80% of US firms have claimed on cyber-insurance, says study
Four in five organizations in the US have already called in their cyber-insurance policies to mitigate an attack or related incident and half have done so multiple times, according to research by Delinea.
The company surveyed around 300 IT professionals in American businesses to get the results, and found that insurance firms are jacking up their rates by as much as 300% to reflect the increasing risks of covering beleaguered businesses struggling to cope with cyberattacks.
“Demand for cyber-insurance continues to increase as more companies try to offset their risk,” said Delinea. “Meanwhile, insurers are recoiling from overexposure – it’s been widely reported that carriers are raising rates and requirements.”
“Cyber insurance has become ubiquitous, driven by requirements from the Board of Directors,” it added, with seven in ten such decision-making bodies investing.
Intriguingly, 93% have their applications accepted, suggesting that insurers aren’t too worried about any potential big payouts on future claims. That said, they are nevertheless insisting that policy holders have their cybersecurity basics down.
“To contain risk, insurers are mandating that policy holders have core security tools and practices in place,” said Delinea.
Which raises the research company’s next question – why are nearly 80% of organizations still suffering breaches that oblige them to claim on their insurance?
Delinea pointed to other research data showing the average cost of a breach had risen to $4.35 million this year, a 12.7% rise from $3.86 million in 2020.
Insurers are getting tougher
And while those who seek cyber-insurance generally get it, there are signs that the rising trend in ransomware attacks and the like is prompting insurers to think twice.
“Carriers are raising premiums – some by 300% at renewal – and lowering coverage, particularly for sectors often targets for ransomware, such as education, public and government, healthcare, construction, and manufacturing,” said Delinea, citing another report by market research firm RPS.
That may not deter organizations from seeking peace of mind: Delinea found that 95% manage to secure the budget they need to obtain cyber-insurance.
But it warns companies that an insurance policy is no substitute for good cyber-hygiene, and also cautions them to read the small print, as it can vary widely from one provider to another.
“It’s clear that having a cyber-insurance policy in place may not be sufficient to meet your need for cyber-resilience and business continuity,” it said. “Not all cyber-insurance practices are equal. Some require a simple self-assessment approach. Others require an in-depth assessment to confirm that security tools and practices are indeed in place and functioning as intended.”
Delinea urges organizations to avoid taking a simplistic “check-the-box” approach to cybersecurity and focus instead on making sure they have the right tools and measures in place for their specific industry.
“Filling out an insurance checklist is not the goal, it’s one step toward securing the future of your organization,” it said. “Also make sure you’re choosing security tools wisely and using them to the fullest. Monitor and audit your security controls to be sure they’re working as you expect. Reduce your risk as much as possible and prepare your organization to respond before an attack becomes a cyber-catastrophe.”