Cyber-insurance providers appear to be limiting policy coverage due to surging costs from claimants, according to a new study from Delinea.
The security vendor polled 300 US-based IT decision makers to compile its latest report, Cyber-insurance: if you get it be ready to use it.
Although 93% were approved for specialized cyber-insurance cover by their provider, just 30% said their policy covered “critical risks” including ransomware, ransom negotiations and payments.
Around half (48%) said their policy covers data recovery, while just a third indicated it covers incident response, regulatory fines and third-party damages.
That may be because many organizations are regularly being breached and look to their providers for pay-outs, driving up costs for carriers. Some 80% of those surveyed said they’ve had to call on their insurance, and half of these have submitted claims multiple times, the study noted.
As a result, many insurers are demanding that prospective policyholders implement more comprehensive security controls before they’re allowed to sign up.
Half (51%) of respondents said that security awareness training was a requirement, while (47%) said the same about malware protection, AV software, multi-factor authentication (MFA) and data backups.
However, high-level checks may not be enough to protect insurers from surging losses, as they can’t guarantee customers are properly deploying security controls, claimed Avishai Avivi, CISO at SafeBreach.
“Cyber-insurance providers need to start advancing beyond simple checklists for security controls. They must require their customers to validate that their security controls work as designed and expected,” he argued.
“They need their customers to simulate their adversaries to ensure that when they are attacked, the attack will not result in a breach. In fact, we're already starting to see government regulations and guidance that includes adversary simulation as part of their proactive response to threats.”