Cyber risk is no longer just a technical issue; it’s a boardroom imperative. Yet despite the escalating frequency and severity of cyber incidents, the adoption of standalone cyber insurance among small and mid-sized businesses (SMBs) remains alarmingly low, hovering around just 4%. This gap is a strategic blind spot.
The recent SafeHouse Initiative podcast, From Risk to Recovery: Every Stop on the Cyber Insurance Journey, hosted by Jeff Edwards and Tawana Johnson, offers a timely and comprehensive roadmap for navigating this complex terrain. As someone who has spent over three decades advising global financial institutions and Fortune 500 clients on risk financing, captive strategy, and enterprise risk management, I found the conversation both validating and urgent.
Many SMBs still view cyber insurance as a luxury or assume it’s covered under traditional property and casualty policies. This misconception is dangerous. As Tawana Johnson, Vice Chair of Data Privacy and Cybersecurity at Lewis Brisbois, explains, the cost of a breach can be existential. From ransomware attacks to regulatory fines and class-action litigation, the financial and reputational fallout can be devastating.
What’s more, the cyber insurance market has evolved dramatically. Applications that once fit on a single page now require detailed disclosures, and some carriers even deploy threat intelligence teams to assess applicants’ networks. This shift reflects a broader trend: cyber underwriting is becoming more data-driven, more forensic, and more aligned with enterprise risk management principles.
One of the most compelling insights from the podcast is the role of the breach coach—a legal quarterback who coordinates between the insured, the insurer, and digital forensics teams. This function provides the leadership an organization needs when it is under pressure.
As Johnson describes, breach coaches are often the first call a business makes during a cyber crisis. They ensure that all communications and investigations remain protected under attorney-client privilege, which is an essential safeguard in the event of litigation. But their role goes far beyond legal protection.
They are counselors, crisis managers, and advocates who help clients navigate the chaos of a breach. They coordinate with digital forensics and incident response (DFIR) vendors, negotiate with threat actors when necessary, and ensure that all expenses—from legal fees to ransom payments—are properly approved and covered by the insurer [1].
Importantly, breach coaches represent the client, not the insurance company. This tripartite relationship ensures that the business’s interests are front and center, even though the insurer pays the bill. As Johnson puts it, “We spend a lot of time with our clients helping them stay calm. We are involved with business owners on the worst day of their business life… and we’re here to help them come out on the other side” [1].
In my own consulting work—whether designing cyber risk strategies for private equity portfolios or integrating GRC frameworks into insurtech platforms—I’ve seen firsthand how critical this role is. It goes beyond responding to incidents and aims to build resilience into the DNA of the organization.
The SafeHouse series outlines a full-stack approach to cyber insurance, from risk quantification and broker engagement to underwriting, claims, and litigation. It’s a model that mirrors the enterprise risk lifecycle and underscores the need for cross-functional collaboration.
For risk leaders, this is a call to action. We must:
Cyber insurance is not a silver bullet, but it is a strategic lever. When thoughtfully structured and integrated into a broader risk strategy, it can be a powerful tool for protecting enterprise value.
As we continue to navigate the digital frontier, let’s move beyond reactive thinking. Let’s build systems, cultures, and partnerships that are proactive, resilient, and ready for what’s next.
References