By Steve Doyle, Chief Information Officer, Zywave
Full disclosure: I wasn’t at Gotham Hall on June 11. Prior family commitments had the calendar first, and I keep the commitments I make. Especially family commitments.
The 13th annual Zywave Cyber Risk Awards, the one the industry has taken to calling “Cyber Prom,” went off without me. About 450 cyber insurance professionals dressed in their best formal attire, filled one of New York City’s most storied event spaces, and celebrated 20 categories of winners voted on by their own peers. I followed the recap from the comfort of my inbox, living vicariously through photos of colleagues who were in attendance, and who just might have been having more fun at that moment than I was.
I’m not complaining. The people who go to Cyber Prom are the right people for Cyber Prom. Brokers who’ve worked claims at 2 a.m., underwriters who can spot a weak risk profile through an application, and cyber professionals who’ve sat in the war room when things go sideways (I feel for you!). These professionals have earned a night to celebrate.
One thing that struck me as I read through the list of winners: every individual and company we honored this year operates from the same starting assumption, and it’s something we’ve all said time and again. A breach isn’t hypothetical. It’s on a clock. The only real variable is how prepared you are when it arrives.
The “Not If, But When” Reality of Risk
This isn’t just a story headline or a feature snippet from the people in roles like mine… It’s the reality of what’s happening in the industry. According to the 2025 IBM Cost of a Data Breach Report, US companies experienced the highest average breach cost in the world for the 15th year running, estimated at $10.22 million per incident, 40% higher than any other country. This hefty cost isn’t because attackers have suddenly grown more sophisticated, but because the attack surface keeps expanding alongside the data we all hold.
AI is changing the math, and this is where sophistication becomes an interesting variable. The truth is that AI is already lowering the barrier to entry for attackers, accelerating the pace of phishing campaigns, and enabling faster reconnaissance against targets. The “when” in “not if, but when” has always been a moving target, but we must recognize that AI is moving it even faster, compressing those critical timelines. Organizations that were comfortable with their preparedness a year ago should be asking themselves whether that posture still holds.
For our customers and colleagues in the cyber insurance community specifically: this applies to you as well. Brokers and carriers sit on concentrations of sensitive data, including policyholder information, financials, and claims histories, all of which makes them attractive targets.
The professionals honored last week understand that dynamic better than most. They don’t just advise clients on cyber risk; they operate inside it. What tends to separate organizations that come through incidents reasonably intact from those that don’t isn’t luck or budget; it’s preparation (but with extra credit for luck and budget).
What Smart Risk Preparation Looks Like: 6 Practical Tips
I’m fortunate to lead a technology organization with a dedicated information security team. They carry a lot of the operational weight here. Many of our customers don’t have that same bench. But what I’ve come to believe, after 30 years in this space, is that the fundamentals hold true regardless of org size. You don’t need a full security department to make sensible decisions about risk; you just need to make them intentionally and consistently.
Here’s some practical advice to help guide your risk preparedness measures:
- Know your plan before you need it. Whether it’s a full incident response runbook or a one-page decision tree, having something written down, with defined roles and a clear escalation path, beats improvising. Keep it somewhere you can reach it even if your systems aren’t cooperating.
- Line up your outside help in advance. Forensics support, legal counsel, crisis communications: the time to identify those relationships is when nothing is wrong. You don’t want to be making introductory calls during an incident.
- Practice with the whole leadership team. Cyber incidents aren’t just a technology problem. Legal, finance, communications, and the CEO all have decisions to make. Running through a scenario together, even a simple tabletop, surfaces gaps and builds confidence before the pressure is real. One caveat: many teams limit their tabletop exercises to the technical staff, but that leaves out the people who end up making the hardest calls. Executive leadership participation is critical. If coordinating a single session across both groups is tough, consider running two, one for the technical teams and one for the executives. The first time your CFO weighs in on a ransom question should not be when a crisis is actively occurring.
- Draft your communications before you need them. Employee messaging, customer notifications, and regulatory language are hard to write clearly when you’re in the middle of something. Rough drafts, reviewed and approved in advance, are worth far more than starting from a blank page under pressure.
- Know where your data lives. This sounds obvious, but it’s easy to lose track of, especially as vendor relationships and cloud usage grow. Your exposure includes anywhere your data sits, not just the systems you manage directly.
- Treat access controls as a starting point, not a finish line. I follow the infosec space as closely as you do, and we all know that a huge percentage of breaches start with a compromised credential, not a sophisticated attack. Don’t become a statistic. Multi-factor authentication is table stakes, and passkeys are better still, since there’s no shared secret for an attacker to phish or steal. Access should not be set-and-forget: know who can reach what and revoke it the moment someone no longer needs it.
Don’t take my word for it: everything I mentioned, and more, is referenced in this new Ransomware Preparedness publication from the National Institute of Standards and Technology (NIST).
None of these steps requires a large security team to act on. They require intention and follow-through, and the awareness that the bar keeps moving. As I said earlier, AI is handing attackers cheaper and faster tools by the month, so if you thought you were in a good place a year ago, that is exactly the reason to revisit it now.
What the People We Honored Have in Common
Looking at this year’s Cyber Prom winners, from Cyber Underwriting Team of the Year to Incident Response Firm of the Year and across the brokers, claims professionals, and counsel in between, a common thread runs through all of them. They don’t work in cyber insurance hoping incidents won’t happen. They prepare as though they will.
That’s the takeaway I carry from Cyber Prom, even secondhand. Cyber readiness has moved well beyond the IT department. It shows up in how organizations structure vendor relationships, how frequently leadership teams run through scenarios, and how clearly the board understands the organization’s actual risk posture. The honorees this year embody that kind of institutional discipline. The rest of us are working toward it, at whatever scale we’re operating.
A Close and an Invitation
Congratulations to every individual and organization recognized at the 13th annual Cyber Risk Awards. The work you do helping clients understand, quantify, and manage cyber risk matters.
At Zywave, we remain committed to the security of the platforms our clients depend on and to being a useful voice in conversations like this one.
If you want to continue the conversation in person, mark your calendar for Cyber Risk Insights New York City on Thursday, October 29, 2026. It’s a good room — full of people who think about this for a living.
