The fusion of cyber insurance with security services is a key trend in the industry, designed to help policy holders achieve and then maintain — after the policy has been purchased — adequate security in the face of ubiquitous and constantly updated cyber threats. Unfortunately, the bundling of cyber insurance policies with security services is being blocked or impeded by state insurance regulators in 25 states and D.C., according to a useful and timely new report from the non-profit Institute for Security + Technology (IST).

“Right now (in many of these states), traditional insurance policies can only provide reduced premiums at the time of underwriting or during the renewal process. A bundled security and insurance package might incorporate discounts or rebates into the security service, rewarding best practices or adoption of new cybersecurity systems over time,” the report notes (italics ours).
Why Block Carriers from Helping Clients Improve Their Security?
The regulations blocking cyber insurance bundling stem not from anything specific to cyber policies, but rather from abuses in the sale of life insurance dating back to the 1800s. “At the time, some life insurance agents were offering products and services entirely unrelated to the purchase of life insurance to induce customers to choose one broker over another,” recounts Sophia Mauro, a co-author of the study. “This created all kinds of concerns, including market distortion (is the insurance being purchased because it’s high quality, or because the value-added service is so appealing?), insolvency (do these added products and services threaten the financial health of the firm?), and unfair competition (how can smaller firms compete with larger firms who have higher budgets to offer additional products and services?). In response, states began to pass anti-rebating statutes, which sought to mitigate unfair competition and deceptive practices in the sale of insurance.”
States Prohibiting Cyber Insurance Bundling
The National Association of Insurance Commissioners several years ago approved an updated model law permitting bundling, but half of America’s states still block such offerings. According to the report, these states still place prohibitions on bundling (as of 1/25/2025): Alaska, Colorado, DC, Delaware, Georgia, Hawaii, Idaho, Louisiana, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, Oklahoma, Oregon, South Carolina, Tennessee, Texas, Vermont, Virginia, Washington, and Wisconsin.
While the IST makes a compelling case for updating insurance rules for the era of cyber security, it’s unclear how quickly most state regulators can or will change the rules. We’re doubtful they can move at anywhere near the speed of cyber criminals and their increasingly rapid adoption of technology for cyber crime. As an example, while New York State permits some version of bundling, the insurance authorities there are already slowing the implementation of AI in the industry to fight “systematic biases” and discrimination.
History of Cyber Insurance
We also recommend the portion of the IST report outlining the history of the cyber security insurance market, which goes back to the first policy, underwritten by AIG, in 1997.