What Your Cyber Insurance Policy Misses – And What Attackers Find First – NEW PODCAST

Estimated reading time: 8 minutes

Buying a cyber insurance policy still begins with a questionnaire. That process is no longer enough. In a recent Cyber Insurance News podcast, I spoke with Tristan Morris, co-founder and CEO of SplitSecure, and Dylan Hamilton, business development lead at SplitSecure. SplitSecure builds credential and privileged access management tools to provide insurers with verifiable proof that security controls are working. Together, they made a clear case. Insurers rely too heavily on static forms. Attackers keep finding the gaps that those forms miss.

This is important in a soft market. Buyers answer standard questions about multi-factor authentication, staff training, and incident response plans. These answers help assess risk, but they only give a brief snapshot. Morris described the questionnaire as just ‘a snapshot in time.’

For underwriters, brokers, and CISOs, that snapshot no longer carries enough weight. Cyber insurance policy requirements are now moving toward controls that can be verified in real use. That shift carries direct implications for any policy tied to identity, access, and ransomware exposure.


The Gap Between Policy And Practice

I opened the discussion with this: buyers hear about MFA, training, cyber hygiene, and incident response, but the real risk lies not in the written policy but in daily actions.

This gap is key: forms begin the process, but good underwriting now depends on verification. Executives are shifting their focus from technical details to real business risks. Which controls actually work? Which gaps lead to major claims?

Questionnaires Miss The Exceptions That Attackers Need

Morris and Hamilton kept coming back to one point: attackers look for exceptions. A company might use MFA almost everywhere, but one unmanaged account can still be a risk. Even with an access control policy, a single privileged user might have too much access.

This distinction matters: many controls appear adequate on paper, but their true value lies in daily enforcement. Failure around a single key account results in the same losses for insurers and operational damage for buyers.

I asked both guests to move past abstract terms and explain what really happens when an attacker finds a way in. This helped non-technical decision-makers see the real issue. The problem isn’t how the control is described, but how much risk it leaves.

Credential Theft Sits At The Center Of Claims Severity

The conversation had a clear flow: credentials give access, access leads to ransomware, and ransomware causes big losses. Morris pointed to the Verizon and IBM 2025 Data Breach Reports. About 30% of payouts involve credentials stolen from third parties. Vendors, contractors, and auditors with access can become entry points. Once attackers get admin or infrastructure credentials, they can reach backup systems and production environments, disable backups, and then launch ransomware. In 2025, 91% of cyber insurance payouts were related to ransomware.


Hamilton added the scale that makes that figure striking. Ransomware represents less than 10% of claims by volume. It accounts for 91% of incurred losses.

That is why cyber insurance policy requirements increasingly focus on identity controls and privileged access discipline.

Hamilton brought in a business perspective. He said, in cybersecurity, “prevention is the hardest thing to sell.” CFOs and general counsel know this challenge well. Security budgets compete with other business needs, and insurance adds another factor. Buyers want coverage, while underwriters want proof. The best approach now connects both to measurable loss prevention.

Why MFA Alone No Longer Satisfies Insurers

The podcast made a balanced point on MFA. It is still a valuable control. Companies should still use it. Morris argued that many insurance workflows treat MFA like a complete answer. That view gives buyers and insurers a false sense of comfort.

Morris identified three live attack paths that bypass MFA in practice. Social engineering convinces an employee to disable it. Session hijacking waits for a legitimate login and then takes over the open session. Info stealers sit on a device and harvest credentials as they pass through. All three are active in the current threat environment.

The lesson is clear: control presence is not control quality. Underwriters and brokers see this, and buyers need to demonstrate they do too.

What Proof Actually Looks Like

The podcast didn’t just talk about the problem; it offered a real solution. Morris explained what proof of good credential management looks like. SplitSecure creates an audit log for every account, secret, and key it manages. The log tracks every use, every policy, who asked for access, and who approved it. Cyber insurers can automatically review this log to confirm good practices are in place everywhere, without needing a manual survey.

Morris explained the logic behind underwriting. Right now, insurers look for problems by checking for misconfigured accounts, but this approach can’t catch everything. What they really need is a clear definition of good practice. A verifiable log that shows controls are always applied gives them that proof.

Privileged Access And Vendor Risk Define The Worst Case

One of the most important parts of our conversation was about privileged access. Morris said underwriters should ask which account could cause the most damage if it were compromised. This question avoids jargon and matches how business leaders think about big risks.

Hamilton made a similar point from another angle. He said underwriters should ask CISOs how the company handles sensitive credential access for third-party vendors compared to employees. The right answer is that everyone is treated the same. Having uniform standards, not making exceptions for convenience, is what creates strong access controls.

I steered that discussion toward a practical business truth. Friction can protect value. A faster process may help productivity. A narrower access model protects the balance sheet.

What This Means For Underwriting In 2026

Pricing remains soft, but insurers now want stronger, continuous evidence that controls work, not just annual declarations, especially regarding identity, privilege, and third-party access.

Policy requirements are moving away from simple checklists and toward real governance and resilience. CFOs get guidance on risk, general counsel sees a governance framework, and CISOs can identify where to invest to lower claim severity.

Buying a cyber insurance policy still begins with a familiar process. The next stage of underwriting will depend on what companies can prove.


Podcast FAQs

What Does A Cyber Insurance Policy Actually Measure Today?

Most policies still measure declarations. Buyers confirm controls exist. Underwriters record the answers. What a modern cyber insurance policy increasingly needs to measure is evidence. Do the controls work consistently? Are they applied to every account? Can the insurer verify that without re-surveying the company each year? The market is moving from self-reported compliance toward continuous, verifiable proof.

Why Do Questionnaires Still Create Risk For Buyers?

A questionnaire records a company’s security posture at one point in time. Security environments change daily. New accounts are created. Exceptions are granted. Vendors receive access. None of that appears on the form the buyer completed at renewal. Attackers do not respect the renewal cycle. They look for the weakest point in the current environment, not the one documented last year.


How Does Credential Theft Lead To Ransomware Losses?

Stolen credentials give attackers account access. Admin and infrastructure credentials give them access to backup systems and production environments. Once they control both, they can disable recovery options and launch ransomware. According to the Verizon and IBM 2025 Data Breach Reports, 91% of money paid out by cyber insurers in 2025 was ransomware-related. Credential theft remains the primary cause.

What Should A CISO Show An Underwriter Beyond An MFA Checkbox?

They should show evidence of consistent application. Which accounts have MFA enabled? Which do not, and why? Are exceptions documented and reviewed? Can the company produce an audit log showing credential use, access approvals, and policy enforcement across its entire environment? That kind of evidence moves the conversation from declaration to proof.

Why Is Privileged Access The Highest Priority For Cyber Underwriters?

A single compromised privileged account can give an attacker control over critical systems, disable monitoring tools, and trigger an enterprise-wide event. The Delinea 2025 report found that privileged access management is the single largest differentiator in how underwriters assess insurability. Identifying the highest-risk accounts and demonstrating how they are protected is now a core underwriting question.

What Should Executives Ask Before Renewing A Cyber Insurance Policy?

Three questions matter most. Which accounts or vendor relationships create the worst-case loss scenario if compromised? Are those accounts subject to tighter access controls and approval requirements than standard accounts? And can the company produce verifiable, continuous evidence of those controls — not just a completed questionnaire?
