Cyber insurance coverage has changed over the last year, according to Sophos’ annual study* of the real-world experience of IT professionals on the front line. The study also shows the impact cyber insurance has had on their cyber defenses. With ransomware a major driver of both cyber insurance purchases and claims, the study also highlights how often cyber insurance policies pay out in the event of an attack and the types of costs that are covered, including how often insurers pay the ransom.
Overall, 92% of all respondents said that their organization currently has some level of cyber insurance coverage in place. 83% of respondents have cyber insurance that covers ransomware, although 41% of them (34% of all respondents) say there are exceptions and exclusions in their ransomware coverage.
Cyber insurance adoption has increased over the last two years. In the 2020 survey (which reflected organizations’ experiences in 2019), 84% of the 5,000 respondents said their organization had cyber insurance and only 64% had cyber insurance that covered ransomware.
On a per-country basis, European countries lead in cyber insurance coverage, with respondents in the Czech Republic (99%), Sweden and Belgium (both 98%) most likely to report that their organization has coverage. Hungary reported the lowest level of cyber insurance coverage (82%), while Israel has the lowest rate of coverage against ransomware (66%).
At a sector level, the energy, oil/gas and utilities sector has the highest level of cyber insurance coverage (96%), together with retail, and the highest level of coverage against ransomware (89%). This is unsurprising given that this sector is a major target for attacks (for example, the Colonial Pipeline ransomware incident of 2021) and also has high levels of legacy infrastructure that is often hard to keep up to date, increasing its exposure to attack.
At the other end of the scale, manufacturing and production have both the lowest level of cyber insurance coverage (86%) and the lowest level of coverage against ransomware (75%).
This high overall rate of cyber insurance coverage is understandable given the growing cyber threat challenge facing IT teams. Over the last year, 57% of respondents experienced an increase in the volume of cyber attacks on their organization, 59% saw the complexity of attacks increase, and 53% said the impact of attacks had increased.
Ransomware is the number one driver of cyber insurance claims, and over the last year there was a 78% increase in the percentage of organizations that experienced an attack: up from 37% in 2020 to 66% in 2021. As attackers have become more capable of executing attacks, it follows that demand for cyber insurance has also increased.
Organizations hit by ransomware in the last year are much more likely to have cyber insurance that covers them against ransomware than those that avoided falling victim to an attack. Among those that were hit, 89% have cyber insurance that covers ransomware compared with 70% of those not hit.
The cause and effect are not clear here. It may be that direct experience of a ransomware incident has driven many organizations to take out insurance to help mitigate the impact of future attacks. Alternatively, adversaries may target organizations that they know have insurance coverage to increase their chances of a ransom payout. Another possibility is that some organizations took out coverage to offset known weaknesses in their defenses. The reality is likely a combination of all three.
It's worth noting that a prior claim can make securing new or renewed coverage more difficult without a significant investment in a changed approach to cybersecurity, as insurers look to reduce the risk of a major payout.
As previously noted, many organizations have exceptions or exclusions in their ransomware coverage. For example, if an organization chooses not to include the component under which the provider pays the ransom in a ransomware attack, that will often bring down the overall price of coverage. When evaluating what to include in a policy, it’s helpful to understand the reality of ransom payments today.
965 respondents whose organization paid the ransom shared the exact amount, revealing that average ransom payments have increased considerably over the last year. However, there is considerable variation in ransom payments by country and sector.
Overall, over the last year there has been an almost threefold increase in the proportion of victims paying ransoms of US$1 million or more: up from 4% in 2020 to 11% in 2021. In parallel, the percentage paying less than US$10,000 dropped from one in three (34%) in 2020 to one in five (21%) in 2021.
Globally, the average ransom payment came in at US$812,360, a 4.8X increase from the 2020 average of US$170K (based on 282 respondents). While this headline figure is skewed by 15 eight-digit payments, it’s clear from the data that ransoms are trending upwards across the board.
There is considerable sector variation, with adversaries extracting the highest sums from those they consider most able to pay:
Reassuringly for those with cyber insurance coverage, 98% of respondents that were hit by ransomware and had cyber insurance covering ransomware said the policy paid out in the most significant attack – up from 95% in 2019. In a number of countries, this rose to a full 100% payout rate: Switzerland (n=52), Mexico (n=131), Sweden (n=68), Belgium (n=66), Poland (n=75), Turkey (n=51), UAE (n=49), India (n=218) and Singapore (n=91). The survey reveals an increase in the payment of cleanup costs and a decrease in ransom payments by cyber insurers.
77% of respondents reported that their insurer paid cleanup costs, i.e., the costs incurred to get the organization up and running again – up from 67% in 2019. Higher education (universities, colleges and equivalent institutions) reported the highest level of cleanup cost coverage (87%). Conversely, there was a drop in ransom payout rates by insurers, with 40% reporting that the insurer footed the ransom bill, down from 44% in 2019. However, ransom payout rates varied considerably by sector. The highest rates were reported in lower education (K-12/primary/secondary) (53%), local/state government (49%) and healthcare (47%), and the lowest in manufacturing and production (30%) and financial services (32%).
It’s interesting to note that the sectors with the lowest rate of ransom payment are also the ones that reported being able to recover fastest from an incident, emphasizing the importance of disaster recovery planning and preparation. In all cases, it’s worth remembering that cyber insurance will help get you back to your previous state, but it doesn’t cover ‘betterment’, i.e., the investment in better technologies and services needed to address the weaknesses that led to or enabled the attack.
Observers of the cyber insurance market will likely agree that the changes over the past year have been astonishing. While most organizations have some form of cyber insurance, most survey respondents reported that securing coverage has changed over the last year, with higher premiums and more stringent requirements for cyber controls. Qualifying for cyber insurance today requires a concerted effort to do all you can to reduce your risk profile. Those who get the best terms, rates and limits will be those who pose the least risk to the underwriters. If you want to obtain cyber insurance in 2022, you should have in place strong technological defenses combined with educated and trained users, plus up-to-date procedures, including the use of deception technologies.
With some providers leaving the market, getting your organization’s cybersecurity defenses in place and submitting your application early could help you obtain a policy before supply runs out. If you have questions about what your insurance provider requires, bringing them into the conversation sooner rather than later could help you direct your cybersecurity investments toward the criteria they set for qualifying for coverage.
The good news is that cyber insurance firms have diligently been holding to their side of the agreement, with a 98% payout rate on cyber insurance claims reported by survey respondents.
*Findings from an independent, vendor-agnostic survey of 5,600 IT professionals in mid-sized organizations across 31 countries.