Demand has jumped for cyber insurance recently, and companies appear to be quick to make use of it. A new report from cybersecurity firm Delinea finds that nearly 80% of companies that have coverage have used it, and 50% have used it more than once. Yet only 30% are carrying policies that cover critical risks pertaining to ransomware attacks. As a result, requirements by insurers to implement security controls are already on the rise: over half say they are required to perform cybersecurity awareness training, and just under half are required to implement measures such as MFA and regular data backups.
The Covid-19 pandemic period prompted an unprecedented wave of cyber crime, particularly ransomware, and that in turn has sent demand for cyber insurance through the roof. Insurers have already been paring back coverage and increasing premiums in response, but based on continuing use patterns it is likely that the market re-adjustment is still not over.
Businesses have been struggling to obtain adequate cyber coverage in the past year, with other recent studies revealing that the majority do not carry enough to offset the expenses of a ransomware attack. The Delinea findings support this trend, with just under one out of three respondents saying that they are covered for critical risks including ransomware, ransom negotiation, and decisions on ransom payments. Just under half say that they are covered for data recovery costs.
This is in spite of 93% of respondents saying that their applications for cyber insurance were approved on the first try, and the same amount also saying that their companies provide an adequate budget with which to purchase policies. Overall, 70% say that they have applied for cyber insurance and 65% of those report the approval process taking fewer than three months.
40% of the respondents applied for new coverage due to general risk reduction policy, and 25% said that news about recent ransomware incidents were a primary factor in this decision. 33% said that the order to obtain more or better coverage came directly from executive management or a Board of Directors.
The first expected response to the widespread use of coverage would be an increase in premium amounts, and 75% of respondents say that has happened to them already. And 65% of these respondents said that the premium went up by at least 50%, and in some cases went as high as a 100% increase. But insurers are not stopping short at increasing costs; they’re also requiring new and stronger security controls to reduce the chance of a data breach that leads to a claim. 51% of respondents say that cybersecurity awareness training is now mandatory to keep coverage, and 47% say they must implement anti-virus and anti-malware solutions, MFA and regular data backups as well. When insurers set Privileged Access Management requirements, 43% of respondents say that they already had suitable elements in place, and 42% said that they had to acquire new solutions to meet the criteria.
Having 80% of policyholders filing claims, particularly in such a short period of time, does not appear to be a sustainable business model at a glance. By comparison, some estimates put the amount of car insurance holders filing claims each year at around 6%. There is only so much give in terms of increasing costs and limiting circumstances of coverage, so mandatory security controls are the natural next area for insurers to expand into.
At the moment, insurers tend to be simply providing policyholders with checklists of minimum security controls to have in place. This does not necessarily mean that they will be monitored or used properly, however. A likely next development, possibly coming very soon for the highest-risk sectors, is an industry standard requirement to actually demonstrate the effectiveness of defensive posture in a simulated attack.
Another development that is already being documented is insurers simply fleeing from ransomware coverage, and telling policyholders that they are on their own in this particular area. Ransomware is on average the most damaging segment of cyber crime, with the global average demand now pushing a quarter of a million USD (and rising to over $1 million in some countries such as the US). Cleanup costs are also additionally at least a few times larger than whatever the demand was.
At minimum, those seeking new or improved cyber insurance coverage should expect that showing intent to rely on the policy (or government aid) to get out of trouble will no longer be acceptable in the present environment. A change to insurance policies is now an ideal opportunity to review security controls, mitigation strategies and data backup systems.
Avishai Avivi, CISO at SafeBreach, advises companies that had been relying entirely on insurance as their plan for dealing with data breaches to immediately review their approach: “Cyber insurance helps cybersecurity professionals manage risk by transferring the cost of a data breach. However, if 80% of companies with cyber insurance are actually using it, insurance providers will soon have to start adjusting their calculations.”
“To this end, more and more cyber insurance companies are requiring their customers to implement specific security controls before offering coverage. The challenge is that this doesn’t necessarily guarantee that their customers are properly using these controls,” added Avivi. “As this trend continues, we foresee that cyber insurance companies will mandate or incentivize companies seeking coverage to implement security validation and adversary simulation as part of their ongoing security program. This will be especially true for customers in regulated industries or with very high-risk digital assets, such as personal data records.”