Cyber insurance policy rates continue to rise while a growing number of exclusions reduce what is covered under these policies, according to a report released Tuesday by a cybersecurity company.
Nearly four in five (79%) of more than 300 U.S. organizations surveyed by Censuswide for privileged access management provider Delinea have seen their insurance costs increase, while more than two-thirds (67%) indicated that their cyber insurance premiums had increased by 50% to 100% when they purchased or renewed their policy this year.
“Over the past year, it has become clear that cyber insurers are learning from their data and are now maturing,” said Joseph Carson, chief security scientist and advisory CISO at Delinea, in a statement.
He explained that in the early days of cyber insurance, insurers were simply trying to meet huge demand, but now realize they need to reduce their exposure to circumstances that are both avoidable and uncontrollable.
“Our survey results reveal that most organizations are not approaching cyber insurance with the same diligence: they are simply looking to be covered,” he continued. “What they don’t check is if the policy they had last year is the one they need now or if their policy changed upon renewal.”
“This ‘cyber insurance gap’ could put many organizations in a difficult situation in the event of a cybersecurity incident, and they want to use this financial safety net,” he added.
Risk assessment and cyber insurance will always be evolving, just as threat vectors evolve, explained Bud Broomhead, CEO of Viakoo, a provider of automated cyber hygiene for IoT in Mountain View, California.
“Recent changes, such as the shift in malicious actors exploiting vulnerable IoT/OT devices and more open source vulnerabilities, are pushing insurers to adapt their risk models and also impose conditions on policyholders, such as requiring automated cyber hygiene for non-IT devices and systems,” he told TechNewsWorld.
Explosion of exclusions
One notable way insurers reduce their risk when they write cyber insurance policies is by limiting coverage through exclusions. The Delinea report reveals that the list of exclusions voiding the coverage of a cyber policy is growing.
The top reason respondents gave for excluding coverage from a policy was a lack of security protocols in place (43%), followed by human error (38%), acts of war (33%) and failure to follow appropriate compliance procedures (33%).
Exclusions can reduce the value of cyber insurance to an organization. “Any exclusion that excludes social engineering scams or human error essentially kills this policy, because most cyberattacks are linked to these two root causes,” said Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Florida.
“Seventy to 90 percent of all successful cyberattacks involve social engineering,” he told TechNewsWorld. “Any exclusion that excludes social engineering gives you virtually no chance of getting reimbursed.”
Exclusions reduce the overall value of a policy because they narrow the true scope of coverage, added Jason Dettbarn, founder and CEO of Addigy, maker of an Apple device management platform in Miami.
“More importantly, very few companies meet basic underwriting requirements,” he told TechNewsWorld. “They don’t have the right cyber/IT management tools or processes in place.”
The responsibility lies with the victims
Carson told TechNewsWorld that the growing list of exclusions and limitations means organizations must understand the fine print of policies to ensure their claim will be approved.
“If organizations do not follow the claims procedure, they could end up with some incident or data breach costs that may not be covered as part of the claim. It is therefore essential to know the correct procedure before having to use it in the middle of a cyberattack,” he said.
“The big question will be how many of these exclusions hold up in court after the key trial earlier this year, where Merck won, over the ‘hostile/warlike action’ exclusion clause that should not be applied to a cyberattack against a non-military company – even if it comes from a government,” he added.
Darren Williams, CEO and founder of BlackFog, a developer of integrated anti-data exfiltration technology in Cheyenne, Wyoming, said the rising costs of cyber insurance are taking a toll on businesses around the entire world.
“We’re seeing many small businesses choose to no longer have coverage due to the number of exclusions, but instead invest in preventative cybersecurity solutions,” he told TechNewsWorld.
“As this research indicates,” he said, “human error is inevitable and a leading cause of ransomware attacks, and acts of war can be interpreted very broadly if insurers want it.”
“Additionally,” he continued, “the exclusions combined with recent state announcements banning ransomware payments make the insurance of limited value.”
“Ultimately, the onus is on the victim to prevent data exfiltration and therefore the risk to the business must be carefully weighed,” he added.
However, organizations that avoid cyber insurance do so at their own risk. “Cybersecurity is almost mandatory for any business that holds customer data and is at risk of a data breach or ransomware attack,” Dettbarn observed.
“Today, cyber insurance is highly recommended,” said Theresa Le, claims director at Cowbell, a provider of AI-based cyber insurance for SMBs in Pleasanton, California.
“Even with the best cybersecurity efforts, businesses still face residual cyber risks from system misconfigurations, employee errors, or other unintentional security breaches,” she told TechNewsWorld. “It is increasingly common for cyber coverage to be required in contractual agreements.”
Carson noted that one of the most surprising statistics in the report is the increase in the number of organizations that have used their cybersecurity insurance more than once, from 41% in 2022 to 47% in 2023.
“This shows once again that cyber insurance does not necessarily mean better security, and that it provides a financial safety net when security incidents occur,” he said.
“On the positive side,” he continued, “insurers are evolving with improved data and a better understanding of what is needed to make businesses more resilient to cyberattacks, and their policies now require better security practices on the part of companies before they can even become insurable.”