Cybersecurity, cyber insurance and ransomware tend to go hand in hand. Both security and insurance providers work tirelessly to reduce the impact of ransomware, which is one of the biggest threats facing businesses today.
Sophos has carried out research into the adoption of cyber insurance in the hope of giving us a better understanding of the three-way relationship between cyber security, cyber insurance, and ransomware in 2023. We will also look at the importance of cyber defenses in obtaining cyber insurance and how having such an insurance policy impacts ransomware response times.
As part of this research, Sophos surveyed 3,000 IT professionals and cyber security experts across 14 different countries between January and February 2023.
This survey showed that:
- 91% of organizations have some form of cyber insurance coverage, with standalone policies being a bit more popular than incorporating it in a broader business policy.
- It was also observed that as corporate revenue grows, so does the adoption of cyber insurance. Organizations with high revenues are more likely to have cyber insurance coverage.
- 95% of businesses that have cyber insurance said that the quality of their cyber defense mechanisms greatly impacted their position when it came to getting such a policy, the cost of their policy as well as the terms of their policy.
- Paying the ransom tremendously increases the role cyber defenses play in securing cyber coverage, but not their role in the cost of the policy.
- Those organizations that have cyber insurance are better positioned to recover their data after a ransomware attack, with almost all of them that had insurance getting their data back.
- Those businesses that have standalone cyber insurance policies and have had their data encrypted in a ransomware attack are more likely to pay the ransom, by a factor of 4, to get their data back than those that do not have any cyber insurance coverage.
2023 Adoption of Cyber Insurance
The research carried out by Sophos shows that cyber insurance is now the norm regardless of where in the world the business is located, the industry it is in or the company's revenue. A large number of organizations have a form of cyber insurance.
- 47% of businesses have a cyber standalone policy.
- 43% have cyber insurance as part of a broader business policy
- 8% of organizations do not have cyber insurance at the moment but plan on obtaining coverage within the next year
NOTE: due to rounding, coverage sits at 91%.
Industry Adoption of Cyber Insurance Policies
In this section we will look at the cyber insurance breakdown at the industry level.
- Higher and Lower Educational Institutions had the highest insurance coverage, sitting at 96%, even though they most likely had this coverage as part of a wider insurance policy instead of a standalone one.
- Financial services are most likely to have a standalone cyber policy, sitting at 59%
- Retail standalone policies sit at 56%
- 35% of IT, Telecoms and Technology companies have standalone policies
- Energy, oil and gas, and utilities sit at 39% having a standalone policy
Country Adoption of Cyber Security Insurance Policies
In this section we will look at cyber security insurance adoption at the country level.
- South Africa had the highest rate of coverage out of the 14 countries surveyed, with 98% of businesses covered
- Coming in with 56%, Brazil had the highest level of standalone cybersecurity policy adoption
- The United States had 55% of standalone policy adoption putting it at the 2nd highest adoption rate
- Japan had the lowest level of coverage, sitting at 82%, even though 4 out of every 5 businesses had some form of cyber insurance
- At 39%, Italy had the lowest level of standalone policy adoption
Adoption of Cyber Security Policies by Revenue Generated
It probably comes as no surprise that the higher the revenue, the more likely the business is to have a cyber security insurance policy in place.
Out of all businesses surveyed, 96% of the businesses that had an annual turnover of more than 5 billion US Dollars had some form of cyber security insurance coverage. This is compared to 79% of those businesses that had a revenue under 50 million US Dollars.
Those organizations that have higher revenues would have a greater tendency to go for a standalone cyber policy than those with lower revenues.
58% of organizations that reported a revenue of over $5 billion have a standalone policy, in comparison to 34% of those that have a revenue of less than $10 million.
What can be seen is that there is a gradual increase of standalone policy adoption as revenue increases.
How Organizational Cyber Defenses Impact the Purchase of Cyber Insurance
The quality of an organization's cyber defenses plays a major role in its ability to secure cyber insurance coverage.
95% of organizations that purchased a policy in 2022 noted that the quality of their cyber security defenses had an impact on their cybersecurity insurance position.
60% had said that their ability to get cybersecurity insurance coverage was impacted by the quality of their defenses, and a further 62% had said that it impacted the cost of their policy.
Lastly, 28% reported that their cyber security defenses impacted the terms of their policy (total amount of coverage, etc.).
The Role of Cyber Defenses in Obtaining Coverage After Paying the Ransom of a Ransomware Attack
When a company that is compromised by ransomware pays the ransom, its cyber defenses play a much larger role when securing a cybersecurity insurance policy. The interesting thing, though, is that this does not have any bearing on the cost of the coverage.
81% of companies that paid the ransom in 2022 reported that the quality of their cybersecurity defenses made it harder to get cybersecurity insurance coverage, an increase of 35% over the average.
59% of businesses that paid the ransom reported that their cyber defense quality impacted the cost of the policy, which is in line with the 62% global average.
99% of those that paid the ransom said that their cyber defenses impacted their insurance position in one way or another.
Standalone Policy Versus Wider Business Policy
When purchasing a standalone cybersecurity insurance policy, the role cyber defenses play in helping to obtain protection is much greater than for those that have a wider policy.
1% of those with standalone policies reported that the quality of their cyber defenses hindered their ability to obtain coverage. This is compared to 49% of those that had a more generic policy.
On the other hand, the quality of a business's cybersecurity defenses is more likely to have an impact on the cost of the policy when including it in a wider business policy (67%) than for those with standalone coverage (58%).
Cyber Insurance & Ransomware
Recovery of Encrypted Data
Those corporations that have a cyber insurance policy in place are more likely to be able to recover their data after a ransomware attack than those that do not have any coverage.
In terms of data recovery, this study saw little difference between those that had a standalone policy and those with a wider business policy.
Almost everyone that had some form of coverage was able to get their data back in some form.
On the other hand, of those corporations that didn't have any cybersecurity insurance policy in place, only 84% said that they could recover their data.
Across all 3 groups, the most commonly used method to recover data is backups, followed by payment of the ransom.
21%, or one fifth, of businesses reported using multiple ways to recover their data.
Factors might include an organization's ability to tap into its policy to recover the data, which might include the following:
- Assistance from the insurance provider during the data recovery process
- The strong cyber controls an organization needs in order to secure a policy, such as secure backups and an incident response plan, which put it in a better position to recover its data.
The Inclination to Pay the Ransom
This study also revealed that companies that have a standalone insurance policy are about 4 times more likely to pay the ransom in order to recover the data than those that do not have any cybersecurity insurance policy in place.
58% of businesses that had a standalone policy and had their data encrypted in 2022 paid the ransom to get their data back.
By comparison, 36% of businesses that have a broader insurance policy paid the ransom, as did 15% of those that do not have a cybersecurity insurance policy.