Delinea partnered with Censuswide to survey more than 750 security leaders to produce the 15-page white paper. The report doesn’t specify the geography of its findings, but Assured Intelligence reached out to find out. They responded that they “surveyed leaders in both the UK and the US”, but have yet to share the statistical breakdown.
Assured reacts:
When we read the IT Brief article and then the full Delinea whitepaper, we were staggered by how few of the findings resonated with our own experience as cyber insurance specialists. Of course, we’re on the other side of the ocean. Even considering that, we’re still very shocked by the vast difference between our lived experience and the data presented in the report. The IT Brief article actually references UK-specific findings, but we’re not sure why, as Delinea has confirmed to us that it’s a US-derived report with interviews in both the US and UK (we are awaiting their confirmation on the geographical breakdown).
Our broking team have delved into the statistics presented and compared them to our own data. We have amalgamated their responses to each of the report’s findings.
1: Report Claim: “Insurability is now measured by control maturity”
From the Report: “Our survey demonstrates that insurability is now measured by control maturity. A near-unanimous 99.5% of respondents stated that at least some level of security controls, activities, or processes had to be in place to secure coverage. More than half of respondents said their cyber insurance policy required a threat detection and incident response/resilience plan as well as authorisation/access controls.”
Assured broking team reacts:
We’ve never come across an uninsurable company. Controls always matter, and a handful of basic controls are what enable fair pricing: MFA for email, remote access and privileged users; backups that are offline and immutable; encryption; and network segmentation.
You can have very poor controls and still get cover, but that cover won’t be gold standard. We’ve worked with two businesses recently that other brokers would deem uninsurable because they lack so many core controls, including MFA, EDR and offline backups. However, we’ve leaned into their improvement roadmaps and worked with the more security-focused insurers to secure them coverage that is limited in parts but dynamic: as soon as they implement these core controls, the coverage automatically improves and the sub-limits are removed.
2: Report Claim: Cyber insurance claims are on the rise, and so is insurer pricing and scrutiny
From the Report: “Overwhelmingly, 70% of respondents reported that costs have risen since they applied for or renewed their cyber insurance policy. The number of respondents who reported they’d filed a claim in the last 12 months rose to 72% this year, compared to 62% last year.
Organisations that have filed multiple claims in the previous year are also on the rise — 37% this year compared to last year’s 27%.
In addition to spending more on the policies themselves, almost all organisations have had to step up their investment in new or updated security tooling to obtain or renew their policies. Less than 5% of organisations reported not needing to purchase additional tools for their latest coverage.”
Assured broking team reacts:
To date, we have seen no signs of premiums going up. Our team of six brokers talk to underwriters about pricing all day, every day, and we have seen no evidence of the increases mentioned in the report.
We’re currently firmly in a soft market that favours buyers: rates are flat or down (risk dependent) and coverage is broadening as insurers compete fiercely for new business. These conditions are unsustainable, and from experience we know that widespread incidents and coverage creep (insurers broadening coverage terms to win business) will likely trigger a hardening of the market.
3: Report Claim: CISOs can’t assume “coverage safety” just because they have a policy – gaps must be identified and managed
From the Report: “Cyber insurers are managing their costs by constantly tightening policy language for when and how much certain losses are covered. Plus, they are raising prices and barriers to entry for issuing new policies and renewals.”
Assured reacts:
As mentioned above, in our experience, the opposite of this finding is true. In this soft market, we are witnessing ‘coverage creep’ as insurers compete to win business. We work with over 40 insurers and have not encountered any barriers to new business or renewal.
We do agree that policies should be watertight. A specialist cyber insurance broker will ensure that policies are fully encompassing.
4: Report Claim: Identity security-first controls are the new requirement that insurers demand
From the Report: “When asked whether identity-related controls influenced their premium or coverage terms at renewal, 41% of respondents most commonly cited PAM as the top difference maker for how the underwriters viewed their insurability.”
Assured reacts:
There have been no new requirements around identity or access control. Every attack hits Active Directory (AD) at some point in the kill chain, and that has been the case for several years. As a result, insurers have been stringent in their IAM requirements for a number of renewal cycles. Identity controls have always been a factor, and that hasn’t changed. That’s not to say a PAM solution isn’t important to insurers (for entities of a certain size); it absolutely is. But it’s not the be-all and end-all for businesses, particularly if they keep privileged accounts to the minimum necessary and regularly audit and monitor all privileged access.
5: Report Claim: AI offers rewards and risks for insurability
From the Report: “Cyber risk professionals say that AI-related vulnerabilities across the enterprise are driving new policy exclusions and coverage complications. Respondents reported that AI-powered defence tools are earning organisations premium reductions.”
Assured reacts:
The report says that 42% of organisations state their policy excludes liabilities associated with AI misuse. We’d be really interested to see examples of this, because in our experience, we haven’t seen it. The reality is quite the opposite.
Insurers are starting to add endorsements using affirmative language to cover AI-generated risks such as deepfakes. The language in every cyber insurance policy we’ve seen already covers AI-generated risks. The trigger wording in each policy is deliberately broad so that no individual attack vector needs to be named: e.g., a security failure is the trigger, which is usually defined as an electronic attack, unauthorised access to any system, malware, or a DDoS attack. ‘Unauthorised access’ encompasses most AI-based threats.
In response to the claim that AI-powered defence tools are earning organisations premium reductions, we feel this is just an unnecessary use of a buzzword. All cybersecurity tooling has been using AI or some sort of machine learning for at least a decade, most notably in EDR and SIEM tools.
Our final note
Of course, it’s probably worth keeping in mind that Delinea is a cybersecurity company specialising in identity and access management security. Their finding that insurers are “increasingly basing policy terms and pricing on how robustly organisations secure their logins and manage access” is not lost on us. We’ll let you reach your own conclusion on that.