Cyberinsurance in the Digital Age: Navigating Risks and Realities

The Reality of Cyberinsurance in 2023

Introduction

The cyberinsurance industry has seen significant growth and maturation in recent years. Initially, insurers accepted cyber risk without much scrutiny, resulting in financial losses. Insurers have since become more cautious, leading to increased premiums, exclusions, and refusals. This has created a gap between insurers and insureds: a conflict between what organizations want from insurance and the reality, and between the policies they request and the policies delivered. To understand the impact of this gap, Censuswide surveyed over 300 US organizations for Delinea. The survey aimed to explore the nature of the gap and how it can be closed.

Background and Board Support

The survey revealed that there is strong support and desire for cyberinsurance from boards of organizations. Business leaders understand the value of insurance in transferring risk and mitigating catastrophic losses. Boards often require organizations to purchase cyberinsurance or have contractual obligations to do so, and they are generally willing to fund it. However, board budget support has decreased by 13% from 94% to 81% since the previous year. This may be due to current economic uncertainty but could also be attributed to the increased requirements imposed by the cyberinsurance industry.

Complexity of Acquisition and Exclusions

Insurers now demand that specific security controls be in place before providing coverage. Organizations that have not already implemented controls such as IAM, PAM, MFA, and password management are often required to purchase them. Additionally, insurers may have their own appliances that they want installed in an organization’s IT environment. The complexity extends to policy exclusions, with insurers increasing the number and complexity of situations they do not cover. These exclusions can include lack of security protocols, internal bad actors, certain human errors, failure to follow compliance procedures, acts of terrorism, and failure to report incidents in a timely manner.

Challenges and Court Cases

The survey highlights a potential conflict between compliance requirements and reporting incidents to insurers. Some insurers may refuse to cover costs incurred before an incident is reported. This could lead to court cases, similar to the one Merck faced over the war exclusion clause used to deny its NotPetya claim. Ultimately, courts have the final say in resolving such disputes.

Increased Time and Cost

The complexity and increased requirements in insurance policies affect the time it takes to agree on a policy. The survey found that 45% of respondents expect it will take between one and three months to obtain or renew a policy, down from 60% the previous year. 30% expect it to take between four and six months, and 7% expect it to take more than six months. These delays can create challenges for organizations seeking financial safety nets in the event of cybersecurity incidents.

Importance of Integration and Collaboration

The survey concludes that cyberinsurance cannot be treated as an add-on to cybersecurity. If organizations choose to include cyberinsurance in their risk management strategy, it must be fully integrated with their cybersecurity posture. This integration requires a detailed understanding of risk acceptance, avoidance of factors that can lead to claim denials, and a partnership between the insured and the insurers.

Editorial

The evolving landscape of cyberinsurance poses challenges for organizations navigating the digital age. While cyberinsurance can provide financial protection against cyber risks, the increasing complexity and exclusions complicate the process. Insurers are taking a more cautious approach, necessitating specific security controls and scrutinizing policy exclusions. This elevates the need for organizations to align their cybersecurity posture with their cyberinsurance strategy.

Philosophical Discussion

The insurance industry’s maturation in the cyber domain reflects a deeper understanding of the risks involved and the need to mitigate them. The insurance industry must strike a balance between accommodating the demand for coverage and reducing its own exposure to avoidable and uncontrollable circumstances. However, this balance must not compromise the affordability and accessibility of cyberinsurance for organizations. The philosophical question arises: how can insurers fulfill their role as risk mitigators while ensuring the availability of coverage to those who need it most?

Internet Security

The evolving landscape of cyberinsurance highlights the importance of robust cybersecurity measures. Organizations must prioritize implementing specific security controls demanded by insurers to secure coverage. Additionally, organizations should be aware of policy exclusions and ensure compliance, timely reporting, and adherence to security protocols. Regularly reviewing cyberinsurance policies and assessing whether they align with current needs is also crucial.

Advice

For organizations seeking cyberinsurance, it is essential to approach the process with diligence and a comprehensive understanding of their cybersecurity posture. This includes assessing risk acceptance, complying with security controls, avoiding factors that can lead to claim denials, and maintaining a collaborative partnership with insurers. Moreover, organizations should regularly review their cyberinsurance policies and consult experts to ensure adequate coverage and protection against cyber risks.
