Nairobi, 2 November 2025

I recently attended a cyber insurance masterclass where Flissa Doroff – Director of Cyber Insurance and Legal Partnerships at Sygnia – delivered an engaging and eye-opening session titled “Lessons from Loss: Turning Post-Incident Evidence into Actionable Underwriting Intelligence.”

Flissa is a Thought Leader & Subject Matter Expert and has worked across cyber-related roles at AIG, Marsh, AXA XL and Mosaic Insurance.

Her presentation leveraged her hands-on experience across the full cyber insurance lifecycle and explored the widening gap between rapidly evolving cyber threats and traditional ways insurers evaluate risk.

She also showed how claims data — especially insights drawn from real incidents — can transform underwriting decisions and strengthen organisational resilience.

Understanding the Cyber Risk Landscape

Flissa opened with a stark illustration of today’s threat environment:

• New vulnerabilities emerge every 17 minutes

• Threat actors execute over 11 attacks per minute globally

This pace of change renders point-in-time questionnaires and static underwriting assumptions insufficient. The key message was clear — cyber risk is dynamic, and insurance practices must evolve to match that speed.

She noted that proactive security measures are often misunderstood as punitive rather than protective, while traditional questionnaires frequently miss the actual exposures that lead to breaches.

Why Claims and Underwriting Must Work Together

A central theme was the essential collaboration between claims professionals and underwriters.

Claims teams see what truly fails during incidents — from misconfigured controls to escalation bottlenecks. Their insights can:

• Strengthen underwriting requirements

• Clarify warranties and expectations

• Reduce coverage ambiguity

• Create a continuous feedback loop from real events to future underwriting decisions

This partnership, she argued, transforms each incident into actionable intelligence that improves risk assessment and industry resilience.

The Power of Real-Time Incident Data

While assessments and scans predict exposures, incidents reveal reality.

Several data points underscored this:

• 88% of SMB incidents involved ransomware-related breaches

• SME claims with Business Interruption were 650% more expensive than those without

• 47% of incident costs (2020–2024) stemmed from crisis services

• 50% of claim values globally arise from BEC and phishing

• Ransomware drives 60% of high-severity claims, with losses 6–7 times higher than BEC

These numbers highlight a simple truth: small, frequent events drain resources quietly, while large attacks can destabilise entire organisations.

Incident Response Findings: What Really Happens on the Ground

She then shared practical observations from recent incident response engagements — many of which challenge common assumptions about “good controls.”

Multi-Factor Authentication (MFA)

Most MFA failures come from user behaviour, fatigue or social engineering, not technology. Partial deployment of privileged accounts remains one of the biggest exposure points.

Endpoint Detection and Response (EDR)

One recurring issue is incomplete coverage. During investigations, IR teams check:

• Whether EDR tools blocked any activity

• Whether logs were complete

• Whether all critical systems, servers and endpoints were covered

“Dwell time” — how long attackers stay undetected — remains one of the clearest measures of control effectiveness.

Coverage Friction: Where Issues Still Arise

Although the majority of cyber claims are paid, some pressure points continue to appear:

• Wrongful collection

• Interruption exclusions

• Overlapping PI and cyber scenarios

• Verification gaps during cybercrime events

These issues often stem from misalignment between declared controls and what was actually implemented, or from policy wording that hasn’t kept pace with evolving attack methods.

Building Organisational Readiness

Flissa was clear that readiness is less about having perfect systems and more about knowing how to respond when it matters.

She encouraged organisations to:

• Run tabletop exercises

• Simulate real-world scenarios through wargames

• Strengthen privacy and security training

• Prepare leadership for incident-driven decision-making

Teams that practise regularly tend to recover more quickly and with far fewer disputes during claims.

The Evolving Cyber Insurance Landscape

The discussion also touched on broader market shifts, including:

• The emergence of stand-alone AI insurance

• New interpretations of war exclusions within the Lloyd’s market

• Increased losses linked to crypto-related incidents

• The ongoing influence of collapses such as Bibitcase and FTX

The takeaway was that the cyber insurance market is still maturing, and adaptability is now a core skill for insurers, brokers and insureds alike.

Collaboration, Intelligence and Capacity Building

Flissa closed with a powerful reminder: cyber resilience depends on continuous learning and open collaboration across underwriting, claims, incident response teams and insured organisations.

At Specialty Claims Academy (SCA), we share this mindset. Our programmes are built to strengthen cyber incident literacy, improve investigative capability and support insurers and adjusters in navigating the complex realities of cyber claims.

By investing in people and encouraging shared intelligence, we can build a more resilient cyber insurance ecosystem for the region.

📧 training@specialtyclaims.co.ke
🌐 www.specialtyclaims.co.ke

Author:
Fredrick A. Oloo
BCom (Ins.), Dip CII, Dip CILA
Lead Trainer & Director – Specialty Claims Academy (SCA)

( Also: Managing Director – Niche Loss Adjusters & Marine Surveyors Ltd
Council Member – Institute of Loss Adjusters & Risk Surveyors (IARS – Kenya)
Committee Member – Chartered Institute of Loss Adjusters (CILA – UK)’s Future Focus Special Interest Group