New data on the state of cyber insurance shows that it’s becoming more difficult to get a policy, and the organizations that obtain one report circumstances that can cause claims to be denied.
It seems that every organization is either obtaining or seeking cyber insurance as another required part of its cybersecurity strategy. As insurers continue to learn from the claims stemming from their issued policies, some new trends are emerging. According to cybersecurity vendor Delinea’s 2023 State of Cyber Insurance report, cyber insurance is creating a gap that may make the case that tighter security controls are the better answer.
Let’s start with obtaining a policy. It’s not as simple as getting, say, car insurance:
- 28% of organizations with fewer than 250 employees who applied were denied coverage
- 63% of larger organizations had to use insurance-provided solutions/appliances
- 67% of organizations say it took 4 months or longer to obtain a policy
- 69% of organizations have experienced an increase in cyber insurance premiums of 50% to above 100%
And once organizations have the policy, it isn’t as easy as placing a claim and having it covered. According to the report, 79% of organizations have needed to place a claim with their cyber insurer, and yet the following were some of the reasons claims were denied:
- Lack of security protocols in place (experienced by 43% of organizations)
- Human error (38%)
- Not following compliance procedures (33%)
- Not reporting to the insurer first (31%)
The gap created is between rising costs (both premiums and additional required solutions) and the increased denial of claims. In essence, it feels like we’re paying more for a service we’re not going to be able to take advantage of. What’s also interesting is the increasing requirement for additional security solutions, and yet it’s people-related mistakes (as denoted by three of the four bullet points) that are the reasons for denials.
It’s the human element that we can speak to. By educating your users through new-school security awareness training, which is designed to increase their vigilance when interacting with malicious content in email and on the web, organizations can reduce the risk of a successful attack in the first place, in turn negating the need to place an insurance claim at all.