Cyber insurers are rethinking automated alerts as false positives, noisy signals and ‘alert fatigue’ undermine trust, prevention and performance

Cyber insurers have spent the last few years building powerful scanning and monitoring tools. Now they are grappling with a hard truth: too many alerts can be as dangerous as too few.
From frustrated IT teams to skeptical brokers and burned‑out vendors, “alert fatigue” is emerging as a serious weakness in cyber risk management – and a growing focus for insurers looking to refine how, when and why they contact clients about vulnerabilities.
When every ping is urgent, nothing is
Derek May (pictured centre-left), vice president, technology and cyber at HUB, said the problem is no longer a lack of insight, but the volume and quality of signals pushed at clients.
He described what many brokers now call “alert fatigue”: automated messages arriving too often, sometimes on issues that are already handled – or that turn out to be false positives. That, he warned, quickly erodes trust between insureds, their IT teams and the insurer.
Those alerts “are coming in too rapidly, too frequently, and oftentimes, or sometimes, at least, they’re false positives,” May said. The result is predictable: “All that does is annoy the IT team, because now their CEO, CFO, is saying, deal with this. And they said, we have, why are we still getting the alerts?”
In that environment, even valid warnings risk being ignored. May likened it to the “boy who cried wolf” effect: if insurers fire off alerts without clear purpose, “at some point that alert is just going to go off… You have to do it with purpose. And if it stops being done with purpose, it’s going to lose its effectiveness.”
Alerts that come with a next step
For Miki Ho (pictured left), head of underwriting, Canada, at Resilience, the answer is not to abandon alerts, but to raise the threshold and sharpen their content.
Resilience does send vulnerability notifications, he said, but only when three conditions are met: the vulnerability actually exists in the client’s environment, it is demonstrably leading to claims, and there is a clear fix that can be actioned.
“When we send those, we want to know that the vulnerability exists, it is leading to claims. And not only that, there’s a remediation,” Ho said. “Because if you’re sending an alert and there’s no remediation, it’s okay. That’s great to know about. But what do I do next?”
Without a clear “what now?”, alerts become just another source of noise – and a political problem inside the insured, where security and IT teams can find themselves blamed for issues they cannot meaningfully address.
Getting the dials right
From the capacity‑provider side, Michael Phillips (pictured right), head of global cyber portfolio underwriting at Coalition, said MGAs and insurers are still calibrating how loud and how often to speak.
“First, I think we’re still getting the dials right,” he said, calling it an ongoing conversation between underwriters and brokers. On one side is the real risk of “signals fatigue and disengagement”. On the other is the need to move fast when a truly critical issue is discovered.
Beneath the alerting debate is a classic insurance problem: information asymmetry. Scanning technology has given carriers a way to narrow the gap between what they know about a risk and what the insured or broker sees – but that power cuts both ways. Used well, it supports better selection, pricing and prevention. Used poorly, it floods clients with low‑value noise.
“When we think about MGAs and the value chain, one of the core areas of innovation was the opportunity that scanning would present to close the gap [in] risk assessment asymmetry,” Phillips said. The challenge now is deciding which findings justify going back to the client – and which belong in the underwriter’s internal models only.
False positives: the dark cloud over scanning
If alert fatigue is the symptom, poor data quality is often the cause. That is where technology providers come under pressure.
Jonas Schwade (pictured centre), CEO of cysmo Cyber Risk, said insurers can easily be given “thousands of data points” on a single organisation, but “80% of them won’t be useful.” The real work is deciding which small set of signals actually matter for underwriting, sales and loss prevention.
He described false positives as “the dark cloud over scanning,” arguing they damage trust not just in tools, but in the insurance proposition itself. When alerts repeatedly prove wrong or irrelevant, clients and their IT service providers stop taking them seriously – sometimes without even looking at the underlying evidence.
In many cases, Schwade said, IT service providers initially wave insurer alerts away, telling clients not to worry and labelling them false positives without investigating. When cysmo goes back with hard evidence that an exposed system or vulnerability is genuine, those same providers often reverse position and move to remediate.
His point was that unless insurers are confident in the reliability of their own data, they have little ability to push back on these “false positive” claims; the discussion ends there, and the underlying risk simply remains on the client’s network.
Building services around the signal, not just sending it
For carriers such as Arch Insurance, which supports its own direct cyber book and provides capacity to MGAs, alerts are part of a broader service model.
Christopher Gonzales (pictured centre-right), vice president and cyber and professional liability lead at Arch, said clients increasingly look to insurers for insight as well as indemnity. That includes helping them interpret where risk is emerging and connecting them with vetted vendors and tools that can address those issues in practice.
Insurers see the pain points in claims “and a lot of clients are unaware sometimes of what we’re seeing,” he said. The job is to turn that claims feedback into something usable – curated recommendations and options, not just more noise.
Schwade argued that is where scanning and alerting will ultimately prove their worth: not in generating as many signals as possible, but in delivering a small number of high‑quality, actionable warnings that clients trust – and act on.
“If you don’t have the security on your side that this data is actually reliable, you won’t be able to fight that war,” he said.