Of the 50 percent of organizations that sought to purchase a cyber insurance policy, 28 percent made changes to reduce their premium, while 22 percent had to improve security to be eligible for it.

Netwrix, a cybersecurity vendor, surveyed more than 1,600 IT and security professionals worldwide to find out their organizations’ experience when purchasing a cyber insurance policy.

According to the survey, 44 percent of organizations are insured, with 15 percent planing to purchase a policy within the next 12 months.

Before being offered a policy, organizations typically need to go through a security audit by the prospective insurer.

“The insurer’s audit will highlight security gaps in the IT ecosystem and provide recommendations on how to overcome them. In some cases, implementing additional security controls is mandatory to even qualify for a policy. In addition, some organizations choose to invest in more security measures because it reduces the cost of the insurance policy,” says Dirk Schrader, VP of Security Research at Netwrix.

Some of the requirements needed to qualify for a policy included multi-factor authentication (MFA), named by 63 percent, followed by patch management (55 percent) and regular security training for business users (47 percent).

In addition, 38 percent of those surveyed said they had to meet requirements for identity and access management, while 36 percent revealed they had to implement privileged access management controls.

“When addressing the requirements or recommendations from an insurer, it is vital to assess the dependencies between the requested controls. For example, in order to require MFA for access to particular types of data, it is necessary to know where sensitive and regulated data resides, as well as to have control over user and administrative privileges,” says Ilia Sotnikov, security strategist at Netwrix.