Interesting paper from the Royal United Services Institute (RUSI) titled: Cyber Insurance and the Cyber Security Challenge.
Mission Statement of RUSI: As an independent institution, we produce evidence-based research, publications and events on defence, security and international affairs to help build a safer UK and a more secure, equitable and stable world.
Essentially, the paper's rough steps for improving overall security posture by way of cyber insurance are:
Insurance companies all agree on minimum baseline security standards, e.g., NIST, ISO, Cyber Essentials, etc.
Make cyber coverage mandatory for all government agencies and their suppliers.
Enact legislation to make cyber insurance mandatory for large enterprises and SMEs, just like professional liability insurance coverage.
Proposed pre-incident services insurance companies can provide in partnership with MSSPs:
Staff Training: This generally involves phishing-focused training. For larger businesses, training may also include scenario-based tabletop exercises with senior management.
Cyber risk rating services and vulnerability scanning: Rather than using these tools as part of an initial risk assessment, some insurers use them off cycle to monitor internet-facing IT infrastructure or provide organizations with direct access to them.
Threat intelligence services: These types of services might involve deep and dark web monitoring to identify specific mentions of an organization, or using claims incidents to create security alerts or identify trends.
Access to a virtual CISO: This provides organizations without a senior cyber security manager with access to expertise.