Cyber cover worth paying for? 58% say yes, survey finds
A joint Marsh-Microsoft survey of more than 650 decision makers globally has found 58% of respondents say it is worth paying for insurance to safeguard against the risks and costs of a cyber attack.
Almost two-thirds said insurance was an important part of their cyber risk management strategy, while 61% had purchased some type of cyber coverage – up around 30% since 2019.
The adoption of certain controls has become a minimum requirement for a majority of insurers, with “potential insurability on the line” for those seeking cover, Marsh says, and 41% of respondents said these insurer demands had influenced decisions to augment existing cyber control measures, or adopt new ones.
Insurance "influences the adoption of best practices and controls,” the State of Cyber Resilience report said.
Marsh also found cyber risk management to be “a mishmash of roles and responsibilities” with “no clear leader for decisions around cyber insurance”. Companies with cyber insurance were likely to have taken more actions to build security and to have stricter controls in place.
Insurance creates a “valuable feedback loop,” the report says, as underwriting teams learn from related claims and adjust their requirements to reflect controls that could have mitigated them.
Marsh says organisations should adopt a dozen controls which have come into focus due to this ability of insurers to identify the effect on corresponding cyber incidents and claims.
Here are the 12 recommended controls:
- Email filtering and web security
- Logging and monitoring/network protections
- Secured, encrypted, and tested backups
- Patch management/vulnerability management
- Cybersecurity awareness training/phishing testing
- Multi-factor authentication (MFA) for remote access and admin privileged access
- Endpoint detection and response (EDR)
- End-of-life systems should be replaced or protected
- Hardening techniques including remote desktop protocol (RDP) mitigation
- Cyber incident response planning and testing
- Privileged access management (PAM)
- Vendor/digital supply chain risk management