A new Delinea survey shows high usage of cyber insurance is prompting cyber insurers to continue reducing the scope of their coverage.

The survey, conducted among 300 U.S.-based IT decision-makers by Censuswide, shows nearly 80% of companies have had to use their cyber insurance. In addition, more than half of those have used it multiple times.

As a result, insurers are pulling back on covering what is most needed. Only about 30% of organizations said their policy covers critical risks. Those include ransomware, ransom negotiation, and a decision on ransom payment.

Delinea’s Joseph Carson

Joseph Carson is chief security scientist and advisory CISO at Delinea. He said insurers are putting hard limitations on financial payouts for cyber incidents such as ransomware attacks.

“The shock from this latest research is how so many organizations who have obtained cyber insurance have need to use it and again half of those multiple times,” he said. “It is almost like continuously crashing your car and not learning from the first one on how you are going to change prioritizing prevention.”

High Cyber Insurance Approval Rate

According to the survey, nearly 70% of organizations have applied for cyber insurance. Of those, 93% were approved when they applied, and 65% claimed the process took less than three months. Risk reduction is the main reason for applying. However, one-third of respondents said it was also due to requirements from executive management and boards of directors. Furthermore, 25% cited recent ransomware incidents as a primary decision driver.

Given the pressure coming from the top, it’s no surprise 93% received the budget required to purchase their cyber insurance. That’s even as 75% of respondents said premiums increased in their last renewal.

Other main reasons cited for applying for cyber insurance were business contract requirements (24%) and recent data breaches (17%). The largest number of respondents said their policy covers data recovery, while roughly a third indicated it covers incident response, regulatory fines and third-party damages.

To qualify for cyber insurance, a majority of respondents confirmed that cybersecurity awareness training was a requirement. Less than half were required to have malware protection, antivirus software, multi-factor authentication (MFA), and backup data.

When asked how they met insurers’ privileged access management (PAM) requirements, a similar percentage said they had suitable existing solutions (43%) as those who had to acquire additional solutions (42%).

It’s not becoming more difficult to obtain cyber insurance, Carson said. However, it is becoming much more expensive. Furthermore, financial limitations are being enforced to reduce the risk exposure from insurers.

Cyber Insurance Not An Alternative to Security Solutions

“My concern is that organizations are investing in cyber insurance as an alternative to security solutions as a way to reduce risk whereas cyber insurance policies should be requiring security best practices to be in place and enforced,” Carson said.

MSSPs and cybersecurity providers can help ensure organizations have a basic level of cybersecurity in place before getting insurance as a way to show that cyber insurance is the last resort and not the only protection, he said.