Rates for cyber insurance policies continue to rise while a growing number of exclusions are shrinking what’s covered by them, according to a report released Tuesday by a cybersecurity company.
Nearly four out of five (79%) of the more than 300 organizations in the United States surveyed by Censuswide for privileged access management provider Delinea saw their insurance costs increase, while more than two-thirds (67%) noted their cyber insurance premiums had increased 50% to 100% when they applied for or renewed their policies this year.
“Over the past year, it’s become evident that cyber insurers are learning from their data and are now maturing,” Delinea Chief Security Scientist and Advisory CISO Joseph Carson said in a statement.
He explained that in the early days of cyber insurance, insurers were just trying to address a huge demand, but now they realize they must reduce their exposure to both avoidable and uncontrollable circumstances.
“Our survey results find that most organizations are not approaching cyber insurance with the same diligence — they are simply looking to get covered,” he continued. “What they’re not checking is whether the policy they had last year is what they need now or if their policy changed at renewal.”
“This ‘cyber insurance gap’ could put a lot of organizations in a tough place when a cybersecurity incident occurs, and they want to utilize this financial safety net,” he added.
Risk assessment and cyber insurance will always be in flux, the same way threat vectors evolve, explained Bud Broomhead, CEO of Viakoo, a provider of automated IoT cyber hygiene in Mountain View, Calif.
“Recent changes such as the shift of threat actors exploiting vulnerable IoT/OT devices and more open source vulnerabilities are driving insurers to adapt their risk models and to also impose conditions on the insured, such as requiring automated cyber hygiene for non-IT devices and systems,” he told TechNewsWorld.
Exclusion Explosion
One way that insurers are reducing their exposures when writing cyber insurance policies is by limiting their coverages through exclusions. The Delinea report found that the list of exclusions voiding coverage in a cyber policy is growing.
The top reason given by the survey’s respondents for excluding coverage in a policy was a lack of security protocols in place (43%), followed by human error (38%), acts of war (33%), and not following proper compliance procedures (33%).
Exclusions can lower the worth of having cyber insurance in the eyes of an organization. “Any exclusion that excludes social engineering scams or human error essentially kills that policy, because most cyberattacks are related to those two root causes,” maintained Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Seventy to 90 percent of all successful cyberattacks involve social engineering,” he told TechNewsWorld. “Any exclusion that excludes social engineering is essentially giving you almost no chance of getting reimbursed.”
Exclusions reduce the overall value of a policy because they reduce the true scope of coverage, added Jason Dettbarn, founder and CEO of Addigy, maker of an Apple device management platform in Miami.”
“More importantly, though, very few companies meet the core underwriting requirements,” he told TechNewsWorld. “They don’t have the right cyber/IT management tools or processes in place internally.”
Onus on Victims
Carson told TechNewsWorld that the increasing list of exclusions and limitations means organizations must understand the fine print within the policies to ensure their claim will be approved.
“If organizations don’t follow the policy claim procedure, they could find themselves with certain incident or data breach costs that might not get covered as part of the claim, so it is critical to know the correct procedure before you need to use it in the middle of a cyberattack,” he said.
“The big question will be how many of those exclusions will hold up in court after the key court case earlier this year with Merck winning regarding the ‘hostile/warlike action’ exclusion clause shouldn’t be applied to a cyberattack on a non-military company — even if it originated from a government,” he added.
Darren Williams, CEO and founder of BlackFog, a developer of an on-device, anti-data exfiltration technology in Cheyenne, Wyo., asserted that the escalating costs of cyber insurance are taking its toll on all businesses globally.
“We are seeing many small businesses choose to no longer have any coverage due to the number of exclusions, but rather invest in preventative cybersecurity solutions,” he told TechNewsWorld.
“As indicated by this research,” he said, “human error is unavoidable and one of the leading causes of ransomware attacks, and acts of war can be interpreted very broadly if desired by insurers.”
“In addition,” he continued, “exclusions combined with recent announcements from states banning ransomware payments make insurance of limited value.”
“Ultimately, the onus is on the victim to prevent data exfiltration, and therefore, the risk to the business needs to be carefully weighed,” he added.
Operational Necessity
Nevertheless, organizations that eschew cyber insurance do so at their own peril. “Cybersecurity is near mandatory for any business that holds customer data and is at risk of a data breach or ransomware attack,” Dettbarn observed.
“Today, cyber insurance is highly recommended,” said Theresa Le, chief claims officer at Cowbell, a provider of AI-powered cyber insurance for SMBs in Pleasanton, Calif.
“Even with the best cybersecurity efforts, businesses still face residual cyber risks due to system misconfigurations, employee errors, or other unintentional security gaps,” she told TechNewsWorld. “It is increasingly common for cyber coverage to be required in contractual agreements.”
Carson noted that one of the most surprising statistics from the report is the increase in organizations that used their cybersecurity insurance more than once, from 41% in 2022 to 47% in 2023.
“This once again shows that cyber insurance does not necessarily mean better security, and it is a financial safety net when security incidents do occur,” he said.
“On the positive side,” he continued, “insurance providers are maturing with improved data and insights into what is required to make businesses more resilient against cyberattacks, and their policies are now requiring better security best practices from businesses before they can even become insurable.”