Cyber risk is inevitable. In today’s business environment, the goal should not be to eradicate risk, but rather to manage it as efficiently as possible. Two primary approaches are treatment by deploying cyber controls and changing user behaviors, and transfer through cyber insurance. These approaches are interconnected: strong controls lower risk which facilitates access to coverage, while weak controls increase risk, making affordable policies harder to obtain.
Today we have published a new report that explores this relationship in depth. Based on an independent survey of 5,000 IT leaders, it looks at cyber insurance adoption among mid-market organizations, highlighting purchase drivers, the impact of defense investments on insurability, and the reasons why cyber incident costs are not always covered in full.
Executive summary
In the face of inevitable cyberattacks, adopting a holistic approach to cyber risk management that takes advantage of the interplay between cyber defenses and cyber insurance will enable organizations to lower their overall total cost of ownership (TCO) of cyber risk management while reducing their likelihood of experiencing a major incident.
The research also reveals that investing in cyber defenses not only makes getting insurance easier and cheaper but also improves protection and reduces IT workload. This finding further emphasizes the importance of considering cyber risk investments holistically, rather than as individual components.
One area of concern highlighted by the survey is the potential for policy purchases to be misaligned to business needs. Cyber insurance is an investment, so policies must cover the right risks. All stakeholders, especially IT and cybersecurity teams, should be involved in choosing policies to ensure they meet the organization’s needs.
Adoption of cyber insurance is widespread
The survey confirms that adoption of cyber insurance is widespread among organizations with 100-5,000 employees, with 90% of organizations having some form of cyber coverage. 50% have a standalone policy while 40% have cyber as part of a wider business insurance policy, such as a general liability policy. Adoption levels are high across all 14 countries surveyed, with Singapore reporting the highest propensity to have coverage.
General awareness of the business impact of cyberattacks is the most common reason behind insurance adoption
Organizations adopt cyber insurance for a variety of reasons, with nearly half (48%) citing awareness of the business impact of cyberattacks as the primary motivator. 45% reported it was part of their cyber risk mitigation strategy, and 42% said they need cyber insurance to work with clients or partners who require it.
Investing in cyber defenses to optimize insurance position is common practice – and it's working
97% of organizations that purchased cyber insurance last year improved their defenses to optimize their insurance position. Nearly two-thirds (63%) made major investments, while 34% made minor ones.
These security investments are paying off, as the survey found that nearly every company that invested in improving their cyber defenses said it had a positive impact on their cyber insurance position (99.6%, 4,351 of 4,370 respondents).
Cyber insurance requirements are driving organizations to elevate their defenses (the “stick”), with 76% of respondents saying their investments secured coverage they couldn’t otherwise obtain. The “carrot” is that two-thirds (67%) were able to get better-priced coverage, and 30% received improved terms thanks to their improved protection (e.g., higher coverage limits).
Furthermore, organizations investing in security enjoyed benefits beyond just insurance. 99% reported wider benefits such as improved protection, fewer alerts and reduced IT workload.
Insurers almost always pay out in some capacity on a claim
Organizations that have invested in a cyber policy will be encouraged to learn that insurers almost always pay out in some capacity on a claim, with only one respondent saying their claim was fully rejected.
At the same time, in 99% of claims insurers did not cover the full incident cost. Overall, insurers typically paid 63% of the total incident cost, with the modal payout rate coming in at 71-80%.
Reasons for costs not being fully covered
The survey also revealed that recovery costs from cyberattacks are outpacing insurance coverage. The most common reason (63%) for the recovery bill not being paid in full was total costs exceeded policy limits. According to Sophos’ The State of Ransomware 2024 survey, recovery costs following a ransomware incident increased by 50% over the last year, likely resulting in misalignment between policies and expenses.
There is widespread uncertainty around what policies cover in the event of a cyber incident
Many cybersecurity/IT leaders are unsure about what their policy covers in the event of an incident. Among those with a policy, 40% believe it covers ransom payments and 41% believe it covers income loss, but they are not certain. These findings are cause for concern on several fronts:
- Organizations risk not getting the coverage they need – illustrated by 45% of those whose incident costs were not covered in full saying that some costs/losses were not covered by their insurance policy
- Organizations risk not getting the support they anticipate in the event of a claim
The lack of visibility into policy coverage likely results, at least in part, from a disconnect between those purchasing the policy and those on the frontline should a major incident occur.
Read the full report
For more detailed insights including a look at the impact of cyber insurance coverage on ransomware outcomes, and many other areas, download the full report.
About the survey
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and February 2024, and participants were asked to respond based on their experiences over the previous year.