According to a cybersecurity company’s report published on Tuesday, rates for cyber insurance policies are rising even as their scope of coverage is being reduced by an increasing number of exclusions.
More than 300 organizations in the United States were polled by Censuswide for the privileged access management company Delinea, and nearly four out of five (79%) reported rising insurance costs. More than two-thirds (67%) reported that when they applied for or renewed their policies this year, their cyber insurance premiums had increased by 50% to 100%.
According to Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, “over the past year, it has become clear that cyber insurers are learning from their data and are now maturing.”
Insurers were merely trying to meet a tremendous demand in the early days of cyber insurance, he said, but now they recognize they need to lessen their exposure to both avoidable and uncontrollable events.
According to the results of our poll, most firms are only interested in becoming insured when it comes to cyber insurance, he said. What they fail to check is whether the coverage they had last year is still appropriate for their current needs or whether it was altered at renewal.
When a cybersecurity event occurs and firms desire to use this financial safety net, he continued, “This ‘cyber insurance gap’ could put many organizations in a difficult position.”
In the same manner that attack vectors change, risk evaluation and cyber insurance will always be in flux, according to Bud Broomhead, CEO of Viakoo, a Mountain View, California-based company that offers automated IoT cyber hygiene.
“Recent changes, such as the shift of threat actors exploiting vulnerable IoT/OT devices and more open source vulnerabilities are driving insurers to adapt their risk models and to also impose conditions on the insured, like requiring automated cyber hygiene for non-IT devices and systems,” he told TechNewsWorld.
Exclusion Explosion
Limiting the coverages of their cyber insurance policies through exclusions is one way insurers are lowering their exposures. According to the Delinea analysis, there are an increasing number of exclusions that render a cyber policy’s coverage worthless.
Lack of security processes was cited as the primary cause for excluding coverage in policies by survey participants (43%), followed by human error (38%), acts of war (33%), and improper compliance procedures (33%).
Exclusions might reduce a company’s perception of the value of having cyber insurance. “Any exclusion that excludes social engineering scams or human error essentially kills that policy, because most cyberattacks are related to those two root causes,” emphasized Roger Grimes, a defense evangelist at KnowBe4, a security awareness training company in Clearwater, Florida.
“Seventy to 90 percent of all successful cyberattacks involve social engineering,” he said to TechNewsWorld. Any exclusion that limits social engineering effectively eliminates your chances of receiving compensation.
According to Jason Dettbarn, founder and CEO of Addigy, a Miami-based company that creates an Apple device management platform, “exclusions lower the overall value of a policy because they narrow the true scope of coverage.”
But more crucially, he told TechNewsWorld, “very few companies meet the core underwriting requirements.” “They don’t internally use the proper cyber/IT management tools or procedures.”
Onus on Victims
According to Carson, businesses must comprehend the policy’s fine print to ensure their claim will be accepted given the growing list of exclusions and limits.
It is crucial to know the proper method before you need to apply it in the middle of a cyberattack, he added, since if firms don’t follow it, they may end up with incident or data breach costs that aren’t covered as part of the claim.
“The big question will be how many of those exclusions will hold up in court after the key court case earlier this year with Merck winning regarding the ‘hostile/warlike action’ exclusion clause shouldn’t be applied to a cyberattack on a non-military company — even if it originated from a government,” he continued.
The rising costs of cyber insurance, according to Darren Williams, CEO and founder of Cheyenne, Wyoming-based BlackFog, a company that creates on-device, anti-data exfiltration technology.
Due to the numerous exclusions, he told TechNewsWorld, “we are seeing many small businesses choose to forego coverage altogether and instead invest in proactive cybersecurity solutions.”
According to this research, human error is inevitable and one of the main reasons for ransomware attacks, and acts of war can be broadly construed if insurers so choose.
He stated, “In addition, exclusions paired with recent pronouncements from jurisdictions barring ransomware payouts make insurance of minimal use.
The burden of preventing data exfiltration ultimately rests with the victim, thus the risk to the business must be carefully considered, he continued.
Operational Necessity
However, businesses who forgo cyber insurance do so at their own risk. Dettbarn noted that “cybersecurity is almost a requirement for any business that holds customer data and is susceptible to a data breach or ransomware attack.”
Theresa Le, chief claims officer at Cowbell, a Pleasanton, California-based provider of AI-powered cyber insurance for SMBs, stated that “today, cyber insurance is highly recommended.”
Businesses still face lingering cyber threats because of system misconfigurations, personnel mistakes, or other unintended security breaches, she said in an interview with TechNewsWorld. “It is becoming more and more common for contractual agreements to require cyber coverage.”
One of the report’s most startling facts, according to Carson, is the rise in the percentage of businesses who used their cybersecurity insurance more than once, from 41% in 2022 to 47% in 2023.
This once again demonstrates that having cyber insurance does not guarantee improved security; rather, it serves as a safety net for money in the event that security disasters do happen, he said.
On the plus side, he continued, “insurance companies are developing with better data and insights into what is necessary to make businesses more resilient against cyberattacks, and their policies are now requiring better security best practices from businesses before they can even become insurable.
