Almost every organisation that has a cybersecurity policy has invested in improving their defences to help with insurance, with 76% saying it enabled them to qualify for coverage, 67% to get better pricing and 30% to secure improved policy terms. But the cost of recovery is outpacing the cover that insurance companies are willing to provide, leaving businesses exposed to potential losses.
► Three quarters of firms are investing in more cybersecurity to qualify for insurance
► Cost of recovery continues to outstrip compensation received
According to the Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders survey, published by Sophos, 97% of those with a policy in place have improved their security posture to help reduce insurance costs. But just 1% of respondents that made a claim said that their insurer funded 100% of the costs incurred while remediating the incident.
The most common reason for the policy not paying for the costs in full was because the total bill exceeded the policy limit. According to Sophos’s The State of Ransomware 2024 survey, recovery costs following a ransomware incident increased by 50% over the last year, reaching $2.73 million on average.
Many of the incidents result from a failure to implement basic cybersecurity best practices, such as patching in a timely manner. Compromised credentials are the number-one root cause of attacks according to Sophos, yet 43% of companies didn’t have multi-factor authentication enabled.
Sophos noted that with 76% of companies investing simply to qualify for coverage, there is clear evidence that insurance firms are compelling organisations to implement essential security measures. This is making a difference and having a broader positive impact overall. But the firm also pointed out that this can only ever be one part of an effective risk mitigation strategy, and businesses still need to work on hardening their protection.
‘A cyberattack can have profound impacts for a company from both an operational and a reputational standpoint, and having cyber insurance doesn’t change that,’ said Chester Wisniewski, Director, Global Field CTO.
Across the 5,000 IT and cybersecurity leaders surveyed, 99% of companies that improved their defences for insurance purposes said they had also gained broader security benefits beyond insurance coverage due to their investments, including improved protection, freed IT resources and fewer alerts.