
Cyber insurance purchasing process can mitigate risk


The combination of risk mitigation, risk transfer and incident response services that cyber liability insurers offer can help reduce cyber exposures, a pair of cyber experts said.

But policyholders might not access all the services available, so insurers should work to become more closely aligned with their cyber customers, they said during a session Tuesday at Riskworld, the Risk & Insurance Management Society Inc.’s annual conference in Atlanta.

Insurers can compel organizations to adopt specific cyber risk mitigation strategies as a condition of coverage, said Brett Tucker, technical manager of cyber risk management at Carnegie Mellon University’s Software Engineering Institute in Pittsburgh.

“It’s an idea that you’re sharing best practices and making sure that people are staying up with the state of the art in terms of technology,” he said.

Cyber insurers have a responsibility to drive cybersecurity standards higher and have the ability to reward preparation and punish a lack of consideration of the risks, said Benjamin Bertossi, New York-based cyber product specialist at Chubb Ltd.

“There should be always a shared goal of cyber resiliency between an insured and an insurer, and there should be with that an understanding that preemptive measures and proper loss mitigation is what leads to the most effective risk transfer for your organization,” he said.

Cyber insurers offer security and breach response services to policyholders, but buyers might not understand the extent of the services offered, Mr. Tucker said.

Insurers should ensure that they are on the list of organizations that policyholders call when they learn of a breach, so they can use the services they provide to reduce their own exposures as well as those of their customers, he said.

To ensure cybersecurity is embedded in their organizations, chief information officers and chief information security officers should have regular meetings with other C-suite level executives, Mr. Bertossi said.

“Cyber risk should be at least a quarterly topic of discussion, not just one that occurs at the time of renewal of your insurance program,” he said.

Cyber policyholders are seeing some positive trends, Mr. Bertossi said. For example, over the past quarter most demands in ransomware attacks were negotiated down to 30% to 40% of the initial demand, he said.