This August we commissioned a survey of over 1,400 senior IT decision-makers and business executives in the US, UK, and Canada. Our initial publication of the findings dug deep into their thoughts and attitudes on many issues, including nation-state attacks and hybrid work.
The survey also featured several questions on cyber insurance, so in this article we share the cyber insurance insights the respondents provided.
What the Numbers Say on Cyber Insurance Adoption
The top-line stat of the research reveals that 60% of organizations have a comprehensive cyber insurance policy to protect them if they experience financial loss from a cyber attack. While that number is a good starting point, it also indicates that many organizations have yet to embrace cyber insurance, something we at Arctic Wolf consider a key component in a holistic and effective security operations program.
Diving deeper into the data, we can see that the adoption of cyber insurance varies significantly by several factors. From a geographic perspective, Canadian organizations have a slightly lower adoption rate (55%) compared to their peers in the US (63%) and the UK (62%).
There is also a significant disparity in the adoption rates by industry. For example, survey respondents from some highly regulated industries—such as financial services—have adoption rates that are 15% higher than the global average.
In contrast, the hospitality industry has the lowest adoption rate of all industries surveyed with just 35% of respondents from this vertical claiming to have a comprehensive cyber insurance policy.
So what could be the cause of such a low adoption rate for cyber insurance among hospitality firms? I’m sure the industry isn’t ignoring the role cyber insurance has in ending cyber risk. Still, I wonder if this industry’s financial hardships due to the pandemic have caused some belt-tightening in budgets, with some organizations deciding to remove (hopefully temporarily) cyber insurance from their risk management plans.
What the General Holdups Are
Getting back to the top-line findings, we asked the 40% of enterprises without cyber insurance why they don’t have an active policy. Almost half of the respondents (46%) believed they do not qualify for cyber insurance. A few industries—such as state and local government, education, and critical infrastructure—have challenges in securing cyber insurance because of the high-risk nature involved in their operations or the users on their network.
Based on my experience, the reality is that most businesses can secure cyber insurance coverage; it’s just a matter of cost. Are you willing to pay a high premium to offset the risk associated with your security posture?
For a future survey, I hope to dig into this response more because the second most popular reason for not having cyber insurance was cost, with 18% of respondents claiming it was the prohibitive reason for their lack of a policy. I’d also add that the cost of a policy isn’t the all-in cost for insurability in many cases; required technologies like backup, monitoring, and multi-factor authentication have substantial costs for which there was no money set aside.
Interestingly, among those who cited cost as the primary reason for lacking cyber insurance, middle management (manager or director level) was three times more likely to mention cost than C-level executives (CEO/CIO/CISO/etc.). This disparity in response reveals a potential divide between IT teams and the boardroom on the importance of cyber insurance. We hypothesize that the middle management responsible for the day-to-day execution of a security program feels the money for insurance could be better spent on preventative measures to strengthen their security posture.
In contrast, the C-level leaders responsible for operating an entire organization understand cyber insurance’s essential role in business continuity and risk management.
How Arctic Wolf Can Help
As threat actors become more sophisticated in terms of the tools and techniques used to launch their strikes, no company or organization is impervious to a breach, regardless of the technology and security experts they have in their arsenal. For that reason, companies of all sizes and industries need cybersecurity insurance to manage the wide range of costs that come with a data breach, such as ransomware payments, funds lost to fraud, legal liability, regulatory fines, and lost business income.
Arctic Wolf believes that both insurability and risk are dramatically improved by 24×7 security operations and we’re backing it up. Earlier this year, we launched Arctic Wolf Service Assurance to supplement remediation costs of security incidents. It has proved a valuable supplement to insurance policies. Hopefully we can continue to improve the insurability of those 40% that still have an incomplete approach without insurance in place.
To learn more about Arctic Wolf Service Assurance eligibility requirements, along with more details and information on the events covered, download our datasheet.