Cyber insurance and system hardening: an important connection

Insurers are raising the prices of their cyber insurance policies. This can be changed, for example, with professional system hardening.

Gigantic damage, hardly any defense

Cyber attacks are uninsurable, according to Mario Greco. The statement caused a stir, because Greco is not just anyone. As Chief Executive Officer of the Zurich Insurance Group, he heads one of the largest insurance companies in the world.

With this statement, Greco described an explosive situation: our world is becoming increasingly insecure, and the consequences of climate change, environmental damage and armed conflicts are not the only major threats. Attacks by so-called cyber criminals also threaten our survival.

Hackers are attacking startups and major corporations alike, and they target critical infrastructures. On the one hand, to sabotage them or cause direct damage. On the other, to extort large ransom payments with ransomware.

The problem is not just the cyber attacks. Much more serious is the fact that many companies are still doing too little to combat them. They take few or no effective IT security measures, or they forget eminently important mechanisms such as backup/restore, network segmentation or system hardening. Note that system hardening is one part of a holistic strategy.

The consequences of growing cyber attacks

Cyber insurance providers are feeling the effects: Demand is rising, but expenses are growing even more rapidly. In 2021, expenses exceeded revenues for the first time, according to the German Insurance Association. The combined ratio shot up from 65 percent to 124 percent within a year. Insurers are thus incurring losses on their cyber insurance policies.

That is why insurers are currently reacting in various areas:

    • They are examining the initial situation of claimants more critically than before
    • They are cutting benefits or, in certain cases, no longer paying at all
    • They are raising their premiums – in some cases massively

For your company, this means: if it wants to take out cyber insurance, you have to expect higher costs and lower claims coverage, and you may not receive a policy at all.

If the worst comes to the worst – a successful cyber attack – your company may well be left with all the costs. And these can quickly run to hundreds of thousands or even millions of dollars. The security disaster may even lead to insolvency, because important company data can simply no longer be recovered or (main) customers terminate the business relationship.

What precautions can you take?

The answer is simple: Secure your IT systems! Make it as difficult as possible for attackers to break into your infrastructure and cause major damage. And if your systems are compromised, you need to detect it as quickly as possible and initiate countermeasures.

Follow the IT security triad “Protect – Detect – Respond” or the five steps of the NIST Cybersecurity Framework: “Identify – Protect – Detect – Respond – Recover”.

In each area, there are numerous measures you can take. For example, you should deploy anti-malware suites as well as SIEM and MDR solutions to cover the “detection” and “response” areas. And if you follow the Zero Trust paradigm, you know that you must first harden your systems to significantly reduce the attack surface.

Do you get cyber insurance without hardening?

If you want to take out cyber insurance for your company, you usually have to fill out a questionnaire. With this “checklist”, the insurer establishes how well you currently secure your IT systems. If basic measures are missing, the risk increases. Accordingly, your company will not be accepted at all or only on poor terms.

More and more insurance companies expect you to comply with the state of the art. You can prove this with audits and certifications, among other things. One important standard is ISO 27001, which is not a “nice to have” but a “must have” for certain companies – for example, above a certain size. Accordingly, cyber insurers demand ISO 27001 evidence or other adequate evidence.

ISO 27001, as well as various new IT laws and regulations, explicitly require the secure configuration of hardware and software. This means that your company must, among other things, bring its systems up to the state of the art and harden all Windows servers – ideally in accordance with CIS, DISA, ACSC or BSI standards.

Conclusion

A cyber insurance policy can be a good thing for your company. In the event of a loss, your insurer will cover some or all of the costs. For example, it pays compensation for business interruption, the cost of data recovery or IT forensics investigations.

To receive these benefits, you need to do something: secure your systems as best you can and keep regularly updated evidence ready, just in case. For generating that evidence you can use AuditTAP.

If you have trouble getting cyber insurance, or if the premiums are too high, you should be alarmed: when it comes to information security, data protection and compliance, your insurance company expects more from you! Tackle the issues as soon as possible – otherwise the risk increases that your (uninsured) company may soon become a victim of cyber gangsters.

Do you want us to help you?

Would you like to know how you can professionally realize (automated) system hardening and implement it in your company? Contact us – our system hardening experts will help you soon!
