Cybersecurity Insurance Matures

The landscape of cyber insurance is undergoing a maturation process, marked by a notable shift from its early days of accepting cyber risks with minimal scrutiny. This initial approach resulted in financial losses for insurers. However, the tides have changed, and insurers are now raising pertinent questions, leading to higher premiums, more exclusions, and even policy refusals.

As a consequence, a significant gap has emerged between insurers and those seeking coverage—an abyss between insurance aspirations and the stark realities of the insurance landscape. The chasm between policy requests and their actual implementation has prompted a comprehensive study conducted by Censuswide for Delinea, encompassing more than 300 US organizations. The study delves into the intricacies of this cyber insurance gap and explores avenues to bridge it.

The backdrop to this scenario is the robust backing and fervent desire for cyber insurance emanating from corporate boards. Business magnates grasp the essence of insurance, the art of risk transfer, and the capacity of insurance to mitigate catastrophic losses. Boards, at times, mandate their organizations to procure cyber insurance, and contractual obligations also contribute to its adoption. Moreover, board members are generally inclined to allocate resources to fund this vital safeguard.

Nonetheless, budgetary backing from boards has dwindled by 13%, dropping from a 94% support rate to 81% compared with the previous year. While this trend might be partly attributed to prevailing economic uncertainties, the intensified demands of the cyber insurance industry have likely played a role.

The survey reveals that 67% of respondents reported a surge in cyber insurance costs, with figures rising between 50% and 100% in 2023.

The landscape of insurance acquisition has grown more intricate, with insurers mandating specific security measures prior to extending coverage. In cases where these controls are absent, they must be procured. A significant portion of these measures revolves around access management, encompassing IAM, PAM, MFA, and password management. A considerable 55% of respondents indicated that insurers stipulated the use of their pre-approved solutions. Additionally, some insurers furnish their proprietary appliances for installation within an organization’s IT environment.

Exacerbating the complexity are the exclusions imposed by insurers. Experience has led to the expansion of situations not covered by policies. The war exclusion clause, highlighted by the NotPetya/Merck incident, is a prime example. Other exclusions involve the absence of security protocols, internal malefactors, certain human errors, non-compliance, acts of terrorism, and delayed reporting to the insurer. Any of these factors have the potential to void coverage.

The refusal of claims based on policy exclusions could very well trigger legal battles akin to the one Merck undertook against the war exclusion clause that was used to deny its NotPetya claim. Ultimately, the courts will render the final verdict.

The elevation of cost and complexity in insurance policies has repercussions on policy agreement timelines. A substantial 45% of respondents anticipate a one-to-three-month span for policy acquisition or renewal (a decrease from 60% the previous year). Meanwhile, 30% envisage four-to-six-month periods (unchanged from the previous year), and 7% expect policies to take over six months to finalize (a rise from 0.46% the prior year).

Joseph Carson, Delinea’s Chief Security Scientist and Advisory CISO, reflects on this evolution: “Over the past year, it’s become evident that cyber insurers are learning from their data and are now maturing. In the early days of cyber insurance, they were just trying to address a huge demand, but now they realize they must reduce their own exposure to both avoidable and uncontrollable circumstances.”

The survey findings emphasize that the integration of cyber insurance into an organization’s risk management is no longer a mere appendage to cybersecurity. It demands a profound integration into the fabric of an organization’s cybersecurity posture. This necessitates an in-depth comprehension of risk acceptance and a strategic avoidance of scenarios that could trigger claim denials due to intricate exclusions.

Above all, it necessitates a symbiotic partnership between insurers and the insured, wherein the insurer plays the leading role.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
