Operational resilience: the role of cyber insurance in protecting companies
DATE: 11/03/2025
by Marcelo Vitório*

Being at Mind The Sec 2025, the largest cybersecurity event in Latin America, was a valuable opportunity to closely observe how the market has been evolving around a topic that is now central for any organization: operational resilience. In a context of increasingly sophisticated attacks, the discussions made it clear that security is not just about prevention, but about the ability to maintain operations and preserve reputation even in the face of an incident. Today, the question is no longer whether a company will be attacked, but when — and what the impact of that attack will be. This new scenario demands constant preparation, strategy, and maturity in risk management.
The discussions showed that the best-prepared companies are those that structure their resilience on three pillars: technology, processes, and people. Technology encompasses systems and tools that strengthen defenses; processes ensure continuity, governance, and efficient response; and people translate the security culture into behavior. But there is a fourth layer that supports this entire system of moving parts: the financial capacity of organizations. This is precisely where cyber insurance gains prominence, offering protection against the residual risk that remains even after all mitigation investments. There is no complete resilience without financial solidity. Cyber insurance is the component that closes the cycle between prevention, response, and recovery.
In recent years, the market has experienced significant fluctuations. After the spike in attacks during the pandemic, several insurers withdrew, making the product more expensive and limiting its availability. However, the scenario has changed, and today we see a more balanced and accessible environment, with insurers returning to the cyber insurance market and companies advancing in their maturity in fighting cyber threats — making them more prepared to purchase insurance and, as a direct consequence, reducing the premiums of this final layer of operational resilience.
According to CNseg and Susep, between 2019 and 2023 there was an 880% increase in the volume of cyber insurance contracts. This growth confirms that the market is aware of the importance of transferring part of the financial risk. This trend was reinforced by new regulatory requirements, such as Banco Central’s Resolution BCB 498/2025, published on 09/05/2025, which includes the mandatory contracting of cyber insurance for all technology service providers connected to the National Financial System (RSFN), whether fintechs or not.
There is still vast room for growth. Recent surveys show that less than 40% of Brazilian financial institutions have a specific cyber insurance policy, and that the country lost approximately R$ 2.3 trillion to cyberattacks in 2024, while total investment in security did not exceed R$ 47 billion. This imbalance highlights how much there is still to evolve.
The maturing of the market is a direct reflection of the evolution of companies. Today, cyber insurance is no longer seen merely as financial protection, but as a tool of governance and operational continuity that contributes to the confidence of investors, clients, and partners. It is a positive movement — a cycle in which better risk management leads to better insurance conditions, and better insurance encourages more robust security practices. True operational resilience emerges when prevention and protection go hand in hand, from risk management to impact transfer.
*Marcelo Vitório is responsible for Cybersecurity and Information Technology at Horiens.
