15 August 2024

Why Cyber Insurance Will Become Stricter in 2024 – and What Companies Need to Do

The market for cyber insurance has changed radically: premiums have increased, exclusion clauses have grown, and the requirements for policyholders have become stricter. Those who want an affordable policy in 2024 must prove that basic security measures are in place – MFA, backup, incident response. No security, no insurance coverage.

TL;DR

  • Cyber insurance premiums 2023: +11 percent on average (Marsh)
  • MFA has become a mandatory prerequisite for 95 percent of insurers
  • Exclusions: State-sponsored attacks, infrastructure failures, war
  • Deductibles: On average 50,000-250,000 EUR for medium-sized businesses

Why Insurers Are Tightening the Screws

The ransomware wave of 2020-2022 shook the cyber insurance market. Loss ratios exceeding 100 percent forced insurers to make adjustments: higher premiums, stricter underwriting criteria, and clearer exclusions. The market is professionalizing – to the advantage of well-prepared companies.

The good news: Since 2023, premiums have stabilized. Companies with demonstrably good security hygiene receive more favorable conditions. Security investments thus have a direct, measurable ROI through reduced insurance costs.

The New Minimum Requirements

Almost every insurer now requires the following before signing a contract: MFA for all remote access and privileged accounts, regular and tested backups (ideally offline/immutable), Endpoint Detection & Response (EDR) on all endpoints, patch management with defined SLAs, and security awareness training for employees.

Those who cannot prove these basics either do not get a policy or pay significant risk surcharges. The insurers’ questionnaires have become more detailed – blanket assurances are no longer sufficient.

Exclusion Clauses: What Is Not Covered

The most important exclusions in 2024: state-sponsored cyberattacks (“War Exclusion”); systemic events (failure of a major cloud provider); known, unpatched vulnerabilities; and intentional breaches of duty. The Lloyd’s market tightened its War Exclusion clauses in 2023, a trend that other insurers are following.

Particularly relevant: If a company makes false statements in the questionnaire (e.g., claims to have MFA but has not implemented it), the insurer can refuse to pay. Transparency is mandatory.

Cyber Insurance as a Security Catalyst

Paradoxically, cyber insurers are driving security maturity in the medium-sized business sector more than regulation. While NIS2 fines remain abstract, the insurance premium is a concrete, annual cost item. CISOs successfully use insurance requirements as an argument for security investments with the board of directors.

The strategic approach: Security measures that simultaneously meet insurance requirements, support NIS2 compliance, and reduce real risk have a triple ROI. MFA, EDR, and backup are the obvious candidates.

Key Facts

Premium Development: +11 percent in 2023, stabilization in 2024 (Marsh Global Insurance Market Index)

MFA Requirement: 95 percent of insurers require MFA as a prerequisite

Rejection Rate: 28 percent of SME applications are rejected (Coalition 2024)

Frequently Asked Questions

Do I need cyber insurance as an SME?

Recommended if your business operations depend on IT – which is practically always the case. The question is not whether you need it, but to what extent. At a minimum, cover business interruption, forensic costs, and notification obligations (GDPR).

How do I lower my premium?

Consistently implement MFA, deploy EDR, regularly test backups, document your incident response plan, and prove security awareness training. Each of these measures measurably reduces the premium – typically 10-25 percent in total.

Does the insurance cover GDPR fines?

Usually no. GDPR fines are not insurable in most jurisdictions because they are considered personal sanctions. However, the costs for notification, legal advice, and crisis communication following a data protection incident are typically covered.

Tobias Massow

A magazine by Evernine Media GmbH