Time and effort to obtain cyber insurance increasing for US businesses

The time and effort required to obtain cyber insurance is increasing significantly for US organizations, with the number of companies requiring six months or more rising year over year. That’s according to Delinea’s 2023 State of Cyber Insurance report, based on a survey of more than 300 organizations. The research highlights a significant gap between insurance carriers and businesses that are scrambling to get affordable, comprehensive coverage, while many organizations are continuing to invest in cybersecurity solutions to meet requirements for cyber insurance policies.

Separate Forrester research recently found that while most enterprise security technology decision-makers have some kind of cyber insurance coverage, only 26% have a standalone policy. What’s more, cyber insurance has an impact on service provider selection, with insurance carriers typically maintaining a panel of preferred providers in areas like incident response, ransomware negotiation, and payments. Almost three-quarters (70%) of enterprises with cyber coverage said their insurance carrier required them to select from their panel of providers, according to the research.

The cyber insurance landscape has seen significant change recently. As the frequency and severity of ransomware, phishing, and denial-of-service (DoS) attacks have increased, demand for and conditions relating to coverage have evolved. Policies are becoming more diverse, complex, expensive, and harder to qualify for, presenting CISOs and their organizations with new challenges and considerations for optimal cyber insurance investment.

More time and effort required to get cyber insurance

The time and effort to obtain cyber insurance is increasing for many of the organizations surveyed in Delinea’s report. The percentage of respondents reporting that the process to get cyber insurance took more than six months increased from 0.46% in 2022 to 7% in 2023.

Insurance questionnaires and calls with risk analysts require significant knowledge of IT systems, forcing staff to take time away from keeping systems running and supporting employees/customers to answer them, according to the report. Furthermore, internal-only assessments may not be good enough for insurance companies to take on risks, with many companies also needing external support to obtain cyber insurance. More than half of respondents said that providers require them to conduct an external evaluation, and 55% had to use a provider-approved solution.

Cyber insurance rates increasing, companies still willing to invest

Almost eight out of ten respondents (79%) said their insurance rates increased upon application or renewal, with over two-thirds (67%) reporting that they increased by 50% to 100%. Despite the increases, boards of directors and executive management teams are mandating that companies obtain cyber insurance, with 81% of respondents being allocated additional budget to get cover. A contributing element is the need to invest in cybersecurity solutions to meet increasing requirements for cyber insurance, the report said. Almost all (96%) organizations purchased at least one security solution before their application was approved. About half of respondents reported purchasing identity and access management (IAM), privileged access management (PAM), and multi-factor authentication (MFA) tools, as required by their cyber insurance policies.

Growing list of exclusions could void cover, deny claims

Even if organizations do get or renew cyber insurance policies, there is an increasing list of exclusions that could void coverage or see claims denied/reduced because of the fine print, according to the report. These include lack of security protocols (43%), human error (38%), acts of war (33%), and not following proper compliance procedures (33%). The lack of security protocols is the top reason smaller organizations had claims denied, noted by 40% of respondents, while human error is the top reason larger organizations had claims denied, noted by 48% of respondents.

The report also indicated that cyber insurance may not cover all costs involved in a data breach, with policies least likely to pay for lost revenue, regulatory fines, legal fees, and ransomware payments. Respondents said expenses most likely to be recouped were those spent on data recovery. However, data recovery can mean different things to different insurers and in different situations.
