Cyber Insurance Provides Both Carrot and Stick for Cyber Security
Although most medium-sized businesses have some form of cyber insurance, there is widespread uncertainty about what the coverage would provide in the event of a claim, while businesses that had filed a claim reported their coverage paid less than the full incident costs on average, according to new research by cybersecurity firm Sophos.
Although some medium-sized businesses (those with 100 to 5,000 employees) expressed uncertainty about their protections, the survey found that businesses that invested in cyber defenses not only improved their insurance position but also reduced their cyber risk.
Cyber insurance acts as both a carrot and a stick for cybersecurity investments, Sophos noted. “By setting minimum security control requirements to attain coverage — the ‘stick’ — the insurance industry is effectively forcing many organizations to elevate their cyber defenses. In parallel, by recognizing and rewarding strong defenses through lower premiums, higher policy limits and improved terms, cyber insurers are incentivizing risk reduction through superior protection,” the report noted.
Cyber insurance has become a crucial component of risk management for mid-sized organizations, with 90% of surveyed companies having some form of cyber coverage. Among those with insurance, 50% have opted for standalone cyber insurance policies, while 40% have cyber coverage as part of a wider business insurance policy, Sophos reported.
The adoption of cyber insurance is consistently high across organizations of different sizes and revenue levels. The survey found that 92% of companies with less than $50 million in annual revenue have coverage, while 93% of those with $1 billion or more in annual revenue have also invested in cyber insurance.
Several factors are driving the widespread adoption of cyber insurance, Sophos found. The most common reason, cited by 48% of respondents, is awareness of the business impact of cyberattacks and cybercrime. Another 45% of respondents stated that cyber insurance is part of their organization’s risk mitigation strategy. The ability to work with clients and partners who require cyber insurance is also a significant factor, with 42% of respondents citing this as a reason for their purchase.
Challenges with Cyber Insurance Coverage
A significant portion of companies are unclear about what their cyber insurance policies actually cover, Sophos found. For example, 40% of respondents think their policy covers ransom payments but are not certain, 42% think it covers breach notifications but are unsure, and 41% believe their policy covers income loss but are not sure.
This lack of clarity around coverage creates substantial risks for organizations. In the event of a cyber incident, they may find themselves without the coverage they need or expect, leaving them exposed to potentially devastating financial losses, Sophos noted. It’s crucial for companies to thoroughly review and understand their cyber insurance policies to ensure they have adequate protection.
“The lack of visibility into policy coverage likely results, at least in part, from a disconnect between those purchasing the policy (typically finance and/or compliance teams) and those on the frontline should a major incident occur (typically IT and cybersecurity functions),” the report’s authors said. “Organizations should be sure to involve all stakeholders in the purchase decision, and to ensure that all parties are aware of what the policy does and does not cover.”
Even when organizations do have cyber insurance, insurers rarely cover the full cost of an incident. The median payout falls in the 71% to 80% band of total incident costs, and only 1% of respondents reported that their carrier funded 100% of the expenses incurred, according to the survey.
The most common reason for not receiving a full payout was that total costs exceeded the policy limits (63%), followed by costs incurred without the insurer’s prior approval (58%) and costs or losses that the policy did not cover (45%). In addition, 14% of companies whose claim was not covered in full said it was because they did not have the cyber defenses the policy required.
Cyber insurers typically make specific security controls a condition of coverage, such as multi-factor authentication, regular patching of software vulnerabilities and deployment of endpoint detection and response (EDR) tooling. These requirements are not a one-time checkbox: as the 14% figure above shows, a payout can be reduced if the required defenses are not actually in place when an incident occurs, so organizations should verify that the controls they attest to at purchase or renewal are deployed and maintained across the environment.
These findings highlight the importance of not only having cyber insurance but also ensuring that the policy provides sufficient coverage limits and clearly outlines the requirements for making a claim, Sophos stated.
Investing in Cyber Defenses Improves Insurability
The good news for organizations considering spending on improving cyber defenses is that almost every company (99.6%) that invested in this area said it had a positive impact on their cyber insurance position. Over three-quarters (76%) of respondents said that their investment enabled them to get insurance coverage that they would not have been able to secure otherwise.
In addition to expanding access to coverage, investing in cyber defenses can also lead to more favorable terms and pricing. Two-thirds of organizations were able to access better priced coverage, such as lower premiums or lower deductibles, as a result of their investments in their cyber defenses, the survey found. Another 30% said their improved protection enabled them to get better terms, like higher coverage limits.
Investing in cyber defenses pays other dividends, according to Sophos. Beyond easier and cheaper access to cyber insurance coverage, 99% of respondents said it provided other benefits, with 70% saying it delivered “a lot of wider benefits” and 29% reporting “a few wider benefits.”
View the full report on the Sophos website.