Delinea: Companies Using Cyber Insurance Policies Multiple Times
Organizations must understand the fine print within the policies to ensure their claim would be approved.
A new Delinea report shows an increasing number of organizations have used their cyber insurance policies more than once this year while rates continue increasing.
The report is based on a survey by Censuswide of over 300 organizations in the United States. It found that the time and effort to obtain cyber insurance is increasing significantly, with the number of companies requiring six months or more skyrocketing year over year.
Joseph Carson, chief security scientist and advisory CISO at Delinea, said the most shocking statistic in the report’s findings is the increase in the number of companies using their cyber insurance policy not just once, but multiple times, “which again shows that cyber insurance does not necessarily mean better security and it is a financial safety net when security incidents do occur.”
“The positive news is that insurance providers are maturing with improved data and insights into what is required to make businesses more resilient against cyberattacks, and their policies are now requiring better security best practices from businesses before they can even become insurable,” he said.
Growing List of Cyber Insurance Exclusions, Limitations
Among the cyber insurance report’s findings:
Forty-seven percent of companies used their cyber insurance policies more than once this year.
Sixty-seven percent noted their insurance rates increased 50%-100% upon application or renewal.
An increasing list of exclusions that make cyber insurance coverage void, including lack of security protocols in place (43%), human error (38%), acts of war (33%) and not following proper compliance procedures (33%). Even if organizations are able to get or renew cyber insurance policies they can afford, their claim may get denied or reduced because of the fine print.
“The increasing list of exclusions and limitations means organizations must understand the fine print within the policies to ensure their claim would be approved,” Carson said. “If organizations don’t follow the policy claim procedure, they could find themselves with certain incident or data breach costs that might not get covered as part of the claim, so it is critical to know the correct procedure before you need to use it in the middle of a cyberattack. The big question will be how many of those exclusions will hold up in court after the key court case earlier this year with Merck winning regarding the ‘hostile/warlike action’ exclusion clause shouldn’t be applied to a cyberattack on a non-military company, even if it originated from a government.”
While only one organization said it took longer than six months to obtain or renew cyber insurance in the 2022 report, over 20 respondents indicated it took that long in this year’s survey.
Increasing Investment in Cybersecurity
Many organizations are continuing to invest in cybersecurity solutions to protect their organizations and meet increasing requirements for cyber insurance, according to Delinea. Ninety-six percent of organizations purchased at least one security solution before their application was approved.
Further, 81% received the budget they needed to get their desired cyber insurance policy, with 36% of respondents noting that it is now a requirement from boards of directors and executive management teams.
Considering most cyberattacks involve stolen credentials, it’s no surprise that cyber insurance providers require related security controls, including identity and access management (IAM) and privileged access management (PAM), according to Delinea. Leadership is making budget available as 50% purchased IAM solutions, 45% acquired a password vault, and 44% acquired PAM controls needed to secure their coverage.
“If cyber insurance is too expensive or out of reach, then organizations must make sure that they have a strong backup and recovery strategy as that can really make the difference during a cyberattack, especially ransomware,” Carson said. “In addition to a strong backup and recovery strategy, then security best practices should also be in place to reduce or minimize the possibility of a successful attack, such as deploying strong multifactor authentication (MFA), PAM, cyber awareness training and phishing protection.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.