According to a recent report from Howden Insurance Brokers, global cyber insurance premiums have decreased by 15% since their peak in 2022. This decline is attributed to businesses improving their cyber hygiene practices.
Despite the increase in cyber threats, particularly ransomware attacks, businesses’ enhanced security measures have led to a significant reduction in insurance costs. The report highlights a notable rise in awareness and implementation of practices such as multifactor authentication, Endpoint Detection and Response (EDR), and cloud backups since 2022.
Although ransomware attacks have surged by 18% this year, Howden and NCC Group note that robust risk controls have diminished the necessity for companies to pay ransoms. However, the report also indicates that recovery costs are climbing again after a temporary dip in 2022.
Surge in Insurance Premiums in 2021-2022 Due to Remote Work Transition and Increased Cyber Threats
The COVID-19 pandemic led to a significant surge in insurance premiums during 2021 and 2022. As companies rushed to transition to remote work, threat actors exploited new network vulnerabilities. The widespread use of personal devices, increased access points, and loss of centralized data controls created ample opportunities for cybercriminals, resulting in a spike in claims.
Decline in Cyber Insurance Costs Explained by Howden’s Sarah Neild
Sarah Neild, head of cyber retail U.K. at Howden, outlined the reasons behind the decrease in cyber insurance costs. She told TechRepublic, “Increased risk awareness following persistent high-profile attacks is one reason. Insurers mandating minimum hygiene levels for businesses to access coverage has also significantly impacted costs.” Consequently, fewer claims are being made, leading to cheaper policies.
Neild emphasized, “Although the investment burden on companies is considerable, it has instilled much-needed resilience in policyholders. This is now paying off as they navigate a rapidly evolving threat environment.”
Howden’s data also indicates that indirect claims from third parties, not intentionally targeted in cyber incidents, are lower on average than direct claims. This suggests that companies are effectively managing their risks and mitigating losses.
Additionally, growing competition among insurers offering cyber insurance policies is driving prices down for customers. “Favorable dynamics have persisted into 2024, with the cost of cyber insurance continuing to fall despite ongoing attacks, heightened geopolitical instability, and the proliferation of Gen AI,” Neild said in a press release. “The market has never experienced this mix of conditions: a heightened threat landscape combined with a stable insurance market supported by robust risk controls.”
The Howden report projects that demand for cyber insurance in Europe will likely grow in the coming years. While penetration levels in the region are currently low, awareness of cyber risks and strategic security investments are increasing. Small and medium-sized organizations remain an underserved market.
Neild expects prices to remain low but considers further drops unlikely. She told TechRepublic, “Current dynamics—supply vs. demand, strong competition, etc.—suggest buyers will continue to benefit from favorable conditions. Capacity is up, and the recent strong performance of the market points to the cost of coverage being commensurate with loss costs. However, we are already seeing price decreases moderate following high-profile attacks in early 2024, particularly in the healthcare sector. We expect market conditions to stabilize from here and offer an attractive long-term proposition for both buyers and carriers.”
Why Cyber Insurance is Crucial for Businesses
Cyber insurance helps businesses withstand costs from successful cyberattacks or penalties for breaching increasingly stringent compliance regulations. According to IBM, data breach costs rose to $4.45 million per incident in 2023, partly due to the extended time required to investigate breaches.
A recent report from Splunk found that cybersecurity-related human errors, such as clicking phishing links, are the top cause of unplanned downtime within the world’s largest companies. Downtime costs these companies $400 billion annually, roughly 9% of their profits.
Cybersecurity incidents lead to financial losses through lost revenue, regulatory fines, and overtime wages for staff rectifying the issue. The report also highlighted hidden costs like diminished shareholder value, stagnant developer productivity, and reputational damage.
As cyberattacks become more successful, their associated costs rise. A study by Kaspersky in April revealed that devices infected with data-stealing malware increased sevenfold between 2020 and 2023. Last month, insurance broker Marsh reported receiving over 1,800 cyber claims from North American clients in 2023, a record high due to ransomware attacks.
Despite these challenges, there is evidence that companies are improving their defenses. A 2024 report from Mandiant showed that the median dwell time—the period attackers remain undetected within a target environment—decreased from 16 days in 2022 to 10 days in 2023, now at its lowest point in over a decade.