Cyber insurance has been around longer than most of us think. When American International Group (AIG) launched the first cyber insurance policy in 1997, it stepped into completely unknown territory to gain market share. Now, 26 years later, cyber insurance has made the transition from an idea pitched to 20 people, to a strategic necessity, largely driven by executive leadership.
Although cyber insurance could still be considered a nascent area of the market, getting a policy is now a priority for many company boards to reduce any financial losses resulting from a security incident and reassure stakeholders and investors.
There’s also clear evidence that companies increasingly rely on their policies. New research from Delinea found that almost half (47%) of businesses used their policy more than once in the last year, with a seven percent increase from 40% the previous year. With the average data breach cost now standing at $4.45 million, insurance can provide crucial support in covering payments for legal services, remediation and investigations.
While insurers are bringing new products to the market, they are increasingly tightening the requirements for prospective and existing policy holders for the cyber risks they underwrite, asking organizations to demonstrate a high level of security preparedness to gain coverage.
In this scenario, thorough planning ahead of the application process ensures that organizations are in the best position to get coverage and reap the benefits of their policy. So, what are the priorities and the key security factors at play to ensure organizations can improve their chances of qualifying?
The dynamic cyber insurance market
While in the UK adoption rates of cyber insurance vary significantly depending on the size of an organization, the US has seen a notable spike in demand across many markets for the past two years, with premiums increasing by 50% in 2022, in large part due to increasing ransomware attacks. And as more organizations seek cyber insurance policies to act as a financial safety net, it has been estimated that the global cyber insurance market could double in value to reach $40.3 billion by 2027.
On one hand, these figures indicate that more companies are proactively taking steps to shield their businesses, but on the other they also show that prices are sharply increasing. After initial fierce competition among insurers vying to offer the most attractive terms to potential clients, providers have been learning from their data and their losses and have started to reduce their risk exposure. They are closely scrutinizing applications and increasing the number of requirements needed to secure a policy at a reasonable premium.
Our own research has shown that the number of organizations requiring six months or more to qualify for cover has been growing steeply, as has the list of exclusions that could make cyber insurance coverage void. This is the case not only for new applicants, but also for companies wanting to renew their policies, who should be more aware of the fine print and have clear insight into what they are covered for, and when they can and cannot make a claim.
Ensuring cyber insurance readiness
As underwriters get to grips with the complexity of cybersecurity, comprehensive cyber risk governance from applicants has become a prerequisite for coverage.
Insurers in the US, for example, are increasingly referencing the NIST cybersecurity framework when determining policy requirements. As such, there are several key areas that organizations should focus on to improve their chances of securing a premium.
Businesses must thoroughly understand their specific cyber risks before seeking coverage. This means conducting detailed cybersecurity risk assessments to pinpoint vulnerabilities and determine their organization’s cyber risk tolerance.
Insurers expect organizations to demonstrate robust measures – such as malware defense layers and a clear data security and maintenance strategy – to protect their critical assets. Identity security is particularly important, with just under half (49%) of companies in Delinea’s research reporting that Identity and Access Management (IAM) and Privileged Account Management (PAM) controls were required by their policies.
IAM and PAM give organizations greater visibility and control over how accounts are used and how identities are behaving and accessing systems – a critical capability when so many attacks focus on exploiting identity. Controls such as Multi-Factor Authentication (MFA) should likewise be in place as a standard.
Attack detection and response
Cyber insurers also prioritize an organization’s capability to detect risks and breaches, especially those involving endpoints like laptops and cloud servers. This means that advanced security tools that can deliver timely detection and response to incoming security threats, as well as comprehensive monitoring and alerting systems for potential misuse on workstations and servers, are vital for protecting the company and getting coverage.
Additionally, insurers pay close attention to incident response plans, anticipating a robust strategy that aligns IT, security, and developers for a swift, effective reaction to cyber threats. Devising thorough plans, with role checklists and response measures, and organizing regular simulation exercises will enhance organizations’ incident readiness and show insurers that they are genuinely prepared.
Finally, post-attack recovery plans also play a significant role in coverage viability. Insurers rigorously evaluate how an organization plans to restore operations after a breach, and how it will use cyber incidents both to reassess its strategy and as a learning opportunity for all employees to improve the company’s security posture.
Cyber insurance is becoming an indispensable asset with cyber risk levels showing no sign of abating. However, obtaining this coverage requires more than just filling out an application. Businesses must demonstrate a proactive approach to cybersecurity, aligning with industry best practices and frameworks. As the cyber insurance market evolves, one thing remains clear: thorough preparedness is not just a requirement—it is a necessity.