Cyber insurance alone is not enough

A study shows that company management and boards are increasingly urging companies to take out cyber insurance and are allocating corresponding budgets. But these policies cover critical risks less and less.

According to a Bitkom study, 90 percent of all companies in Germany have already been victims of data theft, espionage or sabotage. The annual damage from this exceeds 200 billion euros. Cybercrime in particular is on the rise. So it’s no wonder that companies are looking for ways to protect themselves.

Cyber insurance is the trend

Executives and board members in particular see cyber insurance as a good way to reduce costs associated with potential security breaches. Delinea, a provider of IT security solutions, found in a survey that nearly 70 percent of companies surveyed had applied for cyber insurance, which was approved in 93 percent of cases.

The deciding factor in favor of cyber insurance for 40 percent of IT managers was a desire for general risk mitigation. 25 percent specifically cited recent ransomware incidents as the main reason. 33 percent said they sought insurance at the behest of senior management or the board.

93 percent of IT professionals got the budget they needed to purchase a cyber policy, although premiums have increased in 75 percent of cases since the last renewal.

Cyber insurers cut benefits

Nearly 80 percent of companies that have purchased cyber insurance report having already filed claims with their insurer, more than half of them multiple times.

As a result, insurance companies are cutting benefits and increasingly pulling back from covering critical risks. For example, damage caused by ransomware or costs for data recovery are no longer covered by the policy for around 50 percent of the companies surveyed.

Insurance alone is not enough

The survey makes clear that insurers are increasingly requiring companies to implement a broader range of security controls. This is intended to reduce the number of customers making claims.

Fifty-one percent of respondents cited conducting cybersecurity training and 47 percent cited implementing or enforcing malware protection, antivirus software, multi-factor authentication (MFA), and data backup as requirements for obtaining cyber insurance.

When asked how they meet or have met insurers’ privileged access management requirements, 43 percent said they already had appropriate solutions in place, but 42 percent had to upgrade when it came to PAM.
