Why CISOs don’t trust cyber insurance — and how the industry can fix it

It’s common for a CISO to feel insurers reduce their very complex environments to checklists, says CFC’s Lindsey Maher

By Jason Contant | March 11, 2026 | Last updated on March 11, 2026

Some chief information security officers (CISOs) don’t trust cyber insurers because historically it hasn’t felt like a partnership, but there are ways to rebuild trust, says Lindsey Maher, head of global cyber development at CFC.

“It’s common for a CISO to feel insurers reduce their very complex environments to checklists, speak a different language, or show up only at renewal or crisis — and subsequently, CISOs feel judged rather than supported,” Maher tells Canadian Underwriter. “The good news is the industry is shifting: the more we build transparency, context, and collaboration into the relationship, the faster that mistrust disappears.”

This mistrust isn’t new; it’s been there since the earliest days of the product, Maher says. “I entered the market in 2010 and feel fairly certain it predates that.”

It comes from two worlds that grew up separately: security teams built around engineering and threat response, and insurers built around risk transfer.

“For years we didn’t share the same language, the same data, or the same expectations, so CISOs often felt judged rather than supported,” she tells CU. “That legacy still lingers, but it’s changing fast.

“As an industry, we’re finally building the shared understanding and transparency that turns insurance from a checkbox into a genuine partner in resilience.”

Maher addressed the issue in a Feb. 25 LinkedIn post, Why CISO’s Distrust Cyber Insurance — and How to Fix It. There can even be accusations that insurers are just looking for ways not to pay claims. “If you work in cyber insurance, you know the narrative simply isn’t true,” she writes in the post.
“We’ve been transparent about our claims acceptance rate (now 99.4%), and we know many of our peers have similar numbers. “Yet every week, another LinkedIn post goes viral accusing insurers of playing ‘gotcha’ with claims.”

The irony is that CISOs are the very people cyber insurers are trying to protect.

Sources of disconnect

The problem stems from several sources:

Cyber underwriters often pursue some of the toughest security certifications in the world just to speak the same language as CISOs — only to turn around and dictate what their security posture ‘should’ be. “That dynamic breeds tension, not trust,” Maher writes.

CISOs don’t hate controls; they hate when insurers evaluate them in a vacuum. ‘MFA everywhere’ sounds great — unless operational constraints or compensating controls achieve the same outcome. A company can have every control and still get breached, or have fewer controls and remain resilient. When insurers reduce complex environments to checklists, CISOs feel unheard and oversimplified, Maher says.

Cyber policies are complex, and when they are read like legal puzzles, fear of hidden exclusions grows, Maher writes.

Claims can feel like negotiations, not lifelines. The initial incident response turns into a contest over who can respond the fastest and mitigate the quickest, “followed by a lengthy and painful business interruption adjustment process that doesn’t line up.”

To rebuild trust, the insurance industry should shift from ‘checklist underwriting’ to ‘risk-based underwriting,’ Maher writes. “Binary yes/no questionnaires don’t reflect real‑world environments. Underwriting should be a qualitative dialogue — the kind only a human can have, especially in an era where AI threatens to automate everything else, including underwriting.”

The industry should also explain why a control matters and how it affects premiums. By sharing loss data and rewarding improvements, transparency can turn suspicion into collaboration. “Cyber insurers should be shouting their claims acceptance rates from the rooftops!” Maher writes. “Yet every week, another LinkedIn post goes viral accusing insurers of playing ‘gotcha’ with claims.”

Policies need to be in plain language, rather than legalese, she says. For example, include explicit definitions of what’s meant by ‘as soon as reasonable,’ what constitutes a systemic event, and clear examples of what is and isn’t covered. It’s also important to highlight the personal liability CISOs face. “Avoiding punitive language and offering clarity around protections can transform insurance from a threat into a safeguard.”

Integrating insurance with security improvements can help. The best insurers already offer bundled or discounted tools, shifting insurance from a passive risk transfer mechanism to an active security accelerator. “For SMEs, this can be the reason they buy cyber insurance full stop,” writes Maher. “For CISOs at larger companies, it’s the way they differentiate between who they place their business with.”

She says cyber insurance and cybersecurity are two halves of the same mission: protecting organizations from existential digital threats. “Yet somewhere along the way, we allowed miscommunication, complexity, and misaligned incentives to fracture that relationship…Something is fundamentally wrong if the very people we’re trying to protect feel alienated from us.
“And something powerful can happen when we fix that.”

Jason Contant has been an award-winning journalist with Canadian Underwriter for more than a decade, including the past three years as associate editor and, before that, as digital editor for seven years.