Cyberinsurance Requirements Get Tougher, Premiums Skyrocket
A survey found that while cyberinsurance is still readily accessible, 75% of respondents said premiums have increased. Nearly two-thirds of respondents (65%) said premiums increased anywhere from 50 to 100%, the survey found. The survey polled 300 IT decision-makers in the U.S. and was conducted by Censuswide on behalf of Delinea, a provider of a platform for managing privileged access.
Nearly 80% of respondents also noted they have used their cyberinsurance policy, with 41% of those respondents reporting they have used it multiple times.
Requirements for qualifying for cyberinsurance policies are also becoming stricter. More than half of respondents (51%) confirmed that cybersecurity awareness training was a requirement to take out a policy, while just under half (47%) said they were required to have malware protection, antivirus software, multi-factor authentication (MFA) and data backup in place.
However, only about 30% of respondents said their policy covers critical risks such as ransomware, ransom negotiation and decision assistance on ransom payment. Fewer than 50% of respondents said their current cyberinsurance policies cover data recovery, while 60% or more are not covered for victim identity theft and credit monitoring, costs, incident response, hardware and software replacement, regulatory fines and third-party damage. Only 27% are covered for profit loss, the survey also found.
Joe Carson, chief security scientist and advisory CISO for Delinea, said that while it is clear senior business leaders have concluded they can’t rely solely on cybersecurity investments to protect their business, the providers and carriers are not making it as easy as it once was to take out a cyberinsurance policy.
In some cases, where policies that cover ransomware are provided, carriers are now becoming more assertive. In addition to hiring third-party specialists to assess an organization’s level of cybersecurity, they are also requiring clients to defer to them to manage ransomware attacks, including determining whether to negotiate with ransomware gangs, said Carson.
In fact, Carson said some policies now require organizations to inform the carrier of a ransomware attack before anyone else, including law enforcement agencies.
Overall, the survey found nearly 70% of respondents worked for organizations that have applied for cyberinsurance, with 93% being approved. Just under one-third said the process took less than three months. The main reasons for applying were risk reduction (40%), followed by a requirement set forth by executive management or the board of directors (33%), the current level of ransomware attacks (25%), business contract requirements (24%) and recent data breaches (17%).
It’s not clear just how much influence and control cyberinsurance providers will have over cybersecurity investments in the months and years ahead. On the plus side, the bar for attaining cyberinsurance is rising to a point that is forcing more investments in cybersecurity. However, it’s also apparent that cyberinsurance organizations are trying to limit their liability by providing less coverage, so it’s not clear just how much value cyberinsurance will have in the event of an actual security breach.

