Delinea: Cyber Insurers Make Identity Security Mandatory

Identity security controls have emerged as a critical determinant in cyber insurance coverage decisions, with new research from Delinea revealing how insurers could be fundamentally reshaping their approach to risk assessment. The findings suggest a potential transformation in the relationship between security posture and insurability, with nearly all organisations reporting direct impacts on their coverage terms.

According to the report, which drew on responses from over 750 security leaders across the United States and the United Kingdom, 97% of organisations said identity-related controls influenced their premium or coverage terms in some way.

Privileged Access Management drives coverage

Among the identity controls that carry the most weight with underwriters, Privileged Access Management emerged as the primary differentiator, cited by 41% of respondents as influencing how insurers viewed their insurability. Identity Governance and Administration followed at 38%, while third-party and vendor access controls registered at 32%. The hierarchy of these controls could reflect insurer priorities when evaluating an organisation's security infrastructure.

The connection between identity security and actual incidents proves substantial. Among organisations that filed claims, nearly half (46%) reported that the incident triggering their claim was either identity-related or caused by a privileged account compromise. This correlation between identity weaknesses and insurable events could help explain the insurance industry's heightened focus on these controls.

Art Gilliland, CEO of Delinea, said: "Insurers are sending a clear message: organisations must demonstrate strong identity security maturity if they want affordable coverage, or any coverage at all.

"We're seeing a shift from cyber insurance being a financial backstop to an audit of an organisation's identity and access posture."

Rising claims pressure industry

The research documents a year of rising claims and costs across the sector. Some 72% of organisations filed a cyber insurance claim in the past year, representing a 10-point increase from 2024 figures. During the same period, 70% of respondents reported that their insurance costs rose, creating a dual pressure of increased utilisation and higher premiums.

The role of AI in security controls has introduced complexity to the insurance equation. A majority (86%) of respondents indicated their insurers offered premium reductions or credits for using AI in security controls. Among organisations whose overall cyber insurance costs decreased in the past year, 64% identified AI adoption as a contributing factor.

AI-powered threat detection and monitoring emerged as the most cited premium influencer at 63%, with behavioural analytics and auditing close behind at 59%. These technologies appear to signal to insurers that an organisation maintains sophisticated security capabilities worthy of preferential treatment.

However, the same technological advancement brings new limitations. Some 42% of respondents reported that their cyber insurance policies specifically exclude AI misuse or liability from coverage. This creates a scenario where AI simultaneously reduces premiums through improved security while introducing potential gaps in protection.

"Identity-first security is more than just best practice. It's now an underwriting requirement, especially in the age of AI," Art says.

Insurer requirements become prescriptive

The path to securing cyber insurance has become more demanding. Nearly all respondents underwent security assessments to obtain coverage and more than half (51%) were required to adopt an insurer's preferred security solution or appliance. This level of prescription could represent insurers taking a more active role in dictating security architectures rather than simply assessing existing controls.

Coverage limitations remain widespread despite rising premiums. Only 33% of policies cover lost revenue, while 45% cover ransomware negotiations or payment. These gaps leave organisations exposed to potential financial consequences even when they maintain insurance policies. Nearly half (45%) of respondents noted their policy could be voided if required security controls were not in place, adding enforcement mechanisms to the coverage requirements.

The research indicates that cyber insurance has evolved from a risk transfer mechanism to a compliance framework that could shape how organisations structure their security programmes. Insurers now function as de facto security auditors, using coverage terms and premium structures to drive adoption of specific controls and technologies. For organisations navigating this landscape, identity security controls have transitioned from recommended practices to prerequisites for maintaining insurance relationships at viable costs.