According to the Sophos report, nearly all businesses with cyber policies (97%) are investing in improving their defenses to help with insurance.
Of these companies, 76% said they qualified for coverage due to improved protection, 67% because of better pricing, and 30% because of improved insurance terms.
The findings are based on a vendor-neutral survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024. Respondents were based in 14 countries across the Americas, Europe, the Middle East, Africa and Asia Pacific.
The survey also found that the costs of recovering from a cyberattack are exceeding what insurance can cover: only 1% of those who filed a claim said their insurer covered 100% of the costs incurred while remediating the incident. The most common reason insurance did not pay the full costs was that the total claim amount exceeded the policy limits.
According to the State of Ransomware 2024 study, recovery costs after a ransomware incident have increased 50% since last year, reaching an average of $2.73 million.
“Sophos’ Active Adversary reports repeatedly show that many of the cyber incidents businesses face are the result of failing to implement basic cybersecurity best practices, such as timely patching. For example, in our most recent report, compromised credentials were the number one root cause of attacks, yet 43% of businesses did not have multi-factor authentication enabled,” said Chester Wisniewski, director, Global Field CTO.
Wisniewski said the numbers show that insurers are forcing organizations to implement some of these required security measures, which is creating change and having a broader, more positive impact across the enterprise.
“However, while cyber insurance can be beneficial to businesses, it is only one part of an effective risk mitigation strategy – businesses must continue to work to strengthen their defenses,” he said. “A cyber attack can have a significant impact on a business, both operationally and reputationally, and having cyber insurance does not change that.”
Of 5,000 IT and cybersecurity leaders surveyed, 99% of companies that have strengthened their defenses for insurance purposes said their investments also delivered broader security benefits beyond insurance coverage, including increased protection, freeing up IT resources and reducing alerts.
“Investments in cyber defense appear to have a ripple effect in terms of benefits, with savings on insurance premiums that organizations can allocate towards other defenses and improve their security posture more broadly. As cyber insurance adoption increases, we expect businesses to continue to become more secure. Cyber insurance will not eliminate ransomware attacks, but it may well be part of the solution,” said Wisniewski.