Is Evidence-Based Underwriting Changing Cyber Insurance?

Simon Glairy works in the Insurtech space at the intersection of cybersecurity and financial risk. With years of experience refining how organizations defend against and recover from digital threats, he has watched underwriting move from simple paperwork to rigorous, data-driven validation. In a landscape where a single breach can paralyze a global enterprise, his insights into the evolution of cyber insurance are relevant to any organization looking to stay resilient in an era of AI-driven fraud and sophisticated attacks.

The following discussion explores the fundamental transformation of cyber insurance, moving away from static, annual assessments toward continuous, evidence-based monitoring. We delve into why simple attestations of security measures like multi-factor authentication are no longer enough for modern underwriters and how the rise of deepfakes and synthetic identity fraud is forcing a complete rethink of forensic readiness. Glairy explains the shift from “noise to signal” and why the ability to prove a control’s efficacy is now the baseline for coverage.

The industry is clearly moving away from simple “check-the-box” questionnaires toward evidence-based underwriting. How is this change fundamentally altering the relationship between insurers and the companies they protect?

The shift toward evidence-based underwriting is perhaps the most significant structural change we have seen in the cyber insurance industry in recent years. In the past, the relationship was built on a foundation of trust and self-reported snapshots, where an organization would simply submit documentation to demonstrate that certain controls existed. However, as cyber threats evolved at a pace faster than the paperwork could accommodate, insurers realized that the challenge isn’t a lack of information, but the ability to separate the noise from the signal. Now, instead of just asking if a security control exists, insurers are demanding to see validation that the control actually functions as it was designed to. This creates a much more active partnership where the insurer acts as a validator of cyber maturity rather than just a passive recipient of claims.

For years, annual snapshots were the gold standard for assessing risk, but you have noted that these are becoming obsolete. Why is a periodic review no longer sufficient in today’s volatile digital environment?

The reality is that cyber risk does not stand still; it is a living, breathing entity that changes almost daily. An organization can experience a massive shift in its security posture in a matter of just a few weeks due to a corporate acquisition, a migration to the cloud, or even a sudden expansion of its remote workforce. When you rely on an annual questionnaire, you are looking at a static image of a moving target, which provides a false sense of security for both the insurer and the policyholder. To address this, we are seeing a move toward continuous cyber risk assessment through technological means that monitor exposure in real time. This allows organizations to proactively discover risks they were previously unaware of, such as a new software application or an entirely new ecosystem of vendors that was introduced months after the last annual review.

Insurers are becoming much more demanding when it comes to the efficacy of security controls. What specific failures are underwriters seeing that have led them to distrust self-reported data?

Not long ago, an underwriter was perfectly content if an organization claimed that multi-factor authentication, or MFA, was deployed across its environment. But recent high-profile cyber events have revealed a startling gap between policy and reality, where MFA might have been disabled for certain privileged accounts or security monitoring solutions were missing entire segments of cloud assets. We have seen cases where endpoint protection solutions did not cover all devices, or logging solutions failed to capture the necessary forensic information required to understand a breach. From an insurance perspective, an attestation of a control’s presence means nothing if that control malfunctions during a crisis. Underwriters now want proof of control efficacy, ensuring that the safety nets organizations claim to have are actually strung tight and ready to catch a fall.

When a breach occurs, the pressure to provide answers is immense. How does the reliance on digital forensic evidence change the way an organization must prepare for a potential incident?

The moment a cyber incident takes place, the insurer needs concrete answers to a specific set of questions: What happened, when did the compromise occur, and were the security controls functioning as they should? While interviews with employees provide some context, they are notoriously unreliable during the chaos of a breach, making digital forensic evidence—like log files, cloud telemetry, and authentication records—the only way to get precise answers. Traditionally, these investigations required a significant amount of time, with investigators spending hours or even days painstakingly recreating attack trajectories. Today’s environment does not provide the luxury of such a slow process because regulators, legal teams, and customers expect immediate transparency. Enterprises are now forced to invest in technological solutions that speed up these investigations, ensuring that their findings are both fast and legally defensible under scrutiny.

With the rise of AI-powered threats like deepfakes and synthetic identity fraud, how are insurance policies and forensic requirements evolving to meet these high-tech challenges?

Advances in artificial intelligence are redefining the cyber landscape by allowing adversaries to fake executive voices, create synthetic identities, and launch phishing attacks at an unprecedented scale. This forces insurers to adjust their policies to cover unusual circumstances that were once the stuff of science fiction, such as whether a multi-million dollar transaction was authorized by a real employee or an AI-generated impersonation. Investigating these incidents requires a much higher level of advanced forensic analysis skills to determine if a communication came from a valid executive or a sophisticated deepfake. Organizations can no longer wait until after an incident to figure out how to handle these complexities; they must have the forensic maturity to parse through AI-driven fraud systems. This evolution means that the “proof” required for a claim is becoming much more technical and nuanced than ever before.

You have introduced the concept of “investigation readiness” as a key metric for insurers. What does a “ready” organization look like in the eyes of an underwriter today?

Investigation readiness is becoming a vital metric because it tells an insurer exactly how an organization will react when—not if—a cyber incident occurs. An underwriter looks at how quickly investigators can access required information, whether the chain of custody for digital evidence is preserved, and if the procedures are consistent and repeatable. If an organization can demonstrate that its findings can be independently validated and that it has the infrastructure to perform rapid investigations, it is seen as a much lower risk. We expect that within the next five years, this type of evidence-based underwriting will take center stage, making investigation readiness a primary factor in determining premiums. While questionnaires will still exist, they will be secondary to the proven ability to maintain a defensible and transparent forensic environment.

What is your forecast for the state of cyber insurance five years from now?

In five years, I expect evidence-based underwriting to be the absolute standard, where the traditional annual questionnaire is viewed as a relic of a less sophisticated era. Insurers will likely rely on automated, continuous risk monitoring feeds that provide a real-time pulse of an organization’s security health, specifically focusing on the validation of security control effectiveness and the ability to handle AI-related exposures. We will see a shift where claims validation is almost entirely dependent on preserved digital evidence and the integrity of the chain of custody, leaving very little room for ambiguity. Ultimately, the industry will move toward a model where insurance is not just a financial safety net, but a rigorous certification of an organization’s ongoing operational resilience and forensic capability.
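An added example, not part of the interview and not Mr. Glairy's or any insurer's code: a hash-chained evidence manifest that makes concrete two of the "investigation readiness" properties raised above, a preserved chain of custody and findings a third party can independently validate. It assumes SHA-256 for integrity, one manifest entry per collected artifact recording the collector and collection time, and a link from each entry to the hash of the previous one; the artifact names, the log contents and the collector identity are constructed for the example.

```python
"""
Tamper-evident evidence manifest (added example; assumptions noted inline).

Integrity of each artifact is its SHA-256. Each manifest entry also commits
to the previous entry's hash, so editing, dropping or reordering an entry
breaks verification, and anyone holding the artifacts plus the manifest can
re-derive the result without trusting the collector's word.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts standing in for collected log files.
# These are illustrative byte strings, not records from any real system.
SAMPLE_EVIDENCE = {
    "idp_auth_log.json": b'{"user":"admin","mfa":false,"result":"success"}\n',
    "cloudtrail_extract.json": b'{"eventName":"DisableMFA","user":"admin"}\n',
}

GENESIS = "0" * 64  # link value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is reproducible by a verifier.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def build_manifest(artifacts: dict, collector: str, collected_at=None) -> list:
    """Record what was collected, by whom, when, its digest, and the chain link.

    Artifacts are processed in sorted name order so two collectors working
    from the same files and timestamp produce byte-identical manifests.
    """
    if collected_at is None:
        collected_at = datetime.now(timezone.utc).isoformat()
    chain, prev = [], GENESIS
    for name in sorted(artifacts):
        entry = {
            "name": name,
            "sha256": sha256_hex(artifacts[name]),
            "collector": collector,
            "collected_at": collected_at,
            "prev": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        chain.append(entry)
        prev = entry["entry_hash"]
    return chain


def verify_manifest(manifest: list, artifacts: dict) -> list:
    """Return a list of problems; an empty list means chain and contents verify."""
    problems, prev, seen = [], GENESIS, set()
    for i, entry in enumerate(manifest):
        if entry.get("prev") != prev:
            problems.append(f"entry {i}: chain break (prev mismatch)")
        if _entry_hash(entry) != entry.get("entry_hash"):
            problems.append(f"entry {i}: entry hash mismatch (manifest edited)")
        name = entry.get("name")
        seen.add(name)
        data = artifacts.get(name)
        if data is None:
            problems.append(f"entry {i}: artifact {name!r} missing")
        elif sha256_hex(data) != entry.get("sha256"):
            problems.append(f"entry {i}: content of {name!r} altered")
        prev = entry.get("entry_hash", "")
    # Evidence that exists but was never recorded is a custody gap too.
    for name in artifacts:
        if name not in seen:
            problems.append(f"artifact {name!r} not in manifest (unrecorded evidence)")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EVIDENCE, "analyst-1")
    print("clean:", verify_manifest(manifest, SAMPLE_EVIDENCE))
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["idp_auth_log.json"] = b'{"user":"admin","mfa":true,"result":"success"}\n'
    print("tampered artifact:", verify_manifest(manifest, tampered))
    print("dropped entry:", verify_manifest(manifest[1:], SAMPLE_EVIDENCE))
```

Each failure mode an underwriter or opposing counsel might probe, an altered log, an edited manifest, a removed entry, or an artifact collected but never recorded, yields a distinct, reproducible finding that is derived only from the artifacts and the manifest, which is what makes the result independently checkable rather than a matter of the collector's testimony.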
