Regulations are reshaping how organizations identify, measure, and mitigate cyber risk, pushing leaders beyond check-box compliance exercises and toward an environment where they can observe meaningful security outcomes.
That was the consensus on this week’s Women In Cyber episode, where host Caitlin Harris spoke with Sezaneh Seymour, VP & Head of Regulatory Risk and Policy at Coalition, and Courtney Maugé, SVP & Cyber Practice Leader at NFP Insurance.
Compliance Does Not Equal Security
Seymour cautioned that disclosure mandates and incident response paperwork, while necessary, are not sufficient on their own.
“Compliance is not the same thing as security,” she said, before urging firms to formalize who owns security decisions, embed those leaders across procurement and market-expansion planning, and document not just that they complied—but how they complied.
The pair also cautioned against conflating security (technical controls, access, encryption) with privacy (collection limits, user transparency, lawful use), warning that mistakes in one domain can quickly cascade into the other.
Insurance Market Signals: Proactive or Price-Punished
From the underwriting side, Maugé said rising regulatory expectations have flipped buyer behavior. The policy can no longer be “the plan”; insurers now scrutinize whether clients quantify exposure, plan for scenarios, and demonstrate controls—and organizations that can’t do so face higher premiums, lower limits, or exclusions.
Top misconception: “We don’t need cyber insurance because our data is in the cloud.” Maugé stressed that policies backstop the balance sheet when defenses fail—and that vendor and third-party exposure is often underestimated, particularly when it comes to using cloud providers.
The Biggest Blind Spot
Both guests flagged third-party risk as the most common gap that they come across. To close that gap, Maugé called for real-time vendor monitoring, standardized onboarding checklists, and mandatory incident transparency, while Seymour encouraged organizations to “have your receipts in order.” In other words, tier critical suppliers, demand proof (certifications, attestations), and keep auditable records of risk decisions.
Geopolitics And Data Localization
Seymour highlighted growing geopolitical pressure: more state and non-state actors probing for leverage, and a rise in supply-chain compromises with cross-border ripple effects.
On data localization, Seymour warned that the push to keep data within certain regions is nudging firms from cloud to on-prem—even though insurer data suggests cloud is generally lower risk—creating a privacy–security trade-off leaders must manage carefully.
The Human Factor: Shifting The Burden And Providing Resources
Training matters, but Seymour argued that the industry leans too heavily on end users to spot threats. Her research indicates that ~85% of critical issues that Coalition flags to policyholders stem from insecure configurations—choices often shaped by vendor defaults. Pushing secure-by-default design “upstream” could materially reduce ecosystem risk, she explained.
Both Seymour and Maugé pointed to progress in the accessibility of cybersecurity resources, including US federal funding for state and local programs (e.g., SLCGP) and university-backed cyber clinics. Insurers also bundle training and tools that many customers underuse—resources that can improve resilience without new spend.
The Bottom Line
Throughout the conversation, the pair shared their top tips for how business leaders can keep up with cyber regulation without overwhelming their teams.
- Make security a business function. Define authority, accountability, and cross-functional touchpoints (legal, procurement, expansion).
- Operationalize third-party risk. Tier vendors, require evidence, monitor continuously, and log decisions for audit/enforcement.
- Test, then test again. Run incident tabletop exercises quarterly or biannually with CISOs, legal, and business owners at the table.
- Quantify the knowns, model the unknowns. Put dollars on downtime, contractual liability, and regulatory exposure; use quant tools for ransomware and tail risk.
- Align with the board. Communicate risk in business terms; keep directors engaged as regulations evolve.
- Favor secure defaults. Push vendors toward secure-by-default configs to reduce reliance on end-user vigilance alone.