According to a recent report from Delinea, a full four out of five companies have filed at least one cyber insurance claim; half have filed more than one. In a market that has already been hiking premiums and cutting ransomware-related coverage for over a year due to insurer costs, the next move appears to be more stringent and thorough security controls as a standard term of obtaining a policy.
Want cyber insurance? Be prepared to have industry-standard security controls in place
300 senior IT staff from United States companies were surveyed, and the vast majority report having needed to file a cyber insurance claim. About half have filed at least two at this point. Insurers have been footing the bill for much of the wave of cyber crime of the past two and a half years, and policy terms are continuing to become more stringent in response.
For the most part, cyber insurance policies currently require that applicants have a checklist of fairly standard security controls in place. But given that cyber crime, and the heavy costs of ransomware in particular, is not slowing down, there is little reason to believe that these requirements will not escalate in the near future. For certain high-risk markets, some insurers are already requiring that clients undergo scheduled penetration tests that simulate real-world attacks as a term of coverage.
Gone are the days when companies could rely on some combination of a stock cyber insurance policy and government assistance to weather the damage of ransomware or data theft. Organizations should expect to be required to demonstrate that their security controls, response plan and offline backups are all in good working order. At the very least, this should be expected as the means by which to get the most favorable prices and policy terms.
Cyber insurance only becoming more expensive, tough to obtain
Cyber insurance is experiencing an extended (and sometimes dramatic) readjustment due to cyber crime, with no real reason to believe that the tide will turn back in favor of consumers any time soon.
Some businesses are simply not carrying enough coverage, either because they cannot afford it or cannot get approved for it. The survey finds that under 33% say that they are covered for critical risks such as ransomware damage and payment of demands. It is no longer all that uncommon for insurers to simply drop ransomware coverage altogether, but under 50% also say that they are not insured for data recovery.
The issue appears to be either cost or that these particular elements are being dropped from policies, as nearly all of the Delinea respondents said that they were approved for cyber insurance on their initial application. 70% said that they have applied for some type of coverage and 65% of those said that approval took no longer than three months. 40% said that they applied to obtain new coverage; 33% said that they were directed by the executive ranks of the company to improve coverage.
Policyholders are in a “more for less” situation, as terms become tighter even as 75% say their premiums have already increased. In terms of how common it has become to require security controls, a little over half said that they were asked to have cybersecurity awareness training in place, and a little under half said that they were subject to more extensive measures such as use of multi-factor authentication and offline backups.