Leading with Risk: How We’re Building Smarter Cybersecurity at INSHUR

Written by Zeph Sibley, Security Operations Engineer

The world of cybersecurity is changing. Dated, inflexible practices, like locking everything down the same way and treating every system as equally critical, are being left in the past. The new standard across the cybersecurity industry is clear: a risk-based approach.

At INSHUR, we’re all in on this. We’re building our cybersecurity program around risk, around understanding what matters most and protecting it effectively. This isn’t just best practice; it’s a commitment to walking the InsurTech walk.

What is a Risk-Based Approach?

With the threat of cybercrime rising year on year, it’s tempting to try to protect everything equally, but that’s a losing battle. No company, no matter how large, has unlimited resources.

This means we have to work smarter. We need to understand what assets we have, and what the true threats to those assets are. How likely are they to happen? What would it cost us if they did?

From there, we act. We put controls in place where they will reduce the most risk. We monitor. We adjust. We prepare for the worst while focusing on the most important. It’s a continuous cycle, not a one-time project.

This is how modern cybersecurity is built, and it’s where the entire industry is heading. Companies that cling to outdated, one-size-fits-all defences are finding themselves outpaced and exposed, wasting time and money on half-baked threats and security theatre. 

Why Risk and Insurance Go Hand in Hand

At INSHUR, we don’t just understand risk. Risk is our business.

Insurance has always been about understanding risk: measuring it, pricing it, managing it. This is why the risk-based approach to security was easily translated across the business. It’s not enough to know that a cyber threat exists. We need to know how likely it is, how bad it would be, and what we can do to lower that risk to an acceptable level.

Several regulatory bodies already champion this model. The UK Financial Conduct Authority frames its handbook around the concept of risks, with systems and controls to manage them. New York State specifically requires that each financial services company “assess its specific risk profile and design a program that addresses its risks in a robust fashion” (New York State Department of Financial Services, 2023).

When we assess cybersecurity risk, we are not only protecting ourselves, we are protecting our customers. Understanding how cyber threats evolve, how they affect business operations, and how risk controls perform in the real world will help us design better services, protect customer data, and serve our clients with more insight and precision.

Cybersecurity and insurance have a lot in common. Companies that can see this, and act on it, will lead the future.

Examples of This Approach

We’re expanding risk-based thinking into every aspect of our approach, but here are three main things we are doing right now that make us more secure than ever.

  1. We have empowered teams to track their risks and the decisions behind them in tickets, the same way they track other bits of work. This ensures that risks don’t get overlooked or misunderstood. 
  2. We analyse vulnerabilities in terms of risk, rather than just taking the severity score at face value. This means contextualising vulnerabilities against our system; a high might really be a medium, and a medium might really be a high. Through this practice we can cut through the noise and focus on what we are truly vulnerable to.
  3. We are building people’s ability to understand risk through threat modelling. Beginning with a series of security-led workshops, we have started the process of analysing new features for risks and threats. In this way we invest in each person’s knowledge and sow the seeds of security culture.

Staying Cutting Edge

We are proud to say that our risk-based approach puts us at the forefront of cybersecurity practice. Industry leaders, from the aforementioned regulators to security frameworks like NIST and ISO, are urging companies to prioritise risk management. Gartner and other analysts have predicted that within a few years, risk-based cybersecurity will not just be a best practice — it will be an expectation.

By building on a risk-first foundation now, we are positioning INSHUR not just to keep up, but to lead. We are investing in the tools, processes, and ability of our people to make hard choices: where to harden, where to monitor, where to accept risk, and how to explain those choices clearly to our stakeholders.

Risk management is not about fear. It’s about knowledge. It’s about action. It’s about building resilience in a world where change is constant and threats evolve daily.

Final Thoughts

Cybersecurity will never be “finished.” There will always be new threats, new risks, and new technologies. But by taking a clear-eyed, risk-based approach, we are ready.

At INSHUR, we aren’t just protecting ourselves. We are building a stronger future — for our customers, for our industry, and for everyone who counts on us.

We’re not playing catch-up. We’re leading the way.