SecurityWeek

The Reality of Cyberinsurance in 2023

If an organization decides to include cyberinsurance within its total cyber risk management posture, that cyberinsurance must be fully integrated with the organization’s cybersecurity posture.

The cyberinsurance industry

The cyberinsurance industry is maturing. In its early days it accepted cyber risk with few questions asked, and it lost money. Insurers now ask more questions, and have increased premiums, added exclusions, and refused cover more often.

This has created a gap between insurers and insureds – a gap between insurance wishes and insurance reality, and a gap between policy requests and policy delivery. A survey of more than 300 US organizations, conducted by Censuswide for Delinea, seeks to understand the nature and effect of this cyberinsurance gap, and how it may be closed.

The background is strong support and desire for cyberinsurance from the board. Board members understand the nature of insurance, the nature of risk transfer, and the ability of insurance to ameliorate catastrophic loss. Boards sometimes require their organizations to purchase cyberinsurance, are sometimes contractually required to have it, and are largely willing to fund it.

That said, board budget support has dropped by 13 percentage points, from 94% to 81%, since last year. This may partly be due to current economic uncertainty, but may also be due to the increased requirements of the cyberinsurance industry.

Sixty-seven percent of respondents reported that their cyberinsurance costs increased by between 50% and 100% in 2023.

Complexity of acquisition: insurers now require specific security controls to be in place before providing cover; if they are not already installed, they must be purchased. Many of these revolve around access management, including IAM, PAM, MFA, and password management. Fifty-five percent of respondents said they were required to use an insurer-approved solution, and some insurers have their own appliances they want installed in the company's IT environment.

Complexity of exclusions: experience is leading insurers to increase the number and complexity of the situations they will not cover. The best known is the war exclusion clause highlighted by the NotPetya/Merck incident, but others include lack of security protocols, an internal bad actor, certain human errors, failure to follow compliance procedures, acts of terrorism, and failure to report to the insurer in a timely manner. Any of these has the potential to void cover.

Failing to report an incident to the insurer first is an interesting one, since it may conflict with some compliance requirements. “I’ve had discussions with a lot of insurers into how that might apply,” Delinea’s chief security scientist and advisory CISO, Joseph Carson, told SecurityWeek. “What they’re saying is that if you incur costs before you notify the insurer of a claim, then those costs that you incur prior to that may not be covered by an insurance claim.”

The refusal of a claim based on exclusions within a policy is likely to lead to court cases, in the same way that Merck fought the war exclusion clause used to deny its NotPetya claim. In the end, the court is always the final arbiter.

The increase in cost and complexity of insurance policies has a knock-on effect on the time it takes to agree a policy. Forty-five percent of respondents expect it will take between one and three months to get or renew a policy (down from 60% last year); 30% expect it to take between four and six months (the same as last year); while 7% expect it to take more than six months (up from 0.46% last year).

“Over the past year, it’s become evident that cyber insurers are learning from their data and are now maturing. In the early days of cyber insurance, they were just trying to address a huge demand, but now they realize they must reduce their own exposure to both avoidable and uncontrollable circumstances,” says Carson.

“Our survey results find that most organizations are not approaching cyber insurance with the same diligence – they are simply looking to get covered. What they’re not checking is whether the policy they had last year is what they need now, or if their policy changed at renewal. This ‘cyber insurance gap’ could put a lot of organizations in a tough place when a cybersecurity incident occurs, and they want to utilize this financial safety net.”

The overall message from this survey is that cyberinsurance is no longer something that can simply be tacked onto cybersecurity. If an organization decides to include cyberinsurance within its total cyber risk management posture, that cyberinsurance must be fully integrated with the organization’s cybersecurity posture. This involves a detailed understanding of the risk the organization accepts itself (the deductibles), and the avoidance of anything that can lead to a claim denial based on fine-print exclusions: missing required controls, late notification, or costs incurred before the insurer is told. Above all, it requires a partnership between the insured and the insurer – but one in which the insurer is the leading partner.

Related: UK Think Tank Proposes Greater Ransomware Reporting From Cyberinsurance to Government

Related: Cyberinsurance Backstop: Can the Industry Survive Without One?

Related: Talking Cyberinsurance With Munich Re

Related: What is Cyberwar?

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
