Cyberinsurance Takes Longer to Obtain, Costs More

Organizations are spending more time and exerting more effort to get cyberinsurance—it takes at least six months to obtain new insurance or renew an existing policy and premium costs are rising, according to a new report.

The number of companies that said it took longer than six months to secure a policy has increased twentyfold since last year, according to a survey of 300 U.S. organizations from Delinea.

Unfortunately, the delays and resultant price increases (an uptick of 50%-100% for 67% of respondents) come as organizations are making full use of their policies: nearly half of those surveyed (47%) say they used their cyberinsurance multiple times in the last year.

“The most surprising statistic from the report findings is that the number of companies using their cyberinsurance policy not just once, but multiple times has increased,” said Joseph Carson, chief security scientist and advisory CISO at Delinea. “This once again shows that cyberinsurance does not necessarily mean better security, and it is a financial safety net when security incidents do occur.”

The biggest change is that cyberinsurance will be harder to get and will come with lower coverage amounts, said Bud Broomhead, CEO at Viakoo. “This will only change as insurers have more assurance that their risk assessments and financial models are correct. Until then, organizations will need to look at other ways to manage this risk, such as through self-insurance or multiple layers of cyberinsurance.”

The cyberinsurance market has matured over the last few years—after considerable growing pains—and customers are feeling the burn from that maturity. Insurers accumulated historical incident and breach data over the years so that they could better quantify risk and gain a deeper, more accurate understanding of which factors increase organizations’ risk exposure.

“Three key factors are driving the growth of the cyberinsurance market. These include the expanding liabilities from cybersecurity breaches, boards and senior management holding more responsibility for breaches and the ‘forcing function’ that cyberinsurance provides to maintain their cybersecurity posture,” said Broomhead.

Insurers are using those valuable insights to shape the way they assess risk, craft policies and determine prices. As expected, they’re tightening guidance and requirements and becoming more prescriptive regarding the security controls that must be in place before they will agree to cover an organization. Delinea found that exclusions that would void insurance coverage include a lack of security protocols in place (43%), human error (38%), acts of war (33%) and not following proper compliance procedures (33%).

“These factors have changed over time and will continue to for a few more years,” Broomhead said. “Unlike any other form of insurance, the ability to predict the extent of damages from a cybersecurity incident is very limited compared to automotive or homeowner insurance where there is a lot of data to suggest the possible payout amounts. Cyberinsurance is still grappling with what potential payouts might be,” he added. “For example, insurers are just starting to do risk assessment on IoT/OT systems which have the potential for loss of life, physical damage and much more reputational damage than losses from data exfiltration.”

But “the increasing list of exclusions and limitations means organizations must understand the fine print within the policies to ensure their claim would be approved,” said Carson. “If organizations don’t follow the policy claim procedure, they could find themselves with certain incident or data breach costs that might not get covered as part of the claim. It is critical to know the correct procedure before you need to use it in the middle of a cyberattack.”

Still, Carson is not convinced that those restrictions will hold up legally. “The big question will be how many of those exclusions will hold up in court after the key court case earlier this year with Merck winning a ‘hostile/warlike action exclusion clause’ case in which that clause shouldn’t be applied to a cyberattack on a non-military company—even if it originated from a government,” he said.

There is some good news, though. “On the positive side, insurance providers are maturing with improved data and insights into what is required to make businesses more resilient against cyberattacks and their policies are now requiring better security best practices from businesses before they can even become insurable,” said Carson.

“Enterprises have started to take a more business-focused approach to security. Those organizations that take the time to prepare and run risk assessments as part of the cyberinsurance process are one step ahead. When a cybersecurity incident occurs, it is of lesser severity because they are prepared and engage immediately with the resources provided by cyberinsurance,” said Theresa Le, chief claims officer at Cowbell.

Of course, considering the increased frequency of cyberattacks and the potential for costly damage, cyberinsurance is becoming a must-have. “Even with the best cybersecurity efforts, businesses still face residual cybersecurity risks due to system misconfigurations, employee errors or other unintentional security gaps,” said Le. “It is increasingly common for cyberinsurance coverage to be required in contractual agreements.”

She encourages businesses to “opt for insurers that include a risk assessment of the organization with the goal to remediate identified security weaknesses prior to quoting.”

A thorough process, she explained, “should include industry-specific evaluations such as the use and protection of an OT network in manufacturing or the volume of regulated records (PII, PHI or other) processed by the organizations in sectors such as health care or financial services.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a master’s degree in journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.