A survey of 300 decision-makers finds investments in cybersecurity are rising because of requirements made by carriers of cybersecurity insurance.
Conducted by Delinea, a provider of an identity management platform, the survey finds a full 95% of respondents report they needed to invest in identity security solutions before obtaining cyber insurance. Top requirements are authorization/access controls (41%), threat detection and resiliency plan (40%), session management and monitoring (38%), credential password management (35%), secure third-party controls (35%), and multifactor authentication (35%).
There was a time when many organizations sought out cybersecurity insurance policies to avoid having to invest in cybersecurity technologies, but in the wake of considerable losses, cybersecurity insurance carriers have learned to require organizations to invest more in cybersecurity before issuing a policy.
Often, that approach has led to claims being denied because, for example, an organization may not have been following data protection best practices. It’s not clear how many claims have been denied, but the number of claims being made has increased. Just under two-thirds of respondents (62%) said their organization has filed an insurance claim because of a cyberattack in the last 12 months, with more than a quarter (27%) having filed multiple claims. The survey also finds more than three-quarters of respondents (77%) work for organizations that have previously filed a cybersecurity insurance claim.
Shifting requirements and costs
A full 42% of organizations noted they were required to purchase a security solution or appliance from their insurance provider. Half of respondents (50%) also noted their cybersecurity insurance costs have increased in the last year, mainly because their IT environments have become more complex (48%).
However, 50% said they were able to reduce their insurance rates by implementing additional security controls. An equal percentage said they are implementing artificial intelligence (AI) for threat detection and monitoring to lower cybersecurity insurance premiums.
The primary reasons for applying for cybersecurity insurance are compliance/regulatory requirements (35%), executive/board requirement (37%), recent cyberattack (27%), ransomware incident (26%), and third-party contract requirement (24%), the report noted. More than a third (37%) said their cybersecurity insurance could be voided if the right security controls are not in place. Additionally, 32% said they are required to either first report an incident to the carrier or notify them of an incident within a specific time period.
Coverage includes data backup and recovery (50%), additional security controls (46%), legal fees (44%), ransomware negotiation and payments (41%), incident response services (40%), impact on partners and customers (40%), lost revenue (39%), and regulatory fines (38%), the survey finds.
Overall, the survey finds insurance claims were mainly tied to a third-party vendor or supply chain partner that was at fault for a cyberattack (27%), followed closely by ransomware attacks (26%). Nearly half (47%) of the attacks that led to insurance claims were linked to compromises involving identity (24%) and privileges (22%).
Determining your organization’s needs
Each organization will need to determine what level of cybersecurity insurance makes the most sense for it. The one thing that is clear, however, is that the more comprehensive the policy, the more likely it is that the organization will need to invest in cybersecurity tools, platforms, and processes to ensure any future claims are actually honored.