Measuring Return on Investment: Examining the Influence of Cybersecurity Products and Services on Cyber Insurance Claims


Evaluating the significance of cyber insurance claims is a reliable method to gauge the repercussions of cyberattacks on corporations. A heightened claim value denotes substantial financial and operational repercussions from the breach, while a diminished claim value indicates minimal disruption. 

Decreasing the magnitude of cyber insurance claims is beneficial for all parties involved. Lower claims highlight enhanced cyber resilience for clients, while insurers profit from reduced payouts. This also initiates a positive cycle: As insurers spend less to cover claims, they can lower premiums, presenting added benefits to clients. 

Despite the general agreement that fortified defenses diminish the financial and operational impacts of cyberattacks and the resulting claim values, no one has succeeded in measuring it. Until now. 

Sophos recently initiated an impartial study to assess the financial implications of diverse cyber controls on cyber insurance claim values. The study exposes the divergent effects of endpoint protection solutions, EDR/XDR technologies, and MDR services on attack-related claims, offering valuable insights for insurers and organizations alike.  

Key observations in this study include:  

  • Corporations utilizing MDR services claim 97.5% less than those solely dependent on endpoint protection ($75,000 vs. $3M). 
  • Entities employing EDR/XDR solutions claim one-sixth (1/6) of the amount claimed by organizations only using endpoint protection ($500,000 vs. $3M). 
  • Corporations utilizing MDR services exhibit the most predictable claims, whereas those utilizing EDR/XDR tools demonstrate the least predictability. 
  • Firms leveraging MDR services achieve the quickest recovery from significant cyberattacks, with almost half (47%) fully restored within a week, in contrast to only 18% relying on endpoint protection alone and 27% using EDR/XDR solutions.  
  • Organizations utilizing MDR services experience the most predictable recovery time in ransomware incidents, while EDR/XDR users display the least predictability. 

The Significance of this Study

Corporations invest substantial amounts in cybersecurity annually. By evaluating the impact of cyber controls on cyberattack outcomes, this study enables organizations to channel their investments towards areas with the most promising yields.  

Similarly, insurers wield substantial influence on cybersecurity expenses by mandating specific controls as prerequisites for coverage and providing discounts for compliant organizations. This research empowers them to ensure that they are encouraging investments that genuinely contribute to favorable incident outcomes and subsequent claim values. 

Research Specifications 

282 claim incidents from 232 companies employing 50 to 3,000 staff members were scrutinized in this research venture. Respondents utilized cybersecurity solutions from a wide array of suppliers, encompassing 19 distinct endpoint protection vendors and 14 separate MDR service providers. All entities were employing multi-factor authentication (MFA) at the time of the cyberattacks triggering the claims. The study was conducted on behalf of Sophos by Vanson Bourne.


Responses were categorized into three statistically valid groups based on the cybersecurity defenses deployed during the attacks that triggered the claims:

  • Endpoint users: Employed an endpoint protection solution for a minimum of one year but did not use endpoint detection and response (EDR) or extended detection and response (XDR) tools or MDR services (n=63 organizations, 83 claim events).
  • EDR/XDR users: Employed an endpoint protection solution and an EDR/XDR tool for at least a year but did not utilize MDR services (n=109 organizations, 129 claim events).
  • MDR users: Employed an endpoint protection solution and an MDR service for at least a year (n=60 organizations, 70 claim events).

We employ these segment designations throughout the report.


For clarity, the investigation solely focuses on claims arising from cyberattacks and excludes claims related to a cyber insurance policy for other causes (e.g., the business repercussion of cybersecurity vendor outages or inadvertent data loss).

Insight #1: Corporations utilizing MDR services claim 97.5% less than those dependent on endpoint protection alone

The study indicates that the median claim value of companies leveraging MDR services is 97.5% lower than that of endpoint users. The median claim by MDR users stood at merely $75,000 in contrast to $3M for endpoint users.  From another perspective, endpoint users typically claim 40X more due to cyberattacks than MDR users. The decreased claim value likely signifies the ability of MDR services to swiftly identify and neutralize malicious activities, expelling adversaries before substantial damage occurs.

The data also validates the advantage of employing an EDR or XDR security solution in addition to endpoint protection, with the mean claim by EDR/XDR users standing at one-sixth (1/6) of that of endpoint users ($500,000 compared to $3M).

Median amount claimed on cyber insurance policy due to cyberattacks
What was the approximate value of the cyber insurance claim(s) made (how much claimed for, not how much was paid out) by your organization? Excluding outliers and don’t know. n=232 organizations, 282 claim events. Asked to respondents whose organization had made at least one insurance claim following a significant cyberattack in the last 12 months.

DISCOVERY #2: MDR users showcase the most consistent claims; EDR/XDR users exhibit the most uncertainty

Claim consistency is a vital gauge of the uniformity and dependability of cyber controls in lessening the consequences of cyberattacks. For a comparative analysis of various controls, a hypothetical claim example for an entity with a yearly revenue of $100M was simulated for each segment. This simulation is derived from the outcomes produced by the multivariate regression model employed for the assessment (refer to ‘About the survey’ at the conclusion of this blog for additional details).

The evaluation uncovers two crucial revelations:

  1. The claims of MDR users are the most predictable
  2. The claims of EDR/XDR users are the least predictable

The predictability of MDR users’ claims illustrates the regularity with which MDR providers promptly detect and eliminate threats. With continuous 24/7 monitoring, analysis, and response provided by security specialists, MDR services can swiftly respond at any given time.

Uninterrupted monitoring is specifically vital as numerous adversaries deliberately target off-peak hours to conduct their assaults, aiming to delay detection until they achieve their objectives. Data analyzed by Sophos X-Ops reveals that 91% of ransomware attacks commence outside typical business hours, which are defined as 8 am – 6 pm, Monday to Friday.

The unpredictable nature of claims by EDR/XDR users indicates that the effectiveness of these tools in thwarting cyberattacks before significant harm ensues is entirely contingent on the capabilities and responsiveness of the user. While some establishments effectively utilize EDR/XDR tools to halt attacks swiftly and efficiently, others struggle to deliver proficient security operations despite investing in EDR/XDR technology – with anecdotal input suggesting this is frequently due to inadequate capacity to provide 24/7 coverage or a deficit in expertise.

The revelation that claims of EDR/XDR users span a broader spectrum than those of endpoint users additionally implies that the inefficient utilization of these tools can exacerbate the scenario. For example, organizations may postpone engaging external incident response professionals for assistance while attempting to tackle the situation autonomously.

Claim predictability by security control type
What was the approximate value of each of the cyber insurance claims made (how much claimed for, not how much was paid out) by your organization? [n=232 organizations, 282 claim events]. Asked of respondents in organizations that have made at least one insurance claim following a significant cyberattack in the last 12 months, median amount claimed split by security solution type, excluding outliers of more than $10m – 95% confidence. Based upon multi-variate regression model (see ‘About the survey’ at the end of this blog).

DISCOVERY #4: MDR users boast the most consistent recovery time from ransomware incidents; EDR/XDR users demonstrate the least

Establishing recovery time based on a theoretical example of an organization confronted with a significant ransomware attack unveils notable disparities hinged on the security control adopted. This study modeled both the recovery timeframe (the duration between the quickest and slowest possible recovery) and the anticipated recovery time grounded on the reported average recovery time.

  • Endpoint users reside in the middle ground with a 40-day recovery timeframe and an anticipated recovery time of 40 days.
  • EDR/XDR users exhibit the slowest recuperation, featuring both the broadest recovery timeframe (66 days) and the lengthiest anticipated recovery time (55 days).
  • MDR users recuperate the fastest, showing a five-day recovery timeframe and a predicted recovery time of merely three days.

These findings further affirm that employing an MDR service considerably mitigates the effects of cyberattacks on establishments. They also reveal the highly erratic recovery duration of EDR/XDR users. It is crucial to consider that EDR/XDR solutions are tools, and their effectiveness and impact hinge on their proficient utilization.

Time taken to fully recover from a claim-resulting ransomware attack
How extensive was the period your business needed to fully recuperate from the cyberattack/individual cyberattacks that resulted in the insurance claim(s)? Stats are chart-based. Surveyed from individuals within businesses that have put forth at least one insurance claim after a notable ransomware attack in the previous 12 months, considering median values except outliers, not showcasing all responses.

Summary

The study validates a known fact: the implementation of cyber controls significantly influences cyber insurance claims. MDR users consistently have the lowest claim amounts with predictable figures. Endpoint users report the highest average claims, while EDR/XDR users have the most variable claim amounts.

Cyberattacks are an unavoidable reality. However, defensive strategies are within the realm of control. These results offer a valuable resource for businesses aiming to enhance their cyber defenses and maximize cybersecurity ROI, as well as for insurers seeking to lessen vulnerabilities and provide tailored policy options to customers.

About the survey

The research, conducted by Vanson Bourne for Sophos in the latter half of 2024, analyzed claims resulting from cyberattacks occurring in the preceding 12 months. All results underwent stringent statistical validation, utilizing multivariate regression models.

These models evaluate the primary variable (in this scenario, the security solution employed) and its impact on other crucial variables (like claim amounts and recovery duration). Incorporated into the models are control variables (business sector, size, cyber insurance type, security posture during attack, claim status). The deductions presented in this report stem from these analyses.
