Delinea: Companies Using Cyber Insurance Policies Multiple Times

A new Delinea report shows an increasing number of organizations have used their cyber insurance policies more than once this year while rates continue increasing.

The report is based on a survey by Censuswide of over 300 organizations in the United States. It found that the time and effort to obtain cyber insurance is increasing significantly, with the number of companies requiring six months or more skyrocketing year over year.

Delinea’s Joseph Carson

Joseph Carson, chief security scientist and advisory CISO at Delinea, said the most shocking statistic in the report’s findings is the number of companies using their cyber insurance policy not just once, but multiple times has increased, “which again shows that cyber insurance does not necessarily mean better security and it is a financial safety net when security incidents do occur.”

“The positive news is that insurance providers are maturing with improved data and insights into what is required to make businesses more resilient against cyberattacks, and their policies are now requiring better security best practices from businesses before they can even become insurable,” he said.

Growing List of Cyber Insurance Exclusions, Limitations

Among the cyber insurance report’s findings:

“The increasing list of exclusions and limitations mean organizations must understand the fine print within the policies to ensure their claim would be approved,” Carson said. “If organizations don’t follow the policy claim procedure, they could find themselves with certain incident or data breach costs that might not get covered as part of the claim, so it is critical to know the correct procedure before you need to use it in the middle of a cyberattack. The big question will be how many of those exclusions will hold up in court after the key court case earlier this year with Merck winning regarding the ‘hostile/warlike action’ exclusion clause shouldn’t be applied to a cyberattack on a non-military company, even if it originated from a government.”

While only one organization said it took longer than six months to obtain or renew cyber insurance in the 2022 report, over 20 respondents indicated it took that long in this year’s survey.

Increasing Investment in Cybersecurity

Many organizations are continuing to invest in cybersecurity solutions to protect their organizations and meet increasing requirements for cyber insurance, according to Delinea. Ninety-six percent of organizations purchased at least one security solution before their application was approved.

Further, 81% received the budget they needed to get their desired cyber insurance policy, with 36% of respondents noting that it is now a requirement from boards of directors and executive management teams.

Considering most cyberattacks involve stolen credentials, it’s no surprise that cyber insurance providers require related security controls, including identity and access management (IAM) and privileged access management (PAM), according to Delinea. Leadership is making budget available as 50% purchased IAM solutions, 45% acquired a password vault, and 44% acquired PAM controls needed to secure their coverage.

“If cyber insurance is too expensive or out of reach, then organizations must make sure that they have a strong backup and recovery strategy as that can really make the difference during a cyberattack, especially ransomware,” Carson said. “In addition to a strong backup and recovery strategy, then security best practices should also be in place to reduce or minimize the possibility of a successful attack, such as deploying strong multifactor authentication (MFA), PMA, cyber awareness training and phishing protection.”