The annual Delinea State of Cyber Insurance Report is out, and what it portrays is most definitely a seller’s market. This should be no surprise for those who paid attention to the reports of the past two or three years, or simply those who have had to shop for business ransomware coverage recently.
But the report provides firm data, and what it shows is that coverage continues to become harder to obtain even as demand and prices continue to increase. For some small businesses, even a meaningful level of partial coverage might be out of reach at this point.
Cyber insurance contraction continues after years of record ransomware payouts
The current state of the cyber insurance market can be traced directly to the strong resurgence of ransomware since the mid-to-late 2010s, and particularly to the free-for-all that took place during the early part of the Covid-19 pandemic. Average costs of data breaches have only continued to climb since then, now sitting at about $4 million, and it has simply become unsustainable for even the largest insurers to offer full and easy coverage to all comers.
A correction was clearly necessary, but the pendulum has now swung very hard in the other direction. The “new normal” for most companies is cyber insurance exclusions that will void coverage, expenses that are not covered, and security requirements to obtain coverage.
The Delinea survey incorporates responses from over 300 US-based organizations in security, IT, legal and compliance fields. Of these, every single respondent said that they now have at least one exclusion that can void their coverage, and at least one attack-related expense that they simply cannot include in their policy.
In addition to having to budget extra for attack costs, organizations are facing nearly universal policy cost increases. 79% of respondents said their cyber insurance rates had gone up in the past year, and 67% said that increase was between 50% and 100%. Those seeking a new policy are also looking at increased investment in cybersecurity solutions as a prerequisite for being approved; 96% said they had to purchase at least one new security solution as a condition of their policy.
And the smaller a company is, the longer it should expect to take to get cyber insurance in place. In the space of just one year, 21 times as many companies are now taking over six months to find a policy; 28% of small businesses say they have had applications denied (as compared to 8% of large businesses). And when larger businesses are denied, nearly half of the time it is due to correctable human error; 40% of small businesses are denied for not having the required security solutions in place.
Cyber insurance more expensive, more necessary than ever
The number of organizations that have made use of their cyber insurance multiple times increased from 41% to 47% since last year, and a little over half of small companies are in this boat despite their increased difficulties in obtaining proper coverage.
What expenses are organizations being forced to pay out of pocket? “Data recovery” is the element that is most commonly covered, but what constitutes “recovery” varies by insurer. Some insurers now require that they be the ones to decide whether or not a ransomware payment can be made, and some are simply forbidding payments or even dropping ransomware coverage entirely. Organizations are most likely to be on the hook for legal fees, fines and lost revenue. And though larger companies face greater costs in the wake of an incident, they are still much more likely to have comprehensive cyber insurance than small businesses.
Despite the rise in costs, 81% of organizations reported a budget bump to cover cyber insurance. However, that is down from 94% in 2022. Support from boards of directors remains strong across the board, as executives worry about stakeholder confidence and company reputation in a very adverse threat landscape.