Mandating Zero Trust Architecture as a Condition of Cybersecurity Coverage
Joe Jambor
Abstract
The Change Healthcare breach in February 2024 exposed the protected health information of 190 million individuals and cost UnitedHealth Group nearly $3 billion. The breach occurred because two-factor authentication was turned off on a single portal, but was ultimately destructive because once the intruder was inside the system, there was little that could be done to stop them. This Article argues that cybersecurity insurers are uniquely positioned to prevent breaches like this one by driving adoption of Zero Trust Architecture (ZTA), the “never trust, always verify” framework codified in NIST Special Publication 800-207, by requiring its implementation as a condition of coverage. Despite its proven success rate, full ZTA adoption remains critically low, with only ten percent of large enterprises projected to reach a mature Zero Trust posture by the end of this year, as cost, institutional resistance, and legacy technology continue to impede progress. Market incentives alone have failed to move the needle. Drawing on four intersecting bodies of law: the contractual doctrine of conditions precedent in insurance agreements, federal sectoral cybersecurity regulatory frameworks including the FTC Safeguards Rule and HIPAA’s Security Rule, the state insurance regulatory architecture under the McCarran-Ferguson Act, and the rapidly evolving common law standard of reasonable cybersecurity, this Article establishes that insurer-mandated ZTA requirements are legally permissible, practically achievable through a phased implementation framework tailored to enterprises of all sizes, and essential to stabilizing the cyber insurance market while reducing legal liability for insureds.
Introduction
In today’s digital landscape, cybersecurity threats are increasingly sophisticated and pervasive, posing significant financial risks to businesses and organizations.[1] Cybersecurity insurance has emerged as a critical tool for mitigating these risks, providing financial protection against data breaches and other cyber incidents. However, as the complexity and frequency of cyber-attacks escalate, traditional security measures are often inadequate, driving the global cyber insurance market towards a projected US$30 billion by the end of the decade.[2] While the cybersecurity insurance market is currently stable and growing, this growth is set against a background of increasingly sophisticated cyberattacks aided by advances in technology that increase both frequency and destructive power.[3]
One means of improving an organization’s cybersecurity posture is through the application of the principles of Zero Trust Architecture. While more costly than some traditional models, ZTA offers a comprehensive level of protection that dramatically reduces the frequency and cost of attacks.[4] Despite this, adoption has been slow, with many organizations failing to take concrete steps towards a completely secure cybersecurity posture due to challenges such as cost, institutional resistance, and legacy technologies which are highly resistant to incorporation into a more rigorous cybersecurity regime.[5]
This paper argues that a stable cybersecurity insurance market depends on an improved cybersecurity posture among insured entities and that thorough implementation of Zero Trust frameworks is the best way to achieve that goal. Adoption of ZTA would significantly diminish the harm caused by cybercrimes such as ransomware and phishing, and prepare industries for a future where threat actors will be able to leverage emerging technologies such as AI and quantum computing to cause even more damage. This paper further argues that the requirement of zero trust architecture for cybersecurity insurance policies will have the broader beneficial effect of helping companies reduce their legal liability, ensure regulatory compliance, and align their practices with judicial expectations of “reasonable” cybersecurity practices, thereby further ensuring the continued existence of an economically viable cyber insurance marketplace for both insurers and consumers. Finally, this paper proposes that existing insurance standards and legal precedent would allow for the requirement
The Cyberthreat Landscape
Technological advancement has always been a double-edged sword in cybersecurity, giving both threat actors and defenders access to a constantly evolving set of tools. Hackers find new ways to exploit bugs and penetrate networks, while defenders develop technologies that automate cyber defense, making it more consistent and affordable. This evolutionary arms race is far from even, however, with the FBI’s most recent report showing nearly 860,000 cybercrime complaints in the US alone.[6] These threats come from a variety of actors ranging across the spectrum from “script kiddies” (novice hackers who often pay for the tools they use to attack) to highly sophisticated state actors who have penetrated some of the most complex systems in the public and private spheres.[7] The combination of new actors and technologies offers a grim prognosis in which ransomware is expected to escalate, identity theft will evolve with AI-driven tactics, and critical infrastructure faces heightened risks due to geopolitical tension.
Traditional security measures such as firewalls and intrusion detection systems have proven woefully deficient in the face of these advancements, and the increased use of cloud services and IoT devices has expanded the attack surface, making it even harder for organizations to secure their networks. To compensate, companies are spending more on cybersecurity and taking advantage of emerging technologies such as advanced AI integration, quantum-resistant cryptography, and autonomous threat detection and response. The scale of the problem is worsened by the fragmented state of cyber defense. Despite efforts by CISA and NIST, the response offered by private and public actors to cyberthreats varies from instance to instance, with only the most egregious failings catching the public eye and little consensus on who bears ultimate responsibility for the problem.[8] This fragmentation means that even if a company does adopt adequate cybersecurity, it may still be vulnerable to a threat actor who targets a third party such as a vendor or software supplier and accesses its system through that route.
Cybersecurity Insurance
Cyber insurance emerged as a market response to the digital economy, and its growth has gone hand in hand with the development of both digital commerce and digital crime. The concept of cybersecurity insurance emerged in the late 1990s, with the first product launched in April 1997 by Steven Haase at an International Risk Insurance Management Society convention.[9] This marked a significant moment in recognizing cyber risks as insurable. Initial policies focused on errors and omissions coverage, often excluding first-party coverage and including exemptions for rogue employees and regulatory claims.[10] In these early days policies primarily covered online media and errors in data processing (EDP). They did not include comprehensive security measures but focused on professional liability for software and media risks.[11]
By the early 2000s, policies began to include first-party coverage for business interruption and third-party coverage for regulatory defense.[12] At each step in its development, cybersecurity insurers were faced with the challenge of writing policies against a backdrop of uncertainty regarding the risk profiles and nature of claims. As the number of attacks grew, there arose a growing recognition that insurers were more likely to litigate against cyber claims filed under traditional Commercial General Liability (CGL) insurance, and that the courts were sympathetic to those lawsuits.[13] To adjust, businesses and insurers increased their focus on cyber-specific policies, which were considered to be better suited for the threat posed by digital attacks.[14] Driven by the constant threat of cybercrime and an increasing acceptance that CGL insurance was insufficient for most use-cases, the global cyber insurance market has experienced rapid growth, tripling in volume between 2017 and 2022.[15] U.S. direct written premiums for cyber coverage reached $9.84 billion in 2023, with North America accounting for approximately 56% of the global market that year. In 2024, the U.S. market recorded its first-ever annual decline, contracting 7.11% to approximately $9.14 billion as competitive pricing drove the first quarterly rate decreases following seven consecutive years of premium growth, even as the global market expanded roughly 7% to nearly $15 billion, with growth concentrated outside the United States.[16] Despite that retraction, the global cyber insurance market is projected by some forecasts to approach $30 billion by 2027.[17] U.S. businesses account for a significant portion of the market, accounting for 69% of global premiums in 2024.[18] Policies now cover a wide range of costs associated with breaches, including notification, forensic investigations, and business interruption.
Insurers have additionally clarified policy coverage and exclusions to improve risk management. As a cost of doing business, cybersecurity insurance has grown in importance as businesses face a growing array of cyber threats.[19]
Cyber Insurance and Cybersecurity: Ransomware as a Case Study
The connection between cybercrime, cyber insurance and cybersecurity can be viewed as an evolutionary arms race where new methods of attacking networks through vulnerabilities or social engineering techniques increase the losses of the insurance industry which in turn requires ever more stringent security to obtain coverage. This push-pull relationship is evident in the history of ransomware, which serves as both a loss leader for the industry as well as a catalyst for requiring improved cybersecurity.
While the first documented ransomware attack was distributed via floppy disk and demanded $189 for a one-year software license, payable by postal mail to a P.O. box in Panama, technological advances such as strong encryption and cryptocurrency later enabled attackers to demand exponentially larger ransoms at a global scale.[20] This rise prompted an attendant increase in cybersecurity premium prices, in some instances by as much as fifty percent.[21] To help stabilize rates and reduce costs, insurers began requiring adoption of cybersecurity technologies such as Multi-factor Authentication (MFA), Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) for those businesses which sought coverage.[22] Insurers additionally began requiring insured entities to complete special ransomware supplemental applications as a condition of coverage.[23] These improvements were able to mitigate the harm of ransomware attacks for companies that put these precautions in place, stabilizing the market, but they did not decrease the number or severity of attacks, which are now higher than ever and continually growing.
The limitations of current cybersecurity measures and the potential harm that ransomware attackers can cause is evident in the February 2024 attack on Change Healthcare, a subsidiary of UnitedHealth Group and one of the largest healthcare claims processors in the United States, which suffered a devastating ransomware attack orchestrated by the BlackCat (ALPHV) group.[24] The attackers exploited a single server which lacked multi-factor authentication, allowing them to move laterally within the network for nine days before deploying ransomware that crippled Change Healthcare’s systems.[25] This attack halted electronic payments and claims processing nationwide, forcing hospitals, pharmacies, and clinics to revert to manual operations and leaving millions of patients unable to access their medications or process insurance claims. As has been seen in several other recent high-profile attacks, the hackers were not satisfied with merely encrypting Change Healthcare’s data, but they also exfiltrated vast amounts of sensitive data, ultimately exposing the protected health information of over 190 million individuals in the largest healthcare data breach in U.S. history.[26]
The financial and systemic impact of the attack was unprecedented. UnitedHealth Group reported direct costs of $2.87 billion in 2024, including a $22 million ransom payment, while also providing over $6 billion in assistance to affected healthcare providers.[27] The attack triggered a surge of cyber insurance claims across the healthcare sector, highlighting gaps in coverage, especially for losses stemming from third-party supply chain attacks. Many organizations discovered their policies did not fully cover business interruption caused by outages at a critical vendor like Change Healthcare, prompting renewed scrutiny of cyber insurance policy language and sublimits. UnitedHealth Group CEO Andrew Witty confirmed before the House Energy and Commerce Committee that the company was entirely self-insured and no cyber insurance policy covered the $22 million ransom payment or the ultimate $2.87 billion in total financial impact, or any portion of the $6.5 billion in emergency advances to affected providers.[28] The entity at the center of the largest healthcare data breach in U.S. history had therefore opted out of the very market mechanism this Article argues should be the primary driver of ZTA adoption, leaving it bearing, without any private risk-transfer, the full financial, operational, and reputational consequences of a control failure that deploying multi-factor authentication, which Witty testified was absent from the compromised Citrix portal, might have prevented.
Understanding Zero Trust Architecture: The NIST 800-207 Framework
The Change Healthcare hack offers a compelling illustration of how Zero Trust Architecture can be used to both prevent and mitigate damage from cyber-attacks, but several key concepts must be grasped before its utility can be appreciated, chiefly that ZTA is not any one specific technology but rather a framework which operates on certain key principles and assumptions.
While there are numerous iterations of the framework, the most widely used was issued by the National Institute of Standards and Technology (NIST) in Special Publication 800-207.[29] Like other Zero Trust models, NIST’s is a cybersecurity framework that rejects the notion of implicit trust for any user, device, or application, regardless of whether they are inside or outside the organizational network. NIST’s ZTA model is built on the principle of “never trust, always verify,” meaning every access request must be continuously authenticated, authorized, and validated based on real-time risk assessments. This approach is a direct response to the reality that threats can originate from both external attackers and insiders, and that modern, complex IT environments require more dynamic and granular security controls than perimeter-based models provide.[30] The NIST framework emphasizes seven core tenets for effective Zero Trust implementation.
- All data sources and computing services are considered resources. Every device, service, and data source, whether enterprise-owned, personally owned, or cloud-based, should be treated as a potential target and protected accordingly.
- Trust is never based solely on network location; all internal and external communications must be encrypted and authenticated to prevent unauthorized access.
- Every access request is evaluated individually, with users and devices granted only the minimum privileges needed for each session, and access to one resource does not automatically grant access to others.
- Access decisions rely on dynamic, context-aware policies that consider user identity, device health, behavior, and environmental factors, ensuring permissions reflect current risk and business needs.
- Continuous monitoring and assessment of all devices and applications ensures that only assets meeting security standards can access resources and compromised or unmanaged devices can be denied access.
- Authentication and authorization are continuously validated throughout each session, using tools like multi-factor authentication and real-time monitoring to adapt to changing risk.
- Comprehensive data collection and analysis on devices, traffic, and access requests are used to refine security policies and enhance the organization’s ability to detect and respond to threats.
Application of the NIST principles to the facts of the Change Healthcare breach allows us to see what differences ZTA implementation can make.
Principles of Continuous Verification and Secure Communication
Change Healthcare’s failure to assume the server was insecure (and secure it with MFA) violates the first principle’s prohibition of trust, and the fact that a single password, not backed by a second factor, was sufficient to allow access to further parts of the system is a violation of the principle of segmentation. The second principle’s requirement that all communication be secured would likely have prevented the compromised password from being stolen in the first place, and would have given defenders the opportunity to realize that the hackers using the password were not in the same physical location as the legitimate user and to deny them access.
Principles of Least Privileged Access
The third principle requires that every access request be evaluated individually, with limitations applying to both the time of access and the information being accessed. Implementation of Zero Trust principles and the use of tools such as data analytics would have allowed Change Healthcare to realize that the attackers were in their system for nine continuous days. Similarly, a ZTA approach would have blocked access to the system, or at the very least to sensitive parts of it, especially outside of business hours when most of the data was exfiltrated. This failure also violates the fourth principle’s reliance on dynamic, context-aware policies to inform every access decision.
Principles of Continuous Monitoring
The fifth, sixth, and seventh principles highlight how ZTA differs from traditional cybersecurity in the depth of its defenses. Under traditional cybersecurity practices it is the outside of the system which is protected by firewalls and passwords. With ZTA, the inside of the system is constantly monitored as well. The fifth principle provides that not only users, but also devices and systems are continuously monitored to ensure that valuable assets are not compromised. The sixth principle assists in constant user verification, ensuring not only that users have the correct permissions, but that they are accessing only those areas to which they have a legitimate reason and permission to access.[31] The seventh principle is additionally invaluable to a long-term, mature cybersecurity stance, as detailed records of all movement can be used to improve cybersecurity in the short term and are critical for digital forensics after a hack and for regulatory compliance.
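As an added illustration of the seven tenets listed above and of the access decisions discussed in the Change Healthcare analysis, the following Python policy decision point evaluates each request per resource, ignores network location, checks device posture and MFA freshness, applies a business-hours rule to bulk exports, and logs every decision. It is not code from the article, from NIST, or from any real product; the resource names, roles, users, devices, times and country codes are constructed for the example.

```python
"""Minimal NIST SP 800-207-style policy decision point (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, List, Tuple, Dict


@dataclass
class Subject:
    user: str
    roles: frozenset
    mfa_verified_at: Optional[datetime]   # None means password-only authentication
    usual_countries: frozenset


@dataclass
class Device:
    device_id: str
    managed: bool
    edr_healthy: bool


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str            # "read", "write" or "export"
    src_country: str
    from_corp_network: bool   # recorded for the audit trail only; tenet 2 says it grants nothing
    at: datetime


# Per-resource, per-action role policy (constructed). Being allowed on one
# resource never implies access to another (tenet 3).
RESOURCE_POLICY: Dict[str, Dict[str, set]] = {
    "remote-access-portal": {"read": {"claims-clerk", "admin"}},
    "claims-db": {"read": {"claims-clerk"}, "export": {"data-engineer"}},
    "backup-server": {"read": {"admin"}, "write": {"admin"}},
}
MFA_MAX_AGE = timedelta(hours=8)        # tenet 6: re-verify within each working session
BUSINESS_HOURS = range(7, 20)           # tenet 4: bulk exports only in normal hours
audit_log: List[dict] = []              # tenet 7: every decision is recorded


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request against the policy; return (allow, reason string)."""
    reasons = []
    # Tenet 6: authentication must be strong (MFA) and recent; tenet 2: the
    # from_corp_network flag is deliberately never consulted here.
    if req.subject.mfa_verified_at is None:
        reasons.append("mfa-missing")
    elif req.at - req.subject.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("mfa-stale")
    # Tenet 5: device posture must be known and healthy.
    if not (req.device.managed and req.device.edr_healthy):
        reasons.append("device-untrusted")
    # Tenet 3: least privilege, evaluated per resource and per action.
    allowed_roles = RESOURCE_POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.subject.roles & allowed_roles):
        reasons.append("role-not-authorized")
    # Tenet 4: context-aware checks (source geography, time of day for exports).
    if req.src_country not in req.subject.usual_countries:
        reasons.append("unusual-geo")
    if req.action == "export" and req.at.hour not in BUSINESS_HOURS:
        reasons.append("export-outside-hours")
    allow = not reasons
    audit_log.append({"at": req.at.isoformat(), "user": req.subject.user,
                      "device": req.device.device_id, "resource": req.resource,
                      "action": req.action, "corp_net": req.from_corp_network,
                      "allow": allow, "reasons": list(reasons)})
    return allow, (",".join(reasons) or "ok")


def run_scenario() -> List[Tuple[str, bool, str]]:
    """Replay a constructed sequence shaped like the breach pattern the article describes."""
    now = datetime(2024, 2, 12, 9, 30)   # constructed weekday morning
    clerk = Subject("a.clerk", frozenset({"claims-clerk"}), now - timedelta(hours=1), frozenset({"US"}))
    stolen = Subject("a.clerk", frozenset({"claims-clerk"}), None, frozenset({"US"}))  # same account, password only
    laptop = Device("lt-0042", managed=True, edr_healthy=True)
    unknown = Device("unknown", managed=False, edr_healthy=False)
    steps = [
        ("legitimate portal login", Request(clerk, laptop, "remote-access-portal", "read", "US", False, now)),
        ("stolen password at portal", Request(stolen, unknown, "remote-access-portal", "read", "ZZ", True, now)),
        ("lateral move to claims-db", Request(stolen, unknown, "claims-db", "read", "ZZ", True, now + timedelta(days=2))),
        ("night-time bulk export", Request(stolen, unknown, "claims-db", "export", "ZZ", True, now + timedelta(days=8, hours=17))),
    ]
    return [(name, *decide(r)) for name, r in steps]


if __name__ == "__main__":
    for name, allow, reason in run_scenario():
        print(f"{name:28s} -> {'ALLOW' if allow else 'DENY':5s} ({reason})")
```

Only the first step is allowed; each later step is denied for several independent reasons, and the audit_log keeps the full record a forensic reviewer would need.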
The Business Case for Mandating ZTA
As the Change Healthcare case study demonstrates, implementation of zero trust architecture significantly reduces cyber risks by limiting the attack surface and preventing lateral movement within a network. While it may take time and resources to implement these changes, the quantitative case for ZTA adoption is compelling as ZTA has been shown to reduce the number of security incidents by 30% and their severity by 40% compared to traditional security models.[32] A compelling business case can also be made for treating ZTA adoption as a cost-neutral investment. Forrester Consulting found that organizations implementing Zero Trust architecture realized a 92% return on investment, attributable primarily to reduced breach risk, the retirement of legacy systems, and gains in operational efficiency.[33]
Adoption of ZTA can additionally reduce an insured’s legal liability, ensure regulatory compliance, and align organizational practices with judicial expectations of reasonable cybersecurity.[34] ZTA’s “assume breach” mindset requires organizations to anticipate and plan for attacks rather than simply react, which demonstrates advanced preparation and due diligence of the kind that is critical in defending against negligence claims, as it evidences that the organization took comprehensive, layered security measures to protect sensitive data and systems.[35] ZTA frameworks such as the CISA Zero Trust Maturity Model and NIST SP 800‑207 provide a clear, structured roadmap for implementing encryption, strong authentication, access minimization, and continuous monitoring, controls that closely track the “reasonable security” obligations emerging under sectoral and state law, including the NAIC Insurance Data Security Model Law.[36] By adopting a recognized ZTA model, an organization can more credibly demonstrate alignment with contemporary industry best practices and regulatory expectations, which can mitigate regulatory risk and strengthen its position in civil litigation. Finally, ZTA’s emphasis on comprehensive audit logging and continuous monitoring creates detailed records of all user actions and system events, which are invaluable in investigations and litigation. These audit trails provide concrete evidence of compliance, support the organization’s duty of care, and help limit legal exposure by accurately tracing the source and scope of any breach.[37]
In addition to savings, ZTA provides insurers with measurable, standardized criteria to assess policyholder risk, enabling more accurate underwriting and pricing.[38] By requiring continuous monitoring, micro-segmentation, and constant and immutable backups insurers gain confidence in an organization’s ability to prevent, detect, and contain breaches which in turn makes it easier for consumers to demonstrate a safer risk posture.[39] This granular risk assessment reduces volatility in the insurance market, as insurers no longer need to increase premiums to account for poorly defended networks.
In sum, ZTA not only strengthens technical defenses but also provides powerful legal and evidentiary tools to mitigate liability in today’s high-risk digital environment.
Difficulties with Adoption of ZTA
Despite the obvious benefits that can be gained by adoption of ZTA, there has been little success with full implementation, with some sources estimating that only 10% of large enterprises will have a mature Zero Trust program in place by 2026.[40]
At its core, the question is one of cost.[41] Both adequate cybersecurity and adequate cybersecurity insurance can present a considerable financial challenge, and it is often the requirements of the insurers themselves that dictate the cybersecurity stance an organization adopts. At present, those requirements range, depending on the policy, from basic steps, such as implementing firewalls and antivirus software, to “continuous monitoring and threat detection capabilities that can identify potential attacks before they cause significant damage.”[42] The issue is that despite these requirements, many organizations still experience breaches, highlighting the limitations of traditional security measures. When those breaches exceed the coverage limit, companies can be liable for large losses which may be especially catastrophic for small and medium sized enterprises.[43] If there is a case to be made that adoption of ZTA could further penalize these companies who would be forced to pay more for security, there is an even more compelling argument that under the current system companies, especially small and medium sized enterprises, are not receiving sufficient coverage. In time rising premiums will ensure that cyber insurance is unobtainable for most who need it, and unprofitable for those who would provide it.
How Insurance Companies Could Implement A ZTA Requirement for Cyber Insurance Policies
The fact that insurers require certain specific technologies to receive certain types of coverage is not controversial. Property insurers commonly require businesses to install and maintain fire suppression systems in accordance with safety codes, while homeowners’ insurance policies often mandate the installation of smoke detectors and specific types of locks on doors and windows. Automotive insurers frequently offer discounts or lower premiums to drivers who install anti-theft devices in their vehicles and may also require drivers to maintain valid licenses and clean driving records. These examples illustrate a common practice in the insurance industry where insurers use their leverage to encourage or require behaviors that reduce the likelihood of a claim, aligning the interests of both the insurer and the insured by minimizing potential losses. At present, insurers do offer discounts to companies that adopt ZTA or similar standards, but this practice is not common enough, nor is it enough of an industry standard to effectively move the needle on ZTA adoption.[44] To truly leverage their unique position, insurers need to not only increase discounts, but to also gradually increase the expectation that companies which wish to be insured adopt a fully mature ZTA posture.
This paper proposes a two-step adoption of ZTA requirements by insurers. First, insurers should leverage premium discounts to incentivize larger enterprises to adopt fully mature ZTA postures with as much alacrity as possible. The money lost through the discounts will be made up for in a reduction of breaches and the mitigation of damages. This market-driven solution would also help to strengthen notions of “reasonable” cybersecurity, as they will directly echo guidance from NIST and CISA, creating an expectation among consumers and enterprises that a company entrusted with sensitive information would have at least some ZTA principles applied, if not all.
The second step of adoption would require balancing the cost implications of zero trust with its benefits for small and medium sized enterprises which may face challenges absorbing the upfront costs, necessitating phased implementation strategies to encourage adoption. Insurers can provide the same financial incentives for compliance as they would for larger entities, but they could do so with set expectations that those organizations will move in time to establish a fully mature ZTA posture. This financial motivation can drive organizations that might otherwise delay or underinvest in security upgrades to prioritize and accelerate their zero trust initiatives. In time the demand for ZTA, combined with defensive technologies powered by AI may additionally create an economy of scale where Cyber Security as a Service (CSaaS) providers can find ways to fill the market need for ZTA solutions at costs which allow SMEs to meet the requirements at reasonable prices.
Insurer-Mandated Zero Trust Architecture: Legal Foundations and Authority
The argument that cybersecurity insurers should require Zero Trust Architecture as a condition of coverage rests on four intersecting bodies of law: the contractual doctrine of conditions precedent as applied in insurance agreements; the existing but fragmented federal cybersecurity regulatory framework; the state insurance regulatory architecture built around the McCarran-Ferguson Act and the NAIC Insurance Data Security Model Law; and the rapidly evolving common law standard of “reasonable cybersecurity” as articulated by courts in data breach litigation. Together, these authorities establish not only that insurer-mandated ZTA requirements are legally permissible, but that the legal infrastructure to support, incentivize, and ultimately normalize such requirements is already largely in place.
The Contractual Basis: Conditions Precedent in Insurance Agreements
The most immediate legal foundation for insurer-mandated ZTA requirements is the well-established doctrine of conditions precedent in insurance contract law. A condition precedent is a contractual term that must be satisfied before an insurer’s duty to provide coverage is triggered.[45] Where a policyholder fails to satisfy a condition precedent, whether or not the provision uses that phrase expressly, the insurer may deny coverage entirely, though in most jurisdictions applying the notice-prejudice rule, the insurer must first demonstrate substantial prejudice from the breach before forfeiture will be enforced with respect to late-notice conditions in occurrence-based policies. This principle is well-settled in American insurance law and forms the doctrinal basis for the security mandates insurers already routinely impose.
The practice of requiring specific security measures as conditions of coverage is neither novel nor legally controversial. Property insurers have long conditioned coverage on the installation of fire suppression systems compliant with applicable underwriting standards; homeowners’ insurers require or incentivize working smoke detectors, typically as a basis for premium reduction; commercial auto insurers condition fleet policies on valid driver licensing and vehicle maintenance standards. In the cyber insurance context, insurers have moved substantially in this direction, requiring policyholders to certify to the presence of multi-factor authentication, endpoint detection and response tools, and ransomware-specific supplemental insurance.
The most theoretically rigorous challenge to this paper’s insurer-mandate proposal comes from Abraham and Schwarcz, who devote specific attention to cyberattacks as a context in which regulatory aspirations for insurance are “over-optimistic.”[46] Drawing on Talesh and Cunningham’s empirical research, they observe that the actual impact of insurer data and technology use on insurer behavior has remained “minimal and is largely symbolic,” and that insurers operating as self-styled compliance managers in the cyber context have generally relied on unconventional, behavioral interventions including coaching, risk-detection scanning services, and training programs that operate outside the underwriting relationship and have failed to produce net-positive effects on loss prevention.[47] These findings, however, describe a market in which those interventions were unconventional by Abraham and Schwarcz’s own taxonomy (operating outside the underwriting relationship and relying on incentive nudges rather than binary coverage conditions). Abraham and Schwarcz themselves acknowledge that coverage restrictions and exclusions represent the category of conventional insurer tools most capable of conveying meaningful loss-prevention information to policyholders, specifically when they lead policyholders to adopt “routinized practices or policies” that reduce loss, and they identify this third pathway as the only one capable of producing a net-positive effect on loss prevention.[48] A requirement that policyholders implement and maintain a NIST SP 800-207 Zero Trust framework as a condition of coverage is precisely this sort of mechanism: a binary, auditable condition that policyholders must satisfy before coverage attaches and maintain to preserve it.
The Federal Regulatory Landscape: Authority, Gaps, and the Insurance Bridge
No comprehensive federal cybersecurity mandate currently governs the private sector as a whole. Federal cybersecurity obligations exist instead in sectoral silos, each administered by a different agency under a different statutory authority, a fragmentation that, as noted above, is itself a driver of inadequate cybersecurity posture and a key reason why private insurance mandates are necessary.
The most relevant federal authority for the insurance-ZTA thesis is the Federal Trade Commission’s Safeguards Rule, promulgated under the Gramm-Leach-Bliley Act.[49] As amended in October 2021 and fully enforceable since June 2023, the Safeguards Rule requires non-bank financial institutions subject to FTC jurisdiction to implement a written information security program incorporating specific technical controls, including multi-factor authentication, encryption of customer data in transit and at rest, ongoing monitoring or testing of safeguard effectiveness, audit logging, and access controls based on the principle of least privilege.[50] These standards are concrete, NIST-aligned controls that overlap substantially with the first three tenets of the NIST SP 800-207 ZTA framework. The Safeguards Rule can theoretically provide both a statutory analogue and a drafting template where insurers can calibrate ZTA compliance requirements to track and exceed existing federal standards, insulating their policy conditions from the criticism that they impose unreasonable or unanticipated burdens.
In July 2023, the Securities and Exchange Commission adopted final rules requiring public companies to disclose material cybersecurity incidents within four business days of determining that a breach is material, and to provide annual disclosures regarding their cybersecurity risk management programs and governance practices.[51] The SEC rules do not mandate any specific security framework, but they effectively raise the cost of inadequate cybersecurity for public companies by making deficiencies publicly visible and potentially material to investors.
HIPAA’s Security Rule, administered by the Department of Health and Human Services, requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI), including access controls, audit controls, and transmission security.[52] The Change Healthcare breach, affecting over 190 million individuals and occurring precisely because a Citrix portal lacked multi-factor authentication, exposed the gap between HIPAA’s required safeguards and ZTA’s comprehensive “assume breach” posture. The OCR has initiated enforcement actions based on failures to implement access controls and audit controls of the kind ZTA requires as baseline.[53] Insurer-mandated ZTA requirements in the healthcare sector could therefore function as private-sector surrogates for a stricter HIPAA security standard that Congress has not yet enacted.
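To make concrete what a “binary, auditable” Zero Trust condition of the kind the Safeguards Rule and HIPAA Security Rule controls gesture toward would look like in operation, here is an added illustration in Python. It is not code from this Article, from NIST SP 800-207, from the FTC or HHS, or from any insurer. It models a NIST SP 800-207-style policy decision point: every request is evaluated individually, MFA, device posture and encrypted transport are required, access is granted only from an explicit least-privilege table, sessions must reauthenticate after a policy-defined age, network location confers no trust on its own, and every decision is written to an audit log an underwriter or regulator could review. The request fields, role grants, session-age threshold and sample requests are assumptions constructed for the illustration.

```python
"""
Illustrative NIST SP 800-207-style per-request access decision (added example).

Not code from the Article, NIST, the FTC, HHS, or any insurer.  Role grants,
request fields, thresholds and sample requests are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed least-privilege policy: each role is explicitly granted
# (resource, action) pairs; anything not listed is denied by default.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "claims_clerk": {("claims_db", "read")},
    "claims_adjuster": {("claims_db", "read"), ("claims_db", "write")},
    "sysadmin": {("portal_config", "read"), ("portal_config", "write")},
}

# Continual reauthentication: assumed policy-defined maximum session age.
MAX_SESSION_AGE_SECONDS = 8 * 3600


@dataclass
class AccessRequest:
    subject: str
    role: str
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool
    transport_encrypted: bool
    session_age_seconds: int
    source_network: str  # "corp" or "internet"; recorded, never trusted


@dataclass
class Decision:
    allowed: bool
    reason: str


# Append-only record of every decision, allow or deny (the "auditable" part).
AUDIT_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Decision:
    """Policy decision point: every request is checked; none is implicitly trusted.

    Note that source_network is deliberately absent from the checks: a request
    from inside the corporate network without MFA is denied exactly like one
    from the internet, which is the 'assume breach' posture in practice.
    """
    checks = [
        (req.mfa_verified, "mfa_not_verified"),
        (req.device_compliant, "device_posture_noncompliant"),
        (req.transport_encrypted, "transport_unencrypted"),
        (req.session_age_seconds <= MAX_SESSION_AGE_SECONDS, "reauthentication_required"),
        ((req.resource, req.action) in POLICY.get(req.role, set()), "not_in_least_privilege_grant"),
    ]
    for passed, reason in checks:
        if not passed:
            return _record(req, Decision(False, reason))
    return _record(req, Decision(True, "policy_match"))


def _record(req: AccessRequest, decision: Decision) -> Decision:
    """Write one audit entry per decision and hand the decision back."""
    AUDIT_LOG.append({
        "subject": req.subject, "role": req.role,
        "resource": req.resource, "action": req.action,
        "source_network": req.source_network,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


def denial_summary() -> Dict[str, int]:
    """Counts of denials by reason: the view an auditor would want."""
    summary: Dict[str, int] = {}
    for entry in AUDIT_LOG:
        if not entry["allowed"]:
            summary[entry["reason"]] = summary.get(entry["reason"], 0) + 1
    return summary


def demo() -> List[Decision]:
    """Run a few constructed requests through the decision point."""
    requests = [
        # Ordinary, fully verified request inside the least-privilege grant.
        AccessRequest("alice", "claims_clerk", "claims_db", "read", True, True, True, 600, "corp"),
        # On the internal network but MFA not verified: denied regardless of location.
        AccessRequest("bob", "claims_clerk", "claims_db", "read", False, True, True, 600, "corp"),
        # Authenticated subject asking for an action its role was never granted.
        AccessRequest("alice", "claims_clerk", "claims_db", "write", True, True, True, 600, "corp"),
        # Privileged session older than policy allows: must reauthenticate.
        AccessRequest("carol", "sysadmin", "portal_config", "write", True, True, True, 9 * 3600, "internet"),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for d in demo():
        print(d)
    print(denial_summary())
```

The design choice worth noticing is that the decision function has no branch on network location at all. That is what distinguishes a Zero Trust policy from the perimeter model the Article contrasts it with, and it is also what makes the condition auditable: an insurer or regulator can read the policy table and the log rather than reason about where a request originated.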
State Insurance Regulatory Authority: McCarran-Ferguson and the NAIC Framework
The business of insurance in the United States is primarily regulated by the states. Under the McCarran-Ferguson Act, state law governs insurance to the extent that Congress has not directly regulated the field, and federal antitrust law does not apply to the business of insurance as regulated by state law.[54] The Supreme Court has construed McCarran-Ferguson’s protection narrowly, limiting its scope to practices that transfer or spread policyholder risk, play an integral role in the insurer-insured relationship, and are limited to entities within the insurance industry.[55] Insurer-mandated security requirements, which directly define the terms of risk transfer between insurer and insured, fall comfortably within this core definition of the “business of insurance.” State insurance commissioners therefore retain primary authority over the terms and conditions of cyber insurance policies, and any industry-wide movement toward ZTA requirements must be structured to comply with state-level filing and approval requirements.[56]
The NAIC Insurance Data Security Model Law, adopted by NAIC in 2017 and enacted in some form in twenty-five states as of early 2025, provides the most directly relevant regulatory framework.[57] The Model Law requires insurers themselves to develop, implement, and maintain a comprehensive written information security program; conduct risk assessments; investigate and report cybersecurity events; and oversee the cybersecurity practices of their third-party service providers.[58] Critically, the Model Law’s risk-assessment and vendor-oversight requirements apply to insurer conduct, not policyholder conduct, a gap this Article’s proposal is designed to address by creating reciprocal security incentives on the policyholder side of the insurance relationship. States that have adopted the Model Law have established regulatory infrastructure, including cybersecurity program review capacity at the state insurance department level, that could be adapted to support verification and auditing of policyholder ZTA compliance.
One final regulatory scheme worth mentioning is New York’s Department of Financial Services cybersecurity regulation, 23 NYCRR Part 500. Enacted in 2017 and substantially amended in 2023, Part 500 provides perhaps the most detailed existing model for translating ZTA principles into enforceable regulatory requirements.[59] The regulation specifically requires covered financial entities, including insurers licensed by DFS, to implement access controls based on least privilege, conduct annual penetration testing and automated vulnerability scanning at frequencies determined by risk assessment, monitor authorized user activity and maintain centralized audit logging, deploy MFA for any individual accessing any information systems (with qualifying small entities required at minimum to apply MFA to remote access and all privileged accounts), and develop third-party service provider security programs.[60]
The Common Law: The Emerging Judicial Standard of Reasonable Cybersecurity
Parallel to the regulatory framework, courts have accelerated the development of a common law negligence standard that rewards organizations implementing recognizable, structured cybersecurity frameworks and penalizes those that fail to do so. This judicial evolution provides the third and perhaps most durable source of legal authority for normalizing ZTA as the industry standard.
The foundational case is Dittman v. UPMC, in which the Supreme Court of Pennsylvania unanimously held that an employer’s affirmative act of collecting and storing employee personal information on an internet-accessible system created a common law duty to exercise reasonable care to protect that data against foreseeable cybercriminal attack.[61] The court rejected the argument that third-party criminal conduct severed the duty, reasoning that UPMC “should have realized that a cybercriminal might take advantage of the vulnerabilities in [its] computer system.”[62] Critically, the plaintiffs alleged specific control failures including inadequate encryption, absent firewalls, and insufficient authentication (protocols that map directly onto the foundational principles of ZTA), with the Pennsylvania Supreme Court accepting this characterization of the risk in sustaining the negligence duty claim.[63]
Dittman is part of a broader judicial trend toward recognizing a tort duty to implement specific, technically concrete cybersecurity controls. In re The Home Depot, Inc. Customer Data Sec. Breach Litig., the Northern District of Georgia permitted negligence claims to proceed based on the defendant’s failure to implement adequate security measures, signaling that common law courts will evaluate specific control choices in assessing the “reasonableness” of an organization’s security posture.[64] The Center for Internet Security has observed that this judicial trend creates both risk and opportunity: organizations without a structured, standards-based cybersecurity framework face escalating liability exposure, while those who can point to compliance with a recognized framework like NIST SP 800-207 possess concrete evidence of due diligence.[65]
The judicial convergence on “reasonable cybersecurity” as an objective, standards-anchored standard is significant for this Article’s insurer-ZTA thesis in two respects. First, it means that insurers who require ZTA compliance as a condition of coverage are not imposing a novel standard but are applying the same standard that courts are independently developing as the benchmark for reasonable care. An insured entity that complies with insurer-mandated ZTA requirements and is subsequently breached will be in a substantially stronger position to defend against negligence claims than one operating under traditional perimeter security, because it can demonstrate comprehensive, layered security measures aligned with NIST, CISA, and (now) judicially recognized standards. Second, as the volume of breach litigation grows and courts more frequently evaluate specific control choices against frameworks like NIST SP 800-207, the judicial “reasonable cybersecurity” standard may itself pull toward ZTA as the baseline expectation, creating a feedback loop in which insurer mandates, regulatory guidance, and judicial precedent mutually reinforce the normalization of Zero Trust as the minimum acceptable security posture for organizations entrusted with sensitive data.
Conclusion
The growth of the mechanisms by which threat actors can prey on enterprises needs to be met with a concerted effort to enhance cybersecurity postures across the board. Unfortunately, government regulators lack the power to require these changes, and many enterprises are unwilling to expend capital to equip themselves with the tools to thwart or minimize attacks. Insurance companies are in a unique position where they can move the needle to incentivize and then require the adoption of Zero Trust Architecture as a condition for cybersecurity insurance. Doing so is a clear business imperative, as it will allow insurers to better manage risk while ensuring that policyholders can afford the reasonable premiums required for a stable cyber insurance market. While challenges to implementation exist, they can and should be addressed through phased implementation and incentives because, as cyberattacks escalate, integrating Zero Trust into insurance frameworks is a critical step toward a more secure digital future.
[1] Check Point Team, A Closer Look at Q3 2024: 75% Surge in Cyber Attacks Worldwide, Check Point Blog (Oct. 18, 2024), https://blog.checkpoint.com/research/a-closer-look-at-q3-2024-75-surge-in-cyber-attacks-worldwide/.
[2] Cyber Security Resilience 2024, Allianz Commercial, https://commercial.allianz.com/content/dam/onemarketing/commercial/commercial/reports/cyber-security-trends-2025.pdf (last visited May 10, 2026).
[3] Jacob Fox, Top 40 AI Cybersecurity Statistics, Cobalt (Oct. 10, 2024), https://www.cobalt.io/blog/top-40-ai-cybersecurity-statistics (“40 percent of all phishing emails targeting businesses are now generated by AI.”).
[4] Ben Corll, Why You Should Embrace a Zero Trust Architecture, Cloud Security Alliance (Aug. 28, 2024), https://cloudsecurityalliance.org/articles/building-a-fortress-of-never-trust-always-verify-the-power-of-zero-trust-architecture (“ZTA can lead to 30% fewer security incidents and 40% less severe breaches compared to traditional security models.”).
[5] Diana Elagina, Zero Trust Strategy Adoption Plans Worldwide 2024, Statista (Mar. 2, 2026), https://www.statista.com/statistics/1228254/zero-trust-strategy-adoption-plans-worldwide/ (“In 2024, over 30 percent of respondents from a global survey reported having already implemented a zero trust strategy, while 27 percent were planning to implement it within the next six months.”).
[6] Internet Crime Complaint Ctr., 2024 Internet Crime Report, Fed. Bureau of Investigation, https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf (last visited May 10, 2026).
[7] Clare Stouffer, What Is a Script Kiddie? Definition +Examples, Norton (June 22, 2023), https://us.norton.com/blog/emerging-threats/script-kiddie.
[8] It should be noted that the role played by government in cybersecurity is beyond the scope of this article; it is an area of great importance and scholarly debate. See, e.g., James R. Langevin et al., CSIS Comm’n on Cybersecurity for the 44th Presidency (“This is a strategic issue on par with weapons of mass destruction . . . where the federal government bears primary responsibility”); Nathan Alexander Sales, Privatizing Cybersecurity, 65 UCLA L. Rev. 620 (2018) (“Private entities are not just good, in absolute terms, at discovering vulnerabilities. They are often better than the government”); Michael Chertoff, The Cybersecurity Challenge, 2 Regul. & Governance 480, 480 (2008) (“Securing cyberspace will require an unprecedented series of partnerships among the public and private sectors, owners and operators of cyber infrastructure, businesses, and even individual users.”).
[9] The Growth and Challenges of Cyber Insurance, Federal Reserve Bank of Chicago (2019), https://www.chicagofed.org/~/media/publications/chicago-fed-letter/2019/cfl426-pdf.pdf.
[10] Id.
[11] History of Cyber Insurance, ProWriters Ins. (Nov. 21, 2022), https://prowritersins.com/cyber-insurance-blog/history-cyber-insurance/.
[12] Id.
[13] Zurich American Ins. v. Sony Corp. of America, No. 651982/2011, 2014 WL 3253541 (N.Y. Sup. Ct. Feb. 24, 2014) (offers a clear example of the need for cyber-specific policies. In the wake of a highly publicized 2011 breach of Sony’s PlayStation Network that resulted in unauthorized access to millions of customers’ personal information, the New York Supreme Court found that Zurich American Insurance and Mitsui Sumitomo Insurance Co. of America were not obligated to indemnify Sony under the provisions of their CGL because the policy’s “personal and advertising injury” coverage was limited to intentional acts committed by Sony and not by third parties.).
[14] Daniel Garrie & Michael Mann, Cyber-Security Insurance: Navigating the Landscape of a Growing Field, 31 J. Marshall J. Infor. Tech. & Privacy L. (2014) (“Provisions such as (software/electronic damage exclusion) along with the more general inapplicability of traditional CGL coverage to cyber-security breaches have given rise to a gap in coverage for cyber-risks that is only widening as businesses and individuals increasingly rely on technology.”).
[15] Press Release, Cyber Insurance Market Growing Dramatically, Triple-I Finds, Insurance Information Institute (Feb. 7, 2024), https://www.iii.org/press-release/cyber-insurance-market-growing-dramatically-triple-i-finds-020724.
[16] Report on the Cybersecurity Insurance Market 1, Nat’l Ass’n of Ins. Comm’rs (Nov. 2025), https://content.naic.org/sites/default/files/inline-files/2025_Cybersecurity_Insurance%20Report.pdf.
[17] Cyber Risk Task Force, An Overview of the Global Cyber (Re)Insurance Market 4, Am. Acad. of Actuaries (Aug. 2025), https://actuary.org/wp-content/uploads/2025/08/Toolkit-GlobalCyber-8-25.pdf.
[18] Cyber Insurance Premiums Expected to Soar: Report, Carrier (Aug. 11, 2025), https://www.carriermanagement.com/news/2025/04/11/274106.htm.
[19] Cyber Insurance Market Size, Share, Growth, Trends & Demand Report, Fortune Business Insights, https://www.fortunebusinessinsights.com/cyber-insurance-market-106287 (last updated Apr. 20, 2026).
[20] A Brief History of Ransomware, CrowdStrike (Oct. 8, 2022), https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/history-of-ransomware/.
[21] Marnie Muñoz, Cyber Insurance Premiums Surge by 50% as Ransomware Attacks Increase, Insurance Journal (Jun. 14, 2023), https://www.insurancejournal.com/news/national/2023/06/14/725215.htm.
[22] Cyber Insurance Requirements Changing in 2022, Agile IT (Jun. 21, 2022), https://agileit.com/news/cyber-insurance-requirements-changing-2022/.
[23] Cyber Insurance in the Fight Against Ransomware, Gallagher, https://www.ajg.com/news-and-insights/cyber-insurance-fight-against-ransomware/ (last visited Apr. 28, 2025).
[24] Hyperproof Team, Understanding the Change Healthcare Breach and Its Impact on Security Compliance, Hyperproof, https://hyperproof.io/resource/understanding-the-change-healthcare-breach/ (last updated Feb. 24, 2026).
[25] Id.
[26] American Hospital Association, Reports: Change Healthcare Cyberattack Exposed Data of 190 Million People, AHA News (Jan. 27, 2025), https://www.aha.org/news/headline/2025-01-27-reports-change-healthcare-cyberattack-exposed-data-190-million-people.
[27] B. Copeland, FAIR MAM Analysis: UnitedHealth Hack Disclosures May Significantly Under-report Total Impact, FAIR Institute (May 6, 2024), https://www.fairinstitute.org/blog/fair-analysis-unitedhealth-disclosures.
[28] Examining the Change Healthcare Cyberattack: Hearing Before the Subcomm. on Oversight & Investigations of the H. Comm. on Energy & Commerce, 118th Cong. (May 1, 2024) (oral testimony of Andrew Witty, Chief Exec. Officer, UnitedHealth Grp.), https://energycommerce.house.gov/events/oversight-and-investigations-subcommittee-hearing-examining-the-change-healthcare-cyberattack [hereinafter House E&C Hearing]; accord Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next: Hearing Before the S. Comm. on Finance, 118th Cong. (May 1, 2024) (written statement and oral testimony of Andrew Witty, Chief Exec. Officer, UnitedHealth Grp.), https://www.finance.senate.gov/download/0501-witty-testimony [hereinafter Senate Finance Hearing]. Witty’s admissions regarding self-insurance status and the approximately $300 million annual cybersecurity spend were made in response to direct questioning during both hearings and are not reflected in his prepared written statement; see also Carly Page, Change Healthcare Went Without Cyber Insurance Before Debilitating Ransomware Attack, CSO Online (May 6, 2024), https://www.csoonline.com/article/2098997 (reporting Witty’s oral testimony and subsequent written confirmation by a UnitedHealth spokesperson).
[29] Scott Rose et al., Zero Trust Architecture, NIST Special Publication 800-207, at 4 (2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (“Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”).
[30] Lauren Koppelman, What is the NIST Zero Trust Architecture?, Fortinet, https://www.nextdlp.com/resources/blog/nist-zero-trust-architecture (last visited Apr. 29, 2025).
[31] See Rose et al., supra note 29, at 7 (“Continual monitoring with possible reauthentication and reauthorization occurs throughout user transactions, as defined and enforced by policy (e.g., time-based, new resource requested, resource modification, anomalous subject activity detected) that strives to achieve a balance of security, availability, usability, and cost-efficiency.”).
[32] Cloud Security Alliance, supra note 4.
[33] Forrester Consulting, The Total Economic Impact of Zero Trust Solutions from Microsoft 3 (Dec. 2021) (commissioned by Microsoft), https://www.scribd.com/document/721482031/Microsoft-Zero-Trust-TEI-Study-1.
[34] Brenda Carter, Meet Regulatory and Compliance Requirements with Zero Trust, Microsoft (2024), https://learn.microsoft.com/en-us/security/zero-trust/adopt/meet-regulatory-compliance-requirements.
[35] Id.; see also In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1325–26 (N.D. Ga. 2019) (measuring the duty of care against the proactive controls the defendant failed to maintain, not merely those it had at inception).
[36] See Carter, supra note 34; NAIC Ins. Data Sec. Model Law § 4(D) (Nat’l Ass’n of Ins. Comm’rs 2017), https://content.naic.org/sites/default/files/model-law-668.pdf.
[37] Vinay Mamidi, Navigating Compliance with Zero Trust Security for GDPR, HIPAA, and PCI DSS, Whiteswan Identity Security (Feb. 7, 2024), https://www.whiteswansecurity.com/zero-trust-security-for-compliance/.
[38] Zscaler, Zero Trust and Cyber Insurance 5, https://www.zscaler.com/resources/white-papers/zero-trust-and-cyber-insurance.pdf, (last visited May 1, 2025) (“Zero trust provides an elevated level of hygiene that can help to mitigate these risks even more effectively and improve underwriting.”).
[39] Id. at 23.
[40] Press Release, Gartner Predicts 10% of Large Enterprises Will Have a Mature and Measurable Zero-Trust Program in Place by 2026, Gartner (Jan. 23, 2023), https://www.gartner.com/en/newsroom/press-releases/2023-01-23-gartner-predicts-10-percent-of-large-enterprises-will-have-a-mature-and-measurable-zero-trust-program-in-place-b.
[41] See Garrie & Mann, supra note 14, at 385 (“One of the difficulties associated with the high costs of cybersecurity insurance is that it can put companies in a position where they will have to choose between spending money on cyber-security insurance or investing in technology that will improve their cyber-security.”).
[42] Tom Glover, Cyber Insurance in 2025: Why “Good Enough” Is No Longer Good Enough, Responsive Tech. Partners (Jan. 27, 2025), https://www.responsivetechnologypartners.com/2025/01/27/cyber-insurance-in-2025-why-good-enough-is-no-longer-good-enough/.
[43] Cowbell Cyber Finds Small-to-Medium-Sized Enterprises (SMEs) More Likely to Adopt Cyber Insurance, Cowbell Cyber (June 18, 2020), https://cowbell.insure/news-events/pr/cowbell-cyber-finds-small-to-medium-sized-enterprises-smes-more-likely-to-adopt-cyber-insurance/ (“71 percent of SMEs have a cyber coverage limit lower than $1M and lower than total past or estimated future losses and expenses related to a cyberattack.”).
[44] Marianne Kolbasuk McGee, Cyber Insurance: Want a Discount?, InfoRiskToday (Feb. 24, 2016), https://www.inforisktoday.com/cyber-insurance-want-discount-a-8892 (detailing how “Allied World U.S., a unit of Allied World Assurance Co., is offering premium discounts of up to 30% to those healthcare organizations that are certified – or at least have been assessed and scored favorably – as meeting the requirements of the Healthcare Information Trust Alliance’s Common Security Framework, or CSF”, a framework similar to ZTA.).
[45] Restatement (Second) of Contracts § 224 (Am. L. Inst. 1981).
[46] Kenneth S. Abraham & Daniel Schwarcz, The Limits of Regulation by Insurance, 98 Ind. L.J. 215, 217 (2022).
[47] Id. at 231–32; Shauhin Talesh & Bryan Cunningham, The Technologization of Insurance: An Empirical Analysis of Big Data and Artificial Intelligence’s Impact on Cybersecurity and Privacy, 5 Utah L. Rev. 967, 975 (2021).
[48] Abraham & Schwarcz, supra note 46, at 249–50.
[49] Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801–6809 (2018); Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. pt. 314 (2023).
[50] Standards for Safeguarding Customer Information, 16 C.F.R. § 314.4 (2023).
[51] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51,896 (Aug. 4, 2023) (codified at 17 C.F.R. pts. 229, 232, 239, 240, 249).
[52] Security Standards for the Protection of Electronic Protected Health Information (Security Rule), 45 C.F.R. pt. 164, subpt. C (2024) (requiring covered entities and business associates to implement, among other things, access controls (§ 164.312(a)(1)), audit controls (§ 164.312(b)), and transmission security measures (§ 164.312(e)(1)) for systems handling ePHI).
[53] See, e.g., U.S. Dep’t of Health & Hum. Servs., Office for Civil Rights, Resolution Agreement: Lafourche Medical Group, LLC (Dec. 7, 2023), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lafourche-medical-group/index.html (resolving a $480,000 settlement and corrective action plan following a phishing breach in which OCR found the covered entity had failed to conduct a required risk analysis under § 164.308(a)(1)(ii)(A) and had not implemented procedures for regularly reviewing information system activity under § 164.308(a)(1)(ii)(D)).
[54] McCarran-Ferguson Act § 2(a), 15 U.S.C. § 1012(a) (2018) (“The business of insurance, and every person engaged therein, shall be subject to the laws of the several States which relate to the regulation or taxation of such business.”).
[55] SEC v. Nat’l Sec., Inc., 393 U.S. 453, 460 (1969) (explaining that McCarran-Ferguson “did not purport to make the States supreme in regulating all the activities of insurance companies,” but rather reserved to state law those activities constituting the “business of insurance”); see also Union Labor Life Ins. Co. v. Pireno, 458 U.S. 119, 129 (1982) (establishing the tripartite test for what constitutes the “business of insurance” under McCarran-Ferguson).
[56] Id.
[57] Nat’l Ass’n of Ins. Comm’rs, Insurance Data Security Model Law (Model #668) (2017); see also NAIC, Insurance Data Security Model Law State Page (Model #668) (Summer 2025 ed.), https://content.naic.org/sites/default/files/model-law-state-page-668.pdf (reflecting twenty-five full or partial state adoptions, including Alabama, Connecticut, Delaware, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Virginia, and Wisconsin).
[58] NAIC Model Law, supra note 57, § 4 (requiring a written information security program, risk assessment, and vendor oversight as elements of a compliant insurer cybersecurity posture).
[59] 23 N.Y.C.R.R. pt. 500 (as amended Nov. 1, 2023), https://www.dfs.ny.gov/industry_guidance/cybersecurity.
[60] Id. §§ 500.5, 500.7, 500.12, 500.14 (requiring penetration testing and vulnerability management, access controls, MFA, and monitoring and training respectively).
[61] Dittman v. UPMC, 196 A.3d 1036, 1047 (Pa. 2018) (“In collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”).
[62] Id. at 1048.
[63] Id. at 1039–40 (recounting employees’ allegation that UPMC stored their information “without the use of adequate security measures, including proper encryption, adequate firewalls, or adequate authentication protocols”); see also id. at 1048 (court crediting the adequacy of the risk allegation in sustaining the duty).
[64] In re The Home Depot, Inc. Customer Data Sec. Breach Litig., 2016 WL 2897520, at *7–9 (N.D. Ga. May 17, 2016) (allowing negligence claims to proceed where plaintiffs alleged that Home Depot failed to implement basic security controls despite known risks).
[65] Reasonable Cybersecurity, Ctr. for Internet Sec., https://www.cisecurity.org/topics/reasonable-cybersecurity (last visited Mar. 27, 2026) (“Without a model of what [the] standard of care entails, judges can only rely on their own subjective understanding of cybersecurity, however limited, to rule on each claim. They can’t ground their rulings in an established definition of reasonable cybersecurity from a trusted source.”).