Delinea: Identity Controls Now Shape Cyber Insurance Terms

Art Gilliland, CEO of Delinea
Delinea report finds 97% of organisations report identity security measures influence premiums as insurers tighten underwriting requirements

Identity security controls have become a determining factor in cyber insurance coverage decisions, according to research from Delinea that reveals how insurers are fundamentally reshaping their approach to risk assessment. The findings suggest a transformation in the relationship between security posture and insurability, with nearly all organisations reporting direct impacts on their coverage terms.

The report, based on responses from more than 750 security leaders across the United States and the United Kingdom, found that 97% of organisations say identity-related controls influenced their premium or coverage terms in some way.

Delinea research highlights Privileged Access Management as top coverage factor

Among the identity controls that carry the most weight with underwriters, Privileged Access Management emerged as the primary differentiator, cited by 41% of respondents as influencing how insurers viewed their insurability. Identity Governance and Administration followed at 38%, while third-party and vendor access controls registered at 32%. The hierarchy of these controls reflects insurer priorities when evaluating an organisation’s security infrastructure.

The connection between identity security and actual incidents proves substantial. Among organisations that filed claims, nearly half (46%) reported that the incident triggering their claim was either identity-related or caused by a privileged account compromise. This correlation between identity weaknesses and insurable events helps explain the insurance industry's heightened focus on these controls.

“Insurers are sending a clear message: organisations must demonstrate strong identity security maturity if they want affordable coverage, or any coverage at all,” says Art Gilliland, CEO of Delinea. “We’re seeing a rapid shift from cyber insurance being a financial backstop to an audit of an organisation’s identity and access posture.”

The research documents a year of rising claims and costs across the sector. Some 72% of organisations filed a cyber insurance claim in the past year, representing a 10-point increase from 2024 figures. During the same period, 70% of respondents reported that their insurance costs rose, creating a dual pressure of increased utilisation and higher premiums.

AI adoption creates both premium reductions and coverage exclusions

The role of AI in security controls has introduced complexity to the insurance equation. A significant majority (86%) of respondents indicated their insurers offered premium reductions or credits for using AI in security controls. Among organisations whose overall cyber insurance costs decreased in the past year, 64% identified AI adoption as a contributing factor.

AI-powered threat detection and monitoring emerged as the most cited premium influencer at 63%, with behavioural analytics and auditing close behind at 59%. These technologies appear to signal to insurers that an organisation maintains sophisticated security capabilities worthy of preferential treatment.

However, the same technological advancement brings new limitations. Some 42% of respondents reported that their cyber insurance policies specifically exclude AI misuse or liability from coverage. This creates a scenario where AI simultaneously reduces premiums through improved security whilst introducing potential gaps in protection.

Art continues: “Identity-first security is more than just best practice. It's now an underwriting requirement, especially in the age of AI.”

Insurer scrutiny intensifies as coverage gaps persist

The path to securing cyber insurance has become more demanding. Nearly all respondents underwent security assessments to obtain coverage and more than half (51%) were required to adopt an insurer’s preferred security solution or appliance. This level of prescription represents insurers taking a more active role in dictating security architectures rather than simply assessing existing controls.

Coverage limitations remain widespread despite rising premiums. Only 33% of policies cover lost revenue, whilst 45% cover ransomware negotiations or payment. These gaps leave organisations exposed to significant financial consequences even when they maintain insurance policies. Nearly half (45%) of respondents noted their policy could be voided if required security controls were not in place, adding enforcement mechanisms to the coverage requirements.

The research indicates that cyber insurance has evolved from a risk transfer mechanism to a compliance framework that shapes how organisations structure their security programmes. Insurers now function as de facto security auditors, using coverage terms and premium structures to drive adoption of specific controls and technologies. For organisations navigating this landscape, identity security controls have transitioned from recommended practices to prerequisites for maintaining insurance relationships at viable costs.
