The tradition in cyber insurance is broken - and it's putting small businesses in danger

In a world of real-time breaches, Neal Jardine says your static cyber policy is basically faxing your firewall

By Chris Davis

Traditional cyber underwriting is dangerously outdated, especially for SMEs facing fast-moving, systemic threats. Insurers must move beyond static questionnaires and adopt real-time, resilience-focused models.

Ransomware is now aimed squarely at cloud platforms and interconnected vendors - mapped in real time through exposed assets, dark web chatter, and systemic weak points. The Cloud Security Alliance's 2024 survey found that over 55% of security executives reported experiencing a SaaS security incident in the past two years.

That’s why Neal Jardine, chief cyber intelligence and claims officer at BOXX Insurance, is calling for a complete overhaul. With nearly two decades in cyber risk, he said legacy audits have become placeholders - too slow, too surface-level, and too reliant on self-reported controls.

“Asking whether a company has MFA is no longer enough. Threat actors are constantly adapting, and what was once a best practice can become obsolete in months. We need real-time visibility into how controls are deployed and maintained - not just if they were checked off on a questionnaire six months ago,” Jardine said.

Today’s underwriting demands real-time visibility, scanning internet-facing exposures, monitoring open-source intel, and understanding how interdependent systems create systemic exposure.

“Underwriters need to consider what businesses rely on each other,” Jardine said. “If an entire industry depends on the same tech provider, that’s systemic exposure.”

A shift from recovery to resilience

Jardine believes it’s time to reframe cyber insurance entirely. The notion of coverage as a “cost transfer” or post-breach backstop is no longer viable.

“We need to get rid of the idea that cyber insurance is just a cost transfer and a reactive tool,” he said.

Instead, he sees cyber insurers as active partners in digital resilience. That means encouraging early outreach and eliminating the fear that calling in help signals a failure.

“A call to your cyber insurer shouldn’t signal failure - it should signal vigilance,” Jardine said. “You’re not necessarily having a breach. Maybe something just doesn’t look right. That’s exactly when to reach out.” It’s a model that hinges on frequent engagement - not just annual renewals.

According to Jardine, over 80% of BOXX clients who call in to the BOXX Hackbusters team to report a cyber issue resolve it without any cost or the need to make a claim, turning insurers into strategic allies that reduce risk rather than emergency responders.

That approach is especially crucial for small and mid-sized enterprises (SMEs), which face growing exposure without the in-house teams or tools to manage cyber threats on their own. Jardine has seen the shift firsthand.

“Years ago, it was only large enterprises buying cyber insurance. Now even small general contractors are hearing stories about invoice fraud and asking their broker about how to stay protected,” Jardine said.

“That’s why we bundle over $125,000 worth of cybersecurity tools and services - like Attack Surface Management (ASM), threat intelligence, cyber training, and security policies, combined with dedicated personal human expertise via 24/7 Hackbusters incident response and vCISO support - into every policy. SMEs shouldn’t have to choose between affordability and cyber resilience – and BOXX recognizes this,” he said.

But SMEs can’t be treated like scaled-down versions of large enterprises. Their vulnerabilities often lie in financial fraud, email compromise, and cloud outages causing business interruption—not high-profile ransomware attacks.

“Cyber will blow things up if you underwrite SMEs like big firms,” Jardine said. “That’s why we built BOXX 5.0 specifically to address the real exposures small and mid-sized businesses face—like cloud outages and outsourced service provider failures.

“Most SMEs rely on platforms like Microsoft 365, cloud backups, and SaaS tools to function. If those go down, so does their business. BOXX 5.0 offers the most comprehensive SME cyber coverage on the market - so brokers don’t get caught flat-footed when the cloud fails,” he said.

Closing the gap for underserved clients

Language remains a major stumbling block. Many policies still use industry terminology that hasn’t evolved with the audience.

“Some policies still rely on terminology the industry moved on from a decade ago,” Jardine said. “If the language doesn’t resonate with today’s buyers, we’re not closing the gap - we’re widening it.”

BOXX has focused on removing barriers to access - offering plain-language questionnaires, self-service scanning tools, and flexible cybersecurity templates. Jardine recalled one SME client prepared to spend tens of thousands on a custom framework before BOXX stepped in with a more affordable solution.

“It’s about making sure the price matches their exposure, and the services fit what they can handle. It’s why we offer our free vCISO service to clients,” he said. “It’s having their own cyber security experts on call when they need it at no cost. This removes barriers and helps clients see us as a partner, not a loss transfer technique.”

This realistic, right-sized approach to cyber risk has become central to BOXX’s strategy - and Jardine thinks it should be standard across the industry. Gone are the days when cyber insurance could afford to be passive or generic. Systemic risk, third-party dependencies, and evolving threats demand precision and partnership.

“It’s not just about insuring risk - it’s about continuously understanding it, adapting to it, and helping clients stay one step ahead,” Jardine said.
