Almost all businesses need cybersecurity insurance to manage their digital risk, but not all realize that there are ways to reduce their insurance premiums by implementing certain protections.
For example, most cybersecurity insurance carriers prefer that their customers implement multi-factor authentication (MFA) on user accounts. Some even require their clients to put MFA on privileged or administrative accounts to qualify for coverage.
A robust vulnerability-management program, accompanied by timely software patching, is another protection that insurance carriers like to see. Other protections favored by insurance companies include endpoint detection and response (EDR) or extended detection and response (XDR), automated platforms that detect suspicious activity and respond to it without waiting for a human analyst.
They're also keen on incident-response plans that lay out how a company's security team handles specific kinds of attacks, ideally accompanied by training exercises that run through attack scenarios.
Deploying such measures often requires enlarging the cybersecurity budget, but that increase can be offset by the potential savings that come with discounted insurance premiums. Alternatively, some organizations might use that windfall to raise their coverage limits.
That's especially important because cybersecurity insurance carriers have been hiking their rates, lowering their coverage limits and adding to their protection requirements as ransomware payments and recovery costs skyrocket.
"Because we didn't have EDR installed on 100% of our appliances, the insurance [costs] doubled," said an executive at a web-hosting company quoted in the Guide to Cyber Insurance issued by cybersecurity firm Sophos.
Sophos' 2024 State of Ransomware report found that the average recovery cost from a ransomware attack, excluding the ransom payment, is now about $2.73 million, up from $1.82 million in 2023.
"Where [insurers] used to offer $10 million in limit, it's now $5 million," Jack Kudale, CEO of cybersecurity insurance carrier Cowbell Cyber, said in the guide.
How MDR can reduce your insurance premiums
One way that's almost guaranteed to reduce the cost of yearly premiums is to sign up for a managed detection and response (MDR) service.
Provided by an external cybersecurity firm, MDR can augment your organization's in-house security staff, especially during off hours such as nights, weekends, and holidays, when the majority of ransomware attacks occur.
The MDR team can not only detect intrusions, data loss and other suspicious behavior, but also respond to them, taking the first steps to counter attacks before your in-house team can respond.
The staffers at the MDR provider focus on hunting down the latest threats and closing off the latest attack vectors, bringing experience and knowledge that often outstrip those of overworked in-house teams.
"If you think about why organizations choose an MDR service, it's first and foremost resource constraints," says Paul Murray, Senior Director of Cybersecurity Products and Services at Sophos. "Many organizations don't have the people, or if they have the people, they don't necessarily have the skills to monitor and respond to threats."
MDR services can also respond to routine problems like suspicious emails and false-positive alerts, giving valuable time back to in-house teams that can then focus on more important issues.
"MDR can take care of 99% of the crap that's at the bottom that just is constantly hitting you every single day, that just needs to be dealt with proactively from both the detection and the response side of things," says John Shier, Field Chief Technology Officer at Sophos.
MDR has proven to be such a risk reducer that some insurance carriers promise to slash their premium rates if their clients sign up for it. Sophos has partnerships with insurance companies in Australia, the United Kingdom and the United States that offer rate reductions of up to 33% for clients of Sophos' MDR offerings. Other MDR providers have similar partnerships with insurance carriers.
"MDR and cyber insurance are two complementary ways to manage cyber risk," writes Raja Patel, Chief Product Officer at Sophos, in a company blog post. "With MDR you reduce your risk by elevating your defenses; with insurance you transfer the risk to a third party."
Two case studies
Patel offers a pair of case studies, one from the U.S. and one from the U.K., to illustrate how using MDR can drastically cut insurance costs.
The American study involves a non-profit organization in North Carolina with a staff of about 350 and annual revenue of less than $50 million. Its annual cybersecurity insurance premiums were $18,000, but signing up for Sophos MDR got the organization's yearly rates down to $10,000 through Sophos partner Cysurance.
With those $8,000 in savings, the North Carolina non-profit was able to nearly fully fund its Sophos MDR service, which cost less than $8,500 annually. The net result: the organization was able to dramatically boost its cybersecurity protections for the price of two nights in a big-city hotel room.
Cysurance offers a flat rate for U.S. organizations with up to $100 million annual revenue that sign up with Sophos MDR, and a one-third discount for Australian companies that do.
The British case has to do with a well-known, nationwide retailer that had recently suffered a severe ransomware incident. Consequently, the retailer was being quoted annual cybersecurity insurance premiums of about £1 million (about US$1.25 million).
But by taking on Sophos MDR, the company got what Patel called "a six-digit reduction" in its premiums through Sophos partner Cowbell. That's in line with the 12% standard discount that Cowbell offers Sophos MDR users.
"Cyber defenses and cyber insurance are two sides of the same coin, with both enabling organizations to manage and reduce their cyber risk," writes Patel. "By switching to a risk-led approach you can bring together all your resources — human and financial — under a shared goal, facilitating delivery of superior business outcomes."