Last year, 79% of companies said their cyber insurance costs had increased since their latest application or renewal. In our most recent survey of 300 cyber insurance customers, that percentage dropped significantly. This year, only 50% of respondents said they experienced higher costs, while 45% said cyber insurance costs stayed the same and 5% said they decreased.
This finding reflects trends reported by Moody's, the debt rating agency, and Munich Re, a major reinsurer. Cyber insurance prices that in some cases doubled in 2021 and 2022 have been declining for a year. Price corrections and policy customization are markers of an industry that is rapidly maturing.
In the current environment, what makes the difference between companies that must find additional budget for cyber insurance and the lucky ones that can direct the savings to other initiatives?
In this blog, we’ll share the experiences of survey respondents, explore the potential factors that influence cyber insurance costs, and provide recommendations for lowering your own.
The insurance market has become more competitive in the past year, with new entrants and variations in policies, endorsements, and exclusions. Underwriting appetite has expanded as the market has matured. Notably, multiple insurance providers have acquired consulting practices and increased their in-house cyber risk assessment expertise.
It’s important to note that insurers tend to restrict coverage for specific events or conditions, which means that lower prices may in fact mean less coverage. Some companies have multiple cyber insurance policies to cover different types of cyber risks and threats.
Not everyone gets the same insurance rate. Your rate is determined by how risky the insurance company considers you to be, that is, your risk profile. In the case of cyber insurance, your risk is influenced by factors such as your technology stack, security controls, and history.
When insurance companies see that you’ve established best practices and implemented proven security solutions, they lower your risk profile. To reduce identity-related risk, authentication, authorization, and governance are key. If you can demonstrate visibility over your entire identity attack surface and prove that identity-related security controls are working as expected, you may be able to successfully lower your rates, while also maintaining or even increasing your coverage.
So, why might costs rise?
Rising costs could mean that policyholders are requesting higher limits of coverage due to an increased risk profile. They recognize the business impact they’ll need to shoulder if they experience a cyberattack and want to transfer that risk. Based on IT complexity and risk profile, insurance companies may be raising prices for all policyholders to ensure sufficient liquidity in case a number of claims come in at once.
The survey results show that forward-thinking companies are reaping the benefits of AI to negotiate lower cyber insurance rates. Others are focusing on adopting and implementing the fundamentals of strong identity security.
The survey found that half of companies are using AI-supported threat detection and monitoring to reduce their cyber insurance premiums. Companies are adopting AI to ensure cybersecurity solutions and policies are working as expected and to contain incidents in progress, so that they can reduce the dwell time of threat agents and the blast radius of attacks.
While most of the recommendations included in the report focus on reducing your payments to insurance companies or brokers, it’s also important to consider the cost of internal resources you allocate to the process.
For example, you’ll need to dedicate resources to complete insurance assessments and demonstrate evidence of effective cybersecurity. Complexity in the IT environment makes assessments harder to complete, with disjointed audit and reporting solutions extending the time and manual work to aggregate information and put together a full picture of risk. As the number of identities operating in your environment increases, more resources are required to accomplish these tasks.
Cybersecurity solutions that quickly and comprehensively assess a complex IT environment can deliver risk-based reports to share with insurance providers. This makes your processes more efficient and can significantly lower your cyber insurance costs.
To help you prepare, Delinea has aggregated questionnaires from leading insurance companies and highlighted the questions they frequently ask as part of their risk management submission process. This guide, Insights into Enhanced Cybersecurity Insurance Requirements, examines increasingly stringent insurer requirements for identity security, including Multi-Factor Authentication (MFA), password management, access control, privilege elevation, session management, least privilege, and zero trust policies.
Learn more about how companies are addressing these challenges to obtain and maintain cyber insurance. What you learn will help you prepare for your next security assessment and lower your costs.