
By: Lisa Carroll on June 24, 2025


Tougher Cyber Insurance Security Mandates In 2025: How You Can Prepare


With rising cyber incidents, it should come as no surprise that cyber insurance companies are tightening their policy coverage requirements in an effort to stem the tide.

Today, hackers are using increasingly sophisticated tools to launch attacks. Not only are threat actors using sensitive information for financial gain, but they’ve also become savvier in using it as a strong-arm extortion tool to get even more money.

The financial losses from cybercrime are projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures.

This represents a dramatic increase in the global costs of cybercrimes over the past decade from $3 trillion in 2015.

In addition, the number of cyber insurance claims swelled to 33,561 in 2023, a direct response to the rising incidence of cybercrimes, according to the National Association of Insurance Commissioners (NAIC).

Small and medium-sized businesses are increasingly being targeted in these cyberattacks, such as ransomware, business email compromise (BEC), token theft, Adversary-in-the-Middle (AitM), data breaches, and other types of phishing attacks and social engineering schemes.

Ransomware, in fact, represents the lion’s share of the claims involving recovery expense losses, about 81 percent.

In this article, we’ll outline how cyber insurance providers are reacting in the wake of a spate of large-scale cyberattacks in recent years. We’ll also examine the ways in which insurers are trying to mitigate risk and what this may mean for your business.

After reading this article, you’ll know 9 key security tools, policies, and procedures you will likely need to implement in order to obtain or renew your cyber liability policy.

With this information, you can implement the right security measures to obtain coverage and help protect your organization's financial future.

What Is Cyber Liability Insurance?

Cyber insurance is a relatively new concept, having been created in 1997 mainly as a niche industry to protect technology companies. Today, it is a multi-faceted behemoth that is only expected to grow in the coming years.

Given the evolving threat landscape, cyber insurance has become an essential part of many organizations’ overall cybersecurity strategy. According to the NAIC, the number of active cyber insurance policies in the U.S. jumped markedly, rising 11.7% to 4.4 million in 2023.

Cyber insurance covers specific financial losses caused by a cyberattack, data breach, or other type of cyber incident.

According to the latest figures from the NAIC, $16.66 billion in premiums were written for cyber coverages globally in 2023; the U.S. cyber insurance market accounts for 59 percent of that ($9.84 billion).

Fortune Business Insights projects that the cyber insurance marketplace will balloon to $120.47 billion by 2032, based on a compound annual growth rate of 24.5 percent.

What Does Cyber Insurance Cover?

Threat actors are constantly on the prowl to exploit even the smallest vulnerabilities within your environment to successfully gain a foothold into your systems. This could be through your network, computers, software, email, or other parts of your infrastructure.

Often, individuals are the weakest link within an organization, as they can unwittingly invite in attackers by taking some adverse action such as clicking a malicious link, downloading an infected file, or sharing confidential information to a “known” contact.

Once attackers have gained unauthorized access to your data, they can launch a targeted attack, such as malware or ransomware. They can then encrypt the data and either sell it on the dark web or hold it “hostage” until a ransom is paid.

Such cyberattacks can not only disrupt critical business operations, but also affect email communications, video conferencing, data access, file sharing, and more. 

Cyber insurance is essentially a backstop to minimize losses in the event of a cyber incident. Those losses could include:

  • Direct losses sustained by your business from a cyberattack

  • Recovery costs for funds transferred electronically to bad actors in phishing attacks, business email compromise (BEC), or other cybercrimes

  • Indirect financial losses incurred by your business from a cyberattack against a third-party organization, such as a software vendor

  • Revenue losses suffered because you were forced to shut your doors

  • Financial losses stemming from extortion to regain control of your systems and recover your data

What Is Driving The Rising Demand For Cyber Insurance?

The growing number of cybersecurity incidents has far-reaching consequences.

The losses are compounded by the fact that they don’t just affect the initial target of the cyberattack or data breach. An attack can spread like wildfire, ensnaring many other businesses in its path.

For instance, in a much-publicized ransomware attack on Change Healthcare, the protected information of an estimated 190 million people was stolen, including names, social security numbers, dates of birth, and medical records.

That attack on the UnitedHealth Group subsidiary in February 2024 paralyzed the healthcare industry nationwide, leaving many small businesses on the brink of closure.

It represented the single largest cyberattack ever to hit the healthcare industry, impacting hospitals, care facilities, pharmacies, private practices, insurers, and other healthcare organizations across the country.

The reverberations are still being felt throughout the industry.

Affected businesses have filed dozens of lawsuits, including at least 72 class action lawsuits that have since been consolidated into a federal multidistrict litigation (MDL) in the District of Minnesota.

In many of the lawsuits, the plaintiffs allege that Change Healthcare was at fault for failing to implement critical cybersecurity guardrails to protect sensitive information.

The cause of the massive data breach and its ripple effect of widespread financial devastation: lack of basic cyber hygiene.

According to published reports, Change Healthcare wasn’t using multi-factor authentication, an industry-standard cybersecurity control.

This is just one example of several high-profile ransomware attacks in various industries in recent years. The frequency and severity of such attacks are driving the demand for cyber insurance coverage.


What Security Controls Can Businesses Implement To Mitigate Risk?

Given the rise in the number of claims caused by the growing incidence of cyberattacks, insurance companies are trying to turn the tide by requiring companies to implement more rigorous security controls.

Here are 9 essential cybersecurity controls to help you meet the cybersecurity standards for coverage:

1. Employee security awareness training

  • Regularly scheduled program of training modules

  • Features a combination of simulation exercises and security awareness information

  • Educates employees on the latest tactics being used by threat actors and how to spot and avoid them

  • Fosters agency among staff to follow your cybersecurity protocols

2. Multi-factor authentication (MFA)

  • Requires users to provide multiple forms of identity authentication and verification before being allowed to access a device, application, file, or other parts of your network

  • A critical component of cybersecurity that is often required by federal and state privacy laws and security regulations

3. Identity access management (IAM)

  • Implement user authentication and verification protocols to limit access to only authorized users through role-based access controls (RBAC)

  • Restricts access based on a pre-defined user role and job functions

  • Often incorporates privileged access management to limit access to highly sensitive information to only key stakeholders within your organization, such as a network administrator

4. Data encryption

  • Use advanced encryption tools to protect data both in transit and at rest

  • Helps safeguard files, folders, and other media from being stolen or compromised by threat actors through unauthorized access

5. Incident response plan

  • Create and implement a comprehensive incident response plan to outline the steps your organization will follow in the event of a cyber incident

  • Identify key stakeholders and define their roles and responsibilities

  • Establish a communication chain for internal and external stakeholders

6. Regular software patches & updates

  • Automate your scheduled software patches to ensure you have fixed any known vulnerabilities

  • Ensure your software is up-to-date to help prevent threat actors from being able to capitalize on end-of-life software that is no longer receiving critical security patches and updates from the manufacturer

7. Asset inventory and data classification

  • Perform a thorough inventory of your technology

  • Classify your data assets to identify any highly sensitive data that may require specific security safeguards

  • Segment your network to separate sensitive data so that it is only accessible to authorized

8. Business continuity and disaster recovery plan (BCDR)

  • Develop a BCDR plan to spell out how your business will respond during an emergency, such as a natural disaster or cyber incident

  • Identify employees and external entities to be notified following an emergency, including any regulatory agencies

  • Determine the impact on your business

  • Establish protocols for operating during the attack and your recovery afterward

  • Ensure you have secure, accessible data backups

9. Regular risk assessments

  • Perform regular risk assessments of your environment, including penetration testing and vulnerability scanning to identify hidden vulnerabilities and determine the effectiveness of your security controls

  • Evaluate your current security posture to identify security gaps and potential threats

  • Document the risk and potential effect of such security vulnerabilities

  • Establish and implement proposed remediation controls to correct identified security flaws

  • Develop and adopt comprehensive cybersecurity controls, policies, and procedures to mitigate cyber incidents

The Bottom Line With Cyber Liability Insurance

Currently, cyber insurance is not universally mandated. Given the rapidly evolving threat landscape, however, it has become an increasingly essential tool to help businesses and insurers alike minimize risks.

A cyber incident can cause crippling damage to your business, including reputational damage, customer defections, legal consequences, and revenue loss. While cyber insurance can’t prevent such damage, it can serve as another layer of protection for your business and the sensitive information you store, process, and share.

After reading this article, you now understand that rising threat risks are spurring insurers to ramp up the security requirements for cyber liability coverage.

When evaluating a cyber insurance policy, it’s important that you know what it covers, as well as any exclusions. You should also have a clear understanding of the specific security requirements for your business. Insurers frequently deny claims because of exclusions and because the policyholder failed to implement the necessary cybersecurity controls.

As a managed IT services provider (MSP), we write articles like this with one goal in mind: to provide information to help you make the best IT decisions for your business. We want to help you succeed, regardless of whether you choose to work with us or not.

While we don’t offer cyber insurance products, we strongly recommend that you shop around to find a policy that fits your business needs.

Are your current cybersecurity defenses adequate to reduce the chances of a cyberattack? 

Click the button below to get a cyber insurance checklist to see if you have the right technology in place to qualify for coverage.

This checklist will help you:

✔️ Identify 12 cybersecurity tools most insurance carriers require
✔️ Assess the technology gaps that may exist in your infrastructure
✔️ Understand why these 12 tools are important

Get Your Checklist

About Lisa Carroll

Lisa is Kelser's VP of Revenue who works at the intersection of business and technology to help Kelser’s clients jump on growth opportunities.
