When you buy cybersecurity insurance for your organization, do you expect it to fully cover your costs and losses resulting from a cybersecurity incident?
If so, you'd better think again. In a recent survey of 5,000 cybersecurity executives and managers around the world conducted on behalf of Sophos, only 1% of respondents said they had been fully compensated by their carriers if they had filed cyber insurance claims during the previous year.
At the other end of the bell curve, another 1% said they'd received 10% or less of the incurred costs from their insurance companies. The average incident payout amounted to 63% of the costs incurred; only 20% of respondents recouped more than 80%.
Even worse, some 40% of all executives and managers said they weren't quite sure what their cyber insurance policies covered in the first place.
Did it cover ransom payments? How about loss of income? Breach notifications? No matter what kind of common incident cost was mentioned, between 35% and 43% said they thought their policy covered it, but they couldn't be certain.
This kind of a mess isn't what organizations buying cybersecurity insurance expect, and it may leave executives and IT and security teams wondering what exactly they're paying for.
"Dealing with a major cyber incident is a stressful and pressured time for all involved," says the Sophos report on the survey. "To discover in the heat of an attack that expected support is not included in the insurance policy adds further complexity, delay, and cost to remediation."
But there are definite reasons why less-than-optimal payouts occur. There are also simple steps that organizations can take to make sure they get better coverage that pays out more of the costs of a data breach, ransomware attack or other cybersecurity incident.
Reasons your cyber insurance carrier may deny coverage
You hit the ceiling: The leading reason for cyber insurance coverage shortfalls, cited by 63% of the survey respondents who were denied full compensation, is that the filed claims added up to more than the maximum coverage amounts allowed by the policy.
The costs of remediation have skyrocketed. The average amount of time needed to fully recover has also increased, resulting in lost business that's often covered by insurance policies.
For example, the median cost of paying a ransom, according to Sophos' 2024 State of Ransomware report, is now $2 million, five times what it was a year earlier. The average cost of recovering from a ransomware attack without paying a ransom is now $2.7 million and $3 million, 50% more than in the previous year.
That means more for insurance companies to pay out and coverage limits that suddenly aren't enough. Companies that bought coverage based on the remediation estimates from two or three years ago might find that their anticipated fat cushion of coverage is pretty thin indeed.
You went off-road: Fifty-eight percent of respondents who'd been denied full coverage said that their companies had paid for remediation costs that the insurance company hadn't approved.
Some insurers won't cover ransom payments, for example, or may require that a ransomware negotiator be hired to ensure coverage. Others require clients to follow pre-approved playbooks in the wake of an incident.
Your claims fell outside of scope: Forty-five percent of respondents said they had incident costs and losses that weren't covered by their cybersecurity insurance policies.
This may be a question of budgeting, as wider coverage will cost more. But it may also be a result of ignorance: as noted in the findings above, 40% of cybersecurity leaders didn't know exactly what their policies covered.
You fell out of compliance: A small but significant slice — 14% — of respondents who'd been denied at least some insurance payouts admitted that they had not implemented the cybersecurity measures that were required by their policies.
In other words, they told their insurance carriers that they would improve their cybersecurity postures, and then they didn't.
The reasons behind the reasons, and the potential consequences
Rising premium costs: To keep up with the rapidly increasing costs of remediation, insurance carriers are jacking up rates. Many companies can't afford the same type of coverage they previously had and now must settle for less.
More stringent requirements for coverage: Insurers are also raising the bar on security measures that clients must implement before qualifying. Some organizations that previously had cyber insurance may suddenly find that they no longer can get any coverage.
"Our cyber insurance is up and we're having to jump through more hoops than we've ever had to before," complained a survey respondent in Sophos' 2023 Guide to Cyber Insurance.
Lack of security improvements: Many companies don't implement stronger security measures that would result in smaller premiums and/or better coverage with higher coverage limits. (Here's a list of what insurers want.)
Internal miscommunication: The people in an organization who are involved in buying cyber insurance policies, such as the legal, finance and compliance teams, often don't talk to the IT and SOC teams who have to deal with incidents. As a result, the coverage may not reflect what the actual costs incurred, or systems impacted, will likely be.
Having a cybersecurity insurance policy is an accepted, and often necessary, cost of doing business. Sophos found that 90% of organizations with between 100 and 5,000 employees in its survey carried cyber insurance, with rates of coverage varying from 81% in the national-government sector to 97% in the highly regulated energy and utilities sector.
Conversely, not having cyber insurance can cost you, and not just because you're now at higher risk of incurring heavy losses as the result of a breach or attack.
You may lose business: 42% of respondents in the Sophos survey said carrying cybersecurity insurance was required by potential clients or partners. You may also not be able to carry on business at all, as 34% said cyber insurance was a required part of the rules and regulations governing their industry.
How to get good cyber insurance coverage
The best way to better your cybersecurity insurance is to implement stronger cybersecurity measures. Yes, you'll be spending more money upfront to pay for those new tools, platforms and processes.
But you'll recoup at least some of the cost in the form of cheaper cyber insurance premiums, wider coverage, or both. Some companies will again find it possible to qualify for any form of cyber insurance at all.
"By setting minimum security control requirements to attain coverage," says the Sophos cyber insurance survey report, "the insurance industry is effectively forcing many organizations to elevate their cyber defenses."
In the Sophos survey, virtually all (99.6%) said that improving their cybersecurity postures helped improve their insurance positions.
Three-quarters (76%) said the beefed-up security helped them afford better coverage; 67% said it let them get better prices on their existing coverage, such as lower deductibles or cheaper premiums; 30% said it let them get better terms, such as higher coverage limits.
Boosting your cybersecurity protections will obviously also leave you at lower risk of a devastating incident and should free up your IT and SOC teams to do more with their time.
Speaking of the IT and SOC teams, another way to make sure you've got the coverage you need is to get all the stakeholders involved, including the people who have to fight the threats, when you're shopping around for a new cyber insurance policy.
"All stakeholders, including the IT/cybersecurity teams that will be at the frontline if an incident occurs," states the Sophos cyber insurance survey report, "should be involved in the insurance policy decisions to ensure that any investment meets the organization's needs."
If you do it that way, in other words, your CISO or IT managers won't be left clueless next time someone asks them what kind of cybersecurity insurance they have.