Cybersecurity Insurance: Signals Maturity to Partners, Improved Security Response

Cybersecurity insurance coverage is both growing in use and proving essential for small and mid-sized to signal to partners and customers that they have a mature security program. A newly released report, Forrester’s The State of Cyber, 2024 finds about 83% of organizations currently maintain cybersecurity insurance, and such policyholders tend to possess improved ability to detect and respond to attacks.

According to S&P Global, the global cybersecurity insurance market reached $12 billion at the end of 2022 and is expected to grow to $23 billion by next year — an annual clip of 25% to 30%.

The amount of insurance bought by individual companies varies significantly by company size, with large enterprises having more complex business-technology environments, more data to protect and more costs associated with incidents, including potential regulatory and recovery costs and larger potential losses due to business disruption. Forrester found a mix in how organizations choose their coverage, with 26% having stand-alone policies, 32% holding coverage through an endorsement, and 25% included within another business insurance policy.

According to Forrester, enterprises are more likely to acquire greater amounts of coverage compared with SMBs; 37% of enterprise respondents have $100 million or more in coverage, whereas 73% of SMBs have less than $50 million in coverage. “However, the coverage that SMBs seek is still sizable. It also reflects how SMBs as third parties present significant risk as part of a greater supply chain and the need for these organizations to signal confidence in their risk posture to partners,” Forrester concludes.

Insurance Companies and Assessments

Good cybersecurity insurance helps to mitigate some of that perceived higher degree of risk. Firms with cybersecurity insurance typically must prove that their level of maturity reaches a level that’s acceptable for the insurance companies to accept the risk. “Most insurance companies today do assessments and audits before providing a policy,” says Michael Farnum, an advisory CISO at technology services provider Trace3. Typically, Farnum explains, insurance companies want to know that, in addition to having the essential security tools and processes in place before signing a policy, the potential policyholder has adequate ability to identify and respond to data breaches are in place. “They want to know that if you suffer a breach, are you ready to effectively respond,” he explains.

Policyholders Have Better Security Outcomes

Forrester found that the tighter standards set to qualify for cybersecurity insurance have better data breach response times. According to Forrester’s findings, there’s a recurring pattern of improved detection and response for organizations with standalone cybersecurity insurance policies. Regarding the mean time to detect a breach (a common metric), 25% of global enterprise respondents with standalone cyber insurance policies reported that they could do so in seven days or fewer, compared to 19% of those without cyber insurance.

Similarly, 29% of those with a standalone cybersecurity insurance policy can respond to breaches within seven days, compared to only 19% without cybersecurity insurance.

Other areas of improvement include breach or malware eradication times and overall recovery from incidents. Finally, those with cybersecurity insurance are more likely to be further underway in building zero-trust architectures than those without insurance.