
When it’s time for cyber insurance, here’s what a CFO needs from the CISO

Here’s how to sort through the seemingly endless questions.


Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.

When it’s time for cyber insurance, there are a lot of questions as part of the process—seemingly endless questions.

Matt Hillary, chief information security officer (CISO) and SVP of security at Drata, a security and compliance automation platform, has to sit down annually with the chief financial officer (CFO) and general counsel (GC) to ask and answer questions like:

  • Do you have multi-factor authentication for remote access?
  • Are laptops encrypted?
  • Do employees have install rights on those laptops?
  • Has there been a security breach in the last two years?

CFOs have budgets allocated for cyber insurance, and insurers set premium rates based on buyers’ security controls. Amidst this back and forth, CISOs are tasked with dutifully conveying an accurate cybersecurity picture to their financial colleagues.

Hillary and other CISOs and consultants who spoke with IT Brew shared strategies for answering finance and security questions effectively, and early, in the cyber insurance process.

“It’s kind of an unofficial marriage between the CISO, GC, and CFO within the company. If you don’t have a solid connection or relationship—and a working relationship and an influential type of relationship—within that cohort of those three, you’re doomed for a really painful experience as a CISO,” Hillary said.

Questions? Throughout his career, Hillary has had to answer cyber insurance questionnaires ranging from a single page to as many as 70 questions.

The questionnaire allows insurers to understand a potential customer’s risk exposure, and to assign insurance options and costs accordingly.

Common questionnaire sections include: information privacy (does the applicant encrypt data when transmitted over public networks?), information-security organization (what frameworks has the company complied with?), email security (do you provide a quarantine service to users?), and internal security (do you use MFA to protect privileged user accounts?).

Explain it to me like I’m a CFO. A CISO can provide expertise to a CFO, who may lack an understanding of past security incidents and current controls. According to Nadine Moore, managing director and senior partner at Boston Consulting Group, a line of questioning could be, “Is data encrypted? Well, there’s a lot of data inside companies. Is it all encrypted? Is some of it encrypted?”

Data is a complicated subject for CFOs and security pros alike. When Hillary supported veterinary and dental clinics, calculating all data elements—a potential cyber insurance prep task—might lead to multiple database queries (and even an exclusion of, say, pet records, which don’t count as protected health information).


Defining all data elements could lead to a CFO asking, “We have how many of these records? Why do we even have those records?” Hillary said.

Add and extract. According to Identity Theft Resource Center, the first half of 2025 saw 1,732 data compromises—54.9% of 2024’s total of 3,155 incidents, putting it slightly ahead of last year. IBM’s latest Cost of a Data Breach report, which reviewed security incidents between March 2024 and February 2025, calculated an average loss of $4.44 million.

Here’s one common cyber insurance question a CFO asks a CISO, especially at an expanding company, according to Mimecast CISO Leslie Nielsen: Do we need more coverage?

To answer that question, Nielsen pulls cost calculations from reports like IBM’s annual review and Verizon’s Data Breach Investigations Report (which analyzes figures like median ransomware amounts). If costs increase by a certain percentage, perhaps a group discusses upping their coverage to cover a similar percentage increase, Nielsen said.

Let’s meet up sometime. As CISOs augment security capabilities, their organizations can get more coverage and better insurance pricing, Moore told us. However, flipping a security-question checkbox from “no” to “yes” requires budget and IT effort.

Adding a company-wide control like multi-factor authentication is “not a ‘let’s put it in over the weekend’ thing,” Moore said. She added that orgs should bring documentation to the cyber insurance meeting, like external audits, to demonstrate security posture.

Hillary emphasized the importance of regular meetings via risk steering committees to keep the CFO informed—and to make sure the first time a CFO, CISO, and GC get together for questions isn’t an hour before the cyber insurance broker arrives.

“I have not seen a CFO yet be surprised by these requirements,” he said. “And in fact, I’ve been more on the side of CFOs being like, ‘What more do you need? Like, how do we help you make sure that we’re protected here?’”
