KSC/NIS2 and cyber insurance: How compliance with the act becomes key to lowering the cost of risk
Over the past few years, discussions about cybersecurity at the board level have undergone a rapid evolution. They used to be technical discussions about the cost of equipment. Today, thanks to KSC/NIS2, they have become a strategic conversation about personal responsibility. But there is another area that is hitting the company’s finances just as hard and catching the attention of the chief financial officer (CFO): the cyber-insurance market. Premiums are rising at triple-digit rates, and obtaining a policy is beginning to resemble a complex audit.
Insurers have begun to ask very difficult questions and refuse to pay claims to companies that cannot demonstrate “due diligence.” This is where the new KSC/NIS2 law becomes a paradoxical ally for CFOs and management. The requirements it imposes are an almost perfect reflection of what insurers demand in order to even consider issuing a policy. KSC/NIS2 compliance ceases to be just a regulatory cost; it becomes a key investment in optimizing risk transfer costs.
Why are cyber-insurance costs rising so rapidly?
The cyber-insurance market is in crisis. For years, insurers treated “cyber” policies like any other line of business, estimating risk from historical data. The problem is that the scale and frequency of cyber attacks, especially ransomware, exploded unpredictably. The math stopped working for insurers – they paid out gigantic claims for production downtime and ransomware, which exceeded the premiums collected many times over.
In response, the market drastically “hardened.” Insurers have raised premiums by hundreds of percent, but more importantly, they have become extremely rigorous in their risk assessment. Today, it is not enough to fill out a simple questionnaire. A company applying for a policy undergoes a detailed audit – the insurer wants to know everything about its safeguards.
As a result, companies that don’t invest in security face a choice: either pay an astronomical premium for very limited protection, or get no cover at all. This puts the CFO, who is trying to balance the budget, in a very difficult position.
What is “cyber-insurance readiness”?
“Cyber-insurance readiness” is a new term that is making inroads in finance departments and boards of directors. It denotes the state in which an organization is able to
The insurer no longer wants to “take your word for it.” It wants hard evidence. Does the company use multi-factor authentication (MFA)? Does it have endpoint detection and response (EDR/XDR) systems in place? Does it regularly test its business continuity plans (BCP)? Does it have 24/7 monitoring (SOC)?
Cyber-insurance readiness is therefore nothing more than having a mature security program. As nFlo’s strategy notes, assessing this readiness is a key module that allows Chief Financial Officers (CFOs) to translate identified technical risks into financial risks and optimize the cost of obtaining insurance.
How does KSC/NIS2 affect the process of applying for a cyber policy?
The new KSC/NIS2 law and insurance questionnaires are almost identical documents. KSC/NIS2 legally enforces the implementation of exactly the same controls that insurers ask for. This is a fundamental convergence.
For an insurer, a company subject to KSC/NIS2 is a high-risk entity. At the same time, if this company implements the requirements of the law, it becomes a well-managed risk entity. The insurance questionnaire will ask: “Do you have a documented risk analysis policy?” – KSC/NIS2 makes it mandatory. The insurer will ask: “Do you have business continuity plans and do you test them?” – KSC/NIS2 explicitly requires it. The insurer will ask: “Do you manage supplier risk?” – KSC/NIS2 makes this a firm legal requirement.
This means that the KSC/NIS2 implementation process is at the same time a process of building “cyber-insurance readiness.” Soon insurers will start asking one simple question, “What was the result of your KSC/NIS2 compliance audit?”
Does simply buying a policy relieve the board of KSC/NIS2 liability?
This is a key question to which the answer is: absolutely not. This is a trap of thinking that management and CFOs must not fall into. Insurance is a transfer of financial risk. KSC/NIS2 imposes regulatory and personal liability. These are two very different things.
An insurance policy may (though not necessarily in full) cover the costs of a ransomware incident, production downtime or data restoration. However, the policy will not pay an administrative penalty imposed on the head of the entity (CEO, board member) for failure to fulfil supervisory duties. Such a penalty is personal and punitive in nature – it is meant to be felt by the manager who was negligent.
What’s more, an insurer can refuse to pay a claim if, in the course of a post-incident examination, it discovers that the company made a false statement in the questionnaire (e.g., it declared that it uses MFA, but in practice never enforced it). Insurance is not a shield. It is a safety net that only works if a solid foundation has been built beforehand.
What specific evidence of compliance will the insurer require before issuing a policy?
The insurer will no longer be content with declaring “yes, we have security.” It will demand evidence of the implementation of “appropriate and proportionate” technical and organizational measures – exactly the same as KSC/NIS2.
As a CFO, you need to be prepared for your CISO to be asked to present:
- Risk analysis results: The insurer wants to know that you understand your risks.
- Audit and testing reports: Do you regularly conduct penetration tests, vulnerability scans and configuration audits?
- Policies and Procedures: First and foremost, the Business Continuity Plan (BCP) and evidence of its testing.
- Evidence of implementation of key controls: Can you confirm MFA implementation on all administrative accounts and remote access? Do you have EDR systems in place? Do you have monitoring (SIEM/SOC) in place?
- Evidence of supply chain management: How are you vetting your IT suppliers?
Each “no” or “don’t know” on this list drastically increases the premium or leads to the exclusion of key risks from the policy, rendering it useless.
Why is risk analysis (required by KSC/NIS2) crucial for an insurer?
Risk analysis is the foundation upon which the entire KSC/NIS2 directive is based. It is also the foundation on which the insurer builds its assessment. Why? Because risk analysis shows the company’s management maturity.
A company that has not conducted a formal risk analysis is, from an insurer’s perspective, operating “blindly.” It doesn’t know which of its assets are critical, doesn’t understand the potential business impact of an incident, and can’t justify why it spent money on security A rather than B. Such a company is unpredictable and a huge risk.
A company that has a documented risk register (compliant with ISO 27005, for example) shows the insurer that it manages security in a conscious manner. It shows that its budget for cyber security is not haphazard, but the result of a rational assessment of risks. For the insurer, this is a signal that it is dealing with a partner that is “exercising due diligence” – and this is grounds for a premium reduction.
How does the implementation of technical measures (MFA, EDR, SOC) reduce insurance premiums?
Insurers know exactly what works. Their statistics from thousands of incidents are unforgiving. They know that the vast majority of ransomware attacks that end in ransom payments were made possible by two factors: a lack of multi-factor authentication (MFA) and a lack of monitoring (SOC) to detect the attack early enough.
Therefore, the implementation of these specific technical measures has become the baseline in risk assessment. A company without MFA is almost uninsurable today. A company that has implemented MFA and has EDR systems (to protect workstations), but does not have 24/7 monitoring (SOC), will get a policy, but with a high premium.
Only the company that can demonstrate the full package – prevention (MFA, EDR), detection (SOC 24/7) and response (BCP plans tested) – becomes a “premium customer” for the insurer. This is an entity that has realistically invested in lowering its risk, and therefore deserves a much lower premium. The investment in the CORE and RESILIENCE Package therefore has a direct return in the form of reduced risk transfer costs.
Will the insurer ask about my supply chain security (SCRM)?
Until recently, this was not common. Today, it is one of the key questions. Insurers, like the developers of KSC/NIS2, have come to understand that a supply chain attack is one of the most devastating and costly scenarios. An attack on one software vendor can compromise thousands of its customers.
The insurer knows that if your company does not manage the risks of its IT suppliers, your de facto security is illusory. So it will ask you directly, “Do you have a vendor security assessment policy?”, “Do your contracts with ICT suppliers contain security clauses?”, “Do you conduct audits of your critical partners?”.
Failure to implement the SCRM process that KSC/NIS2 requires will result in either exclusion from the policy of damages resulting from an attack on the supply chain (rendering the policy largely useless) or another drastic premium increase.
How does the KSC/NIS2 readiness audit (START Package) become a negotiation tool with the insurer?
Here we come to the crux of the matter from the CFO’s perspective. You have to incur costs to implement KSC/NIS2. But how do you prove the return on that investment? The answer lies in the insurance process.
When it comes time to renew your cyber policy, instead of passively answering a questionnaire, you can proactively present your insurer with the results of a KSC/NIS2 (START Package) readiness audit conducted by a reputable third-party partner. Such an audit is nothing more than a professional, independent assessment of your “cyber-insurance readiness.”
By presenting the insurer with an audit report and a roadmap for implementing the missing elements (the CORE Package), you send a powerful signal: “We are aware of the risk, we have a plan to mitigate it and we are actively managing it under the supervision of the board.” Such a document is the strongest negotiating tool you can have. It allows you to claim a much lower premium because you provide hard evidence of due diligence.
How should CFOs and CISOs work together to optimize cyber risk costs?
KSC/NIS2 and the insurance crisis are forcing an alliance that was not obvious until now: the alliance between the CISO and the CFO. The CFO no longer sees the CISO as a “cost center” and is beginning to see them as a “financial risk manager.”
The CISO’s job is to translate technical risk into business language. Instead of saying “I need a SIEM,” the CISO says: “The lack of a SIEM and a SOC prevents us from meeting the 24-hour incident-reporting requirement and raises our insurance premium by 30%.” This is language the CFO understands.
This cooperation must be formalized. The CFO must involve the CISO in the insurance negotiation process. The CISO must provide the CFO with regular progress reports on the implementation of KSC/NIS2, which the CFO can use in discussions with insurers and brokers. Implementing KSC/NIS2 is not a cost; it is an investment in reducing the total cost of risk (TCO of Risk), which consists of the cost of sanctions, the cost of incidents and the cost of transfer (insurance).
Financial Risk Management (Cyber) for the CFO: Summary Box.
The table below shows how investing in KSC/NIS2 compliance (in the nFlo model) directly translates into risk cost reduction.
| KSC/NIS2 requirement (challenge) | Operation under nFlo Packages | Impact on insurer rating (and cost reduction) |
|---|---|---|
| Risk analysis / audit | START package: KSC/NIS2 compliance audit and insurance readiness assessment. | Proof of maturity: The company consciously manages risk. Key to starting premium negotiations. |
| Technical measures (MFA, EDR) | CORE package: Implementing key security technologies. | Risk reduction (prevention): Meeting the absolutely basic requirements. Without this, the policy is impossible or extremely expensive. |
| Reporting within 24 hours | RESILIENCE package: 24/7 SOC and Incident Response service. | Risk reduction (detection): A key factor in minimizing damages. Significantly reduces premiums. |
| Business continuity | CORE/RESILIENCE package: development and testing of BCP/DRP plans. | Reducing the cost of the damage: Proof that the company knows how to get back to work after an attack, reducing costly downtime. |
| Supply chain | CORE/RESILIENCE package: active SCRM audits. | Reducing systemic risk: Eliminates a “blind spot” in the assessment. Reduces the risk of exclusions in the policy. |
