The Global State of Cyber Insurance | 2022

The Global State of Cyber Insurance

Risk never goes away. The fact is, how an organization manages risk will ultimately dictate their risk profile and their ability to obtain and maintain cyber insurance.

Explore highlights from our survey of 500 IT and corporate executives in North America, Europe, and South Africa and gain insights into how they are managing risk in order to qualify and purchase cyber insurance.
Download Full Report

Source: Arctic Wolf 2022 Cyber Insurance Survey

Motivations for Obtaining Cyber Insurance

“Over the past two to three years, cyber claims have become more frequent than what was seen in the past. Much of this can be attributed to the growth in cyber vulnerabilities for small to mid-sized businesses…It is essential that companies understand the insurance coverage they have purchased and how it can help.”

Linda Comerford

AVP of Cyber Services and Incident Response at AmTrust
The rise in ransomware incidents and payments are driving the desire for cyber insurance. In many cases, organizations are contractually required by their business partners to maintain certain levels to spread out the risk.
THIS MEANS:
Defending against ransomware is a risk management best practice and a business imperative.
Animated Graph of 38 percent
Risk management best-practice
Animated Graph of 34 percent
Requirement of other insurance policy
Animated Graph of 26 percent
Mandate from board of directors
(Motivations for obtainnig cyber insurance among respondants of the Arctic Wolf 2022 Cyber Insurance Survey)
quote-icon-white-40-percent.png

"Highly touted security controls that are often considered obligatory by cyber insurers, such as data loss prevention and cyber security awareness training, received much lower citations as key motivators."

- Arctic Wolf 2022 State of Cyber Insurance

Expectations of
Coverage

As with any insurance offering, cyber insurance products vary greatly, and often contain exclusions, including more costly and challenging issues such as ransomware. Typical exclusions include wrongful acts that occur prior to coverage; loss of portable devices; security maintenance failures; third-party breaches; bodily injury and property damage resulting from a cyber incident; and war, invasion, and terrorism.
THIS MEANS:
Some enterprises have been required to obtain multiple policies to cover their risk transference goals. Getting your company’s cybersecurity defenses in place and submitting your applications early could help you obtain a policy that meets your coverage expectations.

52% of Survey Respondents:

Expected their cyber insurance coverage to take care of 61%-80% of the costs associated with a data breach.

61%

80%

Expected Cost Coverage

48% of Survey Respondents:

Expected their cyber insurance coverage to take care of 81%-100% of the costs associated with a data breach.

81%

100%

Expected Cost Coverage

"Cover Everything"

By Country

The number of respondents who fall into the “cover everything” category varies by country.
Animated graph 40 percent
United States and Germany
Animated graph 33 percent
Canada
Animated graph 30 percent
South Africa
Animated graph 29 percent
United Kingdom
Animated graph 28 percent
Netherlands
Animated graph 24 percent
Sweden
However, if you exclude ransomware, the “cover everything” numbers change drastically.
Animated graph 42 percent
Canada
Animated graph 38 percent
Sweden and South Africa
Animated graph 32 percent
United Kingdom
Animated graph 30 percent
United States
Animated graph 26 percent
Netherlands
Animated graph 14 percent
Sweden
2 out of every 3 organizations have had their cyber insurance policy for one year or less.

Crucial Controls

Respondents confirmed what insurance carriers and brokers have been asserting: implementing mission-critical cybersecurity controls can lead to lower rates. But there’s a disconnect between carriers’ most commonly required controls and the security controls that have the biggest impact on your organization’s risk — and your cyber insurance rate.
Required by Carriers
Insurance carriers and brokers often require, or at least strongly suggest, security controls that policyholders are expected to have in place in order to maintain their policies. Globally, the top five most common security controls requested by carriers are:

Anti-Virus Software

47%

Virtual Private Networks (VPN)

41%

Cloud Monitoring Software

26%

Firewalls

23%

Multi-factor Authentication (MFA)

19%

GLOBAL Breakdown

The U.S. and U.K. tend to emphasize VPNs, anti-virus software, and cloud monitoring. Canada and the rest of Europe and South Africa go beyond just those three controls, however, by including firewalls, multi-factor authentication, and vulnerability scanning and management — providing a much broader set of controls to address potential vulnerabilities.