
Cyber insurance needs better quantification: KPMG
Cyber insurance has become a staple in many organisations’ risk strategies, but its strategic value is often under-leveraged. For many firms, it remains disconnected from broader decisions about how to manage cyber risk. That’s a missed opportunity, according to James Hanbury, global lead director, CRI at KPMG.
When used well, cyber insurance is more than a financial backstop, Hanbury believes. It can play a vital role in a rounded risk management strategy, helping organisations navigate uncertainty, reinforce resilience and align around a clear risk appetite. But to get there, we need to start with something many organisations still lack – a consistent way of quantifying cyber risk.
Quantification connects dots that are otherwise left hanging
The most resilient organisations don’t just transfer risk – they integrate it. They treat insurance as part of a broader conversation about business objectives, risk appetite and where best to invest for impact.
That’s where cyber risk quantification (CRQ) comes in. It helps organisations put a number on cyber exposure in financial terms: “How much could this scenario cost us?” “Where are we over- or under-insured?” “What investments will best reduce our potential for loss?”
Once cyber risks are expressed in financial terms, it becomes easier to compare the cost of controls to the cost of transfer – and to have a more joined-up conversation between CISOs, CFOs, insurers and risk managers.
When done well, CRQ allows insurers and insureds to speak the same language. It enables buyers to make informed decisions about what risks to retain, reduce or transfer – and enables underwriters to better assess and price that risk.
Building a more proactive cyber risk strategy
Cyber insurance is sometimes described as a passive instrument: you buy it, you hope not to use it. But that underplays the strategic role it can play.
When organisations apply CRQ consistently, they become better at identifying, quantifying and reducing risk before it results in loss. We’ve seen clients use quantification to target their risk reduction efforts, price different control investments and determine where risk should be accepted or transferred. The result is a far more proactive approach – one where insurance is not a fallback, but an active component in a broader resilience strategy.
The shift is cultural as much as technical. In my recent blog series on CRQ, I shared examples of how teams build confidence in the method, overcome scepticism, and embed quantification into governance, planning and decision-making. When that happens, the role of cyber insurance becomes clearer, too. It’s no longer a mystery purchase in a distant negotiation – it’s part of a risk-adjusted decision portfolio.
Bringing risk appetite into focus
Risk appetite is often written down but rarely operationalised. One of the greatest benefits of CRQ is that it helps bring risk appetite to life.
Instead of vague statements like “we have low appetite for cyber risk”, quantified scenarios help organisations define how much loss they are willing (or unwilling) to tolerate. This in turn informs how much risk should be retained and how much transferred.
We see this most clearly in organisations that align their CRQ efforts with their cyber insurance renewal cycle. By modelling relevant loss scenarios (e.g. ransomware, supply chain compromise, business email compromise), they can better estimate the magnitude and frequency of potential loss and consider the financial and operational impact of different risk treatments. This provides clearer justification for premium spend and helps design a more relevant coverage strategy.
It also leads to better conversations with brokers and carriers: not to second-guess their expertise, but to equip all parties with a more informed, scenario-driven view of risk.
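The scenario-driven approach described above, as an added example that is not the article's or KPMG's own method: a small Monte Carlo CRQ model that turns per-scenario frequency and severity into an annual loss distribution, applies a policy, and tests the retained loss against a risk appetite threshold. It assumes constructed frequency and severity parameters for the three scenario types named in the text, a hypothetical policy with an annual retention and aggregate limit, and a hypothetical appetite figure; none of the numbers come from the article.

```python
import math
import random

# Constructed illustrative scenarios, not figures from the article:
# (name, expected events per year, median loss per event, lognormal sigma)
SCENARIOS = [
    ("ransomware", 0.3, 2_000_000, 1.0),
    ("supply chain compromise", 0.1, 1_500_000, 1.2),
    ("business email compromise", 0.8, 150_000, 0.8),
]

def poisson(rng, lam):
    """Knuth's sampler: count uniform draws until their product drops below exp(-lam)."""
    k, p, threshold = 0, 1.0, math.exp(-lam)
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def apply_policy(gross, retention, limit):
    """Split a year's gross loss into (retained, transferred): the insured pays the
    retention (deductible), the carrier pays up to the limit, any excess is retained."""
    transferred = min(max(gross - retention, 0.0), limit)
    return gross - transferred, transferred

def simulate_annual_losses(scenarios, years=10_000, seed=1):
    """Monte Carlo: per simulated year, draw an event count for each scenario and a
    lognormal loss per event; the sum is that year's gross loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _name, freq, median, sigma in scenarios:
            for _ in range(poisson(rng, freq)):
                total += rng.lognormvariate(math.log(median), sigma)
        losses.append(total)
    return losses

def summarise(losses, retention, limit, appetite):
    """Expected annual loss and the share of years whose loss exceeds the stated
    risk appetite, before and after applying the policy."""
    n = len(losses)
    retained = [apply_policy(x, retention, limit)[0] for x in losses]
    return {
        "expected_gross": sum(losses) / n,
        "expected_retained": sum(retained) / n,
        "p_gross_over_appetite": sum(x > appetite for x in losses) / n,
        "p_retained_over_appetite": sum(x > appetite for x in retained) / n,
    }
```

Comparing `expected_gross` with `expected_retained` gives the expected value of the transfer, and the two exceedance probabilities show how far the policy moves the organisation towards its stated appetite; re-running with different retention and limit values is how the "retain versus transfer" question in the text becomes a numeric comparison.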
Making cyber insurance count
Cyber insurance has matured in recent years, but it’s still navigating the tension between a fast-evolving threat landscape and a still-maturing data environment. Quantification can help bridge that gap.
CRQ is not about reinventing risk management or replacing insurance judgment. It’s about giving organisations the tools to make more informed, more strategic decisions about how they manage and transfer cyber risk.
Done well, it can support resilience, inform investment, and clarify risk appetite. And when those things are aligned, cyber insurance doesn’t just protect the balance sheet – it becomes part of the engine that drives better cyber risk decisions.
If you’re exploring how to bring quantification into your risk strategy and make better use of your cyber insurance, please do get in touch or explore our blog series.
James Hanbury is the global lead director, CRI at KPMG. He can be contacted at: James.Hanbury@kpmg.co.uk
For more news from AIRMIC Today, click here.