Delinea’s annual State of Cyber Insurance report is out, and in a nutshell: cyber insurance is still expensive, harder than ever to get, and the situation will probably not change for at least a couple of years.
The market is particularly hard on small businesses, who are increasingly being left with inadequate coverage options. New security requirements are a particularly big barrier, and policies are now all but guaranteed to have at least one major exclusion that will have to be budgeted for in some other way.
Cyber insurance demand continues to outstrip coverage offerings
Organizations are both seeking and using cyber insurance at higher rates than ever, with instances of multiple insurance claims by one organization increasing in the past year from 41% to 47%. Small businesses that do have coverage use it at even higher rates.
Organizations are having the greatest degree of trouble obtaining coverage for regulatory fines, legal fees and lost revenue. Ransomware also remains a thorn in everyone’s side, but what individual insurers offer can vary greatly. A business might be asked to meet some stringent security requirements to qualify for coverage, might be told that ransomware payments must be pre-authorized by the insurer or that they are entirely forbidden, or they might not be able to get any ransomware coverage whatsoever.
Budget increases to cover cyber insurance and costs are common, but not as common as they were last year. 81% of survey respondents said that their budget for cyber insurance was increased, but 94% saw a budget increase the prior year.
Market correction continues to torment cyber insurance buyers
The cyber insurance market is experiencing a necessary correction given the recent changes in the threat landscape, particularly the acceleration of ransomware and data theft caused by the Covid-19 pandemic. That is small comfort to those that need coverage, however. The average data breach cost continues to rise into the multiple millions of dollars throughout much of the world, meaning that going without coverage is not really a viable option.
Even large businesses able to qualify for (and afford) their desired level of coverage are being hit with mandatory exceptions that could prove quite expensive. The more than 300 organizations that responded to this year’s Delinea survey all said that they are subject to at least one exclusion that can void coverage, and are dealing with at least one related expense that is not covered by their insurer.
Costs are up for most, and well over half are paying a much steeper price than in the past. 79% of the respondents said that their rates had gone up since last year, and 67% reported that increase being anywhere from 50% to 100%. This is after a likely added cost for security technology investments to meet new requirements for insurer approval (all but 4% said they had to purchase something new in this area to qualify).
The struggle is toughest for small businesses. 28% had an application denied in the previous year, with large businesses experiencing a much higher rate of success. When small businesses are denied, just under half of the time it is for not having the security solutions that the insurer now requires.