Cyber Insurance is a Security Outcome

Dataemia

By Steve Kinman, Director GRC, Endeavor Health

Until recently, cyber insurance was a checkbox used by risk and security teams to transfer risks identified by their risk management lifecycle. It was a safety net stapled to security programs. It’s pretty straightforward: answer a few broad questions, hope for coverage, and aim for a favorable premium. Today, insurance providers want to understand your entire risk management function. They want to know whether you identify, assess, reduce, mitigate, and monitor risks and whether you actually follow the regulatory frameworks you claim to use.

In healthcare, where I currently lead governance and risk strategy, the risk landscape is constant and unforgiving, whether you are protecting regulated data or maintaining security and uptime for critical systems. Insurance is a valuable tool for sharing catastrophic risks, but it should never become a crutch for security or privacy controls. In fact, when risk management is paired effectively with security, the chances of having to use insurance decrease significantly.

Cyber insurance is critical for catastrophic events, but it is not the foundation of a secure enterprise.

Risk Management – Measure What Matters

I have been involved in cyber insurance initiatives for the last 7 years, and the methods used by insurers have changed. In my past experience, insurance providers relied on questionnaires, spreadsheets, policy and process statements, and self-attestations. Today, insurers in many cases want details and proof.

I typically fill in detailed questions about access controls, segmentation, vulnerability timelines, and business continuity practices so insurers can gauge how our security team functions in real time. I am also asked how we prioritize risk, define criticality, classify data types, and manage data flow. The inquiries tend to align with the NIST pillars of Identify, Protect, Detect, Respond, and Recover, to determine insurability.

Insurers now reward the risks you mitigate, not just the risks you document. However, mitigation is only one part of risk management. Identifying, assessing, and accepting risk are equally important. A sound program must support confidentiality, integrity, and availability, regardless of whether there are regulatory requirements, because customer trust is always at stake.

Embedding Risk Mitigation

Insurers expect to see risk mitigation built into daily operations and how teams act when risks are identified in systems, software, and supply chains. In my current role, I lead third-party risk reviews where we assess vendors by access level, regulatory impact, and criticality to operations. Some systems process PHI, some are clinical systems, others support payment flows, and finally there are business systems that handle employee PII. Each scenario carries its own set of risks, and our mitigation efforts are tailored accordingly based on criticality and priority. These efforts include vendor segmentation, contract language, data flow restrictions, access controls, and vulnerability management.

Incident response cannot just exist on paper, so we also quantify risk here. We maintain tested playbooks, conduct scenario planning, and regularly report outcomes to both business and clinical leadership. Secure development practices, particularly around open-source software, proprietary code, and application risk, also matter. Insurers now ask how we manage dependencies, monitor code integrity, and validate releases before they reach production.

The Challenge is Real

While leading security at a large e-commerce company in Germany, I had the opportunity to evaluate cyber insurance for the first time. The company was ten years old, growing fast, uninsured, and building a modern security program shaped heavily by GDPR. As the new CISO, I focused on raising our maturity so that we could even consider transferring risk to a third party.

At the time, each insurance provider had its own questionnaire and required on-site meetings to review policies and processes. Some requested similar, or at least redundant, documentation. I reached out to each of them and asked if they would consider a single session with the other providers in the room. I was surprised when they agreed, so I invited the four providers to a single session and had all of our domain leads present their areas directly. We walked through real controls, fielded questions, and let them see that our risk posture was operational, not just theoretical or policy-based.

Leaders Transfer Risk

Cyber insurance is not just a financial decision. It is a security outcome. Security and GRC leaders must shape how coverage is applied, priced, and evaluated. If you are not at the table before renewals, you are missing a key opportunity to influence how your organization presents its risk posture. I sit with legal and finance regularly to explain where we stand and can dive into the risk register that reflects current mitigation status, control ownership, and residual risk. If we accept a risk, it is signed off and documented. If we reduce it, we show how and when. Realistically, they perform due diligence, just like we do when reviewing a vendor. They want to see that we understand our risk universe.

Mitigate First, Insure Second

Cyber insurance is critical for catastrophic events, but it is not the foundation of a secure enterprise. Start by embedding risk into incident response, vendor risk, vulnerability management, and secure development. Build transparency around identifying, assessing, and addressing risk so that insurers see you as a partner, not just a policyholder.

Policies today often contain gray areas. Coverage triggers and exclusions are not always clear. As customers, we want more transparency from insurers. At the same time, we must hold ourselves to the same standard. The more we clarify our risk posture, the more accurate and effective our insurance outcomes become.
