Revealed — Incident response planning linked to fewer cyber insurance claims | Insurance Business America
Findings could accelerate a shift in underwriting practices

Organizations that regularly test their cyber incident response plans are significantly less likely to face breach-related insurance claims, according to new research from Marsh McLennan’s Cyber Risk Intelligence Centre (CRIC).
The study, Cybersecurity signals: Connecting controls and incident outcomes, found that businesses engaging in tabletop exercises and breach simulations were 13% less likely to experience a material cyber event than those that did not.
The analysis, based on Marsh’s Cyber Self-Assessment data and claims records, looked at the effectiveness of 12 core security controls commonly used by cyber insurers when assessing risk. Incident response planning ranked fourth in reducing breach-driven claims, behind endpoint detection and response (EDR), logging and monitoring, and staff awareness training.
While traditionally viewed as a post-breach activity, Marsh said the findings demonstrate that structured response planning also drives stronger day-to-day security practices, cutting the likelihood of a claim.
The report also pointed to other correlations: for every 25% increase in EDR deployment across laptops and workstations, the probability of a breach fell by 10%. Firms using phishing-resistant multi-factor authentication were 9% less likely to experience a cyber event than those using weaker forms of MFA.
A potential shift in underwriting practices
The results are expected to resonate across the cyber insurance market, where carriers are under pressure to curb loss ratios amid rising claims costs. In recent years, underwriters have introduced stricter control requirements, with EDR and MFA now widely seen as essential for cover. Incident response planning has been encouraged but not consistently mandated.
The CRIC findings could accelerate a shift in underwriting practices, with insurers more likely to make detailed response plans a condition of cover or a factor in pricing and policy terms. Brokers, in turn, are expected to use the data to push clients to evidence preparedness through drills and scenario testing, arguing that doing so can help negotiate broader cover and more favourable premiums.
As one of the fastest-moving segments of the commercial insurance market, cyber remains a challenge for carriers and insureds alike. Marsh’s analysis suggests that investment in practical risk controls not only improves resilience but also directly influences the availability and affordability of insurance protection.