Time and effort needed to secure cyber insurance rising in US

The time and effort for US organisations to obtain cyber insurance is increasing significantly, with a number of companies requiring six months or more, according to a survey from Delinea, a cybersecurity solutions provider.

Delinea’s State of Cyber Insurance 2023 report, based on a survey of over 300 organisations in the US, suggests that a significant gap is emerging between evolving cyber insurance providers and organisations who are still scrambling to get affordable, comprehensive coverage.

This year, companies that used their cyber insurance more than once increased to 47%, while 67% of respondents noted that their insurance rates increased 50-100% upon application or renewal.

The survey also found there is an increasing list of exclusions that could make cyber insurance coverage void, including lack of security protocols in place (43%), human error (38%), acts of war (33%), and not following proper compliance procedures (33%).

“Over the past year, it’s become evident that cyber insurers are learning from their data and are now maturing. In the early days of cyber insurance, they were just trying to address a huge demand, but now they realise they must reduce their own exposure to both avoidable and uncontrollable circumstances,” said Joseph Carson, chief security scientist and advisory CISO at Delinea.

He added: “Our survey results find that most organisations are not approaching cyber insurance with the same diligence – they are simply looking to get covered. What they’re not checking is whether the policy they had last year is what they need now, or if their policy changed at renewal. This ‘cyber insurance gap’ could put a lot of organisations in a tough place when a cybersecurity incident occurs, and they want to utilise this financial safety net.”

On the positive side, many organisations are continuing to invest in cybersecurity solutions to protect their organisations and meet increasing requirements for cyber insurance, said Delinea. The survey found that 96% of organisations purchased at least one security solution before their application was approved, while 81% received the budget they needed to get their desired cyber insurance policy, with 36% of respondents noting it is now a requirement from boards of directors and executive management teams.

About half of respondents reported that identity and access management (IAM) (51%) and privileged access management (PAM) (49%) controls are required by their cyber insurance policies. Half of respondents purchased IAM solutions, 45% acquired a password vault, and 44% acquired PAM controls needed to secure their coverage.

“If organisations don’t already have these access control solutions, it’s time to implement them before they shop for or try to renew cyber insurance. These are essential security controls to add to cybersecurity strategies, along with basics like anti-malware software, data encryption, firewall and intrusion detection, patching, and vulnerability management,” said Carson.