Arctic Wolf commissioned a survey of over 1,400 senior IT decision-makers and business executives in the US, UK, and Canada. The initial publication of the findings dug deep into their thoughts and attitudes on many issues, including nation-state attacks and hybrid work.
In addition, however, the survey featured several questions on cyber insurance that drew interesting feedback. Here are some highlights from the survey, by Odin Olsen of Arctic Wolf:
The top line stat of the research reveals that 60% of organizations have a comprehensive cyber insurance policy to protect them if they experience financial loss from a cyber attack. While that number is a good starting point, it also indicates that many organizations have yet to embrace cyber insurance, something we at Arctic Wolf consider a key component in a holistic and effective security operations program.
Diving deeper into the data, we can see that the adoption of cyber insurance varies significantly by several factors. From a geographic perspective, Canadian organizations have a slightly lower adoption rate (55%) compared to their peers in the US (63%) and the UK (62%).
There is also a significant disparity in the adoption rates by industry. For example, survey respondents from some highly regulated industries—such as financial services—have adoption rates that are 15% higher than the global average.
In contrast, the hospitality industry has the lowest adoption rate of all industries surveyed with just 35% of respondents from this vertical claiming to have a comprehensive cyber insurance policy.
So what could be the cause of such a low adoption rate for cyber insurance among hospitality firms? I’m sure the industry isn’t ignoring the role cyber insurance has in ending cyber risk. Still, I wonder if this industry’s financial hardships due to the pandemic have caused some belt-tightening in budgets, with some organizations deciding to remove (hopefully temporarily) cyber insurance from their risk management plans.
What the General Holdups Are
Getting back to the top-line findings, we asked the 40% of enterprises without cyber insurance why they don’t have an active policy. Almost half of the respondents (46%) believed they do not qualify for cyber insurance. A few industries—such as state and local government, education, and critical infrastructure—have challenges in securing cyber insurance because of the high-risk nature involved in their operations or the users on their network.
Based on my experience, the reality is that most businesses can secure cyber insurance coverage; it’s just a matter of cost. Are you willing to pay a high premium to offset the risk associated with your security posture?
For a future survey, I hope to dig into this response more because the second most popular reason for not having cyber insurance was cost, with 18% of respondents claiming it was the prohibitive reason for their lack of a policy. I’d also add that the cost of a policy isn’t the all-in cost for insurability in many cases; required technologies like backup, monitoring, and multi-factor authentication have substantial costs for which there was no money set aside.
Interestingly, among those who cited cost as the primary reason for lacking cyber insurance, middle management (manager or director level) was three times more likely to mention cost as the reason for their lack of insurance than C-level executives (CEO/CIO/CISO/etc.). This disparity in response reveals a potential divide between IT teams and the board room on the importance of cyber insurance. We hypothesize that the middle management responsible for the day-to-day execution of a security program feels the money for insurance could be better spent on preventative measures to strengthen their security posture.
In contrast, the C-level leaders responsible for operating an entire organization understand cyber insurance’s essential role in business continuity and risk management.