Cyber liability insurers are no longer passive observers of their policyholders’ security posture. Over the past several renewal cycles, underwriting questionnaires have grown more detailed, technical, and uncompromising. Controls that were once “best practice” are now table stakes. Among them, one theme stands out clearly: traditional VPN-based remote access is no longer enough.
In fact, it is becoming a liability.
The underwriting shift: from perimeter trust to zero trust
Cyber insurers increasingly align their expectations with CISA Zero Trust guidance and modern security frameworks. Multiple industry advisories now explicitly call out Zero Trust Network Access (ZTNA) and tightly controlled remote access architectures as preferred controls.
Advisory sources such as Allcovered and Zero Networks highlight that insurers look for:
- Secure remote access that does not expose the internal network
- Least-privilege access controls
- Strong network segmentation
- Controls that limit lateral movement after compromise
These are not cosmetic checkboxes. They directly address the most common breach paths seen in claims: compromised credentials, exposed VPN gateways, and attackers moving laterally once inside the network.
The uncomfortable truth is that legacy VPN architectures were never designed for today’s threat landscape.
The VPN problem insurers can no longer ignore
Traditional VPNs extend the corporate network to the user. Once authenticated, users often gain broad network-level access. Even with VLANs and firewall rules, many environments still allow more access than necessary for a given role.
From an underwriting perspective, this creates several problems:
Overexposed internal resources
A VPN frequently grants network-level access rather than application-specific access. If credentials are stolen, attackers inherit that same reach.
Lateral movement risk
Flat or semi-flat networks allow adversaries to pivot. Ransomware operators depend on this. Insurers know it. Claims data reflects it.
Publicly exposed VPN gateways
VPN appliances remain a high-value target. Exploitable vulnerabilities and credential stuffing attacks continue to drive incidents.
Inconsistent policy enforcement
Access policies tied to network location are inherently weaker than identity- and context-driven controls.
Insurers are reacting accordingly. Renewal questionnaires now routinely ask:
- Is MFA enforced on remote access?
- Is remote access segmented from the internal network?
- Is access restricted by role?
- Is Zero Trust architecture implemented?
These questions are no longer theoretical. They influence premiums, deductibles, and in some cases, claim outcomes.
ZTNA as a measurable underwriting control
ZTNA fundamentally changes the access model. Instead of extending the network to the user, it connects the user to a specific application, based on identity and policy. There is no implicit trust based on network presence.
From an insurance perspective, ZTNA delivers several tangible underwriting advantages:
- Secure remote access without broad network exposure
- Least-privilege, application-level access
- Built-in segmentation by design
- Reduced lateral movement potential
- Centralized policy enforcement
This architecture aligns directly with the controls insurers scrutinize most.
Remote WorkForce ZTNA, for example, is purpose-built around these principles: secure remote access, tightly scoped permissions, segmentation by default, and architecture that minimizes exposed attack surface. These are not marketing claims; they map directly to underwriting requirements.
The market signal: discounts for Zero Trust
The strongest proof that insurers are taking Zero Trust seriously is not in guidance documents. It is in formal partnerships.
Cloudflare, which offers Cloudflare Access (a ZTNA product), has established documented partnerships with cyber insurers. Eligible customers using Cloudflare’s security suite, including ZTNA, can qualify for premium discounts or enhanced coverage through insurers such as At-Bay, Coalition, and Cowbell Cyber.
This is a concrete market signal: implement Zero Trust, reduce risk, and insurers respond with financial incentives.
It is difficult to imagine similar premium incentives being tied to traditional VPN deployments.
From checkbox compliance to architectural resilience
Cyber insurers are tightening underwriting because claim frequency and severity demand it. They are no longer satisfied with statements like “We use a VPN.” They want to know:
- How is access scoped?
- How is lateral movement prevented?
- How is policy enforced?
- How quickly can a breach be contained?
ZTNA answers those questions at the architectural level.
When access is application-specific and identity-driven, a compromised account does not automatically become a network-wide incident. When segmentation is built in rather than bolted on, containment is faster and more predictable. That changes the risk profile in ways underwriters can understand and quantify.
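The following is an added illustration, not code from the page or from any vendor it names: a constructed environment in which the same stolen credential is evaluated under a subnet-scoped VPN grant and under an identity- and context-scoped ZTNA policy, so the difference in reachable hosts (the "blast radius" an underwriter cares about) can be counted. Host names, subnets, roles and policy rules are all assumed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample environment (assumed, not from the page).
HOSTS = {
    "hr-app":     {"subnet": "10.10.1.0/24", "port": 443},
    "payroll-db": {"subnet": "10.10.1.0/24", "port": 5432},
    "file-srv":   {"subnet": "10.10.2.0/24", "port": 445},
    "dc01":       {"subnet": "10.10.2.0/24", "port": 389},
    "build-srv":  {"subnet": "10.10.3.0/24", "port": 22},
}

@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    mfa: bool             # did the session complete MFA?
    device_managed: bool  # is the client a managed, posture-checked device?

# VPN model: MFA is enforced at login, but once connected the client is on the
# network and authorization is expressed per subnet, not per application.
VPN_SUBNET_RULES = {
    "hr":  {"10.10.1.0/24", "10.10.2.0/24"},
    "dev": {"10.10.2.0/24", "10.10.3.0/24"},
}

def vpn_reach(ident: Identity) -> set[str]:
    """Hosts a VPN session for this identity can reach at the network layer."""
    if not ident.mfa:
        return set()
    allowed = VPN_SUBNET_RULES.get(ident.role, set())
    return {h for h, meta in HOSTS.items() if meta["subnet"] in allowed}

# ZTNA model: policy names applications and conditions access on identity
# and session context; nothing is implied by being "on the network".
ZTNA_POLICY = [
    {"app": "hr-app",    "roles": {"hr"},  "require_mfa": True, "require_managed": False},
    {"app": "build-srv", "roles": {"dev"}, "require_mfa": True, "require_managed": True},
]

def ztna_reach(ident: Identity) -> set[str]:
    """Applications a ZTNA broker would connect this identity to."""
    granted: set[str] = set()
    for rule in ZTNA_POLICY:
        if ident.role not in rule["roles"]:
            continue
        if rule["require_mfa"] and not ident.mfa:
            continue
        if rule["require_managed"] and not ident.device_managed:
            continue
        granted.add(rule["app"])
    return granted

def blast_radius(ident: Identity) -> dict[str, int]:
    """Count of hosts exposed to a compromised session under each model."""
    return {"vpn": len(vpn_reach(ident)), "ztna": len(ztna_reach(ident))}
```

With a fully phished HR session (password and MFA), the VPN grant exposes every host in two subnets, including the domain controller and file server, while the ZTNA policy exposes only the one application the role actually needs.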
The future of insurability
As insurers begin bundling cyber protection offerings into policies, the direction is clear. Access architecture is no longer just an IT decision. It is an insurability decision.
Organizations that continue to rely solely on perimeter-based VPN access may find themselves facing higher premiums, stricter exclusions, or more invasive underwriting scrutiny.
Those that adopt Zero Trust architectures are better positioned to:
- Meet evolving insurance requirements
- Reduce the likelihood of denied claims
- Demonstrate measurable risk reduction
- Qualify for potential premium incentives
The VPN problem is not just technical debt. It is underwriting exposure.
Cyber insurers can no longer ignore it. And neither can organizations that depend on them.
