Five cyber risk practices every broker & business should know

As the cyber insurance market shows signs of stabilizing after years of volatility, the threat environment is becoming more complex and far reaching than ever. The rate of year-over-year premium decreases has slowed, but the frequency, severity, and sophistication of cyberattacks continue to rise.

The increase in cyber premiums has slowed since its peak in 2022, according to Fitch Ratings, yet Industrial Cyber reports that global ransomware attacks increased 32% in 2025. For brokers and risk managers, this underscores the need for proactive strategies to reduce exposure and strengthen resilience. Here are five best practices that can help businesses of all sizes prevent attacks and recover quickly when they occur.

Stolen or misused credentials remain the principal doorway to data breaches across industries.

Verizon’s 2024 Data Breach Investigations Report found credential theft as the initial access vector in 38% of breaches, far outpacing phishing and vulnerability exploitation.

That reality makes robust identity controls, especially multi-factor authentication (MFA), non-negotiable. In fact, MFA reduces compromise risk by almost 99%, according to Microsoft.

Applied consistently to employees and vendors, MFA meaningfully reduces attack paths. Regular access reviews, prompt removal of dormant accounts, and conditional access policies further limit exposure as roles and relationships change.

Effective MFA is not a set-and-forget control. It requires disciplined governance, visibility across the organization, and ongoing monitoring of login activity and anomalous behavior, such as attempts to access data outside normal usage patterns.

Organizations that harden access controls while prioritizing usability often see both security and adoption improve.

Attackers overwhelmingly favor known, unpatched software flaws.

And these flaws continue to grow. More than 240 known exploited software vulnerabilities were added in 2025 to the Cybersecurity and Infrastructure Security Agency’s tracking catalog.

Yet organizations take a median of 55 days to patch half of critical vulnerabilities, according to Verizon. This gives adversaries a generous window to do harm.

That time can be reduced by automating software patch discovery and remediation, and through including patch resolution metrics in Service Level Agreements with key vendors.

Vendors can be a key entry point for cyberattacks so managing them is critical.

Beyond carefully selecting and onboarding vendors, maintain a living inventory of all of them, classify them by data sensitivity and system criticality, and require evidence of patch hygiene, data breach and incident response commitments in contracts.

Not all data is equal. Classify information by sensitivity and business criticality, then apply appropriate encryption and access controls.

Design data backups to survive targeted attacks. One effective approach is to follow the 3-2-1 rule, three copies, on two media, with one off site.

Regularly validate restored data to ensure consistent recovery across systems and to avoid discovering corrupted data during a crisis.

Develop your data protections and backup strategy assuming you will be attacked. Segment sensitive data, shorten retention, and minimize the type and amount of data collected.

Isolated data backup and a clear well-rehearsed playbook are two critical tools for minimizing the impact of ransomware attacks.

Quickly detecting and responding to a cyberattack are among the best ways to limit its financial and operational impact.

To do this, a company should document its enterprise-wide incident response plan, define clear roles and responsibilities, and regularly conduct tabletop exercises and breach simulations.

Pair this with continuous security monitoring, whether internally or through a vendor to surface threats earlier and shorten the breach lifecycle. There is a clear link between speed and outcome; organizations that detect and contain breaches faster materially lower their costs.

Have clear systems in place for coordinated communications with regulators, customers and vendors throughout an incident.

Cybersecurity can feel daunting, but these five practices give brokers and their clients a practical roadmap for preventing attacks and recovering faster when they occur.

In a stabilizing but still selective insurance market, organizations that implement and demonstrate these fundamentals are better positioned for underwriting success and, more importantly, for resilience.

To learn more about how Liberty Mutual helps businesses move from reacting to cyber incidents to confident readiness with trusted cyber insurance solutions, visit our cyber insurance website.