
Framework for Cyber Insurance

Published: 28 Aug 2024

A structured approach to assessing cyber risk that improves cybersecurity, not just transfers it.

Framework for Cyber Insurance: five critical factors — Business Entropy, Risk Tolerance, Management Strategy, Operational Maturity, and Cyber Resilience — combine to determine the Insurance Premium outcome.

The Problem

Cyber insurance has become a board-level conversation in every major enterprise. High-profile incidents — software supply chain compromises, ransomware events, data breaches, large-scale IT outages — have made it impossible to treat cyber risk as an operational concern alone. Insurance is now part of the architecture.

Yet cyber insurance has a quiet problem that the industry has been reluctant to confront. It has not, in aggregate, improved cybersecurity or reduced cyber risk since the late 1990s.

Josephine Wolff, Associate Professor of Cybersecurity Policy at the Fletcher School of Law and Diplomacy at Tufts University, makes this argument with depth and rigour in her 2022 MIT Press book Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks. Her core observation: cyber insurance normalises the payment of online ransoms, which is the opposite of what cybersecurity is trying to achieve. A mature cybersecurity posture aims to disincentivise such payments. A mature insurance product, in its current form, reimburses them.

The Financial Times, reporting on the systemic nature of cyber risk after a recent global IT outage, described the insurance industry as braced for losses running into billions — but also as potentially the biggest winner, since such events feed demand for cyber insurance. The market grows. The risk underneath does not necessarily shrink.

This framework is offered as a way to close that gap.

What This Framework Is

The Framework for Cyber Insurance is a structured approach to assessing cyber risk that serves two parties at once. Enterprises use it to understand the cyber risk posture that determines the insurance premium they will pay. Insurers use it to evaluate the risk involved in underwriting those enterprises.

The framework rests on a single observation. Existing cyber insurance underwriting relies excessively on technical metrics — penetration testing reports, vulnerability assessment scores, security accreditations. These measure only a fraction of an enterprise’s actual susceptibility to compromise. They miss the organisational dimensions that determine whether the technical posture will hold under pressure.

Five critical factors capture what the technical metrics miss:

1. Business Entropy
2. Risk Tolerance
3. Management Strategy
4. Operational Maturity
5. Cyber Resilience

The first two relate to how the business is run. The next three relate to how the cyber function operates inside the business. Together, they describe an enterprise’s true exposure to cyber risk in a way that technical metrics alone cannot.

The framework is operationalised through a Risk Assessment Questionnaire, a software-driven self-attested instrument that collects detailed information across each of the five factors and produces a structured maturity assessment. The questionnaire is supplied as an accompanying spreadsheet.

The Five Critical Factors

1. Business Entropy

Entropy is a scientific concept most commonly associated with disorder, randomness, and uncertainty. The higher the entropy in a business, the more disordered and uncertain its outcomes will be.

Large organisations are often mired in bureaucracies, leading to inefficiencies and decision paralysis. Small and medium businesses, including startups, frequently lack the formality and structure that would let them respond predictably to cyber incidents. Unclear strategy, undefined risk measurement, and inconsistent operational processes all elevate entropy. So does rapid growth without governance maturing alongside it.

The Risk Assessment Questionnaire captures the elements likely to contribute to business entropy. These include organisational structure, decision rights, change velocity, governance maturity, and the alignment between business strategy and operational reality.

A business with low entropy responds predictably to a cyber incident. A business with high entropy responds chaotically. Insurers should care about this. Most do not measure it.

2. Risk Tolerance

Risk appetite and risk tolerance are distinct, and the distinction matters.

Mary Carmichael, President of the ISACA Vancouver Board of Directors, explains it cleanly, guided by ISACA’s Risk IT Framework. Risk appetite is the amount of risk an organisation is willing to accept to achieve its objectives. Risk tolerance is the acceptable deviation from the level set by risk appetite and business objectives.

The two are concentric. Risk appetite defines the impact an organisation is willing to absorb to accomplish its objectives. Risk tolerance defines the impact an organisation can absorb to stay in business. They represent inner and outer boundaries that the organisation should play within.

Risk appetite reflects internal and external context. Banks operate under regulatory frameworks that mandate minimal risk appetite for certain categories. Software firms may accept more risk to drive customer growth while maintaining minimal appetite for reputational damage. The questionnaire calibrates risk appetite and tolerance by assessing the impact of threat scenarios — financial loss, data leakage, disruption of services — and capturing how the organisation has formally bounded each.

An organisation that cannot articulate its risk tolerance has not yet done the foundational work that cyber insurance underwriting should require. An organisation that has articulated it precisely is materially less likely to be surprised by an incident.

3. Management Strategy

Management strategy is where culture meets capability. The strongest cybersecurity postures begin not with controls but with the way leadership thinks about cyber risk and the standards they hold the organisation to.

The Cybersecurity Model for Startups, a separate framework offered alongside this one, grounds its first principle in Heather Adkins’s well-known observation that successful startup security begins with CEO and founder fanaticism from day one. The principle applies to every organisation, not just startups. Boards and executive teams who treat cyber risk as a governance priority — funding it accordingly, asking deep probing questions, holding the function accountable — produce different outcomes from those who treat it as a technical specialism somewhere down the org chart.

Organisations with strong management strategy do two things consistently. They prioritise educating the board, management team, and entire workforce on cybersecurity, testing them with phishing simulations and helping them develop awareness of emerging technologies — AI, blockchain, agentic systems — in an evolving threat landscape. And they develop an operating model, adopt industry-standard frameworks and best practices, and pursue security accreditations that assure customers, partners, third parties, and shareholders.

The questionnaire captures effort across both dimensions. Robust management strategy is a leading indicator of a robust cyber posture. Weak management strategy is a leading indicator that the technical metrics, however good, will not hold under stress.

4. Operational Maturity

Operational maturity is about doing things consistently well, to the point that the right cyber behaviours become second nature — like cycling or swimming, once learned, never forgotten.

Four dimensions define operational maturity in the context of cyber risk: planning and complete coverage of all assets, maintained as a systematic inventory and regularly reconciled; consistency of execution against established processes; backups and tested disaster recovery and business continuity plans; and vulnerabilities remediated within the shortest possible timeframes from discovery.

The questionnaire captures each of these dimensions across the organisation’s actual operating record, not its stated intentions. The adoption and diffusion of new technologies induces constant change in business processes; operational maturity therefore also requires effective change management. An organisation that can demonstrate maturity across these dimensions has earned the right to a different insurance posture than one that cannot.

5. Cyber Resilience

It is an arduous challenge to manage the security processes necessary to protect an organisation from the almost daily discovery of vulnerabilities, breaches, and adversaries. The CVE database alone publishes thousands of new entries every year.

Cyber resilience starts from a different assumption than cyber protection. Protection seeks to prevent compromise. Resilience assumes that protection layers will eventually be compromised and prioritises the ability to bounce back into shape.

The practical challenge is establishing visibility into the technical security metrics that govern cyber hygiene across the entire infrastructure and application environment. Organisations that embrace this challenge stand a materially better chance of building genuine resilience. The questionnaire captures the technical metrics that allow resilience to be assessed and measured. These cover detection capability, response time, recovery capability, post-incident learning, and the maturity of the underlying control environment.

How the Factors Combine

The five factors do not operate in isolation. They combine to determine the insurance premium an organisation should reasonably expect to pay, and the risk an insurer should reasonably expect to underwrite.

The combinations produce different outcomes. Three illustrative scenarios:

| Business Entropy | Risk Tolerance | Management Strategy | Operational Maturity | Cyber Resilience | Insurance Premium |
|---|---|---|---|---|---|
| High | Low | Robust | Robust | Robust | Low |
| High | Low | Good | Good | Weak | Medium |
| Low | High | Weak | Robust | Robust | High |

The first scenario shows an organisation where high business entropy and low risk tolerance are well-compensated by robust management strategy, operational maturity, and cyber resilience. The underwriting case is favourable. Premium is low.

The second scenario shows the same business profile, but with weakening cyber resilience and operational maturity. Premium rises to medium. The technical posture has begun to drift from the management commitment.

The third scenario is the most instructive. Low business entropy, high risk tolerance, robust operational maturity, and robust cyber resilience — but weak management strategy. Premium is high. The framework correctly recognises that without management commitment, the technical posture is not sustainable. A weak management strategy will eventually erode the other factors. Insurers who underwrite this profile without surfacing the management gap are exposed.

Decision tables of this kind are illustrative. Organisations and insurers must adjust the depth and weight of the questions to their specific business context. The framework provides the structure; the calibration is contextual.

The Risk Assessment Questionnaire

The framework is operationalised through a Risk Assessment Questionnaire delivered as an accompanying spreadsheet. The questionnaire is a prototype for what should eventually be a software platform — a self-attested instrument that captures detailed information, supported by evidence where appropriate, across each of the five critical factors.

The output is a structured maturity assessment. The maturity assessment informs the premium calculation. The premium calculation provides the basis for a defensible underwriting decision.

Three principles guide how the questionnaire is used.

Self-attestation with evidence. The organisation completes the questionnaire honestly. Selected responses must be substantiated with evidence — policy documents, audit reports, incident logs, vulnerability scan results. Self-attestation without evidence collapses the framework’s value.

Calibrated to context. The questionnaire is not a single template. Banks, software firms, healthcare providers, and infrastructure operators face different threat landscapes and different regulatory expectations. The questionnaire’s depth and weights must be adjusted to fit the organisation under assessment.

Periodic, not one-time. Cyber risk shifts. Business entropy rises with growth and acquisitions. Management strategy changes with leadership transitions. Cyber resilience improves or decays with investment and neglect. The questionnaire should be re-run periodically, with results compared over time, so both the insured and the insurer see the trajectory.

How to Apply the Framework

This framework is most useful in three contexts.

For enterprises evaluating cyber insurance, the framework provides an honest internal mirror before the insurer’s assessment begins. Completing the Risk Assessment Questionnaire surfaces the gaps that will most affect premium and underwriting terms. Addressing those gaps before the formal underwriting cycle produces materially better outcomes than reacting to the insurer’s findings.

For insurers underwriting cyber risk, the framework provides a basis for assessment that goes beyond technical metrics. The five factors capture the organisational signals that determine whether a technical posture will hold. Underwriting decisions calibrated to these signals are more accurate and more defensible.

For boards and audit committees overseeing cyber risk, the framework provides a structured way to evaluate the organisation’s actual posture rather than the reported one. The five factors map cleanly onto the questions a competent risk committee should be asking.

Grey Orbits applies this framework in three engagement modes. Advisory to enterprises preparing for cyber insurance renewal or first-time purchase. Consulting to insurers seeking to refine their underwriting methodology. Board engagements where cyber insurance has surfaced as a governance question.

A Closing Reflection

Cyber insurance, as it stands, is a financial product layered over a risk that the financial product itself does not reduce. Wolff’s argument deserves to land with the weight that her research supports. The insurance industry is not the cause of the cyber risk problem, but its current product design has not been part of the solution either.

A different design is possible. A cyber insurance product that prices its premium against a structured assessment of the five critical factors creates an incentive structure that rewards good cybersecurity rather than merely compensating for bad outcomes. Organisations with robust management strategy, operational maturity, and cyber resilience pay less. Organisations with weakness in those factors either pay more or are required to remediate before underwriting completes.

That is the framework’s wider purpose. Not just a tool for underwriting decisions, but a structure for aligning the cyber insurance industry with the cybersecurity outcomes it should be supporting.



This framework is offered under a Creative Commons Attribution 4.0 International licence. Practitioners, insurers, and educators are welcome to reference and adapt it, with attribution to Grey Orbits and a link back to greyorbits.com.

The accompanying Risk Assessment Questionnaire is available as a working prototype. Request the current version by contacting support@greyorbits.com.

For advisory engagements applying this framework to your insurance posture or underwriting methodology, contact support@greyorbits.com.

Copyright © 2024, GREY ORBITS, All Rights Reserved

Disclaimer: All views expressed here are entirely mine.



Viren Mantri


Founder · Grey Orbits

Viren Mantri is the Founder of Grey Orbits. A Singapore citizen with more than three decades across technology, cybersecurity, and risk, he has held senior roles at Standard Chartered Bank, McAfee, UBS, and KPMG, with earlier development work at Citibank in India and the UAE.

As Chief Information Security Officer at SC Ventures, the venture-building platform of Standard Chartered Bank, he led cybersecurity across twenty fintech ventures in digital banking, supply chains, cryptocurrency, and tokenisation.

Prior to SC Ventures, his long tenure at Standard Chartered covered cyber architecture, design, operations, governance, risk and compliance. Earlier, he led Strategic Security Services at McAfee across Asia, ran global security monitoring at UBS, and supervised risk consulting at KPMG across banking, telecommunications, healthcare, and government. His work has remained anchored in regulated financial services, with regulatory engagement across jurisdictions and a record of authoring board papers and executive briefings.

Viren founded Grey Orbits years earlier, and has delivered international engagements across Japan, Switzerland, the United Kingdom, and Singapore.

At Singapore Management University Executive Development, he designs and delivers programmes for senior executives on Blockchain, Digital Currencies and Tokenisation, AI Governance, Cybersecurity, and Quantum Readiness.

He is the author of three proprietary frameworks: the PETALS™ Framework for AI Governance, whose name is registered as a trademark with IPOS; the Cybersecurity Model for Startups; and the Framework for Cyber Insurance. He writes on the convergence of AI, digital assets, and quantum disruption.

Viren holds a Master of Technology in Artificial Intelligence Systems (formerly Knowledge Engineering) from NUS, an MBA from Quantic School of Business and Technology (US), and a Bachelor of Science from the University of Mumbai (India). He is a certified AI Governance Professional and has completed Full Stack Development with AI at NUS and the SANS Blockchain and Smart Contract Security programme.

