How cyber defense investments can get you optimal cyber insurance coverage

Think your company can't afford to get better cybersecurity insurance coverage and beef up its cybersecurity posture at the same time? Congratulations! You may be wrong.

Implementing several frequently recommended security measures to improve your cybersecurity posture may lower your cyber insurance premiums by enough that the net cost of those measures is close to zero.

Additionally, the enhanced protections may let your organization raise its coverage limits. That's an important bonus now that the average cost of recovering from a ransomware attack is nearing $3 million.

These findings are part of a recent report entitled "Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders," based on a survey, commissioned by Sophos, of 5,000 information-security executives and managers in mid-sized organizations across the world.

"Strong, effective cyber controls reduce cyber risk, making it easier to access lower priced coverage," says the report. "Conversely, organizations with weak risk treatment often struggle to get the policy they need at a price they can afford."

A good insurance policy is hard to find

Whether your organization needs cybersecurity insurance is no longer much of a question. According to the Sophos survey, 90% of organizations with between 100 and 5,000 employees carry cyber insurance, either as a standalone policy or as part of a wider business-insurance policy.

Even among different industries, the adoption rate of cybersecurity insurance doesn't vary greatly. The energy and utilities sector has the highest rate at 97%, while the lowest is 81% for both the central-government sector and (surprisingly) the technology and telecommunications sector.

There's an even smaller spread among the 14 countries surveyed. Singapore has the highest cyber insurance adoption rate at 96%, and Brazil brings up the rear with a healthy 83%.

Economic-development status doesn't seem to matter. The U.S. cyber insurance adoption rate is 94%, identical to South Africa's, and India and Germany are tied at 93%. Meanwhile, Austria and Switzerland, two of the world's richest countries, barely register above Brazil, with 85% each.

However, just because you might have cybersecurity insurance doesn't guarantee that it's good insurance. Forty percent of the respondents to the Sophos survey weren't certain whether their policies covered ransomware payments; 41% weren't sure if their coverage included loss of income. (Ten percent knew their policies didn't cover one or the other.)

The report speculates that these knowledge gaps may exist because the people in an organization who buy insurance don't always talk to the people who deal with cyberattacks.

"Organizations should be sure to involve all stakeholders in the purchase decision," the report notes, "and to ensure that all parties are aware of what the policy does and does not cover."

Unrecovered losses

Such lack of understanding might end up costing you. Among the nearly 4,000 survey respondents who said they'd filed a cyber insurance claim in the preceding year, only 1% said the payout fully covered their losses and expenses. At the other end of the curve, another 1% said they weren't reimbursed at all.

On average, the survey found, cyber insurance carriers paid out just 63% of the total cost of an incident. The highest share of respondents — 20% — said they'd got back between 71% and 80% of the filed claim amounts.

Why the shortfall? Well, 63% of respondents said the total cost of the incident for which they filed a claim was greater than the maximum their policy would pay out. 

That's probably because incident recovery costs are skyrocketing. Sophos' own 2024 State of Ransomware report finds that the median ransomware demand, and the median ransomware payment, are now both about $2 million.

The average overall recovery cost from a ransomware incident, excluding any ransom payment, is about $2.73 million, up from $1.82 million in the previous year. (This report was also based on a survey of 5,000 IT and information-security managers in mid-sized organizations across the world.)

It's also taking longer for organizations to recover from ransomware attacks, racking up additional costs in downtime. Only 35% of respondents in the 2024 report said they'd fully bounced back within a week, down from 52% in 2022. One-third of respondents said it had taken them more than a month to recover, up from one-fifth in 2022.

There are other reasons cyber insurance policies don't pay out as much as they should. Fifty-eight percent of respondents in the Sophos survey said that "costs were incurred without the insurer's permission," implying that many organizations didn't follow the incident-response procedures spelled out in their insurance policies.

Costs and losses that fell outside of the scope of the policy were cited by 45%, demonstrating the importance of making sure that your coverage is as comprehensive as possible.

Not quite up to snuff

There's one more significant factor, even though only 14% of respondents cited it: "My organization did not have the required cyber defenses for the claim to be honored."

In other words, the insurers had demanded that the organization implement certain cybersecurity measures, but those requirements weren't complied with. We'll return to that topic in a moment.

It's also become difficult to afford good cybersecurity insurance. Since the market "hardened" in 2021 in reaction to payouts rapidly rising, insurers have been charging more, providing less coverage, and raising the requirements to qualify for a policy, per Sophos' own Guide to Cyber Insurance.

"Where [insurers] used to offer $10 million in limit, it's now $5 million," Jack Kudale, CEO of cybersecurity insurance carrier Cowbell Cyber, said in the report.

Ninety-four percent of the organizations surveyed for Sophos' 2022 State of Ransomware report said that it was harder to get coverage than in the previous year. About half (47%) said the policies were more complex; one-third (34%) said coverage was more expensive; 40% said fewer carriers offered cyber insurance.

The top reason, cited by 54%, brings us back to the point of this report: the level of cybersecurity protections required by potential insurance carriers was higher than the year before.

"Our cyber insurance is up and we're having to jump through more hoops than we've ever had to before," said an unnamed respondent in the 2022 survey.

Protections that pay for themselves

The good news is that, per the Sophos reports, spending more to boost your organization's cybersecurity protections will likely result in a corresponding large reduction in your cyber insurance premiums. In other words, the more you give, the more you'll get back.

"Just as an alarm and window locks reduce your home insurance premiums, having advanced cyber defenses helps reduce your cyber insurance costs," states the Sophos Guide to Cyber Insurance. "From facilitating access to coverage, to lowering premiums, and enabling higher limits, strong cyber defenses deliver multiple insurance advantages."

In the survey of cyber insurance customers, a whopping 99.6% said that beefing up their cybersecurity defenses had improved their ability to get cybersecurity insurance. Sixty-seven percent said it let them get lower premium rates; 30% said it got them higher coverage limits.

Most importantly, 76% said it let them qualify for coverage in the first place. In other words, three-quarters of respondents said they needed to improve their cybersecurity protections to get coverage at all.

We can get a taste of what the insurance companies ask for by listening to survey respondents.

"I was told that if we don't get MFA [multi-factor authentication] within a year, our cyber insurance will be dropped," a respondent in the healthcare industry said. 

"Legal wants to get ransomware insurance and [managed detection and response] is the step we need to get it done," said an IT technology provider.

A respondent in the web-hosting business said that "because we didn't have EDR [endpoint detection and response] installed on 100% of our appliances, the insurance [costs] doubled."

As a result of higher requirements, the Sophos Guide to Cyber Insurance reported that 97% of survey respondents said they had made changes to their cybersecurity defenses. Sixty-four percent had added new technologies, tools or services; 56% had ramped up staff training or education; 52% had changed processes, policies or behaviors.

What cyber insurance companies want from you

Because insurance companies are cagey about how they calculate the cost of premiums, it's not possible to get hard numbers that show by how much a policy's rates can drop, or coverage can improve, if a specific cybersecurity improvement is made.

One insurance provider did say that "customers who have implemented Sophos MDR or Sophos Endpoint products can reduce their cyber insurance premium by as much as 25%."

That's a hypothetical number. But we do have a pretty good idea of which cybersecurity measures insurance providers want their clients to take. Here's a list of five things you can implement.

Multi-factor authentication for privileged user accounts. Not having MFA on privileged or admin accounts is almost a deal-breaker these days. Good luck getting cyber insurance without it. Conversely, if you implement MFA for all users, not just privileged ones, you'll likely get better rate quotes.

Endpoint detection and response (EDR) or extended detection and response (XDR). Antivirus software alone, even installed on every PC, isn't enough outside a home environment. EDR platforms spot, block, investigate and respond to suspicious activity on endpoints; XDR extends those protections to servers, cloud assets, mobile devices and the network itself.

Incident response plans. A prepared company knows what to do if there's a cybersecurity incident. Draw up individual response plans for the most likely scenarios. Set aside a couple of days every quarter for tabletop exercises so that your security operations team will gain muscle memory. You may have to share your incident response plans with your insurance provider, and it may ask you to make additions or changes.

Vulnerability management and proper patching. It's staggering how many companies lag on keeping their software and systems up to date. Sophos' 2024 State of Ransomware report found that exploited vulnerabilities were behind 36% of ransomware attacks; compromised credentials were behind 29%. (Some attacks involve more than one root cause.)

Managed detection and response. Your SOC team probably has a skeleton crew, or maybe no one at all, working nights, weekends and holidays. Yet it's during those periods of weakness that ransomware attackers and other miscreants are most likely to strike. Fill in the gaps in your defenses by hiring an external MDR provider to keep watch over your systems and respond to any cybersecurity incident while you're otherwise engaged.

In a later piece, we'll have an expanded list of must-have security features to qualify for better, cheaper cyber insurance coverage.
