Cyberattack recovery costs have outpaced insurance coverage, according to a new report by online security solutions provider Sophos.
The survey titled “Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders,” shows that recovery costs from cyberattacks are outpacing insurance coverage with only one percent of those that made a claim saying that their carrier funded 100 percent of the costs incurred.
The most common reason policies did not pay the costs in full was that the total bill exceeded the policy limit.
According to The State of Ransomware 2024 survey, recovery costs following a ransomware incident increased by 50 percent over the last year, reaching $2.73 million (Sh353 million) on average.
In the latest findings, 97 per cent of those with cyber insurance improved their defenses to qualify for coverage, with 76 per cent saying it helped them get coverage, 67 per cent saying they got better pricing, and 30 per cent saying they secured improved policy terms.
The survey also revealed that recovery costs from cyberattacks are surpassing insurance coverage.
Only 1 per cent of claimants said their insurance covered all costs, with most facing bills that exceeded their policy limits.
Chester Wisniewski, Sophos’ Global Field CTO, noted that many cyber incidents result from not following basic cybersecurity practices, like timely patching.
“The Sophos Active Adversary report has repeatedly shown that many of the cyber incidents companies face are the result of a failure to implement basic cybersecurity best practices, such as patching in a timely manner.”
“In our most recent report, for example, compromised credentials were the number one root cause of attacks, yet 43 per cent of companies didn’t have multi-factor authentication enabled,” said Chester Wisniewski, director, global Field CTO.
Wisniewski emphasized that while cyber insurance encourages better security practices, it is just one part of a risk mitigation strategy.
Among 5,000 surveyed IT and cybersecurity leaders, 99 per cent of companies that improved their defenses for insurance purposes also reported broader security benefits, such as improved protection and fewer alerts.
Wisniewski added that investments in cyber defenses can lead to insurance savings, which can further enhance security.
He notes that as more companies adopt cyber insurance, their overall security will improve, even though insurance alone won’t eliminate ransomware attacks.
The survey included responses from 5,000 IT and cybersecurity leaders in 14 countries, covering organizations with 100 to 5,000 employees and revenues ranging from under $10 million to over $5 billion.