Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders – Sophos
Cyber risk is inevitable. In today’s business environment, the goal should not be to eradicate risk, but rather to manage it as efficiently as possible. Two primary approaches are treatment, by deploying cyber controls and changing user behaviors, and transfer, through cyber insurance. These approaches are interconnected: strong controls lower risk, which facilitates access to coverage, while weak controls increase risk, making affordable policies harder to obtain.
Today we have published a new report that explores this relationship in depth. Based on an independent survey of 5,000 IT leaders, it looks at cyber insurance adoption among mid-market organizations, highlighting purchase drivers, the impact of defense investments on insurability, and the reasons why cyber incident costs are not always covered in full.
In the face of inevitable cyberattacks, adopting a holistic approach to cyber risk management that takes advantage of the interplay between cyber defenses and cyber insurance will enable organizations to lower their overall total cost of ownership (TCO) of cyber risk management while reducing their likelihood of experiencing a major incident.
The research also reveals that investing in cyber defenses not only makes getting insurance easier and cheaper but also improves protection and reduces IT workload. This finding further emphasizes the importance of considering cyber risk investments holistically, rather than as individual components.
One area of concern highlighted by the survey is the potential for policy purchases to be misaligned to business needs. Cyber insurance is an investment, so policies must cover the right risks. All stakeholders, especially IT and cybersecurity teams, should be involved in choosing policies to ensure they meet the organization’s needs.
The survey confirms that adoption of cyber insurance is widespread among organizations with 100-5,000 employees: 90% have some form of cyber coverage. 50% have a standalone policy, while 40% have cyber cover as part of a wider business insurance policy, such as a general liability policy. Adoption levels are high across all 14 countries surveyed, with Singapore reporting the highest propensity to have coverage.

Organizations adopt cyber insurance for a variety of reasons, with nearly half (48%) citing awareness of the business impact of cyberattacks as the primary motivator. 45% reported it was part of their cyber risk mitigation strategy, and 42% said that they need cyber insurance to work with clients or partners who require it.

97% of organizations that purchased cyber insurance last year improved their defenses to optimize their insurance position. Nearly two-thirds (63%) made major investments, while 34% made minor ones.
These security investments are paying off, as the survey found that nearly every company that invested in improving their cyber defenses said it had a positive impact on their cyber insurance position (99.6%, 4,351 of 4,370 respondents).

Cyber insurance requirements are driving organizations to elevate their defenses (the “stick”), with 76% of respondents saying their investments secured coverage they couldn’t otherwise obtain. The “carrot” is that two-thirds (67%) were able to get better-priced coverage, and 30% received improved terms thanks to their improved protection (e.g., higher coverage limits).
Furthermore, organizations investing in security enjoyed benefits beyond just insurance. 99% reported wider benefits such as improved protection, fewer alerts and reduced IT workload.
Organizations that have invested in a cyber policy will be encouraged to learn that insurers almost always pay out in some capacity on a claim, with only one respondent saying their claim was fully rejected.
At the same time, in 99% of claims insurers did not cover the full incident cost. Overall, insurers typically paid 63% of the total incident cost, with the modal payout rate coming in at 71-80%.
The survey also revealed that recovery costs from cyberattacks are outpacing insurance coverage. The most common reason (63%) for the recovery bill not being paid in full was that total costs exceeded policy limits. According to Sophos’ The State of Ransomware 2024 survey, recovery costs following a ransomware incident increased by 50% over the last year, which likely explains much of the misalignment between policies and expenses.

Many cybersecurity/IT leaders are unsure about what their policy covers in the event of an incident. Among those with a policy, 40% think it covers ransom payments and 41% think it covers income loss, but they are not certain of either. These findings are cause for concern on several fronts.
The lack of visibility into policy coverage likely results, at least in part, from a disconnect between those purchasing the policy and those who would be on the frontline should a major incident occur.

For more detailed insights including a look at the impact of cyber insurance coverage on ransomware outcomes, and many other areas, download the full report.
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and February 2024, and participants were asked to respond based on their experiences over the previous year.
As Senior Director, Marketing, Sally is responsible for many of Sophos’ external research-based reports and educational resources. With over 15 years’ experience in cybersecurity, Sally combines deep knowledge of both adversary trends and Sophos technologies to help organizations optimize their protection.
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff.