Delinea’s research reveals a significant cyber insurance gap is emerging as providers evolve to reduce their exposure while organisations ignore the fine print.
The 2023 State of Cyber Insurance report, based on a survey of over 300 organisations in the U.S., found that the time and effort to obtain cyber insurance is increasing significantly, with the number of companies requiring six months or more skyrocketing year over year.
The survey, conducted by Censuswide on behalf of Delinea, looked to uncover new trends and evolving patterns since a similar report last year, which established that the demand for cyber insurance was at a fever pitch.
This year, the share of companies that used their cyber insurance more than once increased to 47%, while 67% of respondents noted that their insurance rates increased 50-100% upon application or renewal.
While only one organisation said it took over six months to obtain or renew cyber insurance in the 2022 report, over 20 respondents indicated it took that long in this year’s survey.
However, the survey found that there is an increasing list of exclusions that could make cyber insurance coverage void, including lack of security protocols in place (43%), human error (38%), acts of war (33%), and not following proper compliance procedures (33%). Even if organisations can get or renew cyber insurance policies they can afford, their claim may get denied or reduced because of the fine print.
Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, says: “Over the past year, it’s become evident that cyber insurers are learning from their data and are now maturing. In the early days of cyber insurance, they were just trying to address a huge demand, but now they realise they must reduce their own exposure to both avoidable and uncontrollable circumstances.”
“Our survey results find that most organisations are not approaching cyber insurance with the same diligence; they are simply looking to get covered. What they’re not checking is whether the policy they had last year is what they need now or if their policy changed at renewal.”
“This ‘cyber insurance gap’ could put a lot of organisations in a tough place when a cybersecurity incident occurs, and they want to utilise this financial safety net,” says Carson.
Wahab Yusoff, Vice President of Asia Pacific & Japan at Delinea, says: “Asia Pacific organisations and Boards should examine the U.S. cyber insurance experience to understand some very worrying trends and act accordingly.”
That said, many organisations continue investing in cybersecurity solutions to protect themselves and meet increasing requirements for cyber insurance. 96% of organisations purchased at least one security solution before their application was approved.
Furthermore, 81% received the budget they needed to get their desired cyber insurance policy, with 36% of respondents noting that it is now required by Boards of Directors and executive management teams.
Since most cyberattacks involve stolen credentials, insurance providers require related security controls. About half of respondents reported that their cyber insurance policies require Identity and Access Management (51%) and Privileged Access Management (49%) controls.
Again, leadership is making the budget available as 50% purchased IAM solutions, 45% acquired a password vault, and 44% acquired PAM controls needed to secure their coverage.
“If organisations don’t already have these access control solutions, it’s time to implement them before they shop for or try to renew cyber insurance,” says Carson.
“These are essential security controls to add to cybersecurity strategies, along with basics like anti-malware software, data encryption, firewall and intrusion detection, patching, and vulnerability management.”