Cyber insurance premiums are declining, according to a report by Howden Insurance Brokers


Improved cyber hygiene among businesses has seen cyber insurance premiums fall by 15% globally over the past two years, despite cyber threats, particularly ransomware attacks, becoming more prevalent, according to a new report from Howden Insurance Brokers.

Awareness of cyber hygiene practices such as multi-factor authentication, EDR, and cloud backups has grown significantly since 2022.

According to Howden and NCC Group, ransomware attacks increased by 18% this year, but effective risk controls reduced the need for businesses to pay ransoms. However, recovery costs are rising again after a brief decline in 2022.

Cumulative global ransomware activity between 2022 and 2024 according to data from NCC Group. Attacks increased by 18% from 2023. Image: Howden

Insurance premiums skyrocketed in 2021 and 2022 as the COVID-19 pandemic forced businesses to rush their transition to remote work. Threat actors actively exploited new network vulnerabilities resulting from the use of personal devices, increased access points, and loss of centralized data controls, leading to more claims.

Howden Global Cyber Insurance Price Index from 2014 to 2024, showing a 15% decline over the past two years. Image: Howden

Sarah Neild, UK retail cyber manager at Howden, explained why the cost of cyber insurance has fallen. In an email to TechRepublic, she told us: “One reason is increased awareness of the risks in the wake of persistent, high-profile attacks.

“The requirement by insurers for minimum levels of hygiene for companies to be able to access their capacity has also had a major impact.” As a result, fewer claims are being filed, so policies are becoming cheaper.

Neild added: “Despite the significant investment burden that businesses have had to bear, it has helped to build much-needed resilience for policyholders. This is now paying off as they face a rapidly changing threat environment.”

Howden's data also showed that the number of indirect claims from third parties that were not intentionally targeted in a cyber incident has been lower than direct claims on average, further indicating that businesses are effectively managing their risks and mitigating losses.

Competition among insurers is also increasing as more are offering cyber insurance policies, helping to drive down prices for customers, the report says.

“The favorable momentum has continued through 2024, with the cost of cyber insurance continuing to decline despite ongoing attacks, increased geopolitical instability and the proliferation of next-generation artificial intelligence,” Neild said in a press release.

“At no other time has the market experienced the current combination of conditions: an intensified threat landscape combined with a stable insurance market supported by robust risk controls.”

The Howden report also concluded that demand for cyber insurance in Europe is likely to grow in the coming years. Penetration levels in the region are currently low, but awareness of cyber risks and strategic investments in security are increasing. Small and medium-sized organisations are also an underserved market.

Neild said she expects low prices to continue. However, they are unlikely to fall further. She told TechRepublic: “Current dynamics (supply versus demand, strong competition, etc.) suggest that buyers will continue to benefit from favorable conditions. Capacity has increased, and the strong recent market performance indicates that the cost of hedging is proportional to the costs of losses.

“That said, we are already seeing moderate price declines following the high-profile attacks in the first half of 2024, particularly in the healthcare sector. We therefore expect market conditions to stabilise from here and reach a landing point that offers an attractive long-term proposition for both buyers and operators.”

Why cyber insurance is increasingly important for businesses

Cyber insurance can help businesses withstand the costs associated with a successful cyberattack or penalties for failing to comply with increasingly stringent compliance regulations. Data breach costs rose to $4.45 million per incident in 2023, according to IBM, in part due to the fact that it was taking longer to investigate breaches.

A Splunk report released last month found that the leading cause of unplanned downtime at the world’s largest companies was cybersecurity-related human error, such as clicking on a phishing link. Downtime overall costs them $400 billion a year, or about 9% of their revenue.

Downtime caused by a cybersecurity incident directly results in financial losses in the form of lost revenue, regulatory fines, and overtime wages for staff fixing the problem. The report also revealed hidden costs that take longer to have an impact, such as decreased shareholder value, stagnant developer productivity, and reputational damage.

Cyberattacks are not only becoming more costly; they are also becoming more successful. In April, a Kaspersky study found that the number of devices infected with data-stealing malware increased sevenfold between 2020 and 2023. Last month, insurance broker Marsh revealed that it had received more than 1,800 cyber claims from North American clients in 2023, a record, as businesses were hit by ransomware.


Despite this, there is evidence that companies are improving their defenses against cyberattacks. According to a 2024 report from Mandiant, the average dwell time (the length of time attackers remain undetected within a targeted environment) for global organizations decreased from 16 days in 2022 to 10 days in 2023 and is now at its lowest point in more than a decade.
