A new report released today by privileged access management company Delinea Inc. has found an increased gap in cyber insurance coverage as providers reduce their exposure and organizations ignore the fine print of cyber insurance policies.

The 2023 State of Cyber Insurance report, based on a survey of organizations in the U.S., found that along with the increasing gap in cyber insurance policies, the time and effort to obtain cyber insurance is also increasing significantly, with the number of companies requiring six months or more to get cyber insurance skyrocketing from a year ago.

The increasing difficulty in obtaining cyber insurance is being driven by increasing cyberattacks, with a remarkable 47% of companies polled for the report saying that they made claims on their cyber insurance more than once in the last year. More companies making claims means that the cost of insurance has also increased, with 67% of respondents saying that their cyber insurance rates increased 50% to 100% upon application or renewal in the last 12 months.

For companies fortunate enough to obtain and afford cyber insurance, their ability to claim on their insurance policies is also falling as insurance companies increase their list of exclusions. The exclusions that make cyber insurance coverage void include a lack of security protocols in place in 43% of policies, human error in 38% of them, acts of war in a third of them 33%, and not following proper compliance procedures also in a third.

Many organizations were also found to be hiking their spending on cybersecurity solutions to protect their organizations to meet the increasing requirements for cyber insurance. Nearly all organizations were found to have purchased at least one security solution before their application was approved, 81% received the budget they needed to get their desired cyber insurance policy, and 36% of respondents noted that it’s now a requirement that their company has cyber insurance.

The report notes that given the majority of cyberattacks involve stolen credentials, it comes as no surprise that insurance providers are also now requiring related security controls. Around half of all respondents said that identity and access management, or IAM, and privileged access management controls are required by their cyber insurance policies.

“If organizations don’t already have these access control solutions, it’s time to implement them before they shop for or try to renew cyber insurance,” Joseph Carson, chief security scientist and advisory chief information security officer at Delinea, said ahead of the report’s release. “These are essential security controls to add to cybersecurity strategies, along with basics like anti-malware software, data encryption, firewall and intrusion detection, patching and vulnerability management.”

Theresa Le, chief claims officer at cybersecurity insurance provider Cowbell Cyber Inc., told SiliconANGLE that it’s time that enterprises take a business-focused approach to security.

“Those organizations that take the time to prepare and run risk assessment as part of the cyber insurance process are one step ahead,” Le explains. “When a cyber incident occurs, it is of lesser severity because they are prepared and engage immediately with the resources provided by cyber insurance.”

Businesses should opt for insurers that include a risk assessment of the organization with the goal to remediate identified security weaknesses prior to quoting, Le added. “A thorough process should include industry-specific evaluations such as the use and protection of an operational-technology network in manufacturing or the volume of regulated records — personally identifiable information, protected health information and the like — processed by the organizations in sectors such as healthcare or financial services.

Image: Bing Image Creator