougher than simply which tools are in place. They should be asking whether the organisation can protect its networks, whether incident response plans have been fully tested, and whether recovery is fast, reliable and provably clean. This upward risk reporting is critical so leadership can provide timely visibility of critical cyber threats and potential liabilities to the board.

Since a board's focus is on governance and oversight, there must be assurances that systems under threat can be disconnected, that responses can be executed quickly, that the blast radius can be limited, and that operations can then be restored with a provable audit trail. This top-down risk decisioning means boards can define the organisation's risk appetite, ensure measures are in place to reduce downtime and limit financial exposure, and then guide their cyber insurance decisions accordingly.

Overconnectivity: the multiplier effect

At the heart of the issue is overconnectivity. Research shows attackers can reach high-value assets in as little as 31 minutes in highly interconnected environments.

Yet many critical systems, like backups, operational technology and cloud workloads, remain permanently reachable even when not in use. That always-on convenience benefits attackers too, unless lateral movement is deliberately constrained through controls such as strict segmentation.

Cyber risk behaves like fire: the damage is determined by how far it spreads. That’s why for insurers, the decisive factor isn’t whether you’re breached, but how quickly and effectively you can stop damage spreading.

Disconnecting to defend

Keeping sensitive systems permanently connected delivers little strategic value while significantly increasing your blast radius. Always-on connectivity expands the attack surface and increases maximum loss when a breach occurs. A more resilient approach is to treat access to high-value assets as conditional – bring critical systems online only when required and disconnect them from the network when risk rises beyond agreed thresholds.

When the ability to connect and reconnect exists outside the protected environment, attackers cannot see or tamper with it. This allows critical systems and backups to remain physically isolated and brought back online in tightly controlled, auditable windows.

For insurers, reducing unnecessary exposure blocks attackers at the point of entry, prevents breaches from cascading across the business, and slashes consequential losses. For finance leaders, it provides an explainable control that lowers the risk of extreme loss and adds certainty to how incidents are assessed during a claim.

Cyber cover must be earned

Organisations that treat renewal as a paperwork exercise should expect tougher scrutiny and higher costs. By contrast, companies that manage cyber risk with financial discipline are in a far better position. Stronger controls translate into stronger terms and reduce the likelihood of ever needing to claim.

Most importantly, putting robust, low-level risk control in place – right beneath the threats themselves – effectively enforces top-level policy and risk controls in a clear, practical way. This provides organisations with a more complete and dynamic framework for managing risk, empowering them to address threats in real time, asset by asset and zone by zone, from the ground up.
