But this triggers the question of why in the first place get cyber insurance.
It is clear that when you establish good controls and processes, track the implementation of your processes, and monitor your cyber risk 24/7, then your breach probability is reduced significantly (and even the underwriters realize that). So if you have money to spend on insurance, why not use it to enhance controls, have a strong ransom-protected backup, and be more protected? No need for insurance.
I know, there is no 100% guarantee. But I also know that there are good chances that the insurers may find a reason why not to pay because you did not follow 100% of what you said you will…
I am a strong supporter of implementing controls properly which means enforcing cyber processes on people and then getting the end result of low breach probability and high readiness.
With that, why spend on insurance?