
Cyber insurance: How to achieve the right coverage


In its latest report, Cyber Insurance and Cyber Defenses in 2024, Sophos offers several key insights into the state of cybersecurity. Based on a survey of 5,000 IT and cybersecurity leaders across 14 countries, the study examines how cybersecurity insurance shapes organizations' defenses.

The most striking finding is how widespread coverage has become: 90% of organizations with between 100 and 5,000 employees hold some form of cybersecurity insurance. According to the survey, these high levels of coverage hold across national borders and industries.

What's driving such widespread insurance coverage? Awareness of the business impact of cyber threats such as ransomware tops the list, cited as the reason for buying cybersecurity insurance by 48% of respondents. However, there's more at play: 42% said they need coverage because clients or business partners contractually require cybersecurity insurance to be in place. This trend toward "insurance as a condition of business" varies significantly by industry and peaks in the energy vertical at 49%.

Cybersecurity insurance ambiguity

However, the study also reveals a concerning knowledge gap: many organizations are uncertain about what their policies cover. For instance, 40% believe their policy covers ransom payments but aren't sure. That ambiguity can lead to nasty surprises in the middle of a crisis.

The interplay between insurance and effective cybersecurity defenses is particularly intriguing. A staggering 97% of policy purchasers invested in improving their defenses to optimize their insurance position, and it appears to pay off: 99.6% reported a positive impact on their insurance terms, with 76% saying it enabled them to qualify for coverage they would not otherwise have secured.

These investments aren't just about insurance; 99% of respondents said they have improved protection and operational efficiencies by gaining cybersecurity insurance.

Regarding claims, the data shows insurers typically cover about 63% of total incident costs. The most common reasons for partial coverage are incident costs that exceed policy limits, costs the insurer deems "unauthorized," and other losses the policy does not cover. This underscores the importance of aligning policies with an organization's actual cybersecurity risks.

The report also offers some intriguing insights into ransomware outcomes. While insurance status doesn't appear to affect the likelihood of being hit, insured organizations report lower average ransom payments but are more likely to pay a ransom to recover their data.

Getting the right insurance

Part of the confusion around cybersecurity insurance may stem from a genuine misunderstanding of what policies typically cover. The growing popularity of cybersecurity insurance may also be less about organizations' desire to lower their own risk and more about business partners and other third parties requiring cybersecurity insurance in their contracts.

When seeking insurance at a reasonable premium, the first step is to ensure the organization has a reasonably secure environment. An excellent place to start is with what insurance carriers expect to see. Insurance broker Marsh provides a useful starting point.

Marsh lists 12 cybersecurity controls it wants to see in place:

  1. Multifactor authentication
  2. Email filtering
  3. Web security
  4. Verifiably secured/encrypted backups
  5. Privileged access management
  6. Endpoint detection
  7. Vulnerability management
  8. Incident response
  9. Awareness training
  10. Hardened systems
  11. Effective logging and monitoring
  12. Secure end-of-life processes and supply chain risk management.

It's also crucial to:

  • Understand the scope of coverage. Companies often purchase policies that do not adequately cover the full extent of their cybersecurity risks, which is most likely what creates the gaps in protection the Sophos respondents cite. Organizations seeking cybersecurity insurance should start from the data and systems they are protecting and the resilience investments they are making. That inventory strongly indicates which systems ransomware attackers are likely to target, which systems the policy should cover, and what downtime will cost.
  • Involve the right people to get a policy with the proper scope. This isn't a decision the CISO can make on his or her own. It must include business management, the CIO's office, IT leadership, legal, and risk management, among potentially many others depending on the organization.
  • Thoroughly understand the policy terms and conditions, including which damages and losses are covered, the maximum coverage limits, deductibles, and exclusions.
  • Finally, keep the policy up to date with changing risks. Cybersecurity threats, technology risks, and business risks are constantly evolving, and as these conditions change, the cybersecurity insurance policy should be updated to reflect them.

George V. Hulme

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications and is a security blogger at InformationWeek.com. From
