Cyber Insurance Drives Major Security Improvements, But Recovery Costs Surge, Sophos Report Finds

A Sophos survey reveals that 97% of organizations with cyber insurance have improved their cybersecurity measures to qualify for coverage, but recovery costs from cyberattacks often exceed insurance limits. The report highlights the importance of basic security practices and the role of cyber insurance in driving better cybersecurity.


27 June 2024 – Sophos, a global leader in innovative security solutions, has unveiled its latest findings in the report “Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders.” The report underscores the pivotal role of cyber insurance in driving companies to bolster their cyber defenses, with 97% of insured organizations investing in security improvements to aid in obtaining and maintaining coverage.

The survey, which collected data from 5,000 IT and cybersecurity leaders across 14 countries, reveals that 76% of organizations enhanced their cybersecurity measures to qualify for insurance, 67% to secure better pricing, and 30% to obtain improved policy terms. This push for better defenses is yielding significant security benefits, with 99% of those organizations reporting broader advantages such as improved protection, reduced IT workload, and fewer security alerts.

Despite these improvements, the report highlights a concerning trend: recovery costs from cyberattacks are outstripping insurance coverage. Only 1% of companies that made a claim reported that their insurance covered all incurred costs. The main issue is that recovery expenses frequently exceed policy limits, especially as the average cost of ransomware recovery surged by 50% over the last year, reaching $2.73 million.

Chester Wisniewski, Global Field CTO at Sophos, pointed out that many cyber incidents stem from a lack of basic cybersecurity practices, such as timely patching and enabling multi-factor authentication. The Sophos Active Adversary report identifies compromised credentials as the leading cause of attacks, yet 43% of companies surveyed had not implemented multi-factor authentication.

Wisniewski emphasizes that while cyber insurance plays a crucial role in compelling companies to adopt essential security measures, it should be viewed as part of a comprehensive risk mitigation strategy. “Cyber insurance is making a difference, driving organizations to improve their defenses, which has a positive ripple effect. However, companies must continue to strengthen their cybersecurity posture to protect against operational and reputational impacts of cyberattacks,” he said.

The survey’s findings illustrate that investments in cyber defenses not only facilitate insurance coverage but also contribute to an organization’s overall security resilience. As cyber insurance adoption grows, the hope is that organizational security will continue to advance, making cyber insurance an integral component of the broader cybersecurity ecosystem.

Author: Terry KS
