How Zero Trust is Reshaping Cyber Insurance

Category: Trends and Reports

Authors: Yuri Bobbert & Davis Hake


Cyber insurance is undergoing a major shift. Once viewed as a fallback for when cyber defenses fail, it’s now becoming a tool for actively managing risk and protecting capital. As threats become more complex (and losses from third-party breaches rise) insurers and financial institutions are rethinking what qualifies a company for coverage, and how pricing should reflect real security practices.

On May 23rd, 2025, stakeholders from various large insurers met in New York City to discuss how cyber insurance is evolving, and how Zero Trust is increasingly at the center of that shift.

Moderated by Yuri Bobbert and Davis Hake, this roundtable tackled the financial incentives, underwriting practices, and supply chain vulnerabilities reshaping the market. It also tied into new academic research showing how Zero Trust practices can directly reduce the impact of cyber incidents.

Key questions and answers from the roundtable

1. How does the threat from third parties compare to other threats?
   Response: High and rising; outsourced risk does not equal outsourced liability.
   Notable comments from participants: “Third parties have become a major source of claims losses.” “Financial companies are deeply reliant on the defences of the third party, giving them limited control on their risk.” “Risk is outsourced through vendor surveys but liability is often not, so follow-ups on vendor security are limited.”

2. Is Zero Trust appropriate for small organisations?
   Response: 100 % yes.
   Notable comments from participants: “Zero Trust is ‘size-agnostic’, provided controls are right-sized and automated.” “There needs to be a simplified process for adopting Zero Trust among small companies.” “Technology is usually ready; utilisation of it must be done by experts.”

3. Is Zero Trust already practised in financial institutions?
   Response: Emerging but uneven.
   Notable comments from participants: “Adoption is strongest in the customer-facing anti-fraud layers; legacy cores lag behind in adoption of Zero Trust.”

4. What security is required for FI vendors and how is it enforced?
   Response: Contract-driven baselines.
   Notable comments from participants: “There is an increasing use of contractual obligations and continuous-monitoring clauses. There is also no way to extend these practices down to vendors.” “Vendors are given requirements from multiple FI customers that are all different and not aligned to Zero Trust.”

5. Does the cyber-insurance market incentivise Zero Trust?
   Response: 4 yes / 2 no.
   Notable comments from participants: “Skeptics who are unaware of what Zero Trust entails cite lack of ‘financial driver’ and limited actuarial evidence for any cybersecurity control or risk frameworks. Proponents note that the Zero Trust principles not only stop intrusions, but build resiliency by limiting the scope of a breach.” “The market needs more education to point to lower deductibles for verified controls.”

6. What evidence do underwriters need?
   Response: Empirical loss data plus configuration proofs.
   Notable comments from participants: “There are already concepts of Zero Trust, like MFA and network segmentation, that are common in underwriting, but there is no direct work linking Zero Trust to reduced claims and loss ratios.” “Reinsurers need to see the mapping from scorings on underwriting assessments and losses aligned with the concepts of Zero Trust. There could be maturity levels to help non-technical underwriters.”

7. How can Zero Trust be driven into sensitive FI supply chains?
   Response: Show return on security investment (ROSI) and impose contractual duties.
   Notable comments from participants: “Regulatory ‘Five Cs’ (Concern, Cause, Consequence, Corrective Action, Commitment) are cited as an enforcement model. The same concepts on simplifying Zero Trust adoption for underwriters should be leveraged to support small vendors who lack the technical maturity to begin Zero Trust on their own.”

Looping in the Research

These real-world conversations back up what Bobbert & Timmermans found in their 2025 research, “How Zero Trust as a Service (ZTaaS) reduces the cost of a data breach”. Their study breaks down how different Zero Trust components reduce both the likelihood of a breach and the severity of one when it happens. The math behind it is simple: fewer and smaller incidents mean lower insurance payouts. That, in turn, makes insurers more likely to offer better coverage and pricing.

An abridged version of their cost reduction scheme is shown below:

| ZTaaS component | Likelihood reduction | Impact reduction | Total score |
|---|---|---|---|
| Protect surface design | 10 | 10 | 20 |
| Technical controls (XDR, IAM, etc.) | 15 (+5 with Kipling “5W1H” rigor) | 10 (15) | 25 (35) |
| Real-time dashboarding | 5 | 10 | 15 |
| 24×7 SOC | 10 | 5 | 15 |
| CSIRT | 0 | 15 | 15 |

Fully implemented, the stack can deliver a 30-50 % premium reduction by lowering expected loss, according to actuarial modelling cited in the paper.

What This Means for the Financial Side

These insights show a clear trend: cyber insurance is no longer just about passing risk to someone else. Instead, it’s becoming a way for companies to protect their balance sheets, provided they can prove they’ve done the work.

Insurers are starting to reward organizations that can show real evidence of strong security, such as dashboards, logs, and continuous assessments. That means fewer surprises on claims, more stable premiums, and even improvements in credit ratings.

Vendor risk is also in the spotlight. Since financial institutions are still on the hook when their vendors get breached, insurers are tightening coverage terms unless those vendors are segmented and monitored in line with Zero Trust principles. Contracts are becoming key tools, especially those that include continuous monitoring requirements and performance penalties.

Meanwhile, regulators like the OCC are echoing the language of Zero Trust in their guidance. This alignment between regulators and insurers is pushing the market faster toward measurable, verifiable security practices.

The bottom line? The companies that invest in Zero Trust (and can prove it!) aren’t just more secure. They’re becoming more financially resilient, with insurance that works better, costs less, and supports their long-term growth.