Cyber insurance is driving improvements to cyber defenses. This was one of the key findings of the Sophos’ The State of Ransomware 2022 report, released today. No one was more pleasantly surprised by this finding than Chet Wisniewski, a principal research scientist at Sophos. “For the first time ever, I’m sat here saying really good things about cyber insurance,” he laughs.
The vendor-agnostic survey of 5600 IT professionals, conducted by Vanson Bourne, found that 98% of businesses hit by ransomware had cyber insurance that covered ransomware and that the policy paid out in the most significant attack. In addition, the survey reveals an increase in the payment of clean-up costs (77%) and a decrease in ransom payments by insurers (40%).
According to the report’s data, 66% of organizations were hit by ransomware in the last year, a statistic that Wisniewski says makes the way that cyber insurance policies were historically issued “untenable.” This is why he says there has been a dramatic evolution in the cyber insurance space and one that has evolved his own personal perception of it. Initially, he saw cyber-insurance as “a negative force,” but thanks to its maturity curve, he now describes it as “a super positive thing.”
Wisniewski considers one of the main issues with cyber insurance in the past was that organizations treated it as a way of shifting risk, therefore failing to mitigate it. “That gravy train is done,” he says, “the millions of pounds of pay-outs were a problem. A year ago, cyber insurance started to rocket in price. The insurance industry had had enough.”
Wisniewski reveals that they laid a “trap question” in the survey. “We asked ‘why do you think you have protection from cyber-attacks?’ and we listed cyber insurance as an answer to see how many people consider it to be a mitigation tool.” Although he could not recall the exact numbers, he recalls that many respondents chose that answer.
"When an incident occurs, cyber insurance companies swoop in, negotiate and know how to do incident response. They disconnect systems, kick off and create a roadmap of incident response, and do it really quickly"
As cyber insurers started to require organizations to demonstrate a determined level of security practice, maturity and resilience to issue an insurance policy, we should celebrate the positive impact on cybersecurity posture, argues Wisniewski. “When an incident occurs, cyber insurance companies swoop in, negotiate and know how to do incident response. They disconnect systems, kick off and create a roadmap of incident response, and do it really quickly.” This rapid expert response limits damage and causes the cost of the incident to drop, he adds.
When asked, “if you were a CISO, would you be investing in cyber insurance?” Wisniewski answers without hesitation: “Absolutely, it’s an incredibly useful service. Obviously, I’d evaluate it, and if the price and terms were right, I absolutely would.”
Infosecurity poses the same question to Sophos senior security advisor, John Shier: “Yes, I absolutely would too,” he said. “It would also be my incentive to improve the security of the business and get the C-suite to buy into that,” he says.
Too Many Staff, Plenty of Budget
Cyber insurance revelations aside, another interesting and, frankly shocking, piece of data to come out of the report is that the majority of cybersecurity professionals believe they have enough – or more than enough – budget and staff. Given extensive and longstanding industry discussions regarding the skills gap and strained budgets, this information has understandably shocked both Shier and Wisniewski.
“The most surprising part of the entire report is that professionals have too much budget and too many staff. Despite this, only around a third of them are actually getting it right, so where’s the disconnect?” ponders Shier. “I was so shocked I thought it must be a mistake – I had to re-check the data,” adds Wisniewski.
64% of those hit by ransomware in the last year say that they have more cybersecurity budget than they need
Sixty-four percent of those hit by ransomware in the last year say they have more cybersecurity budget than they need, while a further 24% say they have the right amount. Similarly, 65% of ransomware victims say they have more cybersecurity headcount than they need, and a further 23% say they have the right level of staffing.
This perspective is certainly new, and, as noted in the report, “the findings suggest that many organizations are struggling to deploy their resources effectively in the face of the accelerating volume and complexity of attacks.”
The Ransomware Challenge Continues to Rocket
Certainly not surprising is the revelation that the proportion of organizations directly impacted by ransomware has almost doubled in twelve months, from just over a third in 2020 to two-thirds in 2021.
Many businesses are choosing to reduce the monetary risk of attack by taking cyber insurance. With cyber insurers demanding stricter levels of security to issue said policies, however, organizations must evolve their security posture in order to be granted insurance. It’s a new dawn and one that, in the words of Wisniewski, can only be a “really, really positive thing.”