According to a recent report by cybersecurity solutions provider Sophos, 97% of companies with cyber insurance policies have invested in improving their security defenses, driven largely by the requirements to qualify for coverage.
The “Cyber Insurance and Cyber Defenses 2024” report surveyed 5,000 IT and cybersecurity leaders globally and revealed that 76% of respondents enhanced their defenses to qualify for insurance, 67% to secure better pricing, and 30% to obtain improved policy terms.
However, the report also underscores a significant challenge: recovery costs from cyberattacks are outpacing the coverage provided by insurance policies. Only 1% of claimants reported that their insurance fully covered the costs of remediating a cyber incident. The predominant reason for this shortfall was that the total recovery costs exceeded the policy limits. According to the “State of Ransomware 2024” survey, the average recovery cost after a ransomware attack has surged by 50% over the past year to $2.73 million.
“The Sophos Active Adversary report has repeatedly shown that many cyber incidents are due to neglecting basic cybersecurity measures, such as timely patching,” said Chester Wisniewski, global field CTO, Sophos. “Our latest findings indicate that compromised credentials are the leading cause of attacks, yet 43% of companies still haven’t implemented multi-factor authentication.”
Wisniewski highlighted the positive impact of cyber insurance on security practices.
Better security practices
“The fact that 76% of companies invested in cyber defenses to qualify for insurance shows that these policies are pushing organizations toward better security practices,” Wisniewski said. “This is making a tangible difference, enhancing overall security beyond just meeting insurance requirements.”
However, Wisniewski noted that cyber insurance is only a part of a comprehensive risk mitigation strategy. Companies must continue to strengthen their defenses, as a cyberattack can have severe operational and reputational consequences, irrespective of having insurance.
The survey further revealed that 99% of companies that improved their defenses for insurance purposes also reported broader security benefits. These include enhanced protection, reduced IT burden, and fewer security alerts.
“Investments in cyber defenses create a ripple effect of benefits, including savings on insurance that can be reinvested into further improving security. While cyber insurance alone won’t eliminate ransomware threats, it is an integral component of a holistic defense strategy,” Wisniewski said.
The report draws on data collected from a vendor-neutral survey conducted in early 2024. Participants included IT and cybersecurity leaders from organizations with 100 to 5,000 employees and revenues ranging from under $10 million to over $5 billion, spanning 14 countries across the Americas, EMEA, and Asia Pacific.