Cyber insurance creates a “valuable feedback loop” as underwriting teams learn from related claims and adjust their requirements to reflect controls that could have mitigated them, Marsh says.

A survey of more than 650 decision makers globally, conducted jointly by Marsh and Microsoft, found 61% of respondents had purchased some type of cyber coverage, up around 30% since 2019.

The adoption of certain controls has become a minimum requirement for a majority of insurers, with “potential insurability on the line” for those seeking cover, Marsh says, and 41% of respondents said these insurer demands had influenced decisions to augment existing cyber control measures, or adopt new ones.

Almost two-thirds said insurance was an important part their cyber risk management strategy and 58% said it was worth paying for insurance to safeguard against the risks and potential costs of an attack.

“Insurance is an important part of cyber risk management strategy, and influences the adoption of best practices and controls,” it said.

Cyber resilience is only achieved when a combined role is played by insurance alongside implementing cybersecurity measures, undertaking robust data and analytics, and creating adequate incident response plans, the State of Cyber Resilience report says.

Some organisations are still struggling to adopt best practice, due to the cost or not understanding the need.

Cyber risk is especially pervasive as risk comes from so many sources such as an employee or vendor firing up their laptop from home, a user connecting a new product to the Internet of Things introduces risk, and even risk from deciding not to launch a new product fearing cyber threats.

"Every organisation can expect a cyberattack,” the report said, listing ransomware, phishing/social engineering, privacy breaches, and business interruption due to an external supplier being attacked.

Just 3% of firms surveyed rated their cyber hygiene as excellent. More than half said they do not risk assess new technology beyond implementation.

Firms “widely overlook” their vendors/digital supply chains, Marsh says, with only 43% conducting this risk assessment.

Marsh also found cyber risk management to be “a mishmash of roles and responsibilities” with risk management and insurance professionals generally absent from discussions of cybersecurity tools and services.

“There is no clear leader for decisions around cyber insurance,” it said. More than a quarter of risk managers and finance professionals surveyed were not involved in cyber incident management, and Marsh says role clarity and clear authority for decision making would maximise investment efficiency.

"Even the best tools and activities are unlikely to meet their potential if there is not effective communication,” it said.

Only 41% of organizations looked beyond cybersecurity and insurance to engage their legal, corporate planning, finance, operations or supply chain management functions in making cyber risk plans.

Cyber controls can include email filtering, encrypted back ups, training and phishing testing, multi-factor authentication, endpoint detection and response, managing end-of-life systems, and privileged access management.