One question we’re asked on a weekly basis: Is Cyber Insurance actually worth it?
The short answer is yes.
The long answer depends on how your organisation views and measures cyber risk, what maturity looks like in your region, and what you expect cyber insurance to do for you.
It’s fair to say cyber insurance is definitely on the agenda for organisations worldwide. Sometimes driven by the board. Sometimes by auditors. But less often by cyber security teams. And whilst cyber insurance can be valuable, it can also create false confidence if misunderstood.
Today we are opening up the debate, and will set out what cyber insurance does well, where it falls short, and how to have the right conversation about it…
The Global Backdrop
Across all regions, insurers are reacting to the same pressures:
- Rising ransomware and extortion claims
- AI-enabled attacks increasing speed and scale
- Poor correlation between security spend and real risk reduction
As a result, cyber insurance has tightened significantly. Policies are more selective, controls are scrutinised, and claims are challenged. This has changed the role insurance plays in a cyber strategy.
UK
In the UK, cyber insurance is increasingly shaped by:
- Alignment with Cyber Essentials and ISO 27001
- Greater focus on ransomware controls and recovery
- Board-level scrutiny following high-profile UK breaches
What we see in practice:
- Insurers requesting evidence of MFA, backups, and incident response
- Questionnaires that resemble light-touch audits
- Premiums rising even where controls are mature
Cyber insurance is often treated as compliance rather than a risk tool, and that is often where value is lost.
Europe
In Europe, the picture is complicated by regulation:
- NIS2 raises expectations around resilience and accountability
- Fines and regulatory action are often excluded from cover
- Cross-border incidents introduce jurisdictional complexity
Key challenges include:
- Gaps between regulatory liability and insurable loss
- Ambiguity around what constitutes a “covered incident”
- Increasing scrutiny of third-party and supply chain risk
For many European organisations, cyber insurance does not offset regulatory exposure; it covers only a subset of the operational impact.
New Zealand
In New Zealand, cyber insurance adoption is growing quickly, driven by:
- Cloud-first strategies
- Smaller internal security teams
- Increased ransomware targeting mid-market organisations
Common patterns we see:
- Heavy reliance on insurer-recommended controls
- Less internal testing of incident response assumptions
- Overconfidence in cover limits
This creates risk when response expectations exceed policy reality.
Solid Reasons to Buy Cyber Insurance
- Financial support during a major incident
- Board reassurance and risk transfer
- Support for business interruption scenarios
- Access to legal, forensics, and response services
Used correctly, cyber insurance can complement a security programme, but used incorrectly, it becomes a substitute for one.
Where AI Changes the Equation
AI affects cyber insurance in two directions:
- Attackers are using AI to scale phishing, credential abuse, and reconnaissance
- Insurers use AI and analytics to assess risk, detect fraud, and challenge claims
This means:
- Poor controls are identified faster
- Inconsistent security postures are penalised
- Claims scrutiny is increasing, not decreasing
AI reduces tolerance for ambiguity on both sides.
The Cyber Insurance Debate
Cyber insurance is not a safety net: It is a financial instrument with conditions. Many organisations only discover the exclusions after an incident. If your controls would not withstand a regulator’s scrutiny, insurance will not save you. Policies rarely cover fines, negligence, or systemic failure.
Cyber insurance can weaken accountability: Boards sometimes see insurance as risk transfer rather than risk reduction. Insurers are becoming de facto security assessors. Their questionnaires increasingly shape security priorities, not always correctly.
A strong cyber programme reduces the need for insurance, not the other way round. Insurance should sit at the end of a risk journey, not the start.
So, is it worth the conversation? Yes. But it should be the right conversation.
Cyber Insurance Works Best When:
- Mapped clearly to real business risk
- Understood by security, the board, legal and finance together
- Treated as a complement to controls, not a replacement
From what we see across UK, European, and New Zealand organisations, the biggest failures come from assumptions, not attacks.
If cyber insurance is on your agenda, the most important first step is not choosing a policy.
It is understanding whether your current cyber posture will actually stand up to insurer scrutiny, regulatory expectation, and real incident conditions in your region.
We work with organisations across the UK, Europe, and New Zealand, and see first-hand how cyber insurance expectations differ by market, regulator, and insurer. What passes in one region often fails quietly in another.
At ITogether, we support organisations through a Cyber Insurance Readiness Assessment that:
- Maps your existing controls to insurer expectations, not assumptions
- Identifies gaps that could invalidate cover or weaken a claim
- Accounts for regional regulatory pressure, including UK frameworks, NIS2, and local NZ realities
- Translates technical exposure into board-level risk language
- Helps you decide whether insurance meaningfully reduces risk, or simply shifts paperwork
👉 For a clearer view of where you stand, and what cyber insurance providers are really looking for in your region, we can guide you through the process with clarity, context, and experience.
🇬🇧 📞 +44 (0) 113 341 0123
🇳🇿 📞 +64 (0)9 802 2444
📧 hello@itogether.com