The time and effort required to obtain cyber insurance is increasing significantly for US organizations, with the number of companies requiring six months or more rising year over year. That’s according to Delinea’s 2023 State of Cyber Insurance report, based on a survey of more than 300 organizations. The research highlights a significant gap between insurance carriers and businesses that are scrambling to get affordable, comprehensive coverage, while many organizations are continuing to invest in cybersecurity solutions to meet requirements for cyber insurance policies.
Separate Forrester research recently found that while most enterprise security technology decision-makers have some kind of cyber insurance coverage, only 26% have a standalone policy. What’s more, cyber insurance has an impact on service provider selection, with insurance carriers typically maintaining a panel of preferred providers in areas like incident response, ransomware negotiation, and payments. Almost three-quarters (70%) of enterprises with cyber coverage said their insurance carrier required them to select from their panel of providers, according to the research.
The cyber insurance landscape has seen significant change recently. As the frequency and severity of ransomware, phishing, and denial-of-service (DoS) attacks have increased, demand for and conditions relating to coverage have evolved. Policies are becoming more diverse, complex, expensive, and harder to qualify for, presenting CISOs and their organizations with new challenges and considerations for optimal cyber insurance investment.
More time and effort required to get cyber insurance
The time and effort to obtain cyber insurance is increasing for many of the organizations surveyed in Delinea’s report. The percentage of respondents reporting that the process to get cyber insurance took more than six months increased from 0.46% in 2022 to 7% in 2023.
Insurance questionnaires and calls with risk analysts require significant knowledge of IT systems, forcing staff to take time away from keeping systems running and supporting employees/customers to answer them, according to the report. Furthermore, internal-only assessments may not be good enough for insurance companies to take on risks, with many companies also needing external support to obtain cyber insurance. More than half of respondents said that providers require them to conduct an external evaluation, and 55% had to use a provider-approved solution.
Cyber insurance rates increasing, companies still willing to invest
Almost eight out of ten respondents (79%) said their insurance rates increased upon application or renewal, with over two-thirds (67%) reporting that they increased 50% to 100%. Despite increases, boards of directors and executive management teams are mandating that companies obtain cyber insurance, with 81% of respondents allocated additional budget to get cover. A contributing element is the need to invest in cybersecurity solutions to meet increasing requirements for cyber insurance, the report said. Almost all (96%) organizations purchased at least one security solution before their application was approved. About half of respondents reported purchasing identity and access management (IAM), privileged access management (PAM), and multi-factor authentication (MFA) tools, as required by their cyber insurance policies.