Organizations are Embracing Cyber Insurance, But It’s Not Easy: Survey – Source: securityboulevard.com

The growing number and sophistication of cyberattacks and the financial impact such incidents can have a company’s financial picture are driving more organizations to take out cybersecurity insurance, according to a survey from endpoint management firm Recast Software.

However, buying cyber insurance can be a difficult undertaking as businesses try to comply with insurers’ requirements and to get an accurate assessment of their risks and insurance needs, the survey found. As cyber insurance becomes a business necessity, insurers need to do better helping them ensure that their needs are covered.

“We conclude that, according to the research, insurers need to be more proactive in helping organizations understand their cyber risks,” Recast CEO Will Teevan told Security Boulevard. “Currently, they are relying on questionnaires of security policies and practices. A more rigorous assessment could help organizations improve their cybersecurity posture and help prevent cyberattacks.”

Cyberattacks are becoming costly problem for businesses of all sizes and there doesn’t appear to be a slowdown coming anytime soon in either sophistication or number. According to an IBM report last year, the global average cost of a data breach in 2023 was $4.45 million, a 15% jump over three years. Half of organizations plan to spend more on cybersecurity after a breach.

Of the 631 IT and security pros surveyed in Recast’s report, 41% said their organization saw an increase in the number of security incidents in 2023 and 61% said the total cost of the attacks averaged $21 million.

An Insurance Market on the Rise

Given that, it’s not surprising that the cyber insurance space is expected to boom in the coming years. According to analysts with Fortune Business Insights, the global market was $13.33 billion in 2022 and is expected to grow to $84.62 billion by 2030.

Of respondents in Recast’s survey, 76% said their organizations have completed buying insurance, with 24% saying their companies in are in the process.

“The cost of a single data breach, ransomware attack or other security incident can adversely impact the most solid financial balance sheet,” Larry Ponemon, founder and chairman of Ponemon Institute, which conducted the survey for Recast, said in a statement. “The growing threat from sophisticated cybercriminals targeting organizations of all sizes has elevated cybersecurity insurance from an IT security concern to a critical business priority, demanding the attention of senior leadership and boards of directors.”

The survey looked at the security posture of organizations and the benefits and challenges that come with cyber insurance. In all, 75% of respondents expect their organizations’ exposure to attacks will increase (47%) or stay the same (28%), with the growing number of attacks (41%) and concerns about their financial impacts (40%) driving the need for insurance.

Other drivers included experiencing at least one data breach (33%), business partners requiring the insurance (23%), and concerns about their ability to manage a cyberattack (22%).

Assessing the Security Posture

In addition, only 49% said their security posture – being able to mitigate risks, vulnerabilities, and attacks – was very effective, with such issues as ineffective cybersecurity tools, IT complexity, and the inability to patch flaws in a timely manner holding them back.

There also were holes in how these organizations assess their level of risk. Forty percent said they conducted a formal assessment or had a third party do it for them. However, 39% said they either go by their gut feel or don’t do any assessment at all.

Having cyber insurance helped, with 49% saying their security posture improved as a result. That said, 45% noted that the number of attacks has stayed the same while they had cyber insurance, and 44% said their IT security costs remained the same.

Hurdles to Cyber Insurance

Respondents also were asked about challenges to getting insurance. Only half said their insurance company assessed their organizations’ security posture. When they do, the top ways of doing so was ensuring the organization had an adequate cybersecurity budget (65%), seeing evidence of security and training programs (52%), and the effectiveness of the incident response team and ability to detect and prevent attacks (45% for each).

In addition, most insurance companies assess the risk from a distance, with 58% of respondents saying the companies relied on a questionnaire. Only 45% said insurers conducted an on-site assessment.

Another hurdle to getting coverage are the requirements that insurance companies put on organizations, with 50% of respondents saying it was difficult to comply.

“More than half (51 percent) of respondents say the insurance company requires regular scanning for vulnerabilities that need to be patched,” the report’s authors wrote. “Forty-three percent of respondents say they are required to scan more than once per day (13 percent), daily (17 percent) or between 2 and 3 times per week (13 percent).”

Requirements are Tough to Meet

Many insurers require certain security practices and technologies, such as enough staff to support programs and policies (49%) and multifactor authentication (MFA) for remote access (48%). Other requirements include an adequate budget, identity and access management (IAM) and privileged access management (PAM) tools, and backup procedures.

Overall, 50% said it was difficult to comply with the insurers’ requirements and 46% said it was difficult to afford cybersecurity insurance. When they do get insurance, 65% said they buying anywhere from $6 million to more than $100 million, and doing so based on either the maximum available from the insurance market (35%) or an informal or ad hoc risk assessment (31%).

On average, those who bought cyber insurance coverage kept it for two years, “which gives them an understanding of the benefits and effectiveness of cyber insurance,” the report’s authors wrote. However, there were a number of reasons why organizations changed insurers, from the policy being cancelled (25%) and the policy being too expensive (21%) to the organization finding another insurer with better coverage or cost and their current insurer having to many exclusions and restrictions.

The requirements insurance companies have when it comes to cyber insurance aren’t going to lessen and businesses will need to adjust if they want coverage, Recast’s Teevan said.

“Organizations that subscribe to cyber insurance policies need to be better equipped with resources and solutions to be able to meet the growing demands for achieving the minimum security thresholds,” he said.