A recent study conducted by Sophos revealed key insights into the intersection of cyber insurance and cybersecurity practices among businesses. Titled “Cyber Insurance and Cyber Defense 2024: Lessons from IT and Cybersecurity Leaders,” the study found that 97% of organizations with cyber insurance are investing in strengthening their cybersecurity defenses to meet insurance requirements.
According to the report, 76% of respondents said these investments helped them qualify for cyber insurance coverage, 67% said they led to lower prices, and 30% reported they were able to secure improved insurance terms. But despite these improvements, the cost of recovering from a cyber attack still exceeds the amount of insurance coverage.
According to the survey, only 1% of those who filed claims received a full reimbursement from their insurance company, and the main reason for the lack of compensation was that the total costs exceeded the insurance limits. According to a related survey, “The State of Ransomware 2024,” the cost of recovery after a ransomware incident soared by 50% last year, reaching an average of $2.73 million.
Chester Wisniewski, Global Field CTO at Sophos, commented on the survey findings, highlighting common root causes of cyber incidents: “Sophos’ Active Adversary reports repeatedly show that many of the cyber incidents faced by businesses are the result of failing to implement basic cybersecurity best practices, such as timely patching. For example, in our most recent report, compromised credentials were the number one root cause of attacks, yet 43% of businesses did not have multi-factor authentication enabled,” he said.
Wisniewski highlighted the role of cyber insurance in driving improvements, but warned that insurance alone is not enough. “The fact that 76% of businesses have invested in cyber defenses to qualify for cyber insurance shows that insurance is forcing organizations to implement some of these essential security measures – it’s making a difference and having a broader, more positive impact across the business. But cyber insurance, while beneficial to businesses, is only one part of an effective risk mitigation strategy – businesses must continue to work to shore up their defenses. Cyber attacks can have a significant impact on businesses from both an operational and reputational perspective, and having cyber insurance doesn’t change that,” he added.
The survey involved 5,000 IT and cybersecurity leaders from 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed ranged in size from 100 to 5,000 employees, with revenues ranging from less than $10 million to more than $5 billion.
A key finding from the survey is that 99% of businesses that increased their defenses for insurance purposes also reported broader security benefits, including increased protection, freed-up IT resources and fewer security alerts, suggesting that investments in cybersecurity have a positive impact that extends beyond simply qualifying for insurance.
Wisniewski concluded by discussing the potential long-term benefits of adopting cyber insurance, saying, “Investing in cyber defense has a ripple effect in terms of benefits, unlocking savings on insurance premiums that organizations can redirect towards other defenses and improve their security posture more broadly. As cyber insurance adoption increases, we expect businesses to continue to become more secure. Cyber insurance will not eliminate ransomware attacks, but it could very well be part of the solution.”
Data for the “Cyber Insurance and Cyber Defense 2024: Lessons from IT and Cybersecurity Leaders” report was collected through a vendor-neutral survey conducted between January and February 2024. The comprehensive report features global findings and sector-specific data and is available on the Sophos website.
