Microsoft recently announced a cyber-insurance initiative that will pair its cybersecurity technologies with insurance products, and its first partnership under this initiative: cyber insurer At-Bay.
The move follows a similar collaboration between Google Cloud and insurance firms Allianz Global Corporate and Specialty (AGCS) and Munich Re, announced earlier this year.
“Cybersecurity is always a risk decision and insurance is a risk decision,” said Ann Johnson, who leads Microsoft’s security business, in an interview with SDxCentral. “This really crosses that intersection and will drive conversation internally with customers between our technical folks and the risk folks and get more maturity to that type of conversation so that when the board — security has become a board-level conversation — is looking at [risk], they can look at it more holistically.”
Microsoft plans to add more cyber insurance partners, Johnson added. “At-Bay is just the first,” she said. “I can’t mention the others yet, but you will see others that we are bringing into the ecosystem.”
Johnson is Microsoft’s corporate VP of security, compliance, and identity business development. She says the software giant started developing this cyber-insurance initiative a couple of years ago, long before the White House meeting in August that brought together tech CEOs — including Microsoft’s own Satya Nadella — and insurers to discuss ways to improve the U.S.’ cybersecurity.
“We recognized pretty early that we needed a partnership between customers, cyber insurers, and Microsoft to improve the security posture for our customers but also to make it more transparent to their cyber insurers,” Johnson said. “So for the insurers, it’s not just about reducing the rates, it’s also about the cyber insurers being able to offer them different products and maybe even partnering with them in a more meaningful way to help them be more secure.”
‘Use MFA 100% of the Time’
Specifically, the At-Bay partnership looks like this: U.S. businesses that use Microsoft 365 are eligible for savings on their At-Bay cyber-insurance policy premiums, if they implement specific security controls including multi-factor authentication (MFA) and Microsoft Defender for Office 365. Microsoft is also working with At-Bay to identify other ways to improve the digital risk exposure of its customers and proactively address vulnerabilities.
For customers who opt in, Microsoft will then track their security posture over time to measure improvements using its Secure Score tool.
The move continues Microsoft’s zero-trust security push, which has become increasingly important in the new “work-from-anywhere” environment that massively expanded companies’ threat landscape, Johnson added.
“Always, the first thing I say is: Use MFA for 100% of your users, 100% of the time,” she said. “It is the first thing you should be doing for security posture that will help decrease your risk. We’ve done research that over 90% of breaches have some type of password element in them, whether it’s a brute-force attack or a phishing attack. So, we know that multi-factor authentication can help reduce a customer’s exposure.”
Google Cloud Risk Protection Programs
Microsoft’s cyber-insurance initiative is similar to Google Cloud’s new Risk Protection Program announced in March. That effort has two parts. First, Google Cloud’s Risk Manager diagnostic tool allows customers to measure and manage their risk on Google Cloud and get a report on their security posture.
Additionally, AGCS and Munich Re developed a new cyber insurance product called Cloud Protection + for Google Cloud customers. Using the Risk Manager tool, customers seeking cyber insurance coverage can send reports to AGCS and Munich Re, which in turn will use the reports to help brokers assess a customer’s security posture and determine eligibility for Cloud Protection + cyber insurance.
“We worked closely with AGCS and Munich Re to co-design the Risk Protection Program to ensure we could bring a differentiated risk management solution to Google Cloud customers to reduce risk, potentially reduce costs, and build further trust in our platform,” wrote Google Cloud CISO Phil Venables and Google Cloud Security VP Sunil Potti in a blog post at the time.
When Ransomware, Cyber Insurance Collide
Both cloud giants’ programs come at a time when the nascent cyber insurance industry faces an existential threat from ransomware. Major insurers themselves have suffered losses from ransomware attacks. At the same time, the industry struggles with higher-than-ever insurance payouts to policy holders hit by ransomware and grapples with how to handle this growing risk.
In addition to insurers raising rates and reducing coverage, one firm, AXA France, recently announced that moving forward it won’t reimburse ransomware payments for new policy holders within the country.
“Cyber insurers hit a certain level of early maturity right around the same time ransomware attacks were really starting to be a huge threat,” Johnson said. “If you’d asked me five years ago or seven years ago, my cyber crystal ball wouldn’t have shown what’s happening now” with ransomware attacks.
Insurers probably wouldn’t have predicted what today’s threat landscape would look like either, she added.
This has forced another cybersecurity and cyber insurance growth spurt to keep up with the attackers. Insurers, Johnson said, “are maturing along with the industry, and understanding the different types of controls, like zero trust or MFA, that need to be put in place and also understanding how the threat landscape has really materially changed.”