Cyber-insurance: from risk to resilience

Simon Hughes at Delinea explains how to secure your cyber-insurance coverage

As cyber-insurance has shifted from a "nice to have" to a strategic essential, the market has seen significant fluctuations, with US policy prices soaring by as much as 150% last year alone. 

With growing demand for policies, insurers continue to be selective, heavily scrutinising all aspects of applicants’ cyber-security preparedness before underwriting policies. Business size, industry, risk exposure, and the type of data an organisation handles will all influence premium eligibility and cost.    

As the cyber-insurance market evolves and matures, enterprises must maintain a strong, proven cyber-security posture in order to qualify for coverage. Here, we’ll outline the latest trends in the market and delve into key considerations for achieving comprehensive insurance coverage in the year ahead. 

The biggest cyber-insurance trends this year

Cyber-security is a relatively nascent field of insurance, with the first policy being launched by AIG just 26 years ago. This has naturally led to a more volatile market as providers get to grips with the complex and fast-paced cyber-security industry. 

Insurers must deal with a field where incident costs can be extremely high; the global costs of cyber-crime are expected to rise to an alarming $11 trillion in 2023. As the frequency and scale of cyber-attacks continues to escalate, it’s increasingly likely that applicants will need to make a claim on their policies.

Delinea’s most recent research provides valuable insights into this trend and reveals that 80% of organisations have used their cyber-insurance coverage at least once. This underscores the growing reliance on cyber-insurance as a risk mitigation strategy. 

The market is also becoming increasingly competitive, with insurers vying to offer the most comprehensive and cost-effective policies. However, this competition doesn’t make securing coverage any easier for organisations. Insurers are analysing applicants more rigorously, setting the bar high for cyber-security preparedness.

Further, the requirements are frequently shifting as providers reassess the threat landscape.  Delinea’s report found that the time and effort to obtain cyber-insurance is increasing significantly, with the number of companies requiring 6 months or more skyrocketing year over year. 

A growing list of exclusions 

As more firms turn to cyber-insurance as a financial safety net for cyber-risk, it’s important to understand that not all incidents are covered when making a claim. Insurers may reject a claim if the business is judged not to have adequate security protocols. For instance, if an organisation fails to implement basic security measures like firewalls or antivirus software, its claim may be denied. 

The scope of exclusions is also adding to the complexity as insurers gather more data from which to base their pricing and policies. Our research found that data recovery and additional security controls were two of the areas most likely to be covered, while ransomware and legal and regulatory fines were likely to be excluded. Notably, larger companies were also more likely to have their claims accepted in most fields. Damage relating to acts of cyber-warfare are also frequently excluded – a challenging issue when attribution is often very difficult.

Policies may also be rendered void if providers determine the company lacked proper security protocols or compliance procedures, or if a breach was due to human error. 

This all means that enterprises must be very clear on what their policy will cover to avoid a nasty shock when a breach does occur. 

Cyber-resilience to achieve insurance coverage

Qualifying for cyber-insurance coverage hinges on an organisation’s ability to demonstrate cyber-resilience. One of the key frameworks that insurers often reference is the NIST Cyber-security Framework. Aligning your cyber-security measures with this framework not only enhances your security posture but also maximises your chances of gaining comprehensive insurance coverage.

Risk assessments serve as the cornerstone of any robust cyber-security strategy. Conducting detailed assessments helps organisations identify vulnerabilities and assess their risk tolerance. This data is invaluable when applying for insurance, as it quantifies an organisation’s cyber-risk profile.

Security controls like Multi-Factor Authentication (MFA) and Identity and Access Management (IAM) are no longer optional, they are prerequisites for securing a comprehensive policy. These controls offer greater visibility and control over account behaviour and system access, which is crucial given the increasing sophistication of cyber-threats.

Another pivotal aspect is developing and maintaining a robust incident response plan. Insurers expect a well-defined response to incidents and by conducting regular simulation exercises and assigning role checklists you can demonstrate to insurers that you have stress-tested these processes. 

Lastly, the concept of continuous learning should be embedded into your cyber-security strategy. Learning from past incidents to improve future resilience is not just good practice, it’s often a requirement for maintaining your insurance coverage.

What next for cyber-insurance? 

The cyber-insurance market is evolving at pace, but the core principle remains unchanged: robust cyber-security measures are indispensable for securing adequate coverage.

As the market stabilises, organisations must not become complacent. Instead, they should seize this opportunity to reassess both their cyber-insurance policies and cyber-security measures. 

Organisations can navigate the complexities of today’s insurance market by aligning with industry frameworks like NIST and investing in cyber-resilience. The goal is clear: to achieve comprehensive coverage that serves as a robust safety net in an increasingly unpredictable security landscape. 

Simon Hughes is RVP Sales Engineering International at Delinea 

Main image courtesy of iStockPhoto.com