Connect with us

Hi, what are you looking for?


Cyber Insurance

The Reality of Cyberinsurance in 2023

If an organization decides to include cyberinsurance within its total cyber risk management posture, that cyberinsurance must be fully integrated with the organization’s cybersecurity posture.

The cyberinsurance industry

The cyberinsurance industry is maturing. In its early days, it simply accepted cyber risk with few questions asked. It lost money. Insurers are asking more questions and have increased premiums, exclusions, and refusals.

This has created a gap between insurers and insureds – a gap between insurance wishes and insurance reality, and a gap between policy requests and policy delivery. A survey of more than 300 US organizations, conducted by Censuswide for Delinea, seeks to understand the nature and effect of this cyberinsurance gap, and how it may be closed.

The background is strong support and desire for cyberinsurance from the board. Businessmen understand the nature of insurance, the nature of risk transfer, and the ability of insurance to ameliorate catastrophic loss. Boards sometimes require their organizations to purchase cyberinsurance, sometimes are contractually required to have cyberinsurance, and are largely willing to fund it.

That said, board budget support has dropped by 13% from 94% to 81% since last year. This may partly be due to current economic uncertainty, but may also be due to the increased requirements of the cyberinsurance industry. 

Sixty-seven percent of respondents reported that their cyberinsurance costs increased by between 50% and 100% in 2023. 

Complexity of acquisition: insurers are now requiring specific security controls be in place before providing cover. If not installed, they must be purchased. Many of these revolve around access management, including IAM, PAM, MFA, and password management. Fifty-five percent of respondents said they were required to use an insurer-approved solution, while some insurers have their own appliances they wish to be installed in a company’s IT environment.

Complexity of exclusions: experience is causing insurers to increase the number and complexity of the situations they will not cover. The best known is the war exclusion clause highlighted by the NotPetya/Merck incident – but others include lack of security protocols in place, internal bad actor, certain human errors, failure to follow compliance procedures, acts of terrorism, and failure of timely reporting to the insurance company. All of these have the potential to void any cover.

Advertisement. Scroll to continue reading.

Failing to report an incident to the insurer first is an interesting one, since it may conflict with some compliance requirements. “I’ve had discussions with a lot of insurers into how that might apply,” Delinea’s chief security scientist and advisory CISO, Joseph Carson, told SecurityWeek. “What they’re saying is that if you incur costs before you notify the insurer of a claim, then those costs that you incur prior to that may not be covered by an insurance claim.”

The refusal of a claim based on exclusions within a policy is likely to lead to court cases in the same way that Merck fought the war exclusion clause used to deny its NotPetya claim. In the end, the court is always the final arbiter.

The increase in cost and complexity in insurance policies has a knock-on effect on the time it takes to agree the policy. Forty-five percent of respondents expect it will take between one and three months to get or renew a policy (down from 60%) last year; 30% expect it to take between four and six months (the same as last year); while 7% expect it to take more than six months (up from 0.46% last year).

“Over the past year, it’s become evident that cyber insurers are learning from their data and are now maturing. In the early days of cyber insurance, they were just trying to address a huge demand,  but now they realize they must reduce their own exposure to both avoidable and uncontrollable circumstances,” says Carson. 

“Our survey (PDF) results find that most organizations are not approaching cyber insurance with the same diligence – they are simply looking to get covered. What they’re not checking is whether the policy they had last year is what they need now, or if their policy changed at renewal. This ‘cyber insurance gap’ could put a lot of organizations in a tough place when a cybersecurity incident occurs, and they want to utilize this financial safety net.”

The overall message from this survey is that cyberinsurance is no longer something that can simply be tacked onto cybersecurity. If an organization decides to include cyberinsurance within its total cyber risk management posture, that cyberinsurance must be fully integrated with the organization’s cybersecurity posture. This will involve a detailed understanding of risk acceptance (deductibles), and the avoidance of anything that can lead to claim denials based on fine print exclusions. Above all, it will require a partnership between the insured and the insurers – but one in which the insurer is the leading partner.

Related: UK Think Tank Proposes Greater Ransomware Reporting From Cyberinsurance to Government

Related: Cyberinsurance Backstop: Can the Industry Survive Without One?

Related: Talking Cyberinsurance With Munich Re

Related: What is Cyberwar?

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

CISO Strategy

The question for 2023 and beyond is whether the cyberinsurance industry can make a profit without destroying its market.

Cyber Insurance

Court says insurers must pay Merck for losses related to the Russia-linked NotPetya cyberattack.

Cyber Insurance

SecurityWeek spoke to Chris Storer, head of the cyber center of excellence at reinsurance giant Munich Re, for the cyber insurers’ view of cyberinsurance.

Cyber Insurance

All-in-one cybersecurity platform Guardz today emerged from stealth mode with $10 million in seed funding.

Cyber Insurance

Third-party administrator of insurance products Bay Bridge Administrators (BBA) is informing roughly 250,000 individuals that their personal information might have been compromised in a...