SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Survey shows 76% of firms boost cyber defences for insurance

Fri, 28th Jun 2024

In findings released by Sophos, the survey "Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders" sheds light on evolving business attitudes towards cyber insurance policies. The report highlights a global trend where 76% of companies have enhanced their cyber defences to qualify for cyber insurance coverage.

Cyber insurance is becoming a prerequisite in business operations as organisations seek to mitigate cyber attack risks by ensuring commercial partners have adequate insurance coverage. However, corporate confidence in the extent of such coverage appears mixed. Notably, 40% of respondents with a cyber insurance policy were unsure if it covered ransom payments, and 41% were uncertain if their policy included income loss coverage.

Recovery costs from cyberattacks are increasingly surpassing insurance coverage limits. Only one percent of claimants said their insurer fully covered their remediation expenses. Most commonly, costs exceeded the policy limit, leading to partial payments. According to parallel research from Sophos’ "State of Ransomware 2024" survey, recovery costs surged by 50% over the last year, averaging USD $2.73 million per incident.

Chester Wisniewski, Global Field CTO at Sophos, remarked, “The Sophos Active Adversary report has repeatedly shown that many of the cyber incidents companies face are the result of a failure to implement basic cybersecurity best practices, such as patching in a timely manner. In our most recent report, for example, compromised credentials were the number one root cause of attacks, yet 43% of companies didn’t have multi-factor authentication enabled.”

Wisniewski further noted the positive externalities of these necessary upgrades, driven by insurance requirements. “The fact that 76% of companies invested in cyber defenses to qualify for cyber insurance shows that insurance is forcing organizations to implement some of these essential security measures. It’s making a difference, and it’s having a broader, more positive impact on companies overall. However, while cyber insurance is beneficial for companies, it is just one part of an effective risk mitigation strategy. Companies still need to work on hardening their defenses. A cyberattack can have profound impacts for a company from both an operational and a reputational standpoint, and having cyber insurance doesn’t change that.”

The survey encompassed responses from 5,000 IT and cybersecurity leaders across 14 countries, spanning the Americas, EMEA, and Asia Pacific. The surveyed organisations varied in size, employing between 100 and 5,000 individuals and recording revenues ranging from below USD $10 million to over USD $5 billion.

Investments in cyber defences for insurance purposes have reportedly yielded wider security advantages. Among the respondents, 99% concurred that their defensive improvements had broader positive impacts, such as improved protection, freed-up IT resources, and a decrease in security alerts.

Wisniewski emphasised the compounding benefits of cyber defence investments, stating, “Investments in cyber defenses appear to have a ripple effect in terms of benefits, unlocking insurance savings that organisations can divert into other defenses to more broadly improve their security posture. As cyber insurance adoption continues, hopefully, companies’ security will continue to improve. Cyber insurance won’t make ransomware attacks disappear, but it could very well be part of the solution.”

The "Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders" report provides detailed global findings and sector-specific data.
