Amid a steady rise in costly cybercrime attacks targeting businesses, organizations seeking or renewing cyber insurance policies in 2024 are facing stricter security requirements from insurers looking to reduce risk exposure. According to Netwrix’s 2024 Hybrid Security Trends Report, 30% of insured organizations implemented additional security measures to qualify for a cyber policy this year, up from 22% in 2023.
The report surveyed 1,309 IT and security professionals globally. Nearly half (48%) of organizations with cyber insurance had to enhance security controls to meet insurer mandates, while 18% made changes to reduce policy premiums, down from 28% last year.
Strikingly, 19% of insured organizations filed claims against their cyber policies over the past 12 months, underscoring the risks insurers face from lax security practices.
Some 75% of respondents cited multi-factor authentication as the top required control in 2024, compared to 65% in 2023. Patch management (55%) and employee security training (49%) followed as common requirements.
However, insurers are increasingly mandating advanced privileged access management (PAM) and identity and access management (IAM) solutions. Some 45% said insurers required IAM, up from 38% last year, and 42% reported PAM requirements versus 36% in 2023.
“Insurance providers understand risk management – motivated attackers will inevitably breach environments,” said Ilia Sotnikov, Netwrix Security Strategist. “PAM prevents attackers from escalating privileges and moving laterally, forcing more noise that allows timely detection and response to limit losses – exactly what insurers want.”
As cyber incidents mount, insurers are raising the security bar for policyholders. Organizations must implement robust access controls and detection capabilities to secure coverage in today’s threat landscape.
It’s great that Carriers are upping their requirements: MFA, PAM, IAM. This has been a slow increase in security for many years. I’ve written Cyber Insurance and led the charge here in ATL for 15 years. For the past 8 months, I’ve shifted gears to assessing liability and financial risk evaluation for companies, no longer writing insurance. Our company just launched a new program called CARE (Cyberinsurance Assessment & Risk Evaluation). This is crucial for companies to benchmark their risks in order to set Cyber Insurance limits (no more guessing). We will be presenting this new process and program at the US Secret Service annual Cyber Fraud meeting on June 10th. If you’d like additional info, feel free to contact me. Ralph Pasquariello, CLCS. The Tech Collective.