Insurance that protects, not just pays
IN Partnership with
CFC’s distinct approach combines proactive defense with cyber insurance. By identifying zero-day vulnerabilities and providing real-time threat intelligence, it’s protecting organizations before cyber threats escalate into costly incidents.
As cyber threats evolve at an unprecedented pace, CFC has positioned itself as a leader in proactive risk management, not just through traditional insurance but also by taking a direct role in cyber defense.
CFC has become the first insurance company to have zero-day vulnerabilities attributed to its name, a move that signals a fundamental shift in how the insurance industry interacts with cybersecurity.
A zero-day vulnerability is an undiscovered flaw in an application or operating system. Because a vendor is unaware of the security gap, there are no patches or fixes, leaving systems vulnerable to threat actors.
CFC is a specialist insurance provider, pioneer in emerging risk, and market leader in cyber. Our global insurance platform uses cutting-edge technology and data science to deliver smarter, faster underwriting and protect customers from today’s most critical business risks.
Headquartered in London with offices in New York, Austin, Brussels, and Brisbane, CFC has over 500 staff and is trusted by more than 100,000 businesses in 90 countries.
“Traditionally, insurance was a promise to pay out, but from CFC’s perspective, it’s a promise to protect as well”
Jason Hart, CFC
This capability changes the game for cyber insureds. Instead of merely responding to cyber threats, CFC is eliminating them at the root.
According to Hart, this approach is not just about having technological capability but also about strategy. CFC has restructured its cyber and proactive teams under global leadership to enhance consistency across territories.
“We’ve always had these unique capabilities,” Hart said, “but bringing them together under one entity has compounded this.”
Hart, who joined CFC just over a year ago, brings a lifelong background in cybersecurity. From founding one of the world’s first ethical hacking companies in the late '90s to serving as CTO of a major security vendor, he has seen the rapid growth of the cybersecurity industry. He stressed that the work that CFC’s threat intelligence and incident response teams have done is substantial.
“In a very short time, we’re already seeing the value of this, not only from being the world’s first (insurer) to identify zero-days but also in gathering intelligence on active threats before they escalate,” Hart said.
In one recent case, he added, the CFC team uncovered data on initial access brokers, or hackers who bypass security controls, plant back doors, and sell access to the highest bidder, often leading to ransomware attacks. With this intelligence, the team alerted affected policyholders before their data could be exploited.
The traditional approach to cybersecurity often relies on vulnerabilities being discovered by independent researchers, who then report them in exchange for recognition or financial rewards. These vulnerabilities are later catalogued and addressed by organizations worldwide. But CFC is disrupting that model.
“We have identified zero-day vulnerabilities before anyone else, including threat actors. This allows us to mitigate risks before they’re published or exploited,” said Jason Hart, managing director, proactive & global security services at CFC.
“One of our unique capabilities is delivering high-level threat intelligence feeds. For example, if we know ransomware groups are planning a targeted attack, we can provide this intelligence to our clients in advance,” Hart said. “Depending on the organization’s size, whether it’s SME (small to medium enterprise), mid-corporate, or a large enterprise, we can also offer a direct intelligence feed. Larger organizations with dedicated security teams can integrate this enriched threat data as part of their policy.”
Technology plays a crucial role in delivering this protection, and CFC has built an entire ecosystem around its policies, including an app to engage insureds about their cybersecurity posture.
“The app is a way to communicate with the insured and inform them about immediate threats. More importantly, if an incident occurs and systems are down, they can inform us through the app and have that direct, out-of-band communication to allow us to support them,” Hart said.
The app also provides additional services, including phishing simulations, threat intelligence, and vulnerability testing, reinforcing its role as an essential security tool rather than just an insurance add-on.
Pioneering zero-day vulnerability discoveries
Published April 7, 2025
Copyright © 2025 KM Business Information Canada Ltd
What sets CFC’s proactive cyber risk management apart?
From an insurance standpoint, this proactive approach is rippling across the entire industry landscape. Historically, cyber insurance has been a financial safety net, stepping in when an organization has already suffered an attack. CFC is rewriting that role.
“Traditionally, insurance was a promise to pay out, but from CFC’s perspective, it’s a promise to protect as well,” Hart said. “There’s generally a lot of noise around cybersecurity, people telling organizations about all the different vulnerabilities and risks. But our unique selling point is to highlight only what truly matters: what could lead to an incident.”
This kind of precision not only saves clients from unnecessary panic and “alert fatigue” but also reduces costs associated with mitigating threats that may not be relevant.
“We proactively identify threats that pose real risks to our insureds, doing so in a non-invasive way without requiring them to install anything on their networks,” Hart explained. “Instead, we inform them only when they face an immediate risk or a high probability of compromise. This allows them to focus on running their business, knowing we’ll step in when action is truly needed.”
Beyond vulnerability discovery, CFC’s restructure also ensures a more responsive service. It has implemented a “follow-the-sun” model for incident monitoring and response, meaning client support is available 24/7 across different global time zones.
Embracing insurance’s growing role in cybersecurity
Identifying a zero-day vulnerability
Initial systems or software analysis
Fuzz testing (inputting unexpected data to observe how the system reacts)
Identifying patterns or flaws
Code review and reverse engineering to uncover security gaps
Testing the vulnerability
Documenting, reporting, and monitoring for exploitation
The value of cyber insurance
Average value of ransomware demand: around $272,300 (£147,044)
Average cost of cyber insurance to SME (<100 employees), including proactive protection services: around $6,800 (£3,715)
Source: CFC
At the core of CFC’s expanding capability is a broader message about the value of cyber insurance and the insurance industry’s growing role in the cybersecurity space.
“I’ve been in cybersecurity my whole life and have now crossed over to the insurance industry,” Hart reflected. “There’s this misconception among CISOs that there’s no value in cyber insurance, but I can categorically tell you the value that a CFC policy provides is outrageous.”
Cyber monitoring and incident response services alone, Hart pointed out, would cost thousands. CFC’s study revealed that the average monthly cost to an SME (defined as companies of up to 100 employees) to outsource all these services amounted to more than $9,100 (£4,962), leading to an annual spend of just over $110,300 (£59,566). However, the typical yearly cost of a cyber insurance policy for an SME is only around $6,800 (£3,715).
“You’ve got organizations around the world paying huge sums of money for an incident response retainer. With a policy, you get that unlimited incident response access with some of the best teams in the world,” said Hart. “We respond within 15 minutes of an incident, handle forensics, data mining, and business resumption, all included in the policy.”
For CFC, the promise to protect, not just pay out claims, is also about making businesses more cyber resilient from the outset.
“Our policy includes a comprehensive suite of services and technology to support them throughout their cybersecurity journey, helping them operationalize cybersecurity as a core business cost,” Hart said.
“There's this misconception among CISOs that there's no value in cyber insurance, but I can categorically tell you the value that a policy provides is outrageous”
Jason Hart, CFC
