What your next cyber insurance renewal will demand

26 Jun 26
10 min read

Cyber insurers are moving past annual declarations and point-in-time evidence. The market is shifting toward controls that can be cryptographically verified, continuously enforced, and tied to real loss reduction.

Cyber insurance is changing the way security programs are judged.

For years, renewal was built around declarations. Organizations said they had MFA. They said backups were immutable. They said privileged access was controlled. They said third-party access was reviewed.

Insurers priced the risk on those answers, the broker's context, and whatever evidence could be attached.

But a questionnaire answer is not a control. A screenshot is not a control. A policy document is not a control.

They are claims about a control.

Cyber insurance is now moving from claims to proof. Not more paperwork. Not better screenshots. Proof.

A provable control is one that can be cryptographically verified. It replaces blind trust with math. Instead of asking an insurer, broker, board, or customer to believe that a control exists, it lets the system prove that the control is enforced and that a critical action cannot occur unless the required conditions are met.

That shift is good for security teams and good for insurers. When a control is provable, it removes uncertainty from the security program. The same uncertainty is removed from the underwriting conversation. The risk is clearer for both sides.

That is the principle behind Tide's collaboration with Lloyd's-backed underwriter Becco, which links provable controls to preferential cyber insurance coverage. It creates a commercial path for recognizing a better class of cyber risk, where security controls can be verified rather than merely asserted.

We recently contributed to Help Net Security's video series on what cyber insurance renewals are now demanding. This piece sets out the shift security leaders need to prepare for.

The companies that become easiest to insure will not be the ones with the longest control inventories. They will be the ones whose most important controls are no longer a matter of opinion.

The old model was built on weak signals

Cyber insurance tried to apply traditional insurance models to a market without centuries of actuarial history, and where today's data may be obsolete tomorrow.

That meant questionnaires, declarations, evidence packs, and underwriting judgment had to carry too much weight. In practice, this created a market built on weak signals.

An organization could answer "yes" to MFA while leaving bypass paths open. It could claim immutable backups while allowing the same compromised admin path to disable recovery. It could point to privileged access controls while standing authority remained concentrated in admin accounts, service accounts, vendors, API keys, or security tools.

The statement may be technically true. The risk may still be unacceptable.

That is the gap now being closed.

Underwriters are no longer only asking whether a control exists. They are asking whether the control changes the outcome of an attack.

Provable controls change the underwriting conversation

An attested control says, "We have this."

A provable control says, "This attack path is closed."

That is a very different risk statement.

Attestation depends on trust, interpretation, and point-in-time evidence. Provable control depends on enforcement that can be verified. In Tide's view, the strongest version of this is cryptographic verification. Critical authority is not simply handed to one person, account, vendor, or system. It only becomes usable when the right conditions are met.

This changes cybersecurity architecture, but it also changes insurance.

If a security team can prove that a compromised administrator cannot destroy recovery, the underwriter does not have to price that risk as if recovery depends on hope. If a company can prove that no single vendor can exercise unchecked control inside its environment, the insurer does not have to treat that dependency the same way as blind third-party trust.

This is where the Becco collaboration is strategically important. It reflects a market direction already underway. Better proof of control integrity creates a basis for better insurance treatment.

Security teams have been trying to remove single points of failure for years. Underwriters are now being forced toward the same conclusion because the same weaknesses that create breaches also create large claims.

Take the worry away from the security team and you take it away from the underwriter. Take it away from the underwriter and the commercial value of better security becomes easier to recognize.

MFA is no longer a yes-or-no question

MFA is the simplest example.

The market started with "Do you have MFA?" Then it moved to "Do you have MFA everywhere that matters?"

Now the real question is whether MFA can be bypassed.

Many of the breaches that made headlines in recent years did not break MFA. They went around it. Attackers used stolen session tokens, hijacked cookies, push fatigue, help desk manipulation, compromised endpoints, and weaknesses in identity workflows.

The same problem shows up in security products themselves. Authentication and access-control bypasses continue to be found in critical software, including identity, PAM, and other cybersecurity platforms. That should make the point obvious. A control that depends on a single trusted path can become the thing attackers route around.

For an underwriter, these are different risks.

One company may have MFA deployed but still allow a stolen session or bypassed workflow to reach sensitive systems. Another may have an architecture where access cannot proceed unless the correct authentication has happened in the correct context.

Those companies should not be priced the same.

The useful test is simple enough.

Could a sensitive or privileged action still happen without fresh, valid, context-bound authentication?

If the answer is yes, the organization has an exposure. If the answer is no and that fact can be verified, it has a provable control.

Standing authority is the real enemy

The single biggest question behind many cyber losses is not whether the company had tools. It is who, or what, held authority when the breach happened.

Standing authority is the always-on power sitting inside admin accounts, service accounts, vendor connections, API keys, cloud roles, and AI agents. It is the power to read data, change systems, disable controls, move laterally, deploy code, or destroy recovery.

Most security programs try to manage that power by watching it more closely. They vault passwords. They rotate credentials. They log sessions. They require approvals.

Those steps help, but they often preserve the dangerous premise. Somewhere in the environment, power still exists in a concentrated form, waiting to be stolen or misused.

Tide's view is different. Authority should not sit statically in one place. It should be emergent.

Emergent authority means power only comes into existence when the right parties, context, and conditions align. Outside that moment, there is no complete key sitting inside an account, vault, tool, or vendor for an attacker to steal.
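One concrete way to make "no complete key sits anywhere" literally true is threshold secret sharing. The example below is added here to illustrate the principle and is not Tide's implementation: a recovery or signing key is split with Shamir secret sharing over a prime field (the modulus and the 3-of-5 threshold are assumptions for the demo), so any holder with fewer than t shares learns nothing, and the key only comes into existence when t holders cooperate.

```python
"""Toy illustration of 'emergent authority' via Shamir secret sharing.

Added example, not Tide's code: a key is split into n shares so that no
single holder (admin, vault, vendor) has the complete key; it exists only
when any t holders combine their shares.
"""
import secrets

# Prime field modulus (2**127 - 1, a Mersenne prime). Assumed for the demo.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, t, n, rng=secrets.randbelow):
    """Split `secret` into n shares (x, f(x)); any t of them reconstruct it."""
    if not (0 <= secret < P and 1 <= t <= n < P):
        raise ValueError("secret out of field or bad threshold")
    # Random degree t-1 polynomial whose constant term is the secret.
    coeffs = [secret] + [rng(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^-1 via Fermat
    return total


def candidate_secret_with_guess(partial_shares, x_missing, y_guess):
    """With only t-1 real shares, every guess for the missing share yields a
    different but equally consistent secret: the partial holders learn nothing."""
    return recover_secret(partial_shares + [(x_missing, y_guess)])
```

Each distinct guess in `candidate_secret_with_guess` maps to a distinct candidate secret, which is the property that makes the standing-authority risk disappear: stealing one share, or even t-1 shares, yields no usable key.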

That changes the loss profile at the root.

A compromised administrator who holds unilateral power can be catastrophic. A compromised administrator who never actually holds the full authority to act alone is a fundamentally different risk.

That distinction is exactly what cyber insurance needs to recognize.

Backups must survive admin compromise

Backups show why tick-box security fails.

"Do you have backups?" stopped being a useful question years ago. Ransomware operators now plan around the recovery path. They look for backup consoles, admin credentials, retention settings, replication paths, and recovery dependencies.

Immutability helps, but immutability is not enough.

If the same compromised admin path that controls production can disable, reconfigure, delete, or age out the backup environment, then immutability is just a setting with an off switch.

The real test is blunt.

If ransomware lands tonight and the admin tier is fully compromised, does recovery still exist?

A strong architecture separates recovery authority from production authority. Owning one should not quietly grant ownership of the other. The recovery path should be provably separate, not merely documented as separate.

That gives the insurer a better signal than "we have backups."

It says a full compromise of production administration does not grant the ability to delete, disable, or corrupt recovery.

That is the difference between evidence and proof.

Supply chain risk is authority risk

Supply chain risk becomes much clearer when viewed through authority.

Your identity provider, remote access vendor, backup platform, endpoint tool, cloud provider, and software supply chain are not outside your threat model. Many of them sit inside your control plane.

If a vendor can push code, administer identities, access data, change security settings, or disable protections, that vendor holds real authority inside your environment.

For an individual company, the task is to understand what each supplier can do and whether that power can be constrained. For insurers, the concern is larger. If many insured organizations depend on the same concentrated vendors, one supplier compromise can create correlated losses across a portfolio.

That is the aggregation risk insurers fear.

Architectures that reduce concentrated vendor authority are therefore not only better security. They are better insurance risks.

If no single vendor, tool, or administrator can exercise unchecked authority, the company has reduced the chance that one upstream compromise becomes a catastrophic downstream claim.

AI makes this urgent

AI increases the cost of weak authority models.

AI writes code, generates scripts, suggests configurations, processes sensitive data, and increasingly acts through connected tools. AI agents will not only recommend actions. They will execute them.

Insurers do not yet have a complete model for pricing AI risk. Nobody does.

But the control principle is already clear. Reduce the authority any one AI system can exercise, and make every agent accountable to a defined owner, role, and policy.

An AI agent should not become a magic super-admin. It should operate inside bounded authority, just like a person should. Preferably, that authority should not be static power sitting in the agent at all. It should emerge only when the right conditions are met.

That is how organizations can adopt AI without turning every automation into a new insurance exposure.

How to prepare for the next renewal

The next renewal should be used to separate claims from proof.

For each major control, security leaders should be able to show three things.

  • Where the control is deployed.
  • What loss scenario it is meant to prevent.
  • Whether the control can be verified as enforced.

That framing is more useful than another long evidence pack.

Instead of saying the organization has privileged access management, show that no single administrator, account, or vendor can unilaterally exercise critical authority.

Instead of saying the organization has immutable backups, show that production compromise does not compromise recovery.

Instead of saying AI use is governed, show that AI agents have bounded authority and accountable owners.

The language is shifting from control existence to loss prevention.

That is the language underwriters understand.

Cyber insurance is becoming a proof market

Cyber insurance is moving away from annual declarations and toward continuous assurance.

Once control integrity can be proven live, the annual questionnaire becomes less important. Security posture becomes a signal. That signal can be monitored, priced, and recognized.

The old model created too much ambiguity. The insured declared a control. The insurer priced the risk. Months later, after an incident, everyone discovered whether the control was real enough to matter.

That model is being replaced because it has to be.

Insurers need clearer signals. Brokers need stronger ways to distinguish clients. Security teams need their real risk reduction to be recognized commercially. Boards need to know whether security spend is reducing loss, not just satisfying a form.

This is the practical significance of Tide's work with Becco. It shows how cyber insurance can start rewarding provable control architecture rather than the longest checklist.

The companies that adapt will be easier to understand, easier to price, and easier to insure.

The winners will be the organizations whose controls can be verified by design.
