Delinea on Thursday reported that nearly 80% of companies surveyed have had to use their cyber insurance — and more than half have used it multiple times.
The result: insurers are pulling back on covering what’s most needed and today, only about 30% of respondents say their cyber insurance policies cover critical incidents such as ransomware, ransom negotiation, and decisions on ransom payments.
While 40% cited risk reduction for making an application for cyber insurance, 33% claimed it was also because of requirements from top management — and another 25% cited ransomware incidents as a primary driver.
Given the pressure coming from top management and corporate boards, Delinea researchers noted that it follows that 93% of respondents received the budget required to purchase cyber insurance even as 75% noted that premiums increased during the last renewal period.
“Organizations must be cautious and not rely solely on their cyber insurance policies as a silver bullet to reduce risk,” said Tony Goulding, senior director and cybersecurity evangelist at Delinea. “The fact that companies are using their policies more than once is alarming and tells us that organizations aren’t exactly prioritizing their actual cybersecurity strategies and solutions. Similarly, it also tells us that cyber insurers may not be doing enough when it comes to requiring security best practices to be in place and enforced beforehand.”
Think of it this way, said Avishai Avivi, chief information security officer at SafeBreach: if a car insurance company knew that there was an 80% chance that the driver they’re insuring will be in a serious accident, or an 80% chance that the car would be stolen, would it still make sense to offer the coverage?
“More and more cyber insurance companies are requiring their customers to implement specific security controls,” said Avivi. “The challenge is that this doesn’t necessarily guarantee that their customers are properly using these controls.”
Avivi added that cyber insurance providers need to advance beyond simple checklists for security controls. They must require their customers to validate that their security controls work as designed and expected. And, Avivi said, they need their customers to simulate their adversaries to ensure that when they are attacked, the attack will not result in a breach.
“We’re already starting to see government regulations and guidance that includes adversary simulation as part of their proactive response to threats,” Avivi said. “As this trend continues, we foresee that cyber insurance companies will mandate or incentivize companies seeking coverage to implement security validation and adversary simulation as part of their ongoing security program. This will be especially true for customers in regulated industries or with very high-risk digital assets, such as personal data records.”