Why a Carrot Beats a Stick in Cybersecurity Breach Insurance

Author: Zach Atya

Director of Insurance at Measured Analytics and Insurance

Zach is on a mission to fix what he sees as shortcomings in the industry. Through sober-minded cyber risk analysis, data insights, and multisectoral partnerships, we can work together to protect the most important (and most vulnerable) part of our economies: small and midsized businesses.

Just look at the headlines today and it’s plain to see: more and more companies of all sizes are getting breached… more frequently and with greater magnitude.

While there are a variety of attacks out there, the most acute and fastest-growing threat is ransomware, which can cripple a business or even put it under. Consequently, many companies are now beginning to carry cyber insurance.

Cyber insurance (also known as liability insurance or breach insurance) can provide some peace of mind in the event of a breach… assuming you can get it.

The reality is that it’s becoming harder for SMBs to get breach insurance. Many insurance providers are taking a punitive “stick” approach and insisting that companies have massively robust cybersecurity systems in place to qualify for insurance. Between having to purchase additional sets of security tools and increasing rates across the market as a whole, the barrier to acquiring and maintaining cyber insurance has never been higher.

As our partner, ActZero, pointed out in their recent cybersecurity predictions for 2022, breach insurance is increasingly “a luxury for the rich” — an option only for companies with deep pockets.

The companies hit hardest by these hurdles to cyber insurance are the small and medium-sized businesses (SMBs), who are being hung out to dry by the insurance industry.

SMBs are the target of 43% of all cyberattacks, up from just 18% a few years ago. As larger businesses throw resources at cybersecurity, SMBs — which often can’t afford cybersecurity software priced in the tens of thousands of dollars — present soft targets for hackers.

The average breach now costs a company $4.24 million, compared to $3.86 million in 2020. And 60% of SMBs that suffer a breach go out of business within six months.

Having hardened systems is better for everyone, and everyone wants them. But what are SMBs supposed to do?

The insurance industry’s STICK approach

The insurance industry’s traditional approach, what we call the “stick” approach, is little more than a knee-jerk reaction to offload risk. Incumbent insurers are not renewing current clients, particularly in light of the pandemic, or they’re jacking up rates.

Premiums nearly doubled in the United States from 2020 to 2021 as ransomware frequency and severity exploded during the pandemic, with rates jumping 73% in certain geographies during the same period. In some extreme cases, rates for some policies have risen by as much as 300%.

This “stick” approach is especially punitive towards clients seeking new coverage or seeking coverage for the first time. Applicants are denied coverage based on a range of cybersecurity criteria, many of which are especially difficult for SMBs to afford or implement, such as:

  • Privileged access management and/or MFA
  • Incident Response / 24/7 SOC
  • Full Backup / DR capabilities

Faced with this reality, what choice should an SMB make about its limited resources? Pay to harden systems or pay exorbitant rates for cyber insurance? The insurance industry’s “stick” approach leaves SMBs stuck between a rock and a hard place, forced to make a bad choice or not given one at all.

And given today’s threat landscape, going uninsured is an unenviable option.

An alternative: the CARROT approach

Rather than a punitive “stick” method, we think that a “carrot” approach would be more helpful.

A “carrot” approach incentivizes and rewards businesses that lower risk and keeps insurance affordable, building bridges between cybersecurity and cyber insurance. This “carrot” method recognizes that, fundamentally, both cybersecurity and cyber insurance share the goal of threat mitigation.

Measures that help SMBs lower their risk profile are precisely the kind of “carrot” that will keep breach insurance affordable and available to all. These measures include proactive steps like vulnerability remediation, security awareness training, and system configuration and hardening.

Taking such steps in-house doesn’t necessarily make them affordable for an SMB, but instead of punishing the SMB segment and forcing companies into impossible trade-offs (check out our whitepaper for more on the opportunity cost of making ‘impossible’ cybersecurity trade-offs), these measures could function as elements of a partnership between insurers and the businesses they insure.

Instead of ultimatums, a better approach dangles a carrot. If insurance companies work to provide resources and direction to SMBs, as we strive to do at Measured, they can democratize cybersecurity solutions and provide cyber insurance that is within reach of SMBs.

What a partnership approach could look like

To demonstrate, let’s imagine a partnership use case:

An organization might not be insurable if it doesn’t have endpoint detection and response (EDR). Rather than slamming the door shut on this SMB, however, the insurer could help it become insurable by addressing its security gaps and improving its cybersecurity posture.

For example, the insurer could propose their SMB partner work with a cybersecurity company to get Managed Detection and Response (MDR), which encompasses EDR, and offer the SMB better premiums to make such security enhancements.

The industry wouldn’t universally adopt the “stick” approach if viable options such as the “carrot” were more widely available.

That’s why ActZero and Measured Insurance are breaking new ground with this “carrot” approach — combining services that focus specifically on the SMB.

This innovative, synergistic partnership is rooted in machine learning and AI, leveraging them to perform risk analysis, identify emerging security threats, and democratize access to enterprise-grade cybersecurity and cyber insurance solutions for this underserved segment.

SMB clients benefit from both increased security effectiveness and financial savings. Read our press release for full details on the partnership between ActZero and Measured Insurance.


Insurers talk about being in partnership with the companies they insure, but the punitive “stick” method that is so often the reality in the industry doesn’t sound like a partnership to us.

That’s why we’re all-in on the “carrot” method described above. This approach builds a trusted and mutually beneficial partnership that draws on pre-existing synergies and takes SMBs from uninsurable to very insurable — and from low defensive capabilities to hardened systems and sound practices.

For us, the “carrot” method assists and rewards both companies over time for evolving their cybersecurity programs.

To learn more about the evolving cyber insurance situation and the rest of our cybersecurity predictions for 2022, download our white paper here.



