Dive Brief:
- In an effort to qualify for cyber insurance, three-quarters of companies have invested in cyber defense, according to a report released Wednesday by Sophos and Vanson Bourne.
- These investments were either required to obtain coverage, helped organizations secure lower premiums or, in other cases, improved the coverage terms of their insurance plans. The research is based on a survey of 5,000 IT and cybersecurity leaders across 14 countries in the Americas, Asia Pacific and Europe, the Middle East and Africa.
- Despite the investments, significant gaps remain between recovery costs and the coverage provided by insurance providers, Sophos found.
Dive Insight:
There are financial implications to cyber risk, and enterprises need to develop a comprehensive strategy to maintain business continuity, especially as ransomware threats surge unabated.
Recovery costs for ransomware rose more than 50% over the past year to an average of $2.73 million per incident, according to the 2024 State of Ransomware survey from Sophos. And those recovery costs exceeded what companies received in terms of coverage.
Insurance providers are incentivizing companies to improve their cyber defenses, not only by requiring them to meet minimum cyber defense standards, but also by linking premium costs and depth of coverage to maintaining those standards.
“Raising the minimum bar is always criticized by experts as not going far enough, yet we have seen time and time again with requirements like PCI-DSS, slowly improving the minimums incrementally having the desired effect over time,” Chester Wisniewski, director and global field CTO at Sophos, said via email.
PCI-DSS is a standard for how companies enforce the security of card payments. Card data is often stolen by malicious hackers and resold to commit fraudulent transactions.
Despite those additional investments, gaps remain between recovery costs and what insurance companies will pay out.
During 2022 and 2023, combined claim recovery at Marsh was about 80%, according to Meredith Schnur, regional cyber practice leader at the global insurance brokerage and risk advisory firm. Excluding retentions, that gap grows even larger.
“There is no question that cyber insurance policies are effective in paying claims,” Schnur said via email. “However, they are not meant to be carte blanche.”
Prior research from CYE showed policyholders can get stuck with significant gaps between the actual cost of an attack and the coverage provided by a cyber insurance policy. The average incident had a gap of more than $27 million, according to that report.