2 July 2025 | Features | Technology

Cyber insurance is the ‘final backstop’ – but not the whole answer. So, what is?

Protecting a company’s balance sheet from catastrophic cyber events should not come at the expense of robust cybersecurity.

In the complex world of cyber risk, insurance is the final line of defence – but it can’t stand alone. As threats multiply and policies grow more nuanced, success depends on aligning coverage with real-world risks and fostering better collaboration between cybersecurity teams and insurance stakeholders.

That’s the view of David Anderson, vice president of cyber at Woodruff Sawyer, speaking on the Asceris podcast hosted by CEO Anthony Hess.

“Cyber insurance is the ultimate final backstop: it's not even a seat belt; it's the airbag,” Anderson said. “It's the last thing stopping you from going through the windscreen.” 

But for him, protecting a company’s balance sheet from catastrophic cyber events should not come at the expense of robust cybersecurity measures.

In the episode, titled ‘no. 54, privacy, ransomware, and risk: 2025 cyber insurance trends’, Anderson talked to podcast enthusiast and Asceris CEO Hess as part of a series of illuminating talks from global cyber leaders.

Anderson began by diving straight into the practical side of accessing cyber insurance and said: “Spend on cyber insurance should not be coming out of the CISO’s (chief information security officer) budget, and the CISO should not be punished if there is some perception that the company’s risk strategy negatively impacts the renewal process.” 

Anderson argued that underwriters' recommendations – such as implementing 24/7 SOC (security operations centre) monitoring or managing privileged accounts – should empower CISOs, not hinder them.

Complex but effective

Describing cyber insurance as one of the most critical risk transfer tools available, Anderson admitted it remained highly nuanced. 

“Every cyber insurance policy is unique: they’re not like standard workers’ compensation or property policies. 

“Each has different definitions for key terms such as ‘computer system’ or ‘operational technology’.” 

This complexity makes it imperative for brokers to align policies with a client’s specific risk profile, and Anderson shared insightful examples from his own experience.

The podcast also addresses the disconnect between cybersecurity professionals and insurance decision-makers. 

“CISOs and cyber insurance stakeholders often speak different languages,” Anderson observed, suggesting cross-functional collaboration as a solution.

“When it comes to the cyber insurance renewal, I need this list of people at the table: the CISO, general counsel, procurement and the CFO (chief financial officer),” he stated.

Facing the future together

Anderson dispelled the myth that compliance equals invulnerability. “Every insured has a problem; compliance does not equal impenetrability.”

“What underwriters are looking for is culture, preparedness, awareness and visibility,” he said. 

Reflecting on the future, Anderson emphasised the need for education and awareness. “We need to empower cross-functional dialogue,” he insisted.

For Anderson, the key to success lies in thoughtful alignment: 

“The most important data point to understand around a cyber insurance policy success rate is whether or not it dovetails to the insurance policy holder's actual landscape of risk.”

Anderson explained that by prioritising collaboration, clarity and resilience, companies can not only secure better coverage but also foster a more integrated and effective approach to cyber risk management. 

“We want to build long-term partnerships,” Anderson said.
