Microsegmentation Cyber Insurance Gap: 90% Of Organizations Are Falling Behind


Almost every security leader wants microsegmentation. Almost none of them have it. That is the central finding of a new Omdia survey commissioned by Elisity, covering 352 US cybersecurity decision makers across healthcare and manufacturing. The numbers describe a market caught between intent and execution, and for underwriters assessing lateral movement controls, the microsegmentation cyber insurance gap matters enormously.

The Numbers Behind The Gap

The headline statistic is stark. Ninety-nine percent of organizations are implementing or planning microsegmentation. Yet only 9% report that more than 80% of their critical systems are actually protected. In healthcare, that figure drops to 6%. Nearly half of all respondents experienced a lateral movement attack in the past year. At the same time, 57% rank microsegmentation as their top initiative to stop lateral movement. Organizations know what they need. They are not getting it done.

James Winebrenner, CEO of Elisity, frames the problem directly: “Microsegmentation has matured, but many organizations still carry the scars of earlier, complex approaches.” Those scars are real. Most organizations still rely on VLANs, access control lists, and agent-based tools built around network location rather than device identity. These legacy architectures require constant manual rework. They leave east-west traffic exposure wide open. And critically for cyber insurance underwriting, they check the segmentation box without delivering the control.


Why Microsegmentation Cyber Insurance Questions Need To Change

The survey includes a data point that should concern every cyber insurer. Only 32% of respondents cite cyber insurance requirements as a driver for microsegmentation investment. Zero Trust strategy leads at 68%. Regulatory compliance follows at 60%. Insurance sits last. That ranking tells underwriters something important: they currently have less influence over segmentation decisions than regulators do.

Winebrenner says the reason is straightforward. Most renewal questionnaires still ask whether an organization has network segmentation, a binary question that lets a 20-year-old VLAN architecture check the same box as identity-based microsegmentation. Only one of those approaches actually contains lateral movement. Underwriters should ask whether segmentation is identity-based or location-based, what percentage of critical assets sit under active policy, and whether that policy extends to OT and IoMT environments. The same evolution happened with MFA questions. Segmentation questions need to follow the same path.


The OT And IoMT Blind Spot

Healthcare and manufacturing are the two heaviest ransomware target sectors. They are also the two sectors where first-generation microsegmentation fails most visibly. Agent-based tools cannot be deployed to PLCs, MRI machines, or infusion pumps. Those are precisely the devices ransomware groups target to force payment. Manufacturing respondents rank ICS and building management systems as their top device challenge. Healthcare respondents name patient monitoring systems and IoMT devices. Ransomware groups, including Qilin and BlackSuit, have pivoted specifically to OT and IoMT environments after establishing an IT foothold.

Most cyber insurance application forms treat segmentation as a single line item. An organization with solid IT segmentation but a flat OT network looks adequately controlled when it is not. The production outage or patient-safety failure that drives a large claim comes from the OT and IoMT layer, not the corporate IT network. Underwriters should assess OT and IoMT segmentation as a separate, independently evidenced control.

Identity-Based Segmentation: The New MFA Inflection Point

Sixty-nine percent of respondents name identity-based microsegmentation as their most desired capability. Only 22% have hands-on experience with modern microsegmentation solutions. That awareness gap explains much of the 90% implementation shortfall. The technology has evolved significantly. Modern platforms enforce policy directly on existing network switches — no agents, no additional hardware, no VLAN reconfiguration. Sixty-two percent of respondents say today’s solutions are easier to deploy than those available five years ago.

For underwriters, this maturity signal matters. Identity-based microsegmentation ties access policy to user and device identity rather than IP address or network location. That means coverage is auditable per session, per device, and per asset class across IT, IoT, OT, and IoMT. For the first time, underwriters can ask a real, measurable question: what percentage of critical assets have least-privilege policy actively enforced? That is a verifiable control — not a marketing claim. Winebrenner compares this moment directly to MFA’s underwriting inflection point around 2020. The market signal is the same. The questionnaire evolution should follow.

What Underwriters And Brokers Should Do Now

The Omdia data gives underwriters a concrete framework. Partial microsegmentation is not partial protection. It is full exposure of the uncovered assets. A handful of VLANs in front of an EHR or ICS environment will not stop a modern ransomware intrusion. Coverage that does not account for the availability and resilience of all operational assets, including OT and IoMT, creates a false sense of security on both sides of the policy.

Brokers placing coverage in healthcare and manufacturing should ask clients specifically what percentage of critical systems sit under active identity-based policy, not just whether segmentation exists. The answer to that question is now measurable, increasingly standardized, and directly relevant to claim frequency and blast radius. The 90% gap in this survey is the risk that underwriters are currently pricing without asking the right questions.

FAQ – Microsegmentation Cyber Insurance Gap

What is microsegmentation in the context of cyber insurance?

Microsegmentation divides a network into secure zones and controls access between them. In a cyber insurance context, it is a lateral movement control that limits how far an attacker can move after breaching one system and directly affects the ransomware blast radius and business interruption severity.

Why does the 90% microsegmentation gap matter for underwriters?

The gap means most organizations in high-risk sectors like healthcare and manufacturing have limited active containment for east-west attacks. Legacy VLAN and ACL architectures check the segmentation box on renewal questionnaires without delivering meaningful lateral movement control.

What is identity-based microsegmentation, and why does it matter for underwriting?

Identity-based microsegmentation ties access policy to user and device identity rather than network location. Unlike legacy approaches, it is auditable per asset, covers OT and IoMT devices that cannot run software agents, and provides a measurable percentage of critical systems under active policy, a verifiable control underwriters can assess.


Why are OT and IoMT environments a separate underwriting concern?

Agent-based segmentation tools cannot be deployed to PLCs, medical devices, or industrial control systems. These are the environments ransomware groups target to cause production outages and patient-safety failures. Most application forms do not ask about OT and IoMT segmentation separately, creating a significant coverage assessment blind spot.

What questions should brokers ask clients about microsegmentation?

Ask whether segmentation is identity-based or location-based, what percentage of critical systems are covered by active policy, whether that policy extends to OT and IoMT environments, and how that coverage is monitored and evidenced. Binary yes/no segmentation questions no longer reflect the risk accurately.

How does cyber insurance influence microsegmentation investment?

The Omdia survey finds that only 32% of organizations cite cyber insurance as a driver for microsegmentation, the lowest-ranked driver behind Zero Trust strategy and regulatory compliance. Underwriters have less influence over segmentation investment than regulators. More prescriptive questionnaire language would close that gap.
