451 Research Market Insight Report Reprint
Cyber insurance requirements are influencing security product procurement – Highlights from VotE: Information Security
by Daniel Kennedy
Our Voice of the Enterprise: Information Security, Cyber Insurance 2023 study explores the usage of cybersecurity insurance policies as a method of risk transfer for enterprise security programs, including the rise in premiums, the coverage offered and the relative difficulty of coverage requirements. This report, licensed to Blumira, developed and as provided by S&P Global Market Intelligence (S&P), was published as part of S&P’s syndicated market insight subscription service. It shall be owned in its entirety by S&P. This report is solely intended for use by the recipient and may not be reproduced or re-posted, in whole or in part, by the recipient without express permission from S&P.
Introduction
The Voice of the Enterprise: Information Security, Cyber Insurance 2023 study explores the usage of cybersecurity insurance policies as a method of risk transfer for enterprise security programs, including the rise in premiums, the coverage offered, and the relative difficulty of coverage requirements.
THE TAKE
Cyber insurance remains a sought-after risk transference strategy for enterprise security leaders, but the market for acquiring insurance remains complex to navigate. Most of that complexity is due to the shift and growth in ransomware, from the opportunistic encryption of data and demands for payment for a decryption key, to focused multi-strategy monetized intrusions demanding eye-popping payments. The rise in such payments and related damages has led some insurance providers to decline to cover ransomware attacks, require specific attribution or declare certain attacks “acts of war” and thus outside coverage, or become increasingly specific about what’s covered. Some of these coverage issues will have to work their way through the courts as well, and that will take time. As an example, pharmaceutical company Merck only settled with insurance providers in 2023 regarding coverage for damages caused by the 2017 NotPetya attack.
Summary of findings
Forty-three percent of survey respondents representing the security organization within their enterprises report that cyber insurance is in place. Another 13% are in a discovery phase, while a further 13% intend to implement it within the next 12 months, so planned growth remains robust despite the reported challenges. Only 16% report that their organization has no plans regarding cyber insurance.
The majority (53%) of cyber insurance policyholders report that it is more difficult to meet the requirements of their policies than it was 12 months ago, and 15% say it is significantly more difficult. Only 6% say it has gotten easier to meet policy requirements. More than three-fourths (77%) of respondents note their policies require the implementation of specific information security tools. Policy premiums are also up for 78% of respondents, with an average 22% reported increase in premium. Only 13% of respondents kept their premiums flat year over year; CISOs who do so are starting to cite this as a professional competency. Methods that respondents employed to limit premium increases include implementing insurer-recommended security technologies (75%), providing more comprehensive answers to insurance questionnaires (38%), and allowing their IT provider to report directly to their insurance provider (25%). In fact, insurance requirements are directly affecting security vendor tool procurement: 15% of respondents say they already partner with a security product or service vendor that offers discounted third-party cyber insurance, while 77% say they would be somewhat likely (37%) or very likely (40%) to choose such a vendor.
Questionnaires (59%) remain the most widely used tool to report cybersecurity posture to insurance providers. However, directly leveraging security telemetry is becoming more common, including data reported directly from a third-party technology provider (39%) or a security tool (34%).
Within the past year, about 15% of respondents submitted at least one claim against their cyber insurance, with mixed results. Among those who submitted claims, 54% say they fully recovered their damages on a claim, and 31% received partial coverage. Nearly a third (31%) report that a submitted claim was rejected because some aspect of the security incident did not fall under coverage parameters, and 23% had a claim rejected because the organization failed to meet a coverage requirement. Fifteen percent of respondents who filed claims found that a policy they thought would cover a cyber incident did not have such coverage — a warning to enterprise security managers to validate and ensure they understand the limits of current coverage before relying on insurance as a method of risk transfer.
Figure 1: Primary ways enterprises report security posture to cyber insurance providers
Source: 451 Research’s Voice of the Enterprise: Information Security, Cyber-insurance 2023.
Q. What are some of the top ways your organization provides security posture information to its cyber insurance provider? Please select all that apply.
Base: Respondents whose organization has a cyber-insurance policy in use, in discovery/poc or plan to implement in next 24 months, abbreviated fielding (n=95).
Copyright © 2024 by S&P Global Market Intelligence, a division of S&P Global Inc. All rights reserved.
These materials have been prepared solely for information purposes based upon information generally available to the public and from sources believed to be reliable. No content (including index data, ratings, credit-related analyses and data, research, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of S&P Global Market Intelligence or its affiliates (collectively, S&P Global). The Content shall not be used for any unlawful or unauthorized purposes. S&P Global and any third-party providers, (collectively S&P Global Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Global Parties are not responsible for any errors or omissions, regardless of the cause, for the results obtained from the use of the Content. THE CONTENT IS PROVIDED ON “AS IS” BASIS. S&P GLOBAL PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Global Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
S&P Global Market Intelligence’s opinions, quotes and credit-related and other analyses are statements of opinion as of the date they are expressed and not statements of fact or recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P Global Market Intelligence may provide index data. Direct investment in an index is not possible. Exposure to an asset class represented by an index is available through investable instruments based on that index. S&P Global Market Intelligence assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P Global Market Intelligence does not endorse companies, technologies, products, services, or solutions.
S&P Global keeps certain activities of its divisions separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain divisions of S&P Global may have information that is not available to other S&P Global divisions. S&P Global has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P Global may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P Global reserves the right to disseminate its opinions and analyses. S&P Global’s public ratings and analyses are made available on its websites, www.standardandpoors.com (free of charge) and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P Global publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.