Residual Risk Is Why Insurance Exists

Security reduces risk. It never eliminates it. The gap between what controls can achieve and what remains is residual risk — the entire reason cyber insurance exists. And it is the most under-discussed concept in the industry.

There is a concept that sits at the exact intersection of cybersecurity and insurance. It explains why the two disciplines need each other, why their practitioners talk past each other, and why the cyber insurance market is simultaneously growing and struggling.

That concept is residual risk — the risk that remains after all controls are applied.

It is, by definition, the reason insurance exists. And it’s the least discussed concept in either field.

The Risk Reduction Illusion

Security teams live in the reduction business. Every control, every policy, every tool is designed to reduce risk:

  • Firewalls reduce the attack surface
  • MFA reduces the probability of credential-based intrusion
  • EDR reduces dwell time after compromise
  • Backup reduces the impact of ransomware

Collectively, these controls reduce what security professionals call inherent risk — the total risk exposure before any mitigation. The result is residual risk — what’s left.

The formula is simple:

Residual Risk = Inherent Risk − Risk Reduction from Controls

In FAIR terms the reduction is applied to two factors separately rather than as a single subtraction: some controls lower the frequency of loss events (MFA, EDR), others lower the magnitude of each event (backups, incident response). That is why the worked example below applies one percentage to frequency and a different one to magnitude.

But here’s what security professionals don’t always acknowledge, and what underwriters know implicitly: residual risk is never zero.

No combination of controls eliminates all risk. There is always a gap between full protection and what’s achievable. That gap — the irreducible remainder — is where insurance operates.

Why Security and Insurance Talk Past Each Other

The communication failure between security teams and underwriters is fundamentally a disagreement about residual risk:

  Perspective | Security team                           | Underwriter
  Focus       | Risk reduction                          | Risk transfer
  Question    | How much can we reduce?                 | What remains after reduction?
  Metric      | Controls implemented, threats blocked   | Loss expectation, value at risk (VaR)
  Assumption  | More controls = less risk               | More controls = lower residual risk, but never zero
  Language    | Threats, vulnerabilities, controls      | Premium, deductible, exposure, limit

Security teams present controls as evidence that risk is managed. Underwriters hear that and ask: “Managed, yes. But what’s left?” The security team says “we have MFA, EDR, and SIEM.” The underwriter translates that into loss event frequency (LEF, the FAIR term for how many loss events to expect per year): “those controls reduce LEF by approximately 30–60%, depending on implementation quality,” and then calculates the exposure that remains.

Neither side is wrong. They’re looking at the same risk from opposite ends of the equation.

The Quantification Problem

The core issue is that most organizations can’t quantify their residual risk. They know their controls. They know their inherent risk (roughly). But they can’t express the difference in financial terms.

Here’s what that looks like in practice:

Scenario: A 500-employee manufacturing company asks: “How much cyber risk do we actually carry after our controls?”

Typical answer: “We’ve implemented NIST CSF, have SOC 2 Type II, and use managed detection and response. We’re well-protected.”

Useful answer: “Our inherent risk from ransomware is a loss event frequency (LEF) of 0.20–1.00 events per year with a loss magnitude of €200K–€5M per event. Our controls (MFA, EDR, offline backups, incident response plan) reduce LEF by approximately 60% and loss magnitude by 40%. Residual LEF: 0.08–0.40 events per year. Residual loss magnitude: €120K–€3M per event. Annualized residual risk exposure at VaR 95 (the 95th-percentile annual loss): €870K.”

The second answer tells an underwriter something they can use. The first tells them nothing.

FAIR (Factor Analysis of Information Risk) quantification makes residual risk visible. Without it, you’re negotiating premium and deductible in the dark.
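As an added illustration (not the author’s model or any tooling from this site), the script below carries the “useful answer” through numerically with a FAIR-style Monte Carlo: calibrated PERT ranges for inherent LEF and loss magnitude, proportional control reductions applied to each factor, and the ALE and VaR 95 of the simulated annual loss, standard library only. The most-likely values, the 60%/40% control effects, the trial count and the seed are assumptions; the figures it prints follow from those assumptions and are not the €870K quoted above.

```python
"""FAIR-style residual risk estimate by Monte Carlo (added example, stdlib only)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range: minimum, most likely, maximum (PERT parameters)."""
    low: float
    mode: float
    high: float

    def scaled(self, factor: float) -> "Estimate":
        """Apply a proportional control effect (factor 0.4 means a 60% reduction)."""
        return Estimate(self.low * factor, self.mode * factor, self.high * factor)


def sample_pert(rng: random.Random, est: Estimate, lam: float = 4.0) -> float:
    """Draw from a PERT distribution, the usual shape for FAIR calibrated ranges."""
    if est.high == est.low:
        return est.low
    span = est.high - est.low
    alpha = 1.0 + lam * (est.mode - est.low) / span
    beta = 1.0 + lam * (est.high - est.mode) / span
    return est.low + rng.betavariate(alpha, beta) * span


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for a given frequency (Knuth's method)."""
    limit, events, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return events
        events += 1


def simulate_annual_losses(lef: Estimate, magnitude: Estimate, years: int, seed: int) -> list:
    """One simulated year per trial: draw a frequency, draw that many event losses, sum them."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n_events = sample_poisson(rng, sample_pert(rng, lef))
        losses.append(sum(sample_pert(rng, magnitude) for _ in range(n_events)))
    return losses


def summarize(losses: list) -> dict:
    """ALE is the mean annual loss; VaR 95 is the 95th percentile of annual loss."""
    ordered = sorted(losses)
    return {
        "ALE": sum(ordered) / len(ordered),
        "VaR95": ordered[int(0.95 * (len(ordered) - 1))],
    }


def residual_risk(lef: Estimate, magnitude: Estimate, lef_reduction: float,
                  magnitude_reduction: float, years: int = 20000, seed: int = 7) -> dict:
    """Inherent vs residual exposure after applying control effects to each FAIR factor."""
    residual_lef = lef.scaled(1.0 - lef_reduction)
    residual_magnitude = magnitude.scaled(1.0 - magnitude_reduction)
    return {
        "inherent": summarize(simulate_annual_losses(lef, magnitude, years, seed)),
        "residual": summarize(simulate_annual_losses(residual_lef, residual_magnitude, years, seed)),
        "residual_lef": residual_lef,
        "residual_magnitude": residual_magnitude,
    }


# Assumed inputs: the text's ranges, with the midpoint taken as the most likely value.
RANSOMWARE_LEF = Estimate(0.20, 0.60, 1.00)            # loss events per year
RANSOMWARE_MAGNITUDE = Estimate(200_000, 2_600_000, 5_000_000)  # euros per event

if __name__ == "__main__":
    result = residual_risk(RANSOMWARE_LEF, RANSOMWARE_MAGNITUDE, 0.60, 0.40)
    for label in ("inherent", "residual"):
        print(f"{label:9s} ALE €{result[label]['ALE']:,.0f}  VaR95 €{result[label]['VaR95']:,.0f}")
```

The ALE is what premium is proportional to; VaR 95 is the tail figure a limit or sublimit is set against. Swap in your own calibrated ranges and control estimates, and the same script gives the residual number an underwriter can actually price.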

Residual Risk as an Underwriting Input

For underwriters, residual risk is the actual insurable quantity. Here’s how it maps to policy terms:

  Policy element | Residual risk connection
  Premium        | Proportional to the annualized loss expectation (ALE) of the residual risk
  Deductible     | Calibrated to absorb the low-severity residual events the insured should retain
  Sublimits      | Applied where residual risk is concentrated (e.g., supply chain, AI)
  Exclusions     | Applied where residual risk is unquantifiable or unbounded (e.g., war, intentional acts)

Every pricing decision an underwriter makes is implicitly a decision about residual risk. The question is whether that decision is informed by quantified analysis or by qualitative judgment.

When residual risk is quantified:

  • Dynamic pricing models can replace flat premiums with risk-adjusted rates that reflect actual exposure
  • AI risk loading of 10-15% can be replaced with risk-specific sublimits tied to modelled AI exposure
  • The underwriting visibility gap narrows — because quantified residual risk provides the data point that application forms miss

The NIS2 and DORA Connection

Regulatory frameworks are increasingly requiring organizations to acknowledge and manage residual risk — even if they don’t use that term.

  • NIS2 Article 21 requires “appropriate and proportionate” security measures. Proportionality implies a risk-based approach: more risk → more measures. But the regulation also implicitly acknowledges that measures have limits. Article 20 makes management bodies responsible for approving and overseeing those measures, and liable for failing that duty, not for failing to eliminate risk. The standard is reasonableness, not perfection.

  • DORA Article 6(8) requires financial entities to establish a “risk tolerance level for ICT risk” as part of their ICT risk management framework. A risk tolerance is, in plain language, a statement of acceptable residual risk, the level at which an organization says “we accept this remaining exposure.”

  • GDPR Article 32 requires “appropriate technical and organisational measures” considering “the risk.” Not eliminating the risk. Managing it to an acceptable level — which means acknowledging what remains.

The regulatory trajectory is toward explicit residual risk management. Organizations that can quantify it will be better positioned for compliance, for insurance placement, and for board-level risk conversations.

Closing the Loop

Residual risk connects security and insurance in a feedback loop:

  1. Security reduces inherent risk through controls → produces residual risk
  2. Insurance transfers residual risk via premium and deductible → financial protection for what remains
  3. Claims data feeds back to recalibrate residual risk estimates → improved quantification
  4. Improved quantification enables better security investment decisions → more efficient risk reduction

When this loop operates, both functions improve. Security teams invest in controls that reduce the highest-LEF, highest-magnitude risks. Underwriters price based on measured residual exposure rather than industry averages.

When it doesn’t operate — when security and insurance work in isolation — both functions deteriorate. Security teams over-invest in low-impact controls. Underwriters over-price for unquantified uncertainty. The market becomes less efficient, and the organizations that need coverage most struggle to get it.

The Takeaway

Next time you’re evaluating a cyber risk — as a security professional or an underwriter — ask three questions:

  1. What is the inherent risk? (Before controls)
  2. How much do controls reduce it? (Quantified, not assumed)
  3. What remains? (Residual risk — the part that matters)

If you can answer question 3 in euros, you have something both security and insurance can work with. If you can’t, you’re both guessing.

That’s what the risk register is for — making residual risk visible, quantified, and actionable. Not as an audit artifact, but as the fundamental input to every risk decision an organization makes.

Insurance doesn’t exist to cover inherent risk. That’s what security is for. Insurance exists to cover what’s left.


Michael Guiao is the Founder of Resiliently.ai and the author of Resiliently. He holds CISM, CCSP, CISA, and DPO (TÜV) certifications and has 8+ years of experience across insurance, auditing, and consulting at firms including AXA, Xella Group, and PwC.
