A survey by Sophos, titled “Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders,” has indicated that 76% of global companies have strengthened their cyber defences to meet the requirements for cyber insurance coverage.
This trend highlights the growing role of cyber insurance in business strategies, as firms seek to mitigate the risks of cyberattacks by ensuring their partners have sufficient coverage.
However, many businesses remain uncertain about the specifics of their insurance policies.
The survey found that 40% of respondents were unsure if their policy covered ransom payments, and 41% were uncertain about coverage for income loss.
The costs of recovering from cyberattacks often surpass the limits of insurance coverage.
Only 1% of claimants reported that their insurer fully compensated their remediation expenses, with most experiencing partial payments due to exceeded policy limits.
Sophos’ “State of Ransomware 2024” survey also revealed that recovery costs have increased by 50% over the past year, averaging US$2.73 million per incident.
Chester Wisniewski, global field CTO at Sophos, said the firm’s Active Adversary report has repeatedly shown that many cyber incidents faced by companies resulted from failure to implement cybersecurity best practices.
“In our most recent report, for example, compromised credentials were the number one root cause of attacks, yet 43% of companies didn’t have multi-factor authentication enabled,” he said, as reported by Security Brief Asia.
He also noted the broader impact of these required upgrades.
“The fact that 76% of companies invested in cyber defences to qualify for cyber insurance shows that insurance is forcing organisations to implement some of these essential security measures,” he said. “It’s making a difference, and it’s having a broader, more positive impact on companies overall. However, while cyber insurance is beneficial for companies, it is just one part of an effective risk mitigation strategy. Companies still need to work on hardening their defences. A cyberattack can have profound impacts for a company from both an operational and a reputational standpoint, and having cyber insurance doesn’t change that.”
Investments in cyber defences for insurance purposes have reportedly led to broader security benefits.
Among the respondents, 99% agreed that their defensive improvements had positive impacts, such as enhanced protection, freed IT resources, and reduced security alerts.
Wisniewski highlighted the additional benefits of cyber defence investments.
“Investments in cyber defences appear to have a ripple effect in terms of benefits, unlocking insurance savings that organisations can divert into other defences to more broadly improve their security posture. As cyber insurance adoption continues, hopefully, companies’ security will continue to improve. Cyber insurance won’t make ransomware attacks disappear, but it could very well be part of the solution,” he said.
The survey gathered responses from 5,000 IT and cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific (APAC). The organisations surveyed varied in size, employing between 100 and 5,000 individuals, with revenues ranging from below US$10 million to over US$5 billion.
Early this year, a report revealed a rise in cyber threats across the APAC region, particularly in ransomware attacks. The financial sector ranked as the fourth-highest target of such attacks in the region in 2023.