Cyber attacks are no longer just a technical problem. They are an economic risk.
That is why more and more cyber insurance companies are imposing specific requirements on companies' cyber security – and this is where CIS 18 plays a key role.
This article explains:
- Why cyber insurance policies use CIS 18 as a reference
- What requirements are typically imposed
- How to avoid rejection, increased premiums, or lack of coverage
Why cyber insurance has become harder to obtain
In recent years, cyber insurance companies have experienced:
- More ransomware attacks
- Higher compensation claims
- Poor security among policyholders
The result is:
- Stricter requirements before a policy is taken out
- More rejections
- Higher deductibles and premiums
Today, insurance companies don't just ask if you have security – they ask how you work with it.
Why CIS 18 is used as a benchmark
CIS 18 was developed by the Center for Internet Security and is based on analyses of real attacks and known threats.
For insurance companies, CIS 18 provides:
- A standardized reference
- A verifiable level of security
- A way to assess risk objectively
In short:
CIS 18 reduces uncertainty – and uncertainty is costly for insurance companies.
Read more about CIS 18 here:
https://securefirst.dk/cis18-compliance/
Typical requirements from cyber insurance companies
Although requirements vary, they often recur within these areas:
Awareness training for employees
Many attacks start with phishing. That is why insurance companies often require documentation for:
- Ongoing awareness training
- Testing employee behavior
Awareness training:
https://securefirst.dk/awareness-traening/
Phishing tests and measurement
Not just training – but measurement.
Insurance companies want to see that the company:
- Tests phishing in practice
- Reduces click-through rate over time
Phishing simulation:
https://securefirst.dk/phishing-simulation/
Incident Response – what do you do in the event of an attack?
Many insurance claims go wrong because the company does not respond correctly.
Therefore, the following is often required:
- Clear procedures
- Documentation
- Roles and responsibilities
This overlaps directly with both CIS 18 and NIS2.
NIS2 compliance:
https://securefirst.dk/nis2-compliance/
Overview and monitoring
Insurance companies increasingly expect companies to:
- Monitor known data breaches
- Respond quickly to new risks
Monitoring of data breaches:
https://securefirst.dk/monitorering-af-databrud/
What happens if the requirements are not met?
Lack of cybersecurity can lead to:
- Rejection of cyber insurance
- Increased premium
- Limited coverage
- Rejection of compensation in the event of an incident
It is not unusual for insurance policies to contain clauses that make coverage conditional on documented security work.
How CIS 18, NIS2, and cyber insurance are connected
- CIS 18: Practical controls
- NIS2: Legal requirements and responsibilities
- Cyber insurance: Financial risk assessment
Companies that work in a structured manner with CIS 18 are often stronger in all three areas.
Overview of NIS2:
https://securefirst.dk/nis2-compliance/
How SecureFirst makes requirements manageable
SecureFirst is built for precisely this intersection between:
- Compliance
- Security in practice
- Documentation
The platform brings together:
- Awareness training
- Phishing simulation
- Monitoring
- Reporting to management and insurance
See the platform:
https://securefirst.dk/
Calculate level and price:
https://securefirst.dk/prisberegner/
FAQ – cyber insurance and CIS 18
Is CIS 18 a requirement for cyber insurance?
Not formally, but many insurance companies use CIS 18 as a reference for an acceptable level of security.
Can you get cyber insurance without awareness training?
It is becoming increasingly difficult. Awareness is often a minimum requirement.
What do insurance companies look at most?
Human behavior, phishing risk, incident response, and documentation.
Does NIS2 help with cyber insurance?
Yes. NIS2 forces companies to adopt structures that also reduce insurance risk.